These Chrome and Firefox extensions can hijack browsers, spy on you and are almost impossible to remove
The forced install tricks users into installing the extension via a JavaScript-based popup that will not close until successfully installed.
Security researchers have discovered a nasty pair of Chrome and Firefox extensions that can hijack browsers, spy on users' browsing activities and are nearly impossible to get rid of manually. According to researchers at Malwarebytes, the new malicious extension called "Tiempo en colombia en vivo" was found lurking in both popular browsers.
The rogue extensions can also block users from removing them by closing pages that list all information about extensions or add-ons. They can also send users to a completely different page that does not list any details about extensions.
Once installed, the extension keeps users away from Chrome's extension list by redirecting chrome://extensions/ to chrome://apps/?r=extensions instead, where only installed apps, not extensions, are listed.
"The extensions redirect users away from pages where they can disable or delete them in order to drive clicks up on YouTube videos or hijack searchers," Malwarebytes said in a blog post. "In Firefox, this problem is relatively easy to circumvent, but for Chrome it takes a lot of digging."
Malwarebytes researcher Pieter Arntz said he tried removing the Chrome version of the extension by disabling JavaScript in the browser, launching the Chrome browser with all extensions disabled and even renaming the folder named "1499654451774.js" where extensions are stored.
Arntz advises users to run the free version of Malwarebytes to scan for and get rid of the extension.
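Because the extension keeps users off chrome://extensions/, one way to see what is installed is to read the profile's Extensions folder straight from disk. The following is an added example, not code from Malwarebytes or the original article; the permission heuristic and the sample extension IDs are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Heuristic (an assumption, not from the article): permissions an extension
# would typically hold in order to watch tab URLs and redirect or close tabs.
TAB_CONTROL = {"tabs", "webNavigation", "<all_urls>"}

def inventory(extensions_dir):
    """Read every Extensions/<extension id>/<version dir>/manifest.json."""
    found = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = None  # unreadable or corrupt manifest: still list the folder
        data = data if isinstance(data, dict) else {}
        perms = set()
        for key in ("permissions", "host_permissions", "optional_permissions"):
            value = data.get(key)
            if isinstance(value, list):
                perms.update(p for p in value if isinstance(p, str))
        found.append({
            "id": manifest.parent.parent.name,
            "version_dir": manifest.parent.name,
            # Localized manifests show a "__MSG_...__" placeholder here.
            "name": data.get("name", "<unreadable manifest>"),
            "permissions": sorted(perms),
            "tab_control": sorted(perms & TAB_CONTROL),
        })
    return found

def build_sample_profile(root):
    """Constructed sample data: two made-up extensions, not real IDs."""
    samples = {
        "a" * 32: {"name": "Sample weather", "version": "1.0", "permissions": ["tabs", "<all_urls>"]},
        "b" * 32: {"name": "Sample notes", "version": "2.3", "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        folder = Path(root) / ext_id / (manifest["version"] + "_0")
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for ext in inventory(build_sample_profile(tmp)):
            print("REVIEW" if ext["tab_control"] else "ok", ext["id"], ext["name"])
```

To check a real machine, close Chrome and pass inventory() the Extensions folder of the profile, for example %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions on Windows. A flagged entry is only a prompt to look closer, since many legitimate extensions hold the same permissions.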
He also found a Firefox extension that behaved similarly to Tiempo en colombia en vivo that Malwarebytes detected as "PUP.Optional.FFHelperProtection."
Users receive an ad warning that Firefox requires a manual update. However, once installed, the extension prevents them from accessing the "about:addons" page by closing the tab.
"This means that you can't remove the extension manually," Arntz wrote.
Although the Firefox extension also tries to dodge any attempts to uninstall it, it is easier to deal with than the Chrome one.
Arntz advises users to run Firefox in "safe mode" by holding down the Shift key when launching Firefox. Since extensions are not active in this state but are still viewable, one can easily remove the malicious extension.
"If you are kept on a Firefox tab by JavaScript(s) that keep popping up with prompts, and you are unable to close the window in the usual way, you can terminate Firefox by using Task Manager. When you restart Firefox, it will not be able to restore the session for that tab," he writes.
Tiempo en colombia en vivo was reportedly installed nearly 11,000 times before it was removed by Google.
"While the extensions have been around for a few weeks, both are still in use in one form or another," Malwarebytes added. "Unfortunately, since both the Chrome and Firefox extensions mostly add themselves through forced installs, it's not always possible to avoid getting them. The best we can offer is to stay vigilant as you surf and use an adblocker."
A Google spokeswoman told Ars Technica in a statement: "We've automatically removed Tiempo en colombia en vivo and Play Red Bull version 4 from the machines of affected Chrome users. Security is a core tenet of Chrome and the browser automatically blocks over one thousand malicious or abusive extensions per month."
The report comes just days after researchers at ICEBRG uncovered four malicious Chrome extensions that racked up over 500,000 installs and were found infecting users across the globe. Late last year, a popular Chrome extension called Archive Poster was caught running the in-browser cryptocurrency miner Coinhive to secretly mine Monero coins.