The tech industry’s failure to protect browsers came to the fore when researchers at Awake Security last month alerted of a newly-discovered spyware effort to attack users through 32 million downloads of extensions to Google’s market-leading Chrome web browser.
Alphabet Inc’s Google told Reuters that it removed more than 70 of the malicious add-ons from its official Chrome Web Store thereafter.
“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesman Scott Westover told Reuters.
Most of the free extensions purported to warn users about questionable websites or convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools.
Based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date, according to Awake co-founder and chief scientist Gary Golomb.
Google declined to discuss among others, how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite past promises to supervise offerings more closely.
It is unclear who was behind the effort to distribute the malware. Awake told Reuters the developers supplied fake contact information when they submitted the extensions to Google.
