April 15, 2020

ATTENTION! Check if you were affected by malware clones

Several malicious Dark Reader's copies were created, thousands Firefox and Edge users were affected. Follow this guide to learn how to avoid malware extensions, and how to check that you've installed Dark Reader from the original source.

Dark Reader clones

Attack of the Clones

An interesting malware technique was revealed recently. Multiple Dark Reader copies with similar names and additional code were removed from Firefox Add-ons and Microsoft Store.

A malicious code was hidden and encoded in a *.png file. In 5 days it downloaded and executed another code, that was collecting data from web pages using fake forms, and later sent this data to a remote server.

Malware code sample

It turned out that similar attacks happen periodically and affect Chrome and Firefox users (upd. Edge too).

If you were using such an extension, or noticed some strange website behavior, or remember getting an SMS security code when you were not trying to sign in somewhere, RESET ALL YOUR PASSWORDS, REISSUE YOUR CARDS or contact your bank. Check your Google, Microsoft, Amazon, or banking account activity history.

What should I do to protect myself?

1. Use extensions made by Trusted Companies

First of all, there are extensions that are owned by large well-known companies that value their reputation and are absolutely not interested in doing any harm to you. Here are a few examples:

Honey

Honey logo
★★★★★

Owned by PayPal, Honey automatically searches and applies coupon codes while you are making online purchases. It is currently used by more than 20,000,000 people and states it doesn't sell your data, but charges a small fee from your saved amount instead. Savings can be huge sometimes.

Join Honey using this link and Dark Reader will get some sponsorship.

Honey screenshot

Google Translate

Google Translate logo
★★★★☆

This extension is owned by Google, the owner of Chrome browser and Chrome Web Store. You should be calm when using an extension like this. See more extensions created by Google.

Google Translate screenshot

Other companies

Companies like Microsoft, Amazon and others provide helpers for their products. For example Office extension, which shows you shortcuts for recent documents and more. Double check the developer's name, the website and the installation URLs.

Firefox Recommended Extension badge

Firefox Add-ons have a Recommended Extensions program. This is a limited set of extensions, picked by Mozilla, that pass a deep manual review. Extensions' authors have to provide a source code, build steps, and are not allowed to use obfuscated code. Every update passes a detailed review and reviewers ask to clarify any moments they don't get.

Chrome Web Store has Editor's Picks section and other collections, and the company has tightened up its review process, but its not clear what exactly happens during the review.

3. Use open source extensions

uBlock logo
★★★★★

If an extension is not owned by some well-known company, see if there's a link to GitHub or another open source repository.

But don't just stop on the link. Check if the update date corresponds with the commit history in the repository. Find manifest.json file and have a look if the version number is the same. If you are familiar with JavaScript, you can even locate the downloaded extension's folder and browse through the source code.

Finally, check if links in ReadMe file point to a correct download page.

The best example of a trusted open source extension is uBlock Origin, an ad blocker by Raymond Hill.

4. Use paid extensions

Honey logo
★★★★☆

Although this is more common for Safari browser, rather than Chrome and Firefox, if you are using a paid extension, it is less likely that it will start doing a harm to you. For example, have a look at Momentum extension, which can help you customize a new tab page.

Extensions for the latest Safari are installed from Mac App Store and have the same review process as desktop applications. But pay attention on subscriptions.

Mac App Store - paid Safari extension screenshot

5. Check the extension's name

You should think twice before installing extensions, that are named like Adblock Origin or uBlock Plus.

6. Read the reviews

Review example: this doesn't do a thing

While some reviews could be left by people who had a bad day, make sure that they are mostly positive and look through some recent negative reviews. Pay attention to the number of reviews (e.g. if the extension with 10,000 users has more than 1,000 reviews, it looks suspicious).

7. Protect your accounts

Use 2-factor authentification. Don't fill in any data on websites, that are not using HTTPS. Whenever you enter a password, check the URL, especially if you opened a link from a message. If it's not obvious, make sure the domain belongs to the company using some Whois service.

8. What if I use an extension, that is not open source and not owned by a well-known company?

Well, use it on your own risk. Learn more about the developer, check the website. Is it a company that has some cool product, or an individual with a clear GitHub or Linkedin profile? Then you can give it a try.

Until the stores find a proper way to filter out extensions, we have to be attentive.

UPDATE

How to check where did you install extensions from

The good news is, that if you've seen Dark Reader's notification, you are most likely safe. The inspected malware has it hidden (see the screenshot below). But we strongly recommend you ensure this is true, and also check other browser extensions' URLs and other info.

Chrome (Chromium)

Firefox

Edge

Opera

There can be minor differences depending on your language code.

UPDATE 2

This guy is doing harm to Edge users right now

The users of -Dark Theme for Edge- will not be able to see this notification, the guy has disabled this functionality. The extension is using absolutely the same technique as described above.

Edge malware screenshot

Who knows how many clones of other add-ons are there in Microsoft Store. The issue has been reported.

UPDATE 3

The discovered malware was taken down, you will see a notice on edge://extensions page, if you had it installed.

Edge malware screenshot

To be continued...

Finally

Don't worry and have a nice day 😅

And check out our sponsor's extension Honey. And become a sponsor too.