Most of these extensions follow the same pattern: get installed, start a clock, and then activate the hidden malicious code embedded inside. In some cases the code was an API wrapper, disguised as a legitimate one, that allowed for malicious injections. Google was informed of these issues by different researchers, but it was not until Avast submitted a list of 32 extensions that Google acted. Why Google did not respond to the individual researchers is a bit of a mystery, especially when they have always claimed to put security first in their products.
All the extensions identified by Avast (the company that finally got Google to do something) were found to do basically the same thing: inject code to hijack browser sessions, either for ad insertion or for malicious redirects. Avast has a nice list of the extension IDs for the malicious apps, as well as two domains that were found to be used in combination with the extensions (and a file hash). The two domains listed were serasearchtop[.]com and onlinesly[.]com. Getting these into any URL blocking systems that you might have would be a good idea to prevent potential abuse.
For organizations that have the capability, publishing Chrome as a controlled app (via Intune, for example) is a good move to control the use of plug-ins by users. Even in a BYOD environment, the proper setup of Compliance policies or Configuration profiles can prevent random security issues in Chrome and other browsers. These should be part of good security hygiene for any remote workplace, but should also not be ignored when it comes to on-site staff. As always, a little bit of proactive protection goes a long way toward preventing incidents.
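
One way to turn the indicators above into browser policy, as an added example that is not from the original post or from Avast: the script builds values for the Chrome enterprise policies ExtensionInstallBlocklist, ExtensionInstallAllowlist and URLBlocklist, which a management tool can then deploy. The extension IDs are constructed placeholders (the post does not reproduce Avast's list), the helper names are hypothetical, and the two domains are the ones named above.

```python
import json
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"[a-p]{32}")

# Constructed placeholder IDs; substitute the IDs from the vendor's published list.
SAMPLE_BLOCKED_IDS = ["a" * 32, "abcdefghijklmnop" * 2]
# Domains as written (defanged) in the post.
PAGE_DOMAINS = ["serasearchtop[.]com", "onlinesly[.]com"]


def refang(indicator):
    """Convert a defanged indicator (example[.]com, hxxp://...) to a bare host."""
    host = indicator.strip().lower().replace("[.]", ".")
    host = re.sub(r"^hxxps?://", "", host)
    return host.split("/")[0]


def check_ids(ids):
    """Normalise extension IDs and reject anything that is not a valid ID."""
    cleaned = sorted({i.strip().lower() for i in ids})
    bad = [i for i in cleaned if not EXT_ID.fullmatch(i)]
    if bad:
        raise ValueError(f"not Chrome extension IDs: {bad}")
    return cleaned


def build_policy(blocked_ids, domains, approved_ids=None):
    """Build Chrome policy values.

    Without approved_ids only the known-bad extensions are blocked.
    With approved_ids every extension is blocked ("*") except the approved ones.
    """
    policy = {"URLBlocklist": sorted({refang(d) for d in domains})}
    if approved_ids is None:
        policy["ExtensionInstallBlocklist"] = check_ids(blocked_ids)
    else:
        policy["ExtensionInstallBlocklist"] = ["*"]
        policy["ExtensionInstallAllowlist"] = check_ids(approved_ids)
    return policy


if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_BLOCKED_IDS, PAGE_DOMAINS), indent=2))
```

A bare host entry in URLBlocklist also covers its subdomains. Passing `approved_ids` switches from blocking known-bad extensions to the stricter allowlist-only model, which also covers extensions nobody has reported yet.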