Newly discovered malicious extensions could be lurking in enterprise browsers

ShadyPanda played the long game, with extensions, including the popular Clean Master utility with 200,000 installs, distributed as completely legitimate tools early on, earning them positive user ratings and, in some cases, trust signals such as “Featured” or “Verified” badges in the Chrome Web Store and Microsoft Edge Add-ons store.

No review after submission: This long-term legitimacy built a large user base and may have normalized these extensions inside enterprises, where browser add-ons often pass through with little scrutiny. Only after accumulating trust, and millions of installs, did ShadyPanda push silent malicious updates. It embedded hidden install-tracking routines that mapped user behavior and optimized reach before weaponizing it through a malicious update. Because Chrome and Edge updates occur automatically and do not require user re-approval for existing permissions, the exploit happened quietly.

“ShadyPanda’s success is about systematically exploiting the same vulnerability for seven years: marketplaces review extensions at submission,” Admoni said. “They don’t watch what happens after approval.”

Evasion and Man-in-the-Browser tricks: ShadyPanda also invested in staying hidden. Koi found that when developer tools were opened, the malicious logic immediately switched to benign behavior, making manual analysis harder. Obfuscation and controlled activation further obscured the malicious component, ensuring stealth.

Koi noted that some of these extensions were still live in the Edge Add-ons store at the time of disclosure. Clean Master’s publisher, Starlab Technology, launched 5 additional extensions on Microsoft Edge around 2023, picking up over 4 million combined installs. “All 5 extensions are still live in Microsoft Edge marketplace,” Admoni said, adding that two of those are comprehensive spyware.

Google recently removed Clean Master from the Chrome Web Store, and today none of the extensions are available on the Chrome Web Store, a Google spokesman said. Microsoft did not immediately respond to CSO’s request for comment.

Like a man-in-the-middle (MitM) attack, ShadyPanda effectively positioned itself between users and the websites they visited, inserting tracking logic into pages they loaded. This allowed the attackers to observe and manipulate traffic through the browser, giving the actor continuous visibility into how infected users interacted with the web.

Admoni pointed out that removing the extensions might not help, as the attackers may presumably already have collected high-value data including cookies, browsing patterns, session tokens, and fingerprinting data. In its blog post, Koi provided a list of malicious Chrome and Edge extensions, along with C2 and data exfiltration domains, to support detection efforts.
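The article's central point is that marketplace review happens only at submission, while a silent auto-update can later widen what an extension may do. The following added example (not from the CSO article or from Koi's report) is a defender-side inventory check: it compares an approved baseline of installed extensions against the current state and flags updates that added page-wide permissions, plus IDs matching a blocklist. The extension IDs, versions and permissions in the sample data are constructed, and `KNOWN_BAD_IDS` is a placeholder for the list Koi published.

```python
import json
from pathlib import Path

# Permissions whose sudden appearance in an update would put an extension in
# the man-in-the-browser position the article describes (read/modify pages).
HIGH_RISK = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies",
             "scripting", "declarativeNetRequest", "tabs"}

# Placeholder only: the real IDs and C2 domains are in Koi's blog post.
KNOWN_BAD_IDS = {"EXTENSION_ID_FROM_KOI_LIST"}


def load_installed(profile_dir):
    """Read manifest.json for each extension under a Chrome/Edge profile
    (on-disk layout: Extensions/<id>/<version>_0/manifest.json).
    MV2 keeps host patterns in 'permissions', MV3 in 'host_permissions'."""
    found = {}
    for manifest in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        m = json.loads(manifest.read_text(encoding="utf-8"))
        found[manifest.parent.parent.name] = {
            "version": m.get("version", ""),
            "permissions": set(m.get("permissions", []))
                           | set(m.get("host_permissions", []))}
    return found


def check_drift(baseline, current, known_bad=KNOWN_BAD_IDS):
    """Return (extension_id, reason) findings: blocklist hits, extensions
    absent from the approved baseline, and updates that gained permissions."""
    findings = []
    for ext_id, now in current.items():
        if ext_id in known_bad:
            findings.append((ext_id, "blocklisted"))
        before = baseline.get(ext_id)
        if before is None:
            findings.append((ext_id, "new extension, not in approved baseline"))
            continue
        gained = now["permissions"] - before["permissions"]
        if gained and now["version"] != before["version"]:
            tag = " [HIGH RISK]" if gained & HIGH_RISK else ""
            findings.append((ext_id, f"update {before['version']}->{now['version']}"
                                     f" added {sorted(gained)}{tag}"))
    return findings


# Constructed sample: a "cleaner" utility whose auto-update gains page-wide access.
BASELINE = {"cleanerexample000000000000000000":
            {"version": "2.1.0", "permissions": {"storage", "tabs"}}}
CURRENT = {"cleanerexample000000000000000000":
           {"version": "2.2.0", "permissions": {"storage", "tabs", "<all_urls>", "webRequest"}}}

if __name__ == "__main__":
    for ext_id, why in check_drift(BASELINE, CURRENT):
        print(ext_id, why)
```

Run `load_installed()` on each managed profile at a fixed interval and persist the result as the next baseline; a permission gain without a matching change ticket is the signal the article says marketplaces themselves do not produce.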

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4099446/newly-discovered-malicious-extensions-could-be-lurking-in-enterprise-browsers.html
