New Chrome, Firefox malicious extension found, hijacks browser to prevent removal

The 'forced' extension is spread through popups and fake advertisements on Chrome and Firefox.

  • Published: January 21, 2018 4:14 PM IST

A new browser extension has been discovered that not only spies on your browsing behavior, but also hijacks the browser completely to prevent its own removal. The malware-based extension, called “Tiempo en colombia en vivo”, has been found affecting Google Chrome and Mozilla Firefox browsers.

Security researchers at Malwarebytes discovered the pair of extensions, which block any attempt at removal. The version found on Chrome is a forced extension, installed as a result of users clicking on the trapped JavaScript-based popup. The Firefox version, on the other hand, arises from a malicious ad which pretends to be an official warning from Mozilla that a manual update is required.

While the researchers have not provided details on what the malware-ridden extension is capable of doing, a report on Digital Trends states that it could possibly hijack the browser to push technical support scams, drive click numbers on specific websites, or completely hijack web searches. It is also said to be capable of snooping on your web behavior.

As the report describes, the installation of this extension is forced. If you attempt to cancel the installation or leave the page, a popup appears asking you to add an extension in order to exit the page. If you choose to cancel, another popup appears with an additional tick box that says “Prevent this page from creating additional dialog.” Once you check the box and hit ‘OK’, the browser goes full-screen with a popup revealing the name of the extension, which is supposedly distributed through the Chrome Web Store.

Users are fooled into believing it is a legitimate extension and go ahead with the installation. After that, when Chrome users attempt to access the in-browser extensions section, they are redirected to a fake extension page. As the page is internal, disabling JavaScript does not fix the issue.

If you have been a victim of this extension, the only way to regain control of the browser is to add “-disable-extensions” after chrome.exe in the shortcut command line, or rename the “1499654451774.js” file in the extensions folder.

As for the Firefox version of the extension, users see a web-based advertisement warning that Firefox requires a manual update. The advertisement is made to appear genuine, so victims fall for it and install the malicious extension. Once installed, it prevents the victim from accessing the internal “about:addons” page by closing the tab. To remove the extension, you can restart the browser in safe mode, in which extensions are not active, and remove the add-ons.

If you are not able to close the Firefox window because of the constant popups, you can open Task Manager by pressing CTRL+ALT+DEL and terminate the browser. Once you restart the browser, it will not be able to restore the last session.