Google Chrome extensions downloaded over 32 million times allow users to be spied on

Google Chrome spyware extensions, which have been downloaded more than 32 million times, let users to be spied on. Researchers at Awake Security told Reuters that this is tech industry's failure to protect browsers as they are used more for email, payroll and other sensitive functions. Alphabet's Google said it removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month.

“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesman Scott Westover told Reuters.

The extensions removed by the tech giant were to warn users about questionable websites or convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools. According to Awake co-founder and chief scientist Gary Golomb, this was the most far-reaching malicious Chrome store campaign to date.

WATCH Zee Business TV LIVE Streaming Online

However, Google is yet to release an official statement on this.

Awake said the developers supplied fake contact information when they submitted the extensions to Google.

“Anything that gets you into somebody's browser or email or other sensitive areas would be a target for national espionage as well as organized crime,” said former National Security Agency engineer Ben Johnson, who founded security companies Carbon Black and Obsidian Security.

The extensions were designed to avoid detection by antivirus companies or security software that evaluates the reputations of web domains, Golomb said.

How do they work?

The researchers found that when users opened the browser to surf the web on a home computer, it would connect to a series of websites and transmit information. Anyone using a corporate network, which would include security services, would not transmit the sensitive information or even reach the malicious versions of the websites.

“This shows how attackers can use extremely simple methods to hide, in this case, thousands of malicious domains,” Golomb said.