Massive browser hijack: 2.3 million Chrome and Edge users are infected by extensions that convert into Trojan horses


Before a single version bump turned 18 extensions into trojans without any user involvement, their codebases had been "squeaky clean," in some cases for years. Although more than 2.3 million people have been compromised so far, security researchers caution that there are still many more such extensions out there.

Before it turned malicious, one of the extensions had more than 800 reviews, a Google verified badge, and a featured placement on the Chrome Web Store.

The "Color Picker, Eyedropper - Geco colorpick" extension is one of the 18 that were recently modified to carry malicious code, according to researchers at Koi Security.

According to the researchers, "this is a well-designed Trojan horse that offers precisely what it promises (a working color picker) while simultaneously hijacking your browser, persistently maintaining a command and control backdoor, and tracking every page you visit."

RedDirection, one of the largest browser-hijacking campaigns seen to date, is a carefully crafted operation that has affected more than 2.3 million Chrome and Edge users.

None of the 18 extensions was malicious from the start. They were ordinary productivity or entertainment tools: emoji keyboards, weather forecasts, video speed controllers, volume boosters, YouTube blockers, dark themes, and the like.

According to the research, "these malicious versions auto-installed surreptitiously because of the way Google and Microsoft manage browser extension upgrades."

"Avoid phishing. Don't use social engineering. Silent version spikes in trusted extensions transformed productivity tools into spying spyware."

Because the stores' review procedures failed to catch the malicious changes, the threat actor was able to use the big tech platforms' own update channels to expand the reach of the infection.
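The article's point is that a trusted extension can change character on a silent version bump. As an added example (not Koi Security's tooling or anything from the affected extensions), the script below diffs two snapshots of installed-extension manifests and flags updates whose version rose while their permission set widened into page-observing capabilities; the extension id, names and manifests are constructed sample data.

```python
"""Diff two snapshots of installed browser-extension manifests and flag
silent version bumps that also widen the extension's capabilities.
Added example for this article, not Koi Security's code; the snapshots
at the bottom are constructed sample data, not real extension files."""
from __future__ import annotations

# Permissions that let an extension observe or alter every page. A new
# one appearing on a version bump deserves review before it is trusted.
HIGH_RISK_PERMS = {"webRequest", "webRequestBlocking", "tabs", "cookies",
                   "scripting", "declarativeNetRequest", "<all_urls>"}


def manifest_perms(manifest: dict) -> set[str]:
    """Collect API and host permissions from an MV2 or MV3 manifest."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms |= set(cs.get("matches", []))
    return perms


def version_tuple(version: str) -> tuple[int, ...]:
    """Turn '1.4.0' into (1, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_updates(before: dict[str, dict], after: dict[str, dict]) -> list[dict]:
    """Compare extension-id -> manifest maps and return findings for new
    installs and for version bumps that added high-risk permissions."""
    findings = []
    for ext_id, new in after.items():
        old = before.get(ext_id)
        if old is None:
            findings.append({"id": ext_id, "kind": "new_install",
                             "version": new.get("version")})
            continue
        if version_tuple(new["version"]) <= version_tuple(old["version"]):
            continue  # no bump, nothing changed silently
        risky = (manifest_perms(new) - manifest_perms(old)) & HIGH_RISK_PERMS
        if risky:
            findings.append({"id": ext_id, "kind": "risky_version_bump",
                             "from": old["version"], "to": new["version"],
                             "added": sorted(risky)})
    return findings


# Constructed sample: a colour-picker extension before and after a bump.
BEFORE = {"sampleid000": {"name": "Colour Picker (sample)", "version": "1.4.0",
                          "permissions": ["activeTab", "storage"]}}
AFTER = {"sampleid000": {"name": "Colour Picker (sample)", "version": "1.5.0",
                         "permissions": ["activeTab", "storage", "tabs", "webRequest"],
                         "host_permissions": ["<all_urls>"]}}

if __name__ == "__main__":
    for finding in audit_updates(BEFORE, AFTER):
        print(finding)
```

In practice the snapshots are built by reading `manifest.json` under each `<profile>/Extensions/<id>/<version>/` directory of a Chrome or Edge profile at two points in time.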
