You've Changed: Detecting Malicious Browser Extensions Through Their Update Deltas

You've Changed: Detecting Malicious Browser Extensions Through Their Update Deltas

You’ve Changed: Detecting Malicious Browser Extensions through their Update Deltas Nikolaos Pantelaios Nick Nikiforakis Alexandros Kapravelos [email protected] [email protected] [email protected] North Carolina State University Stony Brook University North Carolina State University ABSTRACT Unlike browser plugins, extensions are comprised of JavaScript, In this paper, we conduct the largest to-date analysis of browser HTML, and CSS, but have access to privileged APIs that enable extensions, by investigating 922,684 different extension versions them to arbitrarily change webpages and bypass the browser’s Same- collected in the past six years, and using this data to discover mali- Origin Policy. This power has historically been abused by malicious cious versions of extensions. We propose a two-stage system that browser extensions to hijack session cookies, arbitrarily change the first identifies malicious extensions based on anomalous extension content of websites, steal user data, and expose users to low-quality ratings and locates the code that was added to a benign extension in ads. While multiple systems for detecting malicious extensions have order to make it malicious. We encode these code deltas according to been proposed in past work [14, 20, 23, 41, 45], malicious-extension the APIs that they abuse and search our historical dataset for other authors still manage to bypass existing defenses and infect millions similar deltas of extensions which have not yet been flagged, neither of users with malicious extensions. In the most recent high-profile by users nor by Chrome’s Web Store. We were able to discover 143 example, Google took down 49 extensions in April 2020 that were pre- malicious extensions belonging to 21 malicious clusters, exhibiting tending to be cryptocurrency wallet apps but were instead stealing a wide range of abuse, from history stealing and ad injection, to the users’ private keys and mnemonic phrases [15]. hijacking of new tabs and search engines. Our results show that Next to malicious extensions that were always malicious and our proposed techniques operate in an abuse-agnostic way and can were eventually detected (such as the aforementioned cryptowallet- identify malicious extensions that are evading detection. stealing extensions), there have been cases where previously benign extensions started behaving maliciously. For example, in 2013, Hov- KEYWORDS erZoom, an extension that magnified images on websites, started behaving maliciously by stealing user data and changing the affiliate web; browser; extensions; machine learning; malicious; security identifiers on Amazon links [12]. Similarly, in 2018, attackers com- ACM Reference Format: promised the Chrome developer account of the Mega file-sharing Nikolaos Pantelaios, Nick Nikiforakis, and Alexandros Kapravelos. 2020. extension (associated withe the mega.nz website) and pushed a ma- You’ve Changed: Detecting Malicious Browser Extensions through their Up- licious update which stole the private keys of cryptocurrency wallet date Deltas. In Proceedings of the 2020 ACM SIGSAC Conference on Computer services [11]. In addition to getting compromised, there have been and Communications Security (CCS ’20), November 9–13, 2020, Virtual Event, multiple cases where the developers of small extensions, either sold USA. ACM, New York, NY, USA, 15 pages. https://doi.org/10.1145/3372297. their extension and userbase to a third party [9, 34] or decided to mon- 3423343 etize their extensions using low quality, advertising-based programs that have the potential to expose users to malvertising. 1 INTRODUCTION Given the increased news of once-benign extensions turning mali- As users satisfy more and more of their computing needs through the cious, in this paper, we propose a new method for detecting malicious web, modern web browsers need to provide increased functionality browser extensions, by focusing on their update deltas. Given an and customizability. An indispensable feature of modern browsers is extension which turned malicious, our system uses the last benign the ability to be customized, at the client side, via browser extensions. version of that extension to identify the code responsible for its Using extensions, users can augment and alter the behavior of their malicious actions. By focusing on APIs that this code-delta abuses, browsers to match their needs. Among others, extensions are used our system creates an API sequence which it then tries to match to increase the user’s productivity (e.g. by limiting access to time- to other updates that happened in unrelated extensions on the of- wasting websites), block unwanted advertisements and tracking, ficial extension store. In this way, our system uses known malicious sync with cloud-based password managers, and offer new ways to extensions as “seeds” to identify extensions with similar malicious organize tabs and bookmarks. updates which have not yet been detected by existing systems or flagged by users. To identify these seed extensions, we show howwe Permission to make digital or hard copies of all or part of this work for personal or can use user comments to detect negative anomalies, i.e., extensions classroom use is granted without fee provided that copies are not made or distributed that generally received positive ratings and suddenly start receiv- for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the ing negative ratings, consistent with users who were exposed to a author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or malicious extension after an update, and left a review to warn other republish, to post on servers or to redistribute to lists, requires prior specific permission users of that same extension. In this way, our system identified 45 and/or a fee. Request permissions from [email protected]. CCS ’20, November 9–13, 2020, Virtual Event, USA malicious extensions via negative-ranking anomalies which it used © 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM. to identify an additional 143 extensions, with 44% of them not yet ACM ISBN 978-1-4503-7089-9/20/11...$15.00 flagged (neither by users nor by the Chrome Web Store) as malicious. https://doi.org/10.1145/3372297.3423343 1 User Feedback Analysis Comments Malicious Keywords Extraction Detection Initial Malicious Seeds Webstore Crawling Filter Combination Same Extension Different Clusters Ratings Ratings Anomaly Extraction Detection Version Malicious API Source Comparison Detection Code 2 Javascript API Similarities Initial Total Clusters First Malicious Clusters Further Malicious Clusters (red) (yellow) . Figure 1: Data sources collection and workflow of our malicious extensions detection pipeline. Analysis from User Feedback 1 and malicious JavaScript clustering 2 from seed extensions Our main contributions are as follows: to user experience. According to our data (described in detail in Sec- • We conduct the largest to-date analysis of Chrome browser tion 3.1) approximately 450 extensions are updated or added to the extensions, with 922,684 unique extension versions analyzed, store each day, which currently holds more than 176K extensions. gathered in a period of more than six years. An issue with updates is that users who once trusted an extension • We present a novel approach to identify new malicious exten- and installed it will now automatically receive that extension’s up- sion clusters, utilizing both user feedback from the comments dated version. This is desirable for bug fixes and the introduction of and ratings on the webstore, as well as JavaScript code clus- newfeaturesbutithasalsobeenabusedbyattackerstoinfecttheuser- tering based on deltas of code updates. base of a once-trusted extension [11, 12, 34]. If a new update needs • We detect 21 clusters of malicious extensions and a total of more permissions compared to the one a user has already installed, 143 malicious extensions that exhibit behavior against the the user will have to accept these new permissions. Note, however, Chrome Web Store policies. Still online at the time of this writ- that extensions can easily request more permissions than necessary ing are 64 (44%) of them, victimizing a total of 2,458,881 users. from the very beginning, to avoid prompting users in the future. 2 BACKGROUND 2.3 Extension Source Code 2.1 Threat Model Extensions are distributed from the webstore in the form of a .crx file, which is a ZIP archive with a special header. Inside the CRX archive Our threat model involves attackers who use multiple techniques reside all extension files that consist of the extension’s source code to change the nature of an existing benign extension to include (JavaScript/HTML/CSS), local images and a manifest.json file [17]. malicious code which will be pushed to that extension’s user base The manifest is a JSON-formatted metadata file that describes the through the extension-update mechanism. These techniques include name, the version, the description and the permissions asked from but are not limited to compromising developer accounts, purchasing the extension. The two main categories of scripts in extensions are accounts from disinterested developers and injecting malicious ob- the background script and content script. The background script is fuscated code in exchange for a payment to the extension developer. a script running throughout the extension activity, responsible for most of the background functionality of the extension. There can 2.2 Webstore description be multiple background scripts in the same extension but most of The Google Chrome browser uses the Chrome Web Store [40] as the times there is only one background script responsible for all the the official repository for publishing and distributing extensions to background actions. Content scripts are JS files running in the con- users. A distinction between the extensions available on the web text of the visited webpage and utilizing the Document Object Model store is that they can be either listed or unlisted. Listed extensions (DOM) to modify the web pages.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    15 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us