Polymorphic Chrome Extensions Are a Digital Sleight of Hand
Browser extensions are just one of many opportunities for threat actors to introduce malware into a victim's environment. So-called "drive-by download" attacks also leverage desktop applications and rogue mobile applications to gain access to victims' devices and execute malicious code. The Google Play store has recently changed its policies and removed hundreds of rogue apps to protect Android users. Apple does the same for its App Store. Keeping app stores free from malware is a delicate balance between making a profit, incentivizing new developers, and keeping users safe.
However, a novel technique discovered by security researchers doesn't rely on desktop or mobile app stores at all. Instead, polymorphic Chrome extensions leverage the access privileges of a Chrome browser extension to pull off a deception reminiscent of the old-fashioned "bait and switch" scam or a Criss Angel magic trick. The hack is a tricky and covert app replacement that leaves users believing they are using a secure app, while in reality they are interacting with the hacker's decoy. Let's dive into the details.
What Are Polymorphic Browser Extension Attacks?
Polymorphic literally means "having multiple forms." In cybersecurity, it refers to malware or phishing attacks that dynamically change their code or behavior to evade detection. In this case, polymorphic browser extensions impersonate other installed extensions, including password managers, crypto wallets, and banking apps, by altering their appearance and functionality in real time. These extensions can temporarily disable the legitimate extension while displaying a perfect replica, tricking users into entering sensitive credentials into a phishing form.
The discovery of polymorphic browser extensions was made by SquareX Labs, a cybersecurity research team that investigates emerging threats in browser security. Their researchers found that these malicious extensions abuse common browser APIs, such as chrome.management, to find and disable other legitimate extensions the user has installed, and then change themselves to imitate them.
SquareX responsibly disclosed their findings to Google, warning that this attack method presents a serious security risk to users of Google Chrome and other Chromium-based browsers like Edge. Despite their disclosure, Google has yet to apply countermeasures to prevent these attacks.
How Do Polymorphic Extensions Work?
Polymorphic browser extensions operate by dynamically altering their behavior and appearance to impersonate legitimate browser extensions. These extensions begin as seemingly harmless tools, often advertised as productivity enhancers, AI utilities, or other useful add-ons. Once installed, they use the chrome.management API if the user has granted that permission; otherwise, the rogue extension falls back to web resource injection techniques to stealthily detect other installed extensions.
When a high-value target—such as a password manager or crypto wallet—is identified, the polymorphic extension disables the legitimate one, modifies its own appearance to match, and serves a phishing form to steal credentials. After exfiltrating the stolen data to an attacker-controlled server, it reverts to its original state, making the attack difficult to detect.
The Process of a Polymorphic Browser Extension Attack
Social Engineering for Initial Access: Attackers disguise the malicious extension as a legitimate tool, such as an AI-based productivity enhancer or a marketing assistant. Through social engineering techniques, including online ads, social media promotions, and fake reviews, attackers can persuade users to install and pin the extension to their browser toolbar.
Enumerating Installed Extensions: Once installed, the extension determines which other extensions are present in the victim's browser. If it has access to the chrome.management API, the rogue extension directly queries the list of installed extensions. If not, it can inject scripts into web pages to check for unique indicators of popular target extensions such as 1Password or MetaMask.
Command and Control: After enumerating for extensions to spoof, the extension calls back to a remote attacker-controlled server. The attacker can then decide whether to activate the polymorphic behavior.
Morphing to Spoof a Legitimate Extension: If a target is identified, the malicious extension undergoes transformation by renaming itself, changing its icon, and generating a pixel-perfect replica of the targeted extension’s interface. This allows it to deceive users into believing they are interacting with their legitimate password manager, banking app, or crypto wallet.
Disabling the Legitimate Extension: The polymorphic extension either uses the chrome.management API to disable the original legitimate extension or, if lacking sufficient permissions, manipulates the browser UI to hide it from view. This ensures that users interact only with the fake extension, reducing the chances of suspicion.
Phishing Attack and Data Exfiltration: When a victim tries to use the fake extension, they are prompted with a login request identical to the legitimate one. From there, the victim enters their credentials, which are immediately sent to the attacker’s server. In some cases, the extension may also request additional authentication factors, such as MFA codes.
The Switchback: After stealing credentials, the malicious extension reverses its modifications and re-enables the real extension. This erases evidence of tampering, making it unlikely that the victim will notice anything unusual until the stolen credentials are used for unauthorized access.
Implications for the Victim
The consequences of this attack are severe. Attackers can use stolen credentials to access sensitive accounts. Depending on the nature of the compromised accounts, attackers could proceed with a wide array of second-stage tactics.
If those accounts have financial features, attackers can steal funds, make fraudulent purchases, steal other sensitive data for use in credit fraud or identity theft, or launch further attacks from the victim's accounts using the victim's identity. Also, because the malicious polymorphic extension can revert to its original state, security teams may struggle to detect the attack.
How to Protect Yourself From Polymorphic Extensions
To defend against polymorphic extensions, users should exercise extreme caution when installing browser add-ons, even those from official stores like the Chrome Web Store.
Here are actionable tips to avoid being hacked by rogue extensions:
Always verify the legitimacy of an extension by checking its developer, reading independent reviews, and avoiding extensions with vague descriptions or few downloads.
Be especially wary of extensions that request excessive permissions, such as those involving chrome.management or activeTab access.
Regularly audit installed extensions and disable or remove any that seem unnecessary or suspicious.
Implement browser-native security tools that analyze extensions dynamically, detecting runtime behavior anomalies instead of relying solely on permission-based policies.
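As an added defensive example (not SquareX Labs' research code or anything from the original post), the script below audits the manifest.json of installed extensions for the permissions named in the tips above and the two enumeration paths described in the attack steps: chrome.management access, and activeTab/scripting or broad host access that enables page injection. The profile directory layout and the sample manifests are assumptions constructed for illustration.

```python
"""Audit Chrome extension manifests for the capabilities described in the post.
Added example, not SquareX Labs' or the post's code; paths and samples are constructed."""
import json
import os

# "management" can list/disable other extensions; "activeTab"/"scripting" plus
# broad host access enable the page-injection fallback for enumerating them.
RISKY_PERMISSIONS = {"management", "activeTab", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return flagged permissions, broad host access and a review verdict."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # MV2 puts host patterns under "permissions"; content scripts carry their own.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    flagged = sorted(perms & RISKY_PERMISSIONS)
    broad = sorted(hosts & BROAD_HOSTS)
    # Either enumeration path from the post: chrome.management, or site-wide injection.
    review = "management" in perms or "activeTab" in perms or bool(broad)
    return {"name": manifest.get("name", "?"), "flagged": flagged,
            "broad_hosts": broad, "review": review}


def scan_extension_dir(root: str) -> list:
    """Audit every <root>/<extension id>/<version>/manifest.json in a profile."""
    results = []
    for ext_id in sorted(os.listdir(root)):
        ext_dir = os.path.join(root, ext_id)
        for version in (sorted(os.listdir(ext_dir)) if os.path.isdir(ext_dir) else []):
            path = os.path.join(ext_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8-sig") as fh:  # tolerate a BOM
                    results.append({"id": ext_id, **audit_manifest(json.load(fh))})
    return results


# Constructed sample manifests, not real extensions.
SAMPLES = [
    {"name": "Note Taker", "manifest_version": 3, "permissions": ["storage"]},
    {"name": "AI Helper", "manifest_version": 3,
     "permissions": ["management", "storage"], "host_permissions": ["<all_urls>"]},
    {"name": "Coupon Finder", "manifest_version": 3, "permissions": ["scripting"],
     "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}]},
]

if __name__ == "__main__":
    for verdict in map(audit_manifest, SAMPLES):
        print(verdict)
```

Point scan_extension_dir at a Chrome profile's Extensions folder to get one verdict per installed extension version; a True review verdict means the extension holds the capabilities described above, not that it is malicious.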
Ultimately, users should expect Google to enhance Chrome's security model. Possible solutions include restricting UI modifications by requiring moderator approval, and using AI to detect fraudulent changes that attempt to mimic well-known apps, preventing deceptive impersonation attacks.
Conclusion
A new attack dubbed the "polymorphic browser extension" has been discovered by security researchers at SquareX Labs. The attack method allows malicious extensions to impersonate legitimate ones, such as password managers and crypto wallets. By combining social engineering with browser API abuse and a loophole that fails to validate changes to browser extensions, the technique is poised to be very effective at tricking users into handing over sensitive information. This technique, reminiscent of a traditional "bait and switch" scam, allows malicious extensions to covertly morph, putting unsuspecting users at risk.