As antivirus apps get better at spotting malicious processes, bad actors step up their game to counter them. The arms race has gotten so intense that malicious agents are beginning to deploy some seriously nasty tactics to fool people into installing and keeping a virus on their system. Now, researchers have found a new attack vector that can impersonate your active extensions and hide in plain sight, though you shouldn't panic just yet.

Polymorphic extensions make malware even more complicated to detect

As spotted by The Hacker News, researchers at SquareX Labs posted an article about how this new attack vector works. It impersonates legitimate extensions installed on your browser, then asks you for your username and password. Its main goal is to fool you into believing the real extension is asking for your login details, when you're actually handing them over to a scammer.

Here's how the attack works. First, the scammer develops a malicious extension. SquareX Labs' example describes a bad actor creating an AI transcription extension, which they advertise away from Google Play to avoid the store's malware detection systems. The app urges people to pin the extension to their browser so it's always visible.

To maintain its cover, the app will perform exactly the duty it advertises. However, over time, the extension will harvest data on the extensions you use, including some of the top targets that people often enter their personal data into. Once it finds one, it waits for the perfect moment to strike.

In the researchers' example, the malicious app selects an installed 1Password extension as its target. When the malware detects that you have clicked on a login form, it silently disables 1Password and changes its own icon to impersonate it. This means that when you click on what looks like the 1Password extension to grab your login details, you end up opening the fake app instead. This fake app then claims that your session expired and you must log back into 1Password to get your passwords.
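As an added illustration, not code from the article or from SquareX Labs: the behaviour described above, listing a user's other extensions and silently disabling one of them, goes through Chrome's management extension API, which an extension can only call if its manifest requests the "management" permission. That is a fact about the Chrome API rather than something the article states. The script below, written for this page, scans extension manifests for that permission so that a defender can review which installed extensions are even capable of this trick. The two sample manifests, the extension names and the profile path are constructed for the example; on Linux, Chrome keeps unpacked copies of installed extensions under `~/.config/google-chrome/Default/Extensions`, which is where you would point `scan_extension_dir` in practice.

```python
"""Flag installed browser extensions whose manifest requests the 'management'
permission, the capability an extension needs to enumerate or disable other
extensions. Example code written for this article; sample data is constructed."""
import json
import tempfile
from pathlib import Path
from typing import List, Optional, Set

# Permissions worth a second look. 'management' is the one the impersonation
# trick described in the article would depend on; legitimate extensions that
# need it (extension managers, some enterprise tools) are rare.
SUSPICIOUS_PERMISSIONS = {"management"}

# Constructed sample manifests: one ordinary note-taking extension and one
# "transcription" extension that also asks to manage other extensions.
SAMPLE_MANIFESTS = {
    "benign": {
        "manifest_version": 3,
        "name": "Quick Notes (constructed)",
        "permissions": ["storage", "activeTab"],
    },
    "transcriber": {
        "manifest_version": 3,
        "name": "AI Transcriber (constructed)",
        "permissions": ["storage", "tabs", "management"],
        "optional_permissions": ["downloads"],
    },
}


def permissions_in(manifest: dict) -> Set[str]:
    """Collect both required and optional permissions from a manifest."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    return perms


def flag_manifest(manifest: dict) -> Optional[dict]:
    """Return a finding dict if the manifest requests a suspicious permission."""
    found = permissions_in(manifest) & SUSPICIOUS_PERMISSIONS
    if not found:
        return None
    return {"name": manifest.get("name", "<unnamed>"), "permissions": sorted(found)}


def scan_extension_dir(root: Path) -> List[dict]:
    """Walk a profile's Extensions directory and flag every manifest.json that
    requests a suspicious permission. Unreadable or malformed manifests are
    skipped rather than aborting the scan."""
    findings = []
    for manifest_path in sorted(root.rglob("manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue
        finding = flag_manifest(manifest)
        if finding:
            finding["path"] = str(manifest_path)
            findings.append(finding)
    return findings


def demo() -> List[str]:
    """Write the constructed manifests into a temporary profile layout, scan
    it, and return the names of the flagged extensions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for ext_id, manifest in SAMPLE_MANIFESTS.items():
            # Real profiles use <extension id>/<version>/manifest.json.
            ext_dir = root / ext_id / "1.0.0"
            ext_dir.mkdir(parents=True)
            (ext_dir / "manifest.json").write_text(json.dumps(manifest))
        return [f["name"] for f in scan_extension_dir(root)]


if __name__ == "__main__":
    for name in demo():
        print("review:", name)
```

A flagged extension is not proof of malice, but it is the short list worth reviewing by hand: an extension sold as a transcription tool has no business asking to manage your other extensions.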

Of course, because this is a fake version of 1Password, entering your details into it does nothing other than hand your login credentials to a scammer. They can then use your data to crack open your 1Password vault and gain access to all of your accounts.

So, should you be keeping an eye on your extensions and looking for an "infected" one like some sort of browser-based version of The Thing? Not quite. Fortunately, researchers have discovered this exploit before the bad actors have, and the fact that they're publicly reporting it means it has already been reported to browser designers. However, it is a good wake-up call to always install extensions via the Google Play store; even then, make sure you're downloading something trustworthy and vouched for by others.