Google Chrome Addons Youtube Video Downloader


Evangelino Cousteau

Jul 11, 2024, 5:48:56 PM7/11/24
to insegapor

When I looked into this extension, I immediately discovered a strange code block. Supposedly, it was buggy locale processing. In reality, it turned out to be an obfuscated malicious logic meant to perform affiliate fraud.



Download https://cinurl.com/2yKDZc



But wait, there is some functionality to update the rules! Except: why would someone put rule updates into a tabs.onUpdated listener? This is the code running whenever a tab finishes loading (simplified):

This function is either used with a parameter to decode Base64, or without parameters to obfuscate a JSON.parse() call. When you start looking how these weird functions are used, it all leads to the locales() function:

With the instructions missing, understanding the code is tricky. Many calls can be guessed by their signature however. In particular, I can see an HTML element being created to initiate a web request. Additional data is then being extracted from the HTTP headers of the response. Presumably, the actual response data is something innocuous, meant to throw anyone off track who is monitoring network traffic.

After that at least two listeners are registered, presumably for webRequest.onBeforeSendHeaders and tabs.onUpdated events. While the former replaces/adds some HTTP header, the latter manipulates addresses and redirects some websites.

In case the name The Great Suspender sounds familiar and you are surprised to see it here: The Great Suspender used to be an open source extension, its code is still available on GitHub. Somebody took it and added some malicious code to it. Very similar code can be found in the Flash Video Downloader extension.

So p is what this code looks for in a website address. If a match is found (and a number of other conditions met), you will be redirected to where is the digit in the pr key and the second value in the array stored under the r key. All the redirects happen via the domains prj11[.]com, prj12[.]com, prj13[.]com, prj14[.]com, prj15[.]com.

Well, 13 almost identical video downloaders, 9 almost identical volume boosters, 9 almost identical translation extensions, 5 almost identical screen recorders are definitely not providing value. What they do is making it harder for people to find proper products that solve their problem.

Out of the 109 extensions listed, 102 request access to all websites, often paired with the tabs privilege. This privilege level is essential in order to conduct affiliate fraud: it allows detecting when you are about to visit a particular website.

Almost none of these extensions need this level of access for their functionality. In most cases, permissions for a single domain or the far less problematic activeTab permission would have been sufficient. In fact, in quite a few extensions one can still see https://*.youtube.com/ or activeTab in the list of permissions, only to be followed up by that the developers added later for reasons unrelated to functionality.

The webRequest API and its Manifest V3 pendant declarativeNetRequest API are among the most powerful tools available to browser extensions. They allow extensions to watch all the web requests being performed by the browser. In combination with the webRequestBlocking permission, they also allow blocking any web requests or even replacing web server responses.

This is the kind of functionality required to run an ad blocker, but rarely anything else. So very few extensions should be requesting these permissions. Yet 66 out of 109 extensions (61%) on my list do. For reference: when looking at extensions with similar popularity in all of Chrome Web Store, I count only 35% of them requesting these permissions.

Tab Suspender extension took another approach: it incorporated some very rudimentary and error-prone tracker blocking functionality. It makes no sense in this extension, and most likely no user enables it. But it is used as justification for the webRequest permission.

Other than the ad blockers, only some of the downloader extensions seem to have webRequest functionality that is actually useful. Yet even those got additional dummy calls, just in case. The honorary mention goes to the Classic 2048 extension which includes a dummy webRequest call without even requesting the webRequest permission.

Normally, extensions are protected by the default Content Security Policy that allows only code contained within the extension to run. Malicious extensions often want to circumvent this security mechanism however, so that they can put the malicious code on some web server where it cannot be as easily inspected.

The extensions here take an easier route and relax the Content Security Policy restrictions instead. 32 out of 109 extensions (29%) allow 'unsafe-eval' in their extension manifests. For comparison, only 9% of the similarly popular extensions in Chrome Web Store do this.

Obviously, the purpose of these requests is transmitting data about the user: which extension, which version and, most importantly, which user. Each user is assigned a unique randomly generated identifier that is sent along with all requests.

Clearly, providing a great user experience was never the goal of these extensions. Their idea was rather making it seem like the extension is working with as little effort as possible. The better extensions appear to be based on some previous work, either open source code or an existing product that changed hands. Others have been built from scratch and barely function at all.

Some reviews show that at least some of the extensions used to have an entirely different purpose. For example, not all the ChatGPT extensions are new. At least one of them used to be a translation extension which got repurposed.

So I was very surprised to discover that Moment Dashboard and Infinite Dashboard extensions list a developing company in their privacy policies. These extensions are monetizing themselves via the search field on the new tab page, so maybe the developers considered this business model legal enough to mention a name.

Either way, Moment Dashboard is developed by Kodice LLC based in Dubai, United Arab Emirates, and Infinite Dashboard is developed by Karbon Project LP based in London, UK. Yes, two different companies, despite these two extensions being close to identical.

And that uTab Dashboard? Developed by another London-based startup: Appolo One LTD. Coincidentally, their founder happens to be a partner at Kodice LLC. And he is also the CTO who is recruiting developers for the Hong Kong-based BroCode LTD. No, not in Hong Kong but for the office in Kharkiv, Ukraine (before the war).

Either way, these companies describe themselves as specializing in advertising and affiliate marketing. Karbon Project has existed since 2011 according to their website. While their incorporation papers show it being founded in 2018 by two companies based in the Seychelles, there is in fact evidence that it existed prior to that.

And they apparently already made a name for themselves as makers of potentially unwanted software. In addition to browser extensions, they also publish at least two web browsers. I checked the corresponding installers with VirusTotal and: surprise, they are being detected as trojans! [1] [2]

Note that only the first four of these extensions are currently malicious from what I can tell. However, they were clearly created with the intention of abusing extension privileges at some point. Note also that the extension names change frequently and only the IDs can be used to reliably identify an extension.

Update (2023-06-12): The complete list of extension IDs from this article series can be found here. This repository also contains the check-extensions command-line utility which will search local browser profiles for these extensions.

Change directory to your Chrome profile extensions directory (on macOS, run cd "$HOME/Library/Application Support/Google/Chrome/Default/Extensions" for the default profile) and run the following:

# The "|" separators between "ls" and "grep" and between the 32-character
# extension IDs were lost in this copy, so the IDs are stored as one string,
# split back into one ID per line with fold, and rejoined into a grep
# alternation with paste.
ids='gbdjcgalliefpinpmggefbloehmmkncaeggeoellnjnnglaibpcmggjnjifeebpiionpbgeeliajehajombdeflogfpgmmeljaekigmcljkkalnicnjoafgfjoefkpegaeilijiaejfdnbagnpannhdoaljpkbheafdfpkhbdpioonfeknablodaejkklbdnanflghppebdhjipndogapfagemgnlblhanmbbeeiaollmpadookgoakpfjkbidafbebmphofpgkhclocdbgomhnjcpelbenhbmkgbgkneealfabgnjfeljaiegpginplccjlpblmgkncnnimcmbanbnhbggdpkiecclhgechkjghfaoebihpklmllnnlnbdbcfegchignldpfnjpodhcklmgleaoanhicfllfglbkmnbkcibbjoghimalbileaiccjljdgfhkjbdbkcdkfojleidpldagmaocoabfkgengacobjpmdlmmihhhfnhbjdmdcaffjpclkkjfacgfofgpjbmgjnjlpmhdjekgpcemgcnfkjldcclcpcjhemofcibdkbccihpiccbcheieabdbjikohfdfajedlpimjmonhbmamocpboifndnnakgknbfdmbjkidogjmmlejdmnecpmfapdmidfjgdneifdhdmnmmlobjbimlkcnhkbidmlekdoiiaejbgndnnnomcdhefcbfnbbjfbibdpfofggmkhdbfcciajfdphofclabnogoeabhkjojehdleajkbigffmpnaelncappealojglnbikknifbgleaceopepceakfnebdbcfomjliacpblnioignhfhjeajpchedlifbnjlicfpckhgjhflgkeeibhhciiehmneimbopigfgchjglgngamiccjkijhehpgcagmhpndkmglombjndkdmggkgngeekjogkoigkhbgdgpolejnjfmhdcgaoofelpdbicokgbedckgblmbhoamophfbchiemeokgokialpjadjaoeiplmnkjoaegngeokjikchkppnkdipbiggnmlkahcdkikpepeigjgefhajkiiallmfblgglmdbhfabeplfglplnlljjpeiccbgnijecmkeimedfbbjijdngocdplimineplmdllhjkaecefbjhgeaafhlbjiejehpjdnghinlcceakfedchalbmgfhdobblebblldiblbmpgdjfobaamfiblkoobhjpiigemmdegbmpohdgaiceihehajjahakcglkhmdbbdclbnlfgceehiicnbpehbbdaloolaanlnddailmggacghlcchiiejclfdajbpkbjfgjhfolgjjbmfigjpgnehjioicaalopaikcnheogpdfpljioapjogbnlpmganakfjcemifkhjlekdknhjogancdagnndeenmobeofgmhlbdhflagoegglpdminhlpenkdgloabehnfabcchmopgohnhkcojhocneefbnffgiabflonngmpkalkpbjonemaamlgdgheaibppednjgooiepmkgdcoppnmbhmieefhicchadngbpkcegnabnabhkjkfkfflmpjielooaepfhfcnmihgnabkldnpddnnldlifdepgnnjpnbkcgempionjablajancjcijejnggjjphlenbhmjhhgcdpehhacaaliklgljbighkgbjoecoddejooldolenbjimopknpgdihifjkjpmjaagcagkefddn'
ids="$ids"'bjchmabokofdoabocpiicjljelmackhhojdlkkmamiaikhfampledjnhhkbeifokkjglemppahimembneahjbkhjknnefeeiojiaopkfkampgnnkckajcbdgannoipcnejjgnkfncaadmaobenjjpmngdpgalemhojlbpahgopcmomkgegpbmopfodolajhbljpefmbpcbebpjpmelobfakahfdcgcmklkhdnaopfklkdcloiinccnaflffmfcioakjgkmceledmpdnmgmppiekdbnamccdjplaameccjpleogmfhilmffpdbiibgbekflagdcjmbchphhndlbpfajelapcodeklllbohagbplppjcpllnhdichjldhfgkicbledkggjjapdgojgihnaploncccgiadhglgecddhfcfhlmllljooldkbbijdcnlpelkahpjghmdhpiojknppmlenngmpkkfmalkciiknpgglgbbcgcpbpobjabglmpklelkhhagecaghfakddbncibijbjmgfhfdmlknpbgnookklokdjomiildnlalffjmmalojpdfjjionbhgplcangflkalmiadhfimdkiofbiinbmlblcfhfjgmclhdfikkpmmeffljleomgifbbcffejnmhjagncfpbdmejjgaogggabifjfjdbnobinfibaamlamhpcabliilgadobjpkameggapnpeppdgmkjjckchdfhjbpckippbnipkdnlidbebmldaiedoebimcgkokmknonjefkionldimlkjjjmhjijlmafgjlpkiobpdocdbncjmndiaaeaiclnmjcnacogaacoejchdclpmnlohknjofogcljbcknkakphddjpijaknhnfcgpcbfclhfafjlooihdfghaeinfcninecedhhpccjifamhafbdelibdjibgdnmigaijibiabddkkmjhlehchpmgbokfjnpdkkcjlmhcnnaoobfdjndibfkkhhdfnoakbcaafbicdddpdlhbchhpblmhefnghobdhcplpbliifflekgclobogbdliddjdocginjipilabheemhfbedijlhajbcabhoepjogknopbbibcjcojmedaepolkghpbofpnikijgfhlmmjlpkfaifhhdonchhoiogadflejmplcdhcldlloonbiekhnloppogfjgagnmkiigilnoiabkbbajinanlbnokkffdhbfplmbjblhgapnchjinanmnijoodkhhminilgphkdofffddlgopkgbgpmpegfdldddiilihjahcpdehhhfcbibipgphfkifnjcmdcmljnnablahicoabkokbgphjbepamfhjgjdgmbhmfflhnlohldchbpjbgfifennfhnbkhoidkdchbflppjncbplmlopfeeobajiecodiggabcihohcngepmilcmjbofinpnbnpanpdadijibcgifcpmnphobdokkajkpbkajlaiooipfcpgiopnanegnllonoiklmmlegcaajoicfifcmpnlphjjfielecalmmjjdhjjninkbjdodpooaemmkohlphkekccfajnbcokjlbehk'
ls | grep -E "($(printf '%s' "$ids" | fold -w 32 | paste -sd '|' -))"
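The permission and CSP checks described above (all-sites host access paired with the tabs privilege, the webRequest family of permissions, 'unsafe-eval' in the extension manifest) and the local-profile ID check, as an added example that is not part of this post or of any extension or company it mentions: a Python script that walks a Chrome profile's Extensions directory, which it assumes is laid out as Extensions/<id>/<version>/manifest.json, audits every manifest it finds and matches IDs against a known-bad set. The three manifests and 32-character IDs it audits are constructed, and the known-bad set is a placeholder.

```python
"""Audit Chrome extension manifests for the permission and CSP patterns
described above and flag IDs on a known-bad list. Added example; the
manifests, IDs and known-bad set below are constructed, not real."""
import json
import os
import tempfile

# Host patterns that grant access to every site.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension observe or alter network traffic.
TRAFFIC_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                "declarativeNetRequestWithHostAccess"}


def extension_pages_csp(manifest):
    """Return the CSP applied to extension pages for a MV2 or MV3 manifest."""
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):  # MV3: object keyed by context
        return csp.get("extension_pages", "")
    return csp or ""  # MV2: plain string, or absent (Chrome's default applies)


def audit_manifest(manifest):
    """Return a list of findings (strings) for one parsed manifest.json."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    if hosts & ALL_SITES:
        findings.append("all-sites host access")
        if "tabs" in perms:
            findings.append("tabs + all-sites: can see every page the user visits")
    apis = sorted(perms & TRAFFIC_APIS)
    if apis:
        findings.append("traffic interception: " + ", ".join(apis))
    if "'unsafe-eval'" in extension_pages_csp(manifest):
        findings.append("CSP relaxed with 'unsafe-eval'")
    return findings


def audit_profile(extensions_dir, known_bad_ids=frozenset()):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (assumed Chrome
    layout) and return {extension_id: [findings]}."""
    report = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_dir = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        findings = ["ID is on the known-bad list"] if ext_id in known_bad_ids else []
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8-sig") as fh:  # tolerate a BOM
                    findings += audit_manifest(json.load(fh))
        report[ext_id] = findings
    return report


# Constructed sample data: three fake 32-character IDs and their manifests.
ID_DOWNLOADER, ID_MINIMAL, ID_MV3 = "a" * 32, "b" * 32, "c" * 32
SAMPLE_MANIFESTS = {
    ID_DOWNLOADER: {  # MV2, over-privileged, CSP relaxed
        "manifest_version": 2, "name": "Sample Video Downloader",
        "permissions": ["tabs", "<all_urls>", "webRequest",
                        "webRequestBlocking", "storage"],
        "content_security_policy":
            "script-src 'self' 'unsafe-eval'; object-src 'self'",
    },
    ID_MINIMAL: {  # MV3, least privilege: one domain plus activeTab
        "manifest_version": 3, "name": "Sample Minimal Downloader",
        "permissions": ["activeTab", "storage"],
        "host_permissions": ["https://*.youtube.com/*"],
        "content_security_policy": {"extension_pages": "script-src 'self'"},
    },
    ID_MV3: {  # MV3 with all-sites access and request rewriting
        "manifest_version": 3, "name": "Sample Dashboard",
        "permissions": ["declarativeNetRequest", "storage"],
        "host_permissions": ["<all_urls>"],
    },
}


def run_demo():
    """Write the sample manifests into a temporary profile layout and audit it."""
    root = tempfile.mkdtemp()
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        vdir = os.path.join(root, ext_id, "1.0.0_0")
        os.makedirs(vdir)
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    # Placeholder known-bad set; a real one would be taken from a list like the
    # grep alternation in the post above.
    return audit_profile(root, known_bad_ids={ID_MV3})


if __name__ == "__main__":
    for ext_id, findings in run_demo().items():
        print(ext_id, "->", findings or ["no findings"])
```

Against a real profile, call audit_profile with the path to the Extensions directory and the ID set you trust; both permissions (MV2) and host_permissions (MV3) are read because the two manifest versions put host patterns in different places, and the CSP is read as a string or as the MV3 extension_pages object for the same reason.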
