Abstract
Due to the surging popularity of various cryptocurrencies in recent years, a large number of browser extensions have been developed as portals to access relevant services, such as cryptocurrency exchanges and wallets. This has stimulated a wild growth of cryptocurrency-themed malicious extensions that cause heavy financial losses to users and legitimate service providers. They have shown their capability of evading the stringent vetting processes of the extension stores, highlighting a lack of understanding of this emerging type of malware in our community. In this work, we conduct the first systematic study to identify and characterize cryptocurrency-themed malicious extensions. We monitor seven official and third-party extension distribution venues for 18 months (December 2020 to June 2022) and have collected around 3600 unique cryptocurrency-themed extensions. Leveraging a hybrid analysis, we have identified 186 malicious extensions that belong to five categories. We then characterize those extensions from various perspectives, including their distribution channels, life cycles, developers, illicit behaviors, and illegal gains. Our work unveils the status quo of cryptocurrency-themed malicious extensions and reveals their disguises and programmatic features on which detection techniques can be based. Our work serves as a warning to extension users and an appeal to extension store operators to enact dedicated countermeasures. To facilitate future research in this area, we release our dataset of the identified malicious extensions and open-source our analyzer.
Characterizing Cryptocurrency-themed Malicious Browser Extensions. In SIGMETRICS '23: Abstract Proceedings of the 2023 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems.