
Malicious Microsoft Edge extensions are mimicking popular VPN apps

Microsoft has been forced to remove a series of malicious browser extensions from the Edge library, some of which were masquerading as popular VPN services.

Removed in late November, the Edge add-ons were found to be inserting advertisements into victims’ search results as a means of generating revenue for the operators.

In a bid to hoodwink Edge users, the add-ons were dressed up as popular VPN services NordVPN, Adguard VPN and TunnelBear VPN, as well as Ublock Adblock Plus, Greasemonkey and Wayback Machine.

Edge extensions ported from Chrome

A second group of dangerous extensions were found to have been ported over from original, bona fide Chrome add-ons. Malicious code was then injected and the extensions published to the Microsoft Edge add-on library.

Add-ons that fall under this category include:

  • The Great Suspender
  • Floating Player - Picture-in-Picture Mode
  • GoBack with Backspace
  • friGate CDN - smooth access to websites
  • Full Page Screenshot
  • One Click URL Shortener
  • Guru Cleaner - cache and history cleaner
  • Grammar and Spelling Checker
  • Enable Right Click
  • FNAF
  • Night Shift Redux
  • Old Layout for Facebook

Extensions are an important part of the modern browsing experience, allowing users to introduce additional functionality and customization in line with their specific needs.

Often, as with the above, add-ons provide a faster route to achieving an end goal (e.g. taking a screenshot of a full webpage) than would otherwise be possible with the default browser configuration.

However, it appears Microsoft has a few kinks to iron out in the vetting process for the Edge Add-ons store, which is still in beta. It is unclear how unauthorized third parties were able to publish add-ons in the name of reputable businesses.

Cybercriminals have long used the Chrome and Firefox extension stores to distribute malicious add-ons, so the problem is by no means unprecedented. But as the Edge user base expands, Microsoft will have to be increasingly alert to this popular attack vector.

Users who suspect they may have installed any of the offending Edge add-ons are advised to remove them via the “edge://extensions” portal.

Via ZDNet