The two extensions, which are called “Add to Feedly” and “Tweet This Page”, were previously reputable applications with solid reviews on the Chrome Web Store.
However, in the latest sign that cyber criminals are looking at new ways to infiltrate popular web services, both attacks were made possible after scammers offered to buy each application from its developer. They were then able to take advantage of each application's auto-update facility to distribute a malware-infected version that served up intrusive ads to trusted users.
Amit Agarwal, the developer of “Add to Feedly”, revealed that he sold the application to an unknown owner via PayPal after receiving a sizeable offer.
“It was a four-figure offer for something that had taken an hour to create and I agreed to the deal,” wrote Agarwal on his blog. After taking over the application, which is said to have approximately 32,000 users, the unknown owner added code to the browser extension, which automatically updated on users' computers, so that it served invasive ads to people who browsed the Internet.
Agarwal expressed regret at his decision, but said that users are still able to avoid the malicious software.
“The extension does offer an option to opt-out of advertising (you are opted-in by default) or you can disable them on your own by blocking the superfish.com and www.superfish.com domains in your hosts file, but quietly sneaking ads doesn't sound like the most ethical way to monetise a product.
“It was probably a bad idea to sell the Chrome add-on and [I] am sorry if you were an existing user.”
Hackers employed the same tactics to serve ads, redirect links and take over Google searches on another Chrome extension, “Tweet This Page”, while the maker of another extension revealed that he too had been approached by hackers.
“Over the past year we've been approached by malware companies that have tried to buy the extension, data collection companies that have tried to buy user data, and adware companies that have tried to partner with us. We turned them all down,” said ‘gemusan’, the founder of ‘Honey’.
“Usually [they] start with an email and progress to a call,” explained the co-author on Reddit. “I've spoken to a few on the phone and they sound just like normal people proposing a business deal. I'm sure they've justified what they do in their own mind so they don't sound shifty or unsure at all. Mental gymnastics is an amazing thing.”
The developer was keen to point out that his application has not been taken over.
Users who have either of the malware-ridden extensions installed are urged to remove the application in question.