- Three fake Firefox extensions have found their way into the Mozilla store.
- The add-ons are malicious data loggers that capture keyboard input and send it to the C&C server.
- The extensions are still available, highlighting the ineffectiveness of Mozilla’s checking process.
According to ghacks.net, a new wave of malware-ridden Firefox add-ons has found its way into the browser’s extensions store. Right now, the dangerous add-ons don’t have many users because they are new, but this could change if Mozilla is slow to remove them (they’re still available at the time of writing). The names of the add-ons are “Adobe Flash Player”, “ublock origin Pro”, and “Adblock Flash Player”. Obviously, the malicious actors are relying on deception, trying to trick people into thinking they’re getting something they need, like an ad blocker or the Flash Player.
When downloaded, the filename doesn’t even match the add-on’s fake name, which should be an indication that something is wrong. For example, ublock origin Pro downloads a file named “adpbe_flash_player-1.1-fx.xpi”. This particular extension is a fake copy of the real uBlock, making the situation even worse for users who are looking for that specific add-on. These counterfeit extensions monitor the users’ online activity, capture keystroke data, and send it all to the malicious C&C server. The question that arises is, how did these extensions manage to pass through Mozilla’s filters in the first place?
Simply put, the filters are based on automated checks, and this approach is obviously not working as expected. It surely is efficient and low-cost, and it undoubtedly helps developers publish their work quicker. However, publishing should only come after a checking step, especially when relying on automated verification systems. The only exception to this process is the extensions that belong to the “Firefox Recommended Extensions Program”, which are thoroughly reviewed and checked before they are published on the add-on store. In fact, this is not the first time Mozilla has found that its release and checking process causes malware and spam trouble.
If you are a Firefox user and you are unsure about the safety of an extension you want to install on your browser, check the user reviews, read the description of the add-on, and take note of the developer. Usually, fake add-ons are easy to spot when reading through these details, so you should never install something in a rush. If you want to be absolutely certain, just pick one of the “Firefox Recommended Extensions Program” add-ons. The same applies to Chrome, as Google’s browser extension policies are similarly loose.
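
The filename mismatch described above (a listing called “ublock origin Pro” that downloads “adpbe_flash_player-1.1-fx.xpi”) can be checked mechanically before installing. The Python sketch below is an added example, not code from Mozilla or ghacks.net; it goes one step beyond the article by also comparing the listing name with the `name` field of the package’s `manifest.json`, and the function names, the half-of-the-words threshold and the sample manifest are assumptions made for illustration.

```python
import io
import json
import re
import zipfile

def tokens(text):
    """Lower-case letter-only words; drops digits, separators and very short words."""
    return {t for t in re.split(r"[^a-z]+", text.lower()) if len(t) > 2}

def name_from_filename(filename):
    """Strip a '-<version>-fx.xpi' style tail, as in the article's example filename."""
    return re.sub(r"-\d[\w.]*(-[a-z]+)?\.xpi$", "", filename, flags=re.I)

def matches(listing_name, other):
    """True when at least half of the listing name's words appear in `other`."""
    want = tokens(listing_name)
    return bool(want) and len(want & tokens(other)) * 2 >= len(want)

def check_xpi(listing_name, filename, xpi_bytes):
    """Return a list of name-mismatch findings for one downloaded add-on."""
    findings = []
    if not matches(listing_name, name_from_filename(filename)):
        findings.append("filename does not match listing name")
    try:
        with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
            manifest = json.loads(xpi.read("manifest.json"))
    except (zipfile.BadZipFile, KeyError, ValueError):
        return findings + ["no readable manifest.json"]
    name = str(manifest.get("name", "")) if isinstance(manifest, dict) else ""
    # Localized names are placeholders (__MSG_key__) resolved from _locales/; skip them.
    if not name.startswith("__MSG_") and not matches(listing_name, name):
        findings.append("manifest name does not match listing name")
    return findings

def make_xpi(manifest):
    """Build a minimal in-memory .xpi (a ZIP archive) for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()

# Constructed sample: listing name and filename are from the article, the manifest is invented.
SAMPLE = make_xpi({"manifest_version": 2, "name": "Adobe Flash Player", "version": "1.1"})

if __name__ == "__main__":
    print(check_xpi("ublock origin Pro", "adpbe_flash_player-1.1-fx.xpi", SAMPLE))
```

A clean result only means the names are consistent; it says nothing about what the extension’s code does.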