But the new report highlights the potential for fraudulent extensions to do harm and compromise a wide variety of systems.
“The actors behind these activities have established a persistent foothold in almost every network,” researchers at Awake said.
Google confirmed that all the browser extensions flagged by Awake have since been removed.
“We appreciate the work of the research community, and when we are alerted of extensions … that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesperson Scott Westover said in a statement provided to CNN Business. “We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.”
Awake linked all the extensions associated with the spying campaign back to Galcomm, an Israeli web hosting company that claims to manage around 250,000 browser domains.
“By exploiting the trust placed in it as a domain registrar, Galcomm has enabled malicious activity that has been found across more than a hundred networks we’ve examined,” Awake researchers said in the report, adding that they found more than 15,000 Galcomm domains that were “malicious or suspicious.”
“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Moshe Fogel told Reuters. Google did not comment on Galcomm’s role in the campaign.
“In addition to disabling the accounts of developers that violate our policies, we also flag certain malicious patterns we detect in order to prevent extensions from returning,” he added.