Fake crypto-wallet extensions appear in Chrome Web Store once again, siphoning off victims' passwords

Three weeks after Google removed 49 Chrome extensions from its browser's software store for stealing crypto-wallet credentials, 11 more password-swiping add-ons have been spotted – and some are still available to download.

The dodgy add-ons masquerade as legit crypto-wallet extensions, and invite people to type in their credentials to access their digital money, but are totally unofficial, and designed to siphon off those login details to crooks.

Harry Denley, director of security at MyCrypto, who identified the previous lot of bad extensions, told The Register at least eight among the latest crop of 11 impostors, pretending to be crypto-wallet software KeyKeep, Jaxx, Ledger, and MetaMask, have been taken down.

Denley provided The Register with a list of extension identifiers, previously reported to Google, and we were able to find some still available in the Chrome Web Store at time of writing.

Dan Finlay, lead developer of MetaMask, took to Twitter to get help from Google, because "it seriously sometimes seems like they're only optimized to respond to social media outrage."

Finlay complained that Google keeps approving extensions made by phishers. "The quantity of impostor MetaMasks on the Chrome store has been growing, and apparently they all pass the manual security review," he wrote. "Furthermore, they are all allowed to buy premium Google ad space at the top of search results."

As we reported in January, the Chrome Web Store appears to be understaffed and over-reliant on automation to deal with the challenges it faces. In this, it's not unlike the Google Play Store which for years has struggled to keep malicious Android apps at bay.

The Register asked Google for comment but apart from being asked for more details about the suspect extensions, we've not heard back.

Finlay told The Register that if Google wants to run the Chrome Web Store with few people, then they should implement systems to automatically enforce brand and trademark restrictions for the store and its ad platforms.

"I think it would be great for Google to make a stance of respecting trademarks in their ads, but I’m not sure if that runs counter to their business model," he said. "I sure hope Google doesn’t feel they need to protect phishing to stay afloat."

Google's ad policy says the company will review trademark complaints from trademark holders, but only after receiving a complaint. Google's Chrome Web Store developer agreement forbids developers from violating intellectual property rights, which probably doesn't mean much to committed law-breakers. At the same time, it makes clear, "Google is not obligated to monitor the Products or their content."

Denley said Google appears to be either incapable of policing the Chrome Web Store or negligent.

"I own a semi-popular Chrome extension and after each publish request it takes a while for it to be approved – so if there is a manual review process, either it doesn't work as intended (and only slows down updates to popular extensions) or it's only a manual review on popular extensions," he said. "It seems these bad extensions are just being approved from multiple different accounts instantly."

A week ago, Google announced yet more restrictions aimed at cleaning up the Chrome Web Store, noting "the increase in adoption of the extension platform has also attracted spammers and fraudsters introducing low-quality and misleading extensions in an attempt to deceive and trick our users into installing them to make a quick profit."

The policy revision aims to prevent developers from spamming the store with similar extensions and expands the company's definition of abusive behavior and review manipulation. In January, Google locked down the Chrome Web Store due to a flood of vitriolic comment.

Keep in mind that Google has made similar security enhancement announcements about the Chrome Web Store every year since 2011.

Denley said in a perfect world, owners of popular extensions would be given more attention when they report abuse, like the appearance of a similarly named and branded extension.

"I'd love to be able to get in contact with [the Chrome Web Store] team so I can pass my IOCs [indicators of compromise] to them, though I guess cryptocurrency-related Web Store items are not their priority," he said.

Perhaps someone will develop a Chrome extension that re-labels Twitter's Tweet button to read "Google Support." ®