DOI: 10.1145/3564625.3567988
research-article
Open access

No Signal Left to Chance: Driving Browser Extension Analysis by Download Patterns

Published: 05 December 2022

Abstract

Browser extensions are popular small applications that allow users to enrich their browsing experience. Yet browser extensions pose security concerns because they can leak user data and maliciously act on behalf of the user. Because malicious behavior can manifest dynamically, detecting malicious extensions remains a challenge for the research community, browser vendors, and web application developers. This paper identifies download patterns as a useful signal for analyzing browser extensions. We leverage machine learning for clustering extensions based on their download patterns, confirming at a large scale that many extensions follow strikingly similar download patterns. Our key insight is that the download pattern signal can be used for identifying malicious extensions. To this end, we present a novel technique to detect malicious extensions based on the public number of downloads in the Chrome Web Store. This technique fruitfully combines machine learning with security analysis, showing that the download patterns signal can be used to both directly spot malicious extensions and as input to subsequent analysis of suspicious extensions. We demonstrate the benefits of our approach on a dataset from a daily crawl of the Web Store over 6 months to track the number of downloads. We find 135 clusters and identify 61 of them to have at least 80% malicious extensions. We train our classifier and run it on a test set of 1,212 currently active extensions in the Web Store, successfully detecting 326 extensions as malicious solely based on downloads. Further, we show that by combining this signal with code similarity analysis, using the 326 as a seed, we find an additional 6,579 malicious extensions.
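To make the download-pattern signal concrete, the following added example (not the paper's code, and not its clustering algorithm) groups extensions whose daily download increments have nearly the same shape regardless of scale. The choice of z-normalised increments, Pearson correlation, single-linkage grouping, the 0.95 threshold, and all extension names and counts are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed sample: cumulative download counters from 8 daily crawls.
SAMPLE = {
    "ext_a": [100, 110, 120, 620, 1120, 1130, 1140, 1150],
    "ext_b": [2000, 2021, 2040, 3040, 4045, 4066, 4085, 4105],
    "ext_c": [50, 55, 60, 310, 560, 566, 570, 575],
    "organic_1": [900, 930, 975, 1000, 1050, 1075, 1120, 1140],
    "organic_2": [300, 340, 360, 410, 425, 470, 480, 530],
}

def shape(series):
    """Z-normalised daily increments, so scale differences vanish."""
    deltas = [b - a for a, b in zip(series, series[1:])]
    mu, sigma = mean(deltas), pstdev(deltas)
    if sigma == 0:  # perfectly flat growth has no shape to compare
        return None
    return [(d - mu) / sigma for d in deltas]

def similarity(a, b):
    """Pearson correlation of two equal-length z-normalised shapes."""
    return sum(x * y for x, y in zip(a, b)) / len(a)

def cluster(downloads, threshold=0.95):
    """Single-linkage groups of extensions with near-identical shapes."""
    shapes = {k: shape(v) for k, v in downloads.items()}
    ids = [k for k, s in shapes.items() if s is not None]
    parent = {k: k for k in ids}

    def find(k):  # union-find root lookup with path halving
        while parent[k] != k:
            parent[k] = parent[parent[k]]
            k = parent[k]
        return k

    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if similarity(shapes[a], shapes[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for k in ids:
        groups.setdefault(find(k), []).append(k)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    print(cluster(SAMPLE))
```

In this constructed data the three extensions that share a two-day burst end up in one group even though their absolute counts differ by an order of magnitude, while the two organically growing extensions stay unclustered.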


Published In

ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference
December 2022
1021 pages
ISBN: 9781450397599
DOI: 10.1145/3564625
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. Browser Extensions
2. Web Security

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

ACSAC

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
