Due to the surging popularity of various cryptocurrencies in recent years, a large number of browser extensions have been developed as portals to access relevant services, such as cryptocurrency exchanges and wallets. This has stimulated a wild growth of malicious cryptocurrency-themed extensions that have shown their capability of evading the stringent vetting processes of the extension stores. In this work, we conduct the first systematic study to characterize and identify this emerging type of malicious extension. We monitor various extension distribution venues for 10 months, collecting around 3,000 cryptocurrency-themed extensions. Leveraging a hybrid analysis, we have identified 124 malicious extensions that belong to five categories. Our work unveils the status quo of malicious cryptocurrency-themed extensions, and reveals their disguises and programmatic features that detection techniques can rely on. Our work should raise an alert to extension users, and would encourage extension store operators to enact dedicated countermeasures. To facilitate future research in this area, we have released all the identified malicious extensions.
10M+
Period monitored
124
Extensions collected
3000
Extensions related
We conducted continuous monitoring from December 2020 to October 2021. We have gathered a dataset with a total size of 4.5 GB containing 2,939 cryptocurrency-themed extensions. Based on their behaviors, we group all 124 identified malicious extensions into five categories: phishing (26), mining (17), scam (44), adware (23), and gambling/porn (14).
Phishing
Mining
Scam
Adware
Gambling/Porn
Characterizing Cryptocurrency-themed Malicious Browser Extensions
Under review