The operation targeted users on both Google Chrome and Microsoft Edge marketplaces, with around 12,500 infections still active.
The attackers published at least 12 extensions that appeared legitimate, using names such as “TikTok Video Downloader” and “Mass TikTok Downloader.”
Instead of building each extension separately, the threat actors relied on a shared codebase, allowing them to quickly clone and rebrand applications.
When one extension was removed by store moderators, a nearly identical version was uploaded with the same descriptions and visuals, ensuring continuous availability.
Notably, several of these malicious extensions managed to obtain “Featured” status in official extension stores.
This badge, typically associated with trusted and vetted applications, significantly increased user confidence and download rates, amplifying the campaign’s reach.
Dynamic Evasion Techniques
The campaign’s sophistication lies in its use of dynamic remote configuration. All extensions were built using Manifest V3 (MV3) and retrieved operational instructions from attacker-controlled servers after installation.
This allowed threat actors to modify behavior in real time without triggering store security checks.
Through this mechanism, attackers could:
- Activate malicious features after installation
- Modify data collection settings without user consent
- Redirect traffic to suspicious or malicious domains
- Expand surveillance capabilities dynamically
To avoid early detection, the extensions initially behaved as advertised for several months. Only after gaining user trust and a large install base did the attackers remotely enable tracking and data harvesting functions.
Once activated, the extensions began collecting detailed telemetry to build unique user fingerprints.
The data gathered included browsing patterns, download metadata, system language, timezone, and even battery status, an unusual metric that can help uniquely identify devices.
This level of tracking enables persistent user identification across sessions, raising serious privacy and security concerns.
The operation relied on external JSON-based configuration files hosted on attacker-controlled domains.
These domains used typosquatting techniques, such as “trafficreqort.com” and “tiktak,” to appear legitimate and evade detection by both users and automated tools.
Although no specific threat group has been attributed, the coordinated infrastructure and consistent codebase suggest a well-organized and persistent actor.
This campaign highlights a critical weakness in browser security models, which primarily focus on initial extension validation.
Since these malicious tools activate harmful behavior post-installation, they bypass traditional defenses.
Because browser extensions operate within authenticated sessions, they can potentially access sensitive data and may even be leveraged for larger attacks, including botnet deployment.
Security experts recommend adopting continuous monitoring strategies that detect abnormal behavior, including suspicious network requests, unauthorized permission changes, and unusual DOM interactions, to mitigate evolving extension-based threats.
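The continuous monitoring the article recommends can start with the lookalike domains it names. The following added example (not code from the article or the researchers) scans constructed proxy log lines for extension-originated requests to hosts within a small edit distance of a list of expected domains; the log format, the extension ids and the reference list, including the assumption that “trafficreqort.com” imitates trafficreport.com, are all made up for the example.

```python
import re
from typing import List, Optional, Tuple

# Assumed reference domains an extension is expected to contact (not from the
# article); a real deployment builds this from its own extension inventory.
KNOWN_DOMAINS = ["trafficreport.com", "tiktok.com", "googleapis.com"]

# Constructed proxy log lines: <timestamp> ext=<extension id> host=<destination>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ext=abcdefghijklmnopabcdefghijklmnop host=googleapis.com
2024-05-01T10:00:07Z ext=abcdefghijklmnopabcdefghijklmnop host=trafficreqort.com
2024-05-01T10:00:09Z ext=ponmlkjihgfedcbaponmlkjihgfedcba host=tiktak.example
2024-05-01T10:00:12Z ext=ponmlkjihgfedcbaponmlkjihgfedcba host=tiktok.com
"""
LINE_RE = re.compile(r"ext=(?P<ext>[a-p]{32}) host=(?P<host>[\w.-]+)")

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels; cheap enough to run on every log line."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'trafficreqort' for 'trafficreqort.com'."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_of(host: str, max_distance: int = 2) -> Optional[str]:
    """Known domain this host imitates; None if it is an exact match or unrelated."""
    if host.lower() in KNOWN_DOMAINS:
        return None
    label = registrable_label(host)
    for known in KNOWN_DOMAINS:
        if 0 < levenshtein(label, registrable_label(known)) <= max_distance:
            return known
    return None

def flag_lookalike_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """(extension id, destination host, imitated domain) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        target = lookalike_of(m["host"]) if m else None
        if target:
            hits.append((m["ext"], m["host"], target))
    return hits
```

Exact matches against the reference list are deliberately not flagged, so the check only fires on near-misses of a domain the extension was expected to use.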
The post Fake TikTok Downloader Extensions Infect 130,000 Browser Users appeared first on Cyber Security News.