MetaMask Malicious Chrome Extensions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 11:22, 25 January 2023 by Azoundria

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

MetaMask

Multiple malicious Chrome extensions attempting to impersonate the MetaMask wallet were found on the Google Play, and hundreds of users had downloaded them. The extensions, if used, would attempt to steal the 24 word seed phrase of new cryptocurrency users by tricking them into providing it. There is no report of any funds lost nor of any being recovered.

This is a global/international case not involving a specific country.

About MetaMask

MetaMask is a "crypto wallet & gateway to blockchain apps. Start exploring blockchain applications in seconds. Trusted by over 21 million users worldwide." "Available as a browser extension and as a mobile app, MetaMask equips you with a key vault, secure login, token wallet, and token exchange—everything you need to manage your digital assets."

"Since the introduction of the Chrome Web Store in 2011, it has become the largest catalog of browser extensions with over 200,000 available to all of our users. This has helped millions of users to customize their browsing experience on Chrome in ways we could have never imagined, from niche utilities to companies building businesses around the platform’s capabilities."

"As Cointelegraph reported in mid-April, Google removed 49 phishing Chrome web browser extensions after reports of malicious activity. In early March, leading cryptocurrency hardware-wallet producer Ledger warned its users about the phishing extensions on the store."

"[In late April], Google announced yet more restrictions aimed at cleaning up the Chrome Web Store, noting "the increase in adoption of the extension platform has also attracted spammers and fraudsters introducing low-quality and misleading extensions in an attempt to deceive and trick our users into installing them to make a quick profit.""

"In May 2020, a cybersecurity researcher discovered 22 malicious Google Chrome extensions imitating crypto services like Ledger and MetaMask."

"Online scammers have been targeting other popular crypto companies to impersonate their apps on Google and steal money from users. In May 2020, a cybersecurity researcher discovered 22 malicious Google Chrome extensions imitating crypto services like Trezor’s rival Ledger and major Ether (ETH) wallet MetaMask."

"Talking to Naked Security, Denley explained that he finds new ones each day. He pointed us to this Pastebin entry showing the original 49 he reported in April, along with another 22. The new ones impersonated the Ledger, KeepKey, MetaMask, and Jaxx wallets. The IDs on the left are extension IDs, which show up at the end of an extension’s URL when viewed in the Chrome store."

"The extensions he discovered impersonated well-known crypto firms such as Ledger, KeepKey, MetaMask and Jaxx. Their purpose is to trick users into giving away the credentials needed to access their wallets."
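The quotes above note that impersonators are told apart by their extension ID, the value at the end of an extension's Chrome Web Store URL. The following Python is an added example (not code from the Quadriga Initiative page, from MetaMask, or from any of the quoted sources). It assumes a constructed list of installed extensions and a placeholder allowlist OFFICIAL_IDS that a defender would fill from each vendor's own website, and it shows two things: how a Chrome extension ID is derived from the developer's public key (so an impostor published under a different key cannot reuse the genuine ID), and a triage routine that flags extensions whose name borrows a wallet brand but whose ID is not the vendor's.

```python
# Added example, not part of the original case study or any quoted source.
# Chrome derives an extension ID from the SHA-256 of the developer's
# DER-encoded public key: the first 32 hex digits are kept and each hex
# digit 0-f is mapped to a letter a-p. A genuine vendor extension therefore
# keeps a stable ID across updates, while an impostor signed with another
# key lands on a different ID no matter what name or icon it copies.
import hashlib

# Wallet brands the quoted reports say were impersonated.
BRANDS = ("metamask", "ledger", "trezor", "keepkey", "jaxx")

# Placeholder allowlist {brand: official extension ID}. These values are
# constructed for the example, NOT the real vendors' IDs; a defender fills
# this from the install link on each vendor's official site.
OFFICIAL_IDS = {
    "metamask": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
}

ID_ALPHABET = "abcdefghijklmnop"


def extension_id_from_public_key(public_key_der: bytes) -> str:
    """Derive a Chrome extension ID from a DER-encoded public key
    (the base64 'key' field of manifest.json, already decoded)."""
    digest = hashlib.sha256(public_key_der).hexdigest()[:32]
    return digest.translate(str.maketrans("0123456789abcdef", ID_ALPHABET))


def is_valid_extension_id(ext_id: str) -> bool:
    """Well-formed IDs are exactly 32 characters from the a-p alphabet."""
    return len(ext_id) == 32 and all(c in ID_ALPHABET for c in ext_id)


def impersonated_brand(name: str):
    """Return the wallet brand an extension name borrows, or None."""
    lowered = name.lower()
    for brand in BRANDS:
        if brand in lowered:
            return brand
    return None


def triage(extensions, official_ids=OFFICIAL_IDS):
    """Flag brand look-alikes whose ID is not the vendor's.

    Each finding is (id, name, brand, reason). Extensions that do not
    borrow a protected brand are ignored; the genuine extension for a
    brand (ID in the allowlist) passes silently.
    """
    findings = []
    for ext in extensions:
        brand = impersonated_brand(ext["name"])
        if brand is None:
            continue
        official = official_ids.get(brand)
        if official is not None and ext["id"] == official:
            continue
        if not is_valid_extension_id(ext["id"]):
            reason = "malformed extension ID"
        elif official is None:
            reason = "no official ID known for this brand; verify manually"
        else:
            reason = "ID does not match the official extension"
        findings.append((ext["id"], ext["name"], brand, reason))
    return findings


# Constructed sample of installed extensions (IDs are placeholders).
SAMPLE_EXTENSIONS = [
    {"id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "name": "MetaMask"},
    {"id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "name": "MetaMask Wallet - Official"},
    {"id": "cccccccccccccccccccccccccccccccc", "name": "Ledger Live Wallet"},
    {"id": "dddddddddddddddddddddddddddddddd", "name": "Dark Reader"},
]

if __name__ == "__main__":
    for ext_id, name, brand, reason in triage(SAMPLE_EXTENSIONS):
        print(f"FLAG {ext_id} '{name}' (brand: {brand}): {reason}")
```

On a real machine the extension list would come from the browser's extension management page or its Preferences file rather than the constructed sample; the point of the allowlist design is that a name or icon is cheap to copy while the ID is bound to the signing key.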

"MEANWHILE, Google _keeps on approving phishers_. The quantity of impostor MetaMasks on the Chrome store has been growing, and apparently they all pass the manual security review. FURTHERMORE they are all allowed to buy premium Google ad space at the top of search results."

"Most of the phishing extensions have already been taken down as of press time. Per the report, most were down within 24 hours of Denley reporting them."

"Finlay told The Register that if Google wants to run the Chrome Web Store with few people, then they should implement systems to automatically enforce brand and trademark restrictions for the store and its ad platforms."

"I think it would be great for Google to make a stance of respecting trademarks in their ads, but I’m not sure if that runs counter to their business model," he said. "I sure hope Google doesn’t feel they need to protect phishing to stay afloat."

"Google's ad policy says the company will review trademark complaints from trademark holders, but only after receiving a complaint. Google's Chrome Web Store developer agreement forbids developers from violating intellectual property rights, which probably doesn't mean much to committed law-breakers. At the same time, it makes clear, "Google is not obligated to monitor the Products or their content.""

"Harry Denley, director of security at MyCrypto, who identified the previous lot of bad extensions, told The Register at least eight among the latest crop of 11 impostors, pretending to be crypto-wallet software KeyKeep, Jaxx, Ledger, and MetaMask, have been taken down."

In August 2020, "Google acknowledged a general problem with malicious extensions and has announced new rules for the Chrome Web Store."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different from the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - MetaMask Malicious Chrome Extensions
Date | Event | Description
May 5th, 2020 9:41:00 AM | First Event | This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

It is unknown how much was recovered.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

Always check and visit the official website of a service. The majority of funds should be stored offline rather than in a live wallet application. When setting up a new wallet or upgrading wallet software, never enter your pass phrase into software you have not verified, and never send funds without first transferring a smaller test amount.

References

@Cointelegraph Twitter (Feb 25)

Trezor crypto wallet warns users of doppelgänger scam app on Google Play (Feb 25)

22 More Crypto-Stealing Google Chrome Extensions Discovered (Mar 2)

More crypto-stealing Chrome extensions swatted by Google – Naked Security (Mar 2)

@danfinlay Twitter (Mar 2)

https://metamask.io/ (Mar 6)

What is MetaMask? - YouTube (Mar 6)

Raw PasteBin Source (Mar 13)

@danfinlay Twitter (Mar 13)

Fake crypto-wallet extensions appear in Chrome Web Store once again, siphoning off victims' passwords • The Register (Mar 13)

Chromium Blog: Keeping spam off the Chrome Web Store (Mar 13)

More fake digital currency wallets on Google taken down - CoinGeek (Mar 13)

https://www.crowdfundinsider.com/2020/05/161309-google-removes-22-malicious-chrome-browser-extensions-impersonating-widely-used-cryptocurrency-wallet-providers-like-trezor-ledger-metamask/ (Mar 13)

@myetherwallet Twitter (May 31)

@myetherwallet Twitter (May 31)

@danfinlay Twitter (May 31)

49 malicious Chrome extensions caught pickpocketing crypto wallets – Naked Security (Jul 2)