The researcher conducting the deep scan of all publicly available Chrome extensions which revealed a lot of suspicious activities and the malicious requests that is made to various Facebook domains.
These Chrome extensions are downloaded and used by more than 420,000 users. Following extension are discovered as a spyware extension.
It’s not limited only by Chrome extensions but the researcher identified a malicious Android app that performs the very similar operation of chrome extensions that installed more than 11,000,000 users according to Google Play and selling the installed users data.
Malicious apps are connecting to the Unimania servers and it was unclear that who is behind the Unimania’s owners or affiliates and profit of the stolen data.
Stealing the data from Browser
Once the malicious extension gets installed, it will collect the victims facebook data whenever users logged into Facebook after start the browser.
Later it parses the victim’s browser history including the sensitive information such as your purchase history and sends it to an
um-public-panel-prod.s3.amazonaws.com amazon s3 bucket which rented by the Malware authors.
According to adguard, Users data that being shared including Facebook “interests” and shockingly they can also see all of the victims Facebook posts, sponsored posts, tweets, the YouTube videos and ads you see or interact with, along with a poorly hashed user ID and totally UN-hashed location data.
This is not malicious activities are not only associated with Chrome extension but one particular app that was connecting to the Unimania servers.
This was an alternative Facebook client called “Fast – Social App“ with a record of more than 10,000,000 installs according to Google Play.
The campaign is run by a supposed Israeli company named “Unimania, Inc.” Unfortunately, I was not able to trace this further back to Unimania’s owners or affiliates and I can’t say who is profiting from the data. adguard Researcher said.