Experts uncover 350 browser extension variants used in ABCsoup ad campaign


A malicious browser extension with 350 variants impersonates a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera and Mozilla Firefox browsers.

Mobile security company Zimperium dubbed the malware family ABCsoupstating that “extensions are installed on a victim’s machine via a Windows executable, bypassing most endpoint security solutions, as well as security checks found in official extension stores”.

Rogue browser add-ons come with the same extension ID as Google Translate – “aapbdbdomjkkjkaonfhkkikfgjllcleb” – in an attempt to trick users into believing that they have installed a legitimate extension.

The extensions are not available on the official web stores of the browsers themselves. Rather, they are delivered via various Windows executables which install the add-on on the victim’s web browser.

In case the targeted user has already installed the Google Translate extension, it replaces the original version with the malicious variant due to their higher version numbers (30.2.5 versus 2.0.10).

ABCsoup ad campaign

“Additionally, when this extension is installed, Chrome Web Store assumes that it is Google Translate and not the malicious extension, because the Web Store only checks extension IDs,” said Nipun Gupta, researcher at Zimperium.

All observed variants of the extension aim to deliver pop-ups, collect personal information to deliver target-specific advertisements, scan for fingerprints and inject malicious JavaScript which can further act as spyware to capture keystrokes and monitor web browser activity.

The main function of ABCsoup is to check Russian social networking services like Odnoklassniki and VK among the websites currently open in the browser, and if so, to collect first and last names, dates of birth and sex of the users, and to transmit the data to a remote server.

cyber security

Not only does the malware use this information to deliver personalized advertisements, but the extension also comes with capabilities to inject personalized JavaScript code based on the websites being opened. This includes YouTube, Facebook, ASKfm,, Yandex, Rambler, Avito, Brainly’s Znanija, Kismia and rollApp, suggesting a heavy focus on Russia.

Zimperium attributed the campaign to a “well-organized group” of Eastern European and Russian descent, with the extensions designed to target Russian users given the wide variety of local domains targeted.

“This malware is deliberately designed to target all types of users and serves its purpose of harvesting user information,” Gupta said. “Injected scripts can be easily used to serve more malicious behavior in the browser session, such as keystroke mapping and data exfiltration.”


About Author

Comments are closed.