Fake Microsoft Authenticator extension removed after weeks on the Chrome Web Store: Report
According to a new report, the malicious extension sent users to a Polish website that tricked them into making an account – most likely to harvest their details.
Browser extensions offer a variety of functions beyond the advertised features of a web browser and are popular among users of the most widely used browsers – Google Chrome, Mozilla Firefox, Microsoft Edge, Vivaldi and Opera. While it’s not every day that you see a malicious browser extension on one of these browsers, sometimes malware manages to make its way onto the browsers’ stores.
According to a report by Neowin, the Chrome Web Store, the official source of extensions for Google’s Chrome browser, harboured a fake ‘Microsoft Authenticator’ extension for weeks before it was finally removed from the store. Ironically, the extension’s developer name was “Extensions” instead of Microsoft, which clearly did not trigger Google’s security mechanisms, according to the report.
Just like Twilio’s Authy service and Google Authenticator, Microsoft Authenticator acts as a multi-factor authentication service that can be used on mobile devices to generate security codes after a user enters their password while signing in to their favourite sites. The service works on both Android devices and devices running Apple’s iOS operating system – unlike Authy, it does not have any official browser extension.
What is especially disturbing is that last month, gHacks had identified the malicious extension masquerading as the official Microsoft Authenticator app on the Chrome Web Store. While it was reportedly found on April 23, it appears that Google did not remove the download until it had picked up hundreds of downloads. According to the report, the extension sent users to a Polish website that tricked them into making an account – most likely to harvest their details.
Microsoft has never released an extension for its Authenticator service for Google Chrome or any other browser, the company told the Register. Users who want to use the Authenticator service should download the app on their Android- and iOS-powered devices from the respective app stores.