Desbloquear Conteudo - malicious extension that steals banking data

by Julie Splinters

Malicious Google Chrome extension detected: Desbloquear Conteudo malware operates as a banking trojan

Desbloquear Conteudo banking trojan

Desbloquear Conteudo (“Unblock Content”, translated from Portuguese) is a Google Chrome extension that came to cybersecurity researchers’ attention because of the suspicious domain it used. It soon became clear that it is a rare type of banking malware. The extension carried out a man-in-the-middle (MitM)[1] attack, which means that users see nothing suspicious in their bank accounts while cybercriminals are taking them over.

The purpose of this malicious Chrome extension is to track various information, such as banking logins and passwords or other important money-related details. When the victim signs into his or her bank account, the extension places an invisible layer with matching fields over the official site. Thus, when people enter their login information and confirmation codes, these details are saved and later used by the attackers for their own purposes.

Researchers detected the malware (as HEUR:Trojan-Banker.Script.Generic) targeting Brazilian bank customers. The attack was unusual, however: instead of writing complex source code, the developers used a MitM attack and a proxy server, to which the extension redirected traffic from the victims' Brazilian bank site. The domain on which the C&C server[2] was located had an IP address[3] that was already known as malicious and had previously been exposed.

After this, the researcher contacted Google, and the malware was removed from the Chrome Web Store. Currently, it is unknown whether Desbloquear Conteudo managed to steal money or credentials from people. However, Brazilian bank customers are advised to change their passwords and monitor their money flows.

Browser extensions are not expected to operate as banking malware

Desbloquear Conteudo is an unusual cyber threat to be detected on the Chrome Web Store. Usually, browser extensions are adware[4] that displays a lot of intrusive advertisements and causes redirects to dubious sites. These adware programs are more annoying and frustrating than harmful to your system. They still need to be removed promptly, though, because of the data tracking issue.

This banking Trojan, which attacked Brazilian banks, is more harmful than ad-supported applications, but it was not taken seriously at first. Researcher Vyacheslav Bogdanov[5] says:

Browser extensions aimed at stealing logins and passwords are quite rare in comparison to adware extensions, but given the possible damage that they can cause, it is worth taking them seriously. We recommend choosing proven extensions that have a large number of installations and reviews in the Chrome Web Store or other official services. After all, despite the protection measures taken by the owners of such services, malicious extensions can still penetrate them.

This extension steals important information with the main goal of taking money from the targeted people. Logins, codes, and other banking data are crucial, and their theft is dangerous. People have no idea that their attempts to log in to their bank accounts resulted in this theft.

Moreover, the research shows that Desbloquear Conteudo also had an additional function related to cryptocurrency-mining scripts. Such functionality, though, is quite common among other suspicious add-ons.

Tips to avoid installation or infiltration of potentially dangerous browser extensions

The majority of malicious programs and browser extensions spread through third-party websites or app stores. Many users are already aware of this danger and often decide to stick to official developers' sites. Developers of malware try to follow potential victims there too.

Unfortunately, Google Play Store, Chrome Web Store, and other official app stores are no longer safe. Creators of malicious programs have learned how to trick and bypass security detection. Owners of software stores are also fighting malware attacks and security issues, just on a bigger scale. Hence, it might take time to identify and remove potentially dangerous apps.

Thus, you need to take precautions to protect your browser, computer, and personal information from cybercriminals. Remember a few steps:

  • Install those extensions you trust entirely and actually need.
  • Stick to reputable providers for downloading updates and software.
  • Do not add suggested extensions if you already have enough similar ones. This could overload your browser and make it run slowly. Additionally, they might be potentially dangerous.
  • Use security tools that you have tried and liked before. This helps to make sure that your device has maximum protection from various cyber threats.
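To apply the first tip to extensions that are already installed, the following added example (not part of the original article and not code from the researchers) audits extension manifests for the capabilities that the behaviour described above depends on: rerouting traffic through a proxy and drawing over a bank's pages. The article does not list the permissions Desbloquear Conteudo requested, so the rules use generic Chrome permission names; the sample manifests and the `bank.example` domain are constructed placeholders.

```javascript
// Added example: flag extension manifests that combine traffic-rerouting and
// page-injection capabilities. Rules are generic Chrome manifest keys, an
// assumption, since the article does not list the extension's permissions.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const SENSITIVE_HOSTS = ['bank.example']; // placeholder domain, not from the article

// Does a Chrome match pattern (e.g. "*://*.bank.example/*") cover this host?
function hostPatternCovers(pattern, host) {
  if (BROAD_HOSTS.has(pattern)) return true;
  const m = /^(\*|https?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false; // plain permission names such as "storage"
  const h = m[2];
  if (h === '*') return true;
  if (h.startsWith('*.')) return host === h.slice(2) || host.endsWith(h.slice(1));
  return h === host;
}

function auditManifest(manifest) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const scriptMatches = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  // chrome.proxy lets an extension route browser traffic through a server it chooses.
  if (perms.includes('proxy')) findings.push('can change proxy settings');
  // webRequest lets an extension observe the requests the browser makes.
  if (perms.includes('webRequest')) findings.push('can observe web requests');
  for (const host of SENSITIVE_HOSTS) {
    // Content scripts run inside matching pages and can draw over their forms.
    if (scriptMatches.some(p => hostPatternCovers(p, host)))
      findings.push(`injects scripts into ${host}`);
    if (perms.some(p => hostPatternCovers(p, host)))
      findings.push(`has host access to ${host}`);
  }
  return { name: manifest.name || '(unnamed)', findings, risky: findings.length >= 2 };
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLES = [
  { name: 'Unblocker (constructed)', manifest_version: 2,
    permissions: ['proxy', 'webRequest', '<all_urls>'],
    content_scripts: [{ matches: ['*://*.bank.example/*'], js: ['fields.js'] }] },
  { name: 'Dark theme (constructed)', manifest_version: 3,
    permissions: ['storage'],
    content_scripts: [{ matches: ['https://news.example/*'], js: ['theme.js'] }] },
];

function auditAll(manifests) { return manifests.map(auditManifest); }

for (const r of auditAll(SAMPLES)) {
  console.log(`${r.risky ? 'REVIEW' : 'ok'}  ${r.name}: ${r.findings.join('; ') || 'nothing flagged'}`);
}
```

A flagged manifest is a prompt for manual review, not proof of malice: legitimate VPN and ad-blocking extensions request some of the same permissions.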

About the author

Julie Splinters - Malware removal specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.


References