Security researchers at LayerX have uncovered a stealthy network of malicious Chrome extensions masquerading as in-browser sound enhancement tools.
With over 700k installations globally, these add-ons appear to be laying dormant, awaiting remote instructions to execute malicious payloads.
LayerX's report reveals that the extensions function as “sleeper agents,” capable of downloading and executing code from external servers without any visible triggers. Though the extensions currently show no overtly malicious activity, they include remote command capabilities, encrypted communications, and links to known malware infrastructure, all red flags for future exploitation.
The identified extensions share a suspiciously uniform internal structure, pointing to a single developer. Despite being listed under seemingly unrelated publishers with different contact details and no traceable online presence, their codebases, behavior, and external communication endpoints overlap significantly. This design appears to intentionally obscure common ownership while maintaining centralized control over their behavior.
LayerX identified four active extensions on the Chrome Web Store, with the most popular being “Volume Max – Ultimate Sound Booster,” which has amassed over 500,000 users. The others are Sound Booster (200,000 users), Volume Master: Master Your Sound (3,000), and Volume Booster: Ultimate Sound Enhancer (2,000), bringing the total exposure to approximately 700,000 users.
CyberInsider
These extensions claim to offer sound control features, but behind the scenes, they:
- Load external configuration files to execute commands dynamically.
- Open background tabs for stealthy URL access and potential malware downloads.
- Communicate with known malicious URLs such as francjohn[.]com and jermikro[.]com.
- Use base64 obfuscation and encryption to hide network activity.
LayerX's investigation also uncovered strong links between these extensions and previously banned malicious ones, particularly ReadBee, which was removed from the Chrome Web Store after being implicated in affiliate fraud and browser hijacking. Code from ReadBee's ExtStatTracker class, responsible for stealthy telemetry, persistent tracking, and remote URL injection, was found embedded in the newly discovered extensions. Another removed extension, Search ChatGPT, also used similar infrastructure and communication patterns.
The domains contacted by these extensions have troubling histories. francjohn[.]com is listed on VirusTotal as a known malicious domain, while jermikro[.]com, used by three of the extensions, has past ties to malware activity despite its current unflagged status.
Most concerning is that these extensions are still live on the Chrome Web Store despite being flagged by multiple antivirus vendors. Google has not yet acted to remove them, so users should be careful when looking for sound tools or similar browser-based utilities.
Leave a Reply