Fake Google Sheets Extension


Our research team uncovered this counterfeit Google Sheets browser extension during an investigation into deceptive websites. This malicious software masquerades as a spreadsheet application from the web-based Google Docs Editors suite. It's important to clarify that this extension has no affiliation with Google Sheets, Google Docs Editors, or Google LLC.

Upon analysis, we determined that this fraudulent extension is designed to gather sensitive data, display browser notifications, and potentially engage in other harmful activities. When we ran the setup containing this fake Google Sheets extension, it also installed additional unwanted and potentially malicious software on our test system.

Interestingly, this illegitimate extension was not directly installed on either Google Chrome or Microsoft Edge browsers. Instead, the installer placed the extension's folder (titled "Extension") in the "C:\Users\[username]\AppData\Local\Temp" directory. This method ensures persistence, meaning that removing the fraudulent Google Sheets extension from Chrome or Edge will not completely eliminate it. After standard removal, the software will reappear upon reopening the browser.

Furthermore, having this extension on a device modifies the Chrome or Edge browser's shortcut by adding --proxy-server="217.65.2.14:3333" to the shortcut's target (note that the IP address may vary). Instructions for removing this software can be found below.

This fake Google Sheets browser extension also utilizes the "Managed by your organization" feature on Google Chrome and Microsoft Edge to exert control.
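A detection check for the three persistence mechanisms described above (the injected shortcut argument, the "Extension" folder dropped in the Temp directory, and the policy keys behind the "Managed by your organization" banner), written here as an added example that is not from the original page or its authors. It assumes the standard Chrome/Edge policy locations under HKLM/HKCU\SOFTWARE\Policies and reads shortcut targets through the WScript.Shell COM object.

```powershell
# Added detection check (not from the page): flags Chrome/Edge shortcuts carrying an injected
# --proxy-server argument, the dropped "Extension" folder in the user's Temp directory, and
# Chrome/Edge policy keys that make the browser show "Managed by your organization".
# Any --proxy-server value on a browser shortcut is flagged, not just the 217.65.2.14:3333 seen here.
$findings = @()

# 1. Browser shortcuts: desktop, Start Menu and taskbar pins (current user and all users).
$shortcutRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
)
$wsh = New-Object -ComObject WScript.Shell
$lnkFiles = Get-ChildItem -Path $shortcutRoots -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue
foreach ($file in $lnkFiles) {
    $lnk = $wsh.CreateShortcut($file.FullName)
    if ($lnk.TargetPath -match '(chrome|msedge)\.exe$' -and $lnk.Arguments -match '--proxy-server') {
        $findings += "Shortcut $($file.FullName) -> $($lnk.TargetPath) $($lnk.Arguments)"
    }
}

# 2. The dropped extension folder (C:\Users\<user>\AppData\Local\Temp\Extension on the page).
$dropped = Join-Path $env:LOCALAPPDATA 'Temp\Extension'
if (Test-Path $dropped) {
    $manifest = Join-Path $dropped 'manifest.json'
    $name = if (Test-Path $manifest) { (Get-Content $manifest -Raw | ConvertFrom-Json).name } else { '(no manifest)' }
    $findings += "Extension folder present at $dropped (manifest name: $name)"
}

# 3. Policy keys: any value or subkey here (e.g. ExtensionInstallForcelist) triggers the
#    "Managed by your organization" banner and can force-install or lock extensions.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($v in $values) { $findings += "Policy $key\$($v.Name) = $($v.Value)" }
    foreach ($sub in Get-ChildItem -Path $key -Recurse) { $findings += "Policy subkey $($sub.Name)" }
}

if ($findings.Count -eq 0) { 'No hijack indicators found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it from an elevated PowerShell session so the all-users shortcut folders and HKLM policy keys are readable; a clean machine that is not domain-managed should report no findings.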

Additionally, the extension monitors users' browsing activity, collecting data such as browsing and search histories, downloads, internet cookies, login credentials (usernames/passwords), and financial information. This sensitive data can be sold to third parties or exploited for profit.

Moreover, the rogue extension can deliver spammy browser notifications promoting online scams, unreliable software, or even malware. It's possible that this browser extension possesses other harmful capabilities beyond those described.

What Are Rogue Browser Extensions?

Rogue browser extensions, also known as malicious or fake browser extensions, refer to software programs that are designed to deceive users or engage in harmful activities when installed in web browsers such as Google Chrome, Mozilla Firefox, Microsoft Edge, or Safari. These extensions appear to offer useful features or functionality but actually perform actions that compromise user privacy, security, or browsing experience. Here are key characteristics and behaviors of rogue browser extensions:

Deceptive Appearance: Rogue extensions often mimic legitimate browser add-ons, presenting themselves as helpful tools or utilities such as ad blockers, download managers, or productivity enhancers. Their appearance and functionality may closely resemble trusted extensions to trick users into installing them.

Unauthorized Activities: Once installed, rogue extensions may perform unauthorized activities without the user's consent. This can include collecting sensitive data, modifying browser settings, injecting advertisements, or redirecting web traffic to malicious websites.

Data Collection: Rogue extensions frequently collect users' browsing data, including visited websites, search queries, login credentials, and financial information. This data can be exploited for advertising purposes, sold to third parties, or used in identity theft and fraud schemes.

Browser Modification: Some rogue extensions modify browser settings or inject unwanted content into web pages. They may change the default search engine, alter homepage settings, or display intrusive advertisements (adware).

Security Risks: Rogue browser extensions pose significant security risks. They can introduce vulnerabilities into the browser, making it susceptible to additional malware infections or exposing users to phishing attacks.

Distribution Methods: Rogue extensions are often distributed through deceptive tactics such as fake software updates, misleading advertisements, bundled software packages, or phishing emails. Users may inadvertently install these extensions while attempting to download legitimate software or extensions.

Persistence and Difficulty in Removal: Rogue extensions may employ techniques to evade detection and removal. They can reinstall themselves even after being manually deleted, modify browser shortcuts, or use browser features (e.g., "Managed by your organization" in Chrome) to prevent easy removal.

May 10, 2024
