Mozilla Firefox Extension Store Hit by 60 Malicious Crypto Wallet Apps

Over 40 fraudulent extensions have been identified on Mozilla’s Firefox extension store, posing as popular cryptocurrency wallet apps such as Coinbase, MetaMask, and Trust Wallet. These malicious extensions, active since April, have been secretly collecting users’ wallet credentials, including private keys and recovery phrases, and transmitting them to malicious servers. The campaign, detailed in a report by Koi Security, continues to evolve with new extensions added as recently as last week. The extensions employ the logos and descriptions of well-known crypto wallet services, creating a façade of authenticity and leveraging popular keywords to gain prominence in search results and increase their download rates. Despite numerous fake five-star reviews enhancing their credibility, these extensions pose a significant risk to users.

Security researchers have identified Russian-language comments embedded within PDF files and notes in the extensions’ source code, suggesting a potential Russian-speaking threat actor. While conclusive evidence remains elusive, geographic details such as timestamps and file paths support the likelihood of this theory. Researchers remain cautious, acknowledging that more proof is needed to confirm these findings. Since the observed onset in April, over 60 variations have surfaced, with the latest release happening just last week. To bypass detection, these extensions consistently update and rebrand, continuing their presence in the store. Some undetected copies still linger, prompting Koi Security to advise users to upgrade extensions only through verified site links.

To mitigate the threat, several measures need consideration. Regular checks and audits of extension stores to identify and remove malicious extensions are crucial. Educating users on verifying extension authenticity before installation and implementing enhanced scanning processes to detect hidden malicious scripts are also essential. Mozilla’s Firefox extension store remains a target for bad actors exploiting security gaps through deceptive practices. As these threats evolve and continue to endanger users, vigilance and heightened awareness of extension authenticity is crucial for safeguarding digital assets.