I Spy with My Little Eye: Analysis and Detection of Spying Browser Extensions

TL;DR

This paper investigates spying browser extensions that can capture complete user activity and communicate sensitive data externally, analyzing their behavior and proposing an RNN-based detection method with high accuracy.

Contribution

It provides an empirical analysis of spying extensions' behaviors and introduces a machine learning approach using RNNs for effective detection.

Findings

Spying extensions steal browsing history, social tokens, IP, and geolocation.

RNN-based detection achieves over 90% precision and recall.

Sequence of API calls is a robust feature for identifying spying extensions.

Abstract

Several studies have been conducted on understanding third-party user tracking on the web. However, web trackers can only track users on sites where they are embedded by the publisher, thus obtaining a fragmented view of a user's online footprint. In this work, we investigate a different form of user tracking, where browser extensions are repurposed to capture the complete online activities of a user and communicate the collected sensitive information to a third-party domain. We conduct an empirical study of spying browser extensions on the Chrome Web Store. First, we present an in-depth analysis of the spying behavior of these extensions. We observe that these extensions steal a variety of sensitive user information, such as the complete browsing history (e.g., the sequence of web traversals), online social network (OSN) access tokens, IP address, and user geolocation. Second, we investigate the potential for automatically detecting spying extensions by applying machine learning schemes. We show that using a Recurrent Neural Network (RNN), the sequences of browser API calls can be a robust feature, outperforming hand-crafted features (used in prior work on malicious extensions) to detect spying extensions. Our RNN based detection scheme achieves a high precision (90.02%) and recall (93.31%) in detecting spying extensions.