Did I Vet You Before? Assessing the Chrome Web Store Vetting Process through Browser Extension Similarity
José Miguel Moreno, Narseo Vallina-Rodriguez, Juan Tapiador

TL;DR
This study evaluates the effectiveness of the Chrome Web Store's vetting process by analyzing the similarity and maliciousness of extensions, revealing significant gaps and delays in removing infringing and malicious extensions.
Contribution
Introduces SimExt, a novel methodology combining static/dynamic analysis and NLP to detect similar extensions, and provides an empirical assessment of vetting process gaps in the Chrome Web Store.
Findings
86% of infringing extensions are highly similar to vetted ones
Most infringing extensions remain for months or years before removal
Only 1% of malware extensions are detected by anti-malware engines
Abstract
Web browsers, particularly Google Chrome and other Chromium-based browsers, have grown in popularity over the past decade, with browser extensions becoming an integral part of their ecosystem. These extensions can customize and enhance the user experience, providing functionality that ranges from ad blockers to, more recently, AI assistants. Given the ever-increasing importance of web browsers, distribution marketplaces for extensions play a key role in keeping users safe by vetting submissions that display abusive or malicious behavior. In this paper, we characterize the prevalence of malware and other infringing extensions in the Chrome Web Store (CWS), the largest distribution platform for this type of software. To do so, we introduce SimExt, a novel methodology for detecting similarly behaving extensions that leverages static and dynamic analysis, Natural Language Processing (NLP)…
Taxonomy
Topics: Web Data Mining and Analysis · Spam and Phishing Detection · Mobile and Web Applications
