Full Report
A Chrome extension named "QuickLens - Search Screen with Google Lens" has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of users. [...]
Analysis Summary
# Incident Report: QuickLens Compromise and Crypto Theft Attack
## Executive Summary
The Chrome extension "QuickLens - Search Screen with Google Lens," previously sporting a Google featured badge and reaching 7,000 users, was compromised following a change in ownership. A malicious update (v5.8) deployed on February 17, 2026, introduced malicious scripts designed to steal cryptocurrency wallet data, scrape sensitive forms, and execute ClickFix social engineering attacks leading to malware installation on Windows systems. Google has since removed the extension from the Chrome Web Store and automatically disabled it for affected users.
## Incident Details
- Discovery Date: February 28, 2026 (the date BleepingComputer learned of the compromise via user reports; initial research by Annex followed)
- Incident Date: February 17, 2026 (Date of malicious update deployment)
- Affected Organization: Users of the "QuickLens - Search Screen with Google Lens" Chrome Extension.
- Sector: Software/Browser Extensions (Digital Distribution Platform)
- Geography: Global (Where Chrome Web Store users were active)
## Timeline of Events
### Initial Access
- Date/Time: February 1, 2026 (Approximate)
- Vector: Change of extension ownership/Sale via marketplace.
- Details: The extension's ownership changed to "LLC Quick Lens" with a contact at [email protected]. A new, minimally functional privacy policy domain was established.
### Lateral Movement
- Date/Time: February 17, 2026
- Vector: Post-infection communication with C2 server.
- Details: The updated extension contacted the C2 server at `api.extensionanalyticspro[.]top` every five minutes after fingerprinting the victim (UUID generation, GEO location via Cloudflare trace endpoint). The C2 served various malicious JavaScript payloads.
### Data Exfiltration/Impact
- Date/Time: Immediately post-update (Feb 17, 2026 onwards)
- Vector: JavaScript injection and credential harvesting.
- Details: Malicious scripts were executed on every page load to:
1. Steal data from 11 specific cryptocurrency wallets (seed phrases, activity).
2. Capture login credentials and payment information from web forms.
3. Scrape Gmail inboxes, Facebook Business Manager data, and YouTube channel information.
4. Execute ClickFix attacks leading to the download of `googleupdate.exe` on Windows, which installed secondary malware via PowerShell.
### Detection & Response
- Date/Time: Starting the week before Feb 28, 2026 (User reports of fake Google update alerts begin).
- Vector: User reports and Third-party security research (Annex).
- Details: Researchers highlighted the malicious updates and C2 communication. Google ultimately removed the extension from the Chrome Web Store and automatically flagged/disabled it for users.
## Attack Methodology
- **Initial Access:** Compromise/takeover of a legitimate, previously trusted Chrome extension ("QuickLens").
- **Persistence:** The malicious code was baked into the extension update (v5.8) pushed through the Chrome Web Store.
- **Privilege Escalation:** Expanded its reach within Chrome's permission model by requesting new, broad permissions (`declarativeNetRequestWithHostAccess`, `webRequest`) in the update.
- **Defense Evasion:** Stripped critical browser security headers (`Content-Security-Policy`, `X-Frame-Options`, etc.) from all visited pages, allowing for inline script execution that would normally be blocked.
- **Credential Access:** Directly targeted popular crypto wallet extensions (MetaMask, Phantom, Exodus, etc.) to harvest seed phrases and login credentials.
- **Discovery:** Fingerprinted the victim (UUID, country via Cloudflare).
- **Lateral Movement:** (Within the browser context) Used injected JavaScript to execute second-stage attacks, including the ClickFix lure that led to the installer download.
- **Collection:** Harvested crypto wallet data, login fields, payment info, Gmail content, and social media data.
- **Exfiltration:** Data was sent back to the C2 server (`api.extensionanalyticspro[.]top`).
- **Impact:** Financial theft (attempted crypto hijacking) and data breach (credentials, email, social metadata).
## Impact Assessment
- **Financial:** Significant potential financial loss due to targeted cryptocurrency wallet theft attempts involving major providers.
- **Data Breach:** Theft of cryptocurrency wallet seed phrases/activity, login credentials, payment information, Gmail contents, and social media account data.
- **Operational:** Users experienced severe disruption due to persistent fake Google Update alerts, making web browsing nearly impossible until the extension was remediated.
- **Reputational:** Harm to the trust placed in the Chrome Web Store ecosystem, particularly since the extension had previously achieved a "featured badge" from Google.
## Indicators of Compromise
- **Network Indicators (Defanged):**
  - C2 Server 1: `api.extensionanalyticspro[.]top`
  - Secondary Payload Server: `google-update[.]icu`
  - Secondary Stage Malware C2: `drivers[.]solutions` (Payload observed, though potentially inactive at time of discovery)
- **File Indicators:**
  - Malicious Executable (Windows): `googleupdate.exe` (Signed with an unrelated food technology certificate)
- **Behavioral Indicators:**
  - Persistent display of fake Google Update alerts on all visited websites.
  - Stripping of HTTP security headers (CSP, X-Frame-Options).
  - Execution of injected JavaScript payloads via the "1x1 GIF pixel onload trick" (an injected 1x1 GIF `<img>` whose inline `onload` handler runs the payload; inline handlers of this kind are exactly what an intact Content-Security-Policy would normally block).
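A defender-side check for the indicators above, added here as an example and not part of the original report: it refangs the listed domains, scans constructed proxy log lines (not real traffic) for contact with those hosts or a download of the named executable, and measures the gap between successive contacts so the five-minute polling described above stands out. The log format and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit
# Indicators copied, defanged, from the report above; refanged at runtime.
DEFANGED_DOMAINS = ["api.extensionanalyticspro[.]top", "google-update[.]icu", "drivers[.]solutions"]
SUSPICIOUS_FILES = {"googleupdate.exe"}
def refang(indicator: str) -> str:
    """'a[.]b' -> 'a.b' so the indicator can be compared with live hostnames."""
    return indicator.replace("[.]", ".")
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed proxy log (not real traffic): time client method url status.
SAMPLE_LOG = """\
2026-02-17T09:00:01Z 10.0.0.12 GET https://www.google.com/search?q=lens 200
2026-02-17T09:05:03Z 10.0.0.12 POST https://api.extensionanalyticspro.top/collect 200
2026-02-17T09:10:04Z 10.0.0.12 POST https://api.extensionanalyticspro.top/collect 200
2026-02-17T09:12:44Z 10.0.0.12 GET https://google-update.icu/googleupdate.exe 200
2026-02-17T09:13:10Z 10.0.0.33 GET https://api.extensionanalyticspro.top.example.org/ 200
2026-02-17T09:15:02Z 10.0.0.12 POST https://api.extensionanalyticspro.top/collect 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def is_ioc_host(host: str) -> bool:
    # Exact match or a subdomain of an indicator; 'ioc.top.example.org' must NOT match.
    return host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS)

def scan_log(text: str) -> list:
    """One record per log line that contacts an IoC domain or fetches a flagged filename."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        fname = parts.path.rsplit("/", 1)[-1].lower()
        reasons = (["ioc-domain"] if is_ioc_host(host) else []) + (["ioc-file"] if fname in SUSPICIOUS_FILES else [])
        if reasons:
            hits.append({"ts": ts, "client": client, "host": host, "reasons": reasons})
    return hits

def beacon_intervals(hits: list) -> dict:
    """Seconds between successive contacts per (client, host); a steady ~300 s gap matches the report's five-minute C2 polling."""
    times = defaultdict(list)
    for h in hits:
        times[(h["client"], h["host"])].append(datetime.fromisoformat(h["ts"].replace("Z", "+00:00")))
    return {k: [int((b - a).total_seconds()) for a, b in zip(v, v[1:])] for k, v in times.items()}
```

The near-miss line for `10.0.0.33` is deliberate: a suffix match on the bare string would false-positive on `...top.example.org`, so the check requires an exact host or a true subdomain.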
## Response Actions
- **Containment:** Google removed the extension "QuickLens - Search Screen with Google Lens" from the Chrome Web Store and automatically disabled it for affected users.
- **Eradication:** Users are advised to manually ensure the extension is completely removed and to scan systems for malware (specifically looking for artifacts from the `googleupdate.exe` drop).
- **Recovery:** Users relying on targeted crypto wallets must immediately transfer all funds to new, clean wallets. Users should reset passwords stored in the browser.
## Lessons Learned
- **Supply Chain Risk in Extensions:** Even extensions that achieve high trust metrics (like a Google featured badge) are susceptible to compromise via ownership sales or backdoors.
- **Permission Scope:** Extensions requiring broad `webRequest` and `declarativeNetRequest` permissions pose a high inherent risk, as demonstrated by the ability to strip security headers.
- **Detection Window:** The malicious activity began two weeks before security researchers publicly reported the findings, indicating a significant dwell time post-update.
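A manifest audit illustrating the permission-scope lesson above, added here as an example (not tooling from the report or from the extension's authors): it flags the combination that makes header stripping possible, namely a request-modifying permission plus access to every host, and diffs what a new version requests over the previous one. The two manifests are constructed stand-ins, not QuickLens's real manifests, and the list of "other high-risk" permissions is an assumption.

```python
import json
from pathlib import Path

# Permissions that let an extension rewrite traffic on the hosts it can reach
# (the report names declarativeNetRequestWithHostAccess and webRequest). Chrome requires
# host permissions for the redirect/modifyHeaders actions, hence the "broad AND modifying" test.
REQUEST_MODIFYING = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess", "webRequestBlocking"}
REQUEST_OBSERVING = {"webRequest"}
OTHER_HIGH_RISK = {"scripting", "cookies", "tabs", "history", "clipboardRead"}  # assumed list
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest: dict) -> set:
    """Every match pattern the extension can act on: MV2 'permissions', MV3 'host_permissions', content scripts."""
    pats = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        pats |= set(cs.get("matches", []))
    return pats

def audit_manifest(manifest: dict) -> dict:
    perms = set(manifest.get("permissions", []))
    broad = bool(host_patterns(manifest) & BROAD_HOSTS)
    return {
        "name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
        "broad_host_access": broad,
        "risky_permissions": sorted(perms & (REQUEST_MODIFYING | REQUEST_OBSERVING | OTHER_HIGH_RISK)),
        # The pattern described in the report: can rewrite responses AND reaches every site,
        # which is what allows CSP / X-Frame-Options to be stripped from all visited pages.
        "can_strip_security_headers": broad and bool(perms & REQUEST_MODIFYING),
    }

def permission_delta(old: dict, new: dict) -> set:
    """Permissions and host patterns an update newly requests; the v5.8 update grew exactly this way."""
    before = set(old.get("permissions", [])) | host_patterns(old)
    after = set(new.get("permissions", [])) | host_patterns(new)
    return after - before

def audit_profile(profile_dir: str) -> list:
    """Audit every installed extension under a Chrome profile ('Extensions/<id>/<version>/manifest.json')."""
    return [audit_manifest(json.loads(mf.read_text(encoding="utf-8")))
            for mf in Path(profile_dir).glob("Extensions/*/*/manifest.json")]

# Constructed manifests: a benign release and a later update that requests far more.
BENIGN_V1 = {"name": "Example Lens", "version": "5.7", "manifest_version": 3,
             "permissions": ["activeTab", "storage"], "host_permissions": []}
SUSPECT_V2 = {"name": "Example Lens", "version": "5.8", "manifest_version": 3,
              "permissions": ["activeTab", "storage", "declarativeNetRequestWithHostAccess", "webRequest", "scripting"],
              "host_permissions": ["<all_urls>"]}
```

`audit_profile` expects a Chrome user-data profile directory such as `Default`; names reported as `__MSG_..._` are localisation keys and need the extension's `_locales` files to resolve.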
## Recommendations
- **Vetting Process:** Google/Platform maintainers must implement stricter, periodic security reviews for extensions whose ownership changes hands or those that receive significant feature updates, irrespective of prior endorsements.
- **User Hygiene Criticality:** Users must treat all browser extensions with suspicion, especially immediately following major updates or if an extension requests new, broad permissions.
- **Crypto User Protocol:** Users of browser-based crypto wallets should adopt a strict policy of only interacting with wallet functionality via official application interfaces, never through overlays or injected scripts, and should always prepare to migrate funds following a potential breach.