4.3 Million Browsers Infected: Uncovering ShadyPanda's 7-Year Malware Campaign

Summary: Recently, security firm Koi.ai released a bombshell report exposing a threat group named ShadyPanda. Over the past 7 years, this group has infected more than 4.3 million users by distributing malicious browser extensions through Chrome and Edge stores. The report indicates that multiple well-known extensions, including Clean Master, WeTab, and Infinity, have been used as spyware to collect sensitive data such as user browsing history, search records, and even cookies.

---

7 Years of Planning, 4 Phases

According to Koi.ai researcher Tuval Admoni, ShadyPanda's attack activities can be traced back 7 years, with strategies continuously evolving from simple ad fraud to comprehensive browser monitoring.

Phase 1: The "Wallpaper and Productivity Tools" Scam (2023)

Initially, ShadyPanda released 145 extensions disguised as wallpaper or productivity tools (mainly in the Edge store). These extensions profited by injecting affiliate codes (Affiliate Fraud). When users visited shopping sites like Amazon and eBay, the extensions would quietly replace links to earn commissions. Although not technically sophisticated, this gave attackers a taste of success: users trust extensions with high install counts, and app store reviews primarily focus on initial submissions.

Phase 2: Search Hijacking (Early 2024)

Subsequently, attackers became bolder. Extensions represented by Infinity V+ began hijacking users' search traffic, redirecting it to known hijacking sites like trovi.com. More seriously, they started collecting users' search queries (even real-time input before users pressed Enter) and cookies from specific domains, sending the data to attackers' servers.

Phase 3: The Long Game

This phase was the most deceptive. ShadyPanda acquired or developed 5 extensions including Clean Master, allowing them to operate legitimately for years, accumulating hundreds of thousands of users, and even earning "Featured" and "Verified" badges from stores.

It wasn't until mid-2024 that attackers pushed malicious code through automatic update mechanisms. These extensions were implanted with Remote Code Execution (RCE) backdoors, downloading and executing arbitrary JavaScript code from control servers every hour. This means attackers could change extension behavior at any time, transitioning from monitoring to ransomware or credential theft.

Phase 4: The Spyware Empire (4 Million+ Users)

This is currently the most impactful phase. The report indicates that 5 other extensions operated by ShadyPanda in the Edge store (including WeTab and Infinity with 3 million users) are actually powerful spyware.

These extensions are accused of collecting and exfiltrating the following data:

• Complete browsing history: Every URL visited.
• Search queries: Recording every user search.
• Page interactions: Mouse click coordinates, dwell time, etc.
• Browser fingerprints: Screen resolution, User Agent, timezone, etc.
• Cookies and storage data: Having permissions to read all cookies and local storage.

According to reports, this data was sent to servers located in China as well as Google Analytics.

---

User Community Response

This incident has sparked strong reactions across major tech communities. Many long-term users expressed shock and anger, while others began searching for alternatives.

In the Linux.do community, users expressed concerns about data breaches:

On V2EX, users also posted:

Users in the NodeLoc community expressed relief at not being affected and reminded each other to stay vigilant about security.

These authentic voices reflect users' concern for privacy and security, as well as disappointment at being "backstabbed" by tools they once trusted.

Technical Details and Harm

The report provides detailed analysis of ShadyPanda's technical methods:

• RCE Backdoor: Infected extensions regularly check api.extensionplay[.]com, downloading and executing obfuscated JavaScript code.
• Anti-Analysis: Malicious code detects whether developer tools are open, and if debugging behavior is detected, it stops malicious activities to evade analysis.
• Man-in-the-Middle Attack Capability: Through Service Workers, malicious extensions can intercept and modify network traffic, even injecting malicious content into HTTPS connections.

Official Response and Controversy

In response to Koi.ai's allegations, the WeTab and Infinity teams quickly released response statements (see Official Statement).

The teams stated:

1. Clean Master Chrome version was sold to a third party long ago, and subsequent malicious updates are unrelated to the original team.
2. WeTab and Infinity are independently operated products with code different from Clean Master, containing no backdoors or malicious monitoring.
3. Extensions were removed because they used the same developer account as Clean Master and were "guilty by association," not because the products themselves contained malicious code.
4. Collected data is only used for basic product functions (such as syncing, statistics), does not involve privacy, and the teams have invited third-party organizations to conduct security audits.

Recommendations for Users

Regardless of the facts, browser extension security risks always exist. Security experts recommend:

• Review extension permissions: Try to avoid installing extensions that request "read and change all data on all websites" permissions unless absolutely necessary.
• Regular cleanup: Uninstall extensions that are no longer used.
• Pay attention to official notices: Watch for security warnings and removal notifications from browser stores.

Currently, Microsoft Edge and Chrome stores have removed some of the involved extensions, but according to the report, some extensions are still accessible in the Edge store. Users should remain vigilant and decide whether to continue using related products based on their own judgment.

---

Reference sources: Koi.ai Blog, BleepingComputer, V2EX Discussion