ShadyPanda Malware Patiently Spread Across Edge And Chrome Web Store For Years Before Activating
Sleeper Apps Awakened
ShadyPanda is a nasty project that ran invisibly for years, only to attempt to unleash devastation this year. The group behind it had been publishing useful apps to both the Chrome Web Store and the Edge marketplace, with some of those apps gaining Featured and Verified status on those platforms. The apps were handy tools that were downloaded millions of times and collected many great reviews on both stores. The group behind ShadyPanda was even nice enough to keep those apps updated as new versions of the browsers came out and bugs were discovered.
Unfortunately this was all in the name of evil, as they then released an update to those apps heavily laden with a variety of malware. Once an app received that update, it started to surveil everything, “checking api.extensionplay[.]com for new instructions every hour, downloading arbitrary JavaScript, and executing it with full browser API access. It can also inject malicious content into any website, including HTTPS connections.” This let them watch you browse in real time, or simply collect logs to upload later.
The malware was also bright enough to detect whether a user had fired up any developer tools, and if so the apps reverted to their innocent behaviour until there was no longer a risk of detection. The Chrome Web Store checks all updates to the apps it hosts, and caught what ShadyPanda was up to relatively quickly, though not before some machines were infected. It took until this week for those apps to disappear from the Edge Add-ons store.
If one of your favourite apps just disappeared from your browser, you might want to make sure to do a few scans of your machine!
The attackers, which Koi named ShadyPanda, played the long game: publishing legitimate extensions, accumulating thousands or sometimes millions of downloads over several years, and then pushing a malware-laden update that auto-updates across the entire user base.
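For anyone who wants to do the scan the article suggests, here is an added example (not from the article or from Koi's research) that audits unpacked browser extensions the way Chrome and Edge store them on disk (an `Extensions` folder laid out as `<id>/<version>/manifest.json`). It searches extension files for the command-and-control domain quoted above and reports whether the extension also holds the broad host access that let remotely loaded JavaScript reach every site; the sample extension directory it builds is constructed for the demonstration.

```python
"""Offline audit of unpacked browser extensions for the ShadyPanda indicator."""
import json
import re
import tempfile
from pathlib import Path

# Indicator quoted in the article (written there defanged as api.extensionplay[.]com).
# The pattern matches both the plain and the defanged spelling.
C2_DOMAIN = "api.extensionplay.com"
C2_PATTERN = re.compile(re.escape(C2_DOMAIN).replace(r"\.", r"\[?\.\]?"))
# Match patterns that grant an extension access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SCAN_SUFFIXES = {".js", ".json", ".html"}


def audit_extension(version_dir: Path) -> dict:
    """Return findings for one unpacked extension version directory."""
    try:
        manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError):
        manifest = {}
    # MV3 keeps host patterns in host_permissions, MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    hits = []
    for path in version_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            if C2_PATTERN.search(path.read_text(encoding="utf-8", errors="ignore")):
                hits.append(str(path.relative_to(version_dir)))
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "broad_host_access": bool(hosts & BROAD_HOSTS),
        "c2_indicator_files": sorted(hits),
    }


def audit_extensions_root(root: Path) -> list:
    """Audit every <id>/<version>/ tree under a Chrome or Edge Extensions directory."""
    return [audit_extension(mp.parent) for mp in sorted(root.glob("*/*/manifest.json"))]


def build_sample_root() -> Path:
    """Constructed sample tree: one benign extension, one carrying the indicator."""
    root = Path(tempfile.mkdtemp())
    benign = root / "aaaa" / "1.0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps(
        {"name": "Notes", "version": "1.0", "host_permissions": ["https://example.invalid/*"]}))
    (benign / "bg.js").write_text("console.log('hello');")
    bad = root / "bbbb" / "2.3"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps(
        {"name": "Handy Tool", "version": "2.3", "host_permissions": ["<all_urls>"]}))
    (bad / "bg.js").write_text("// constructed sample\nconst cfg = 'https://api.extensionplay[.]com/';")
    return root
```

Point `audit_extensions_root` at a real profile's `Extensions` directory (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows) to check installed extensions; any entry with indicator hits, or with broad host access you did not expect, is worth removing and investigating.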
More Tech News From Around The Web
- Microsoft “mitigates” Windows LNK flaw exploited as zero-day @ Bleeping Computer
- Google fixes two Android zero days exploited in attacks, 107 flaws @ Bleeping Computer
- Microsoft appears to move on from its most loyal ‘customers’ – Contoso and Fabrikam @ The Register
- Windows 11 Growth Slows As Millions Stick With Windows 10 @ Slashdot
- Syntax hacking: Researchers discover sentence structure can bypass AI safety rules @ Ars Technica
- Google’s Vibe Coding Platform Deletes Entire Drive @ Slashdot
- HPE brings Juniper Networking into its AMD Helios Rack-Scale AI Orbit @ ServeTheHome
- NVIDIA NVLink Fusion Tapped for Future AWS Trainium4 Deployments @ ServeTheHome
- India orders device makers to put government-run security app on all phones @ Ars Technica
- Samsung Debuts Its First Trifold Phone @ Slashdot
- Guitar amp sims have gotten astonishingly good @ Ars Technica
- ASUS ZenWiFi BQ16 review: Quad Band Mesh with Wi-Fi 7 @ KitGuru