A Combined Static and Dynamic Analysis Approach to Detect Malicious Browser Extensions

<table class="algorithm-group"><tr><td><table class="algorithm" id="alg1"><tr><td colspan="2"> <svg height="11.5564pt" id="M1" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 6.80666 11.5564" width="6.80666pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M293 -169V-141C218 -131 209 -90 209 -44C209 19 222 85 222 152C222 207 198 255 139 269V273C199 286 222 334 222 388C222 454 209 523 209 588C209 632 218 671 293 681V709C234 709 148 695 148 577C147 513 155 438 155 372C155 337 152 291 64 285V256C152 250 155 204 155 169C156 105 148 31 148 -41C148 -157 234 -169 293 -169Z" id="g113-124"></path></g></svg></td></tr><tr><td colspan="2"> “name”: “Chrome Extension”,</td></tr><tr><td colspan="2"> “version”: “1.1”,</td></tr><tr><td colspan="2"> “manifest_version”: 2,</td></tr><tr><td colspan="2"> “browser_action”: <svg height="11.5564pt" id="M2" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 6.80666 11.5564" width="6.80666pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M293 -169V-141C218 -131 209 -90 209 -44C209 19 222 85 222 152C222 207 198 255 139 269V273C199 286 222 334 222 388C222 454 209 523 209 588C209 632 218 671 293 681V709C234 709 148 695 148 577C147 513 155 438 155 372C155 337 152 291 64 285V256C152 250 155 204 155 169C156 105 148 31 148 -41C148 -157 234 -169 293 -169Z" id="g113-124"></path></g></svg></td></tr><tr><td colspan="2">  “default_title”: “…”,</td></tr><tr><td colspan="2">  “default_popup”: “popup.html”</td></tr><tr><td colspan="2"> <span class="nowrap"><svg height="11.5564pt" id="M3" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 6.80666 11.5564" width="6.80666pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,2.179,0)"><path d="M283 255V284C195 290 192 337 192 375C192 436 200 508 200 580C200 696 116 709 54 709V681C127 671 139 634 139 588C138 524 125 452 125 387C125 333 149 286 209 272V268C148 253 125 206 125 151C126 87 139 16 139 -47C139 -92 127 -131 54 -141V-169C115 -169 200 -152 200 -41C200 32 192 104 192 164C192 202 195 249 283 255Z" id="g113-126"></path></g></svg>,</span></td></tr><tr><td colspan="2"> “permissions”: <svg height="11.439pt" id="M4" style="vertical-align:-2.15067pt" version="1.1" viewbox="-0.0498162 -9.28833 8.95969 11.439" width="8.95969pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M290 -163V-135C183 -126 181 -122 181 -44V583C181 662 184 666 290 675V703H120V-163H290Z" id="g113-92"></path></g></svg>“bookmarks”, “https://<span class="nowrap"><svg height="6.01072pt" id="M5" style="vertical-align:-0.04980993pt" version="1.1" viewbox="-0.0498162 -5.96091 7.75925 6.01072" width="7.75925pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M471 153C471 170 463 194 452 212C400 220 373 229 322 255C373 281 400 290 452 298C463 316 471 339 471 357C456 366 431 371 410 370C377 329 356 310 308 279C311 336 317 364 336 413C326 432 310 451 294 459C279 451 262 432 252 413C271 364 277 336 280 279C232 310 211 329 178 370C157 371 132 367 117 357C117 340 125 316 136 298C188 290 215 281 266 255C215 229 188 220 136 212C125 194 117 171 117 153C132 144 157 139 178 140C211 181 232 200 280 231C277 174 271 146 252 97C262 78 278 59 294 51C309 59 326 78 336 97C317 146 311 174 308 231C356 200 377 181 410 140C431 139 456 143 471 153Z" id="g113-43"></path></g></svg>.</span>google.com/”<span class="nowrap"><svg height="11.439pt" id="M6" style="vertical-align:-2.15067pt" version="1.1" viewbox="-0.0498162 -9.28833 4.60146 11.439" width="4.60146pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M226 -163V703H56V676C162 667 165 662 165 584V-43C165 -122 162 -126 56 -136V-163H226Z" id="g113-94"></path></g></svg>,</span></td></tr><tr><td colspan="2"> “background”: <svg height="11.5564pt" id="M7" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 6.80666 11.5564" width="6.80666pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M293 -169V-141C218 -131 209 -90 209 -44C209 19 222 85 222 152C222 207 198 255 139 269V273C199 286 222 334 222 388C222 454 209 523 209 588C209 632 218 671 293 681V709C234 709 148 695 148 577C147 513 155 438 155 372C155 337 152 291 64 285V256C152 250 155 204 155 169C156 105 148 31 148 -41C148 -157 234 -169 293 -169Z" id="g113-124"></path></g></svg></td></tr><tr><td colspan="2">  “scripts”: <svg height="11.439pt" id="M8" style="vertical-align:-2.15067pt" version="1.1" viewbox="-0.0498162 -9.28833 4.60146 11.439" width="4.60146pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M290 -163V-135C183 -126 181 -122 181 -44V583C181 662 184 666 290 675V703H120V-163H290Z" id="g113-92"></path></g></svg>“bj.js”<span class="nowrap"><svg height="11.439pt" id="M9" style="vertical-align:-2.15067pt" version="1.1" viewbox="-0.0498162 -9.28833 4.60146 11.439" width="4.60146pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M226 -163V703H56V676C162 667 165 662 165 584V-43C165 -122 162 -126 56 -136V-163H226Z" id="g113-94"></path></g></svg>,</span></td></tr><tr><td colspan="2">  “persistent”: false</td></tr><tr><td colspan="2"> <span class="nowrap"><svg height="11.5564pt" id="M10" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 6.80666 11.5564" width="6.80666pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,2.179,0)"><path d="M283 255V284C195 290 192 337 192 375C192 436 200 508 200 580C200 696 116 709 54 709V681C127 671 139 634 139 588C138 524 125 452 125 387C125 333 149 286 209 272V268C148 253 125 206 125 151C126 87 139 16 139 -47C139 -92 127 -131 54 -141V-169C115 -169 200 -152 200 -41C200 32 192 104 192 164C192 202 195 249 283 255Z" id="g113-126"></path></g></svg>,</span></td></tr><tr><td colspan="2"> “content_scripts”: <svg height="11.439pt" id="M11" style="vertical-align:-2.15067pt" version="1.1" viewbox="-0.0498162 -9.28833 4.60146 11.439" width="4.60146pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M290 -163V-135C183 -126 181 -122 181 -44V583C181 662 184 666 290 675V703H120V-163H290Z" id="g113-92"></path></g></svg></td></tr><tr><td colspan="2"> <svg height="11.5564pt" id="M12" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 6.80666 11.5564" width="6.80666pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M293 -169V-141C218 -131 209 -90 209 -44C209 19 222 85 222 152C222 207 198 255 139 269V273C199 286 222 334 222 388C222 454 209 523 209 588C209 632 218 671 293 681V709C234 709 148 695 148 577C147 513 155 438 155 372C155 337 152 291 64 285V256C152 250 155 204 155 169C156 105 148 31 148 -41C148 -157 234 -169 293 -169Z" id="g113-124"></path></g></svg></td></tr><tr><td colspan="2">  “js”: <svg height="11.439pt" id="M13" style="vertical-align:-2.15067pt" version="1.1" viewbox="-0.0498162 -9.28833 4.60146 11.439" width="4.60146pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M290 -163V-135C183 -126 181 -122 181 -44V583C181 662 184 666 290 675V703H120V-163H290Z" id="g113-92"></path></g></svg>“jquery.js”, “myscripts.js”<svg height="11.439pt" id="M14" style="vertical-align:-2.15067pt" version="1.1" viewbox="-0.0498162 -9.28833 4.60146 11.439" width="4.60146pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M226 -163V703H56V676C162 667 165 662 165 584V-43C165 -122 162 -126 56 -136V-163H226Z" id="g113-94"></path></g></svg></td></tr><tr><td colspan="2"> <svg height="11.5564pt" id="M15" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 6.80666 11.5564" width="6.80666pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,2.179,0)"><path d="M283 255V284C195 290 192 337 192 375C192 436 200 508 200 580C200 696 116 709 54 709V681C127 671 139 634 139 588C138 524 125 452 125 387C125 333 149 286 209 272V268C148 253 125 206 125 151C126 87 139 16 139 -47C139 -92 127 -131 54 -141V-169C115 -169 200 -152 200 -41C200 32 192 104 192 164C192 202 195 249 283 255Z" id="g113-126"></path></g></svg>],</td></tr><tr><td colspan="2"> “content_security_policy”: “script-src ‘self’ ‘unsafe-eval’ https://<span class="nowrap"><svg height="6.01072pt" id="M16" style="vertical-align:-0.04980993pt" version="1.1" viewbox="-0.0498162 -5.96091 7.75925 6.01072" width="7.75925pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M471 153C471 170 463 194 452 212C400 220 373 229 322 255C373 281 400 290 452 298C463 316 471 339 471 357C456 366 431 371 410 370C377 329 356 310 308 279C311 336 317 364 336 413C326 432 310 451 294 459C279 451 262 432 252 413C271 364 277 336 280 279C232 310 211 329 178 370C157 371 132 367 117 357C117 340 125 316 136 298C188 290 215 281 266 255C215 229 188 220 136 212C125 194 117 171 117 153C132 144 157 139 178 140C211 181 232 200 280 231C277 174 271 146 252 97C262 78 278 59 294 51C309 59 326 78 336 97C317 146 311 174 308 231C356 200 377 181 410 140C431 139 456 143 471 153Z" id="g113-43"></path></g></svg>.</span>google.com;”</td></tr><tr><td colspan="2"> <svg height="11.5564pt" id="M17" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 6.80666 11.5564" width="6.80666pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,2.179,0)"><path d="M283 255V284C195 290 192 337 192 375C192 436 200 508 200 580C200 696 116 709 54 709V681C127 671 139 634 139 588C138 524 125 452 125 387C125 333 149 286 209 272V268C148 253 125 206 125 151C126 87 139 16 139 -47C139 -92 127 -131 54 -141V-169C115 -169 200 -152 200 -41C200 32 192 104 192 164C192 202 195 249 283 255Z" id="g113-126"></path></g></svg></td></tr></table></td></tr></table>

Security and Communication Networks

alg1

Algorithm 1

Algorithm 1: A Combined Static and Dynamic Analysis Approach to Detect Malicious Browser Extensions 