Chrome Extension Scanner for WhatsApp Spamware (131+ Malicious Extensions)
PYTHON
Python scanner to detect 131+ compromised Chrome extensions targeting WhatsApp Web users. Identifies malicious extensions from the October 2025 spamware campaign (Socket.dev research) that inject code into WhatsApp to automate bulk messaging. Scans installed extensions, calculates risk scores, and generates detailed reports. Detects known malicious publishers (WL Extensão), suspicious permissions, and code injection patterns.
UPLOADED: 2025.10.24
ID: chrome-whatsapp-spamware-scanner //
LANG: Python //
LINES: 307
#!/usr/bin/env python3
"""
Chrome Extension Analyzer for WhatsApp Spamware Campaign
Detects the 131 compromised extensions targeting WhatsApp Web users
Based on Socket.dev research (October 2025)
"""
from __future__ import annotations

import argparse
import glob
import json
import os
import platform
from pathlib import Path
from typing import Dict, List, Set
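class ChromeExtensionAnalyzer:
    """Scan locally installed Chrome/Chromium extensions for indicators of the
    WhatsApp Web spamware campaign and collect findings for a summary report.

    Detection is heuristic: each indicator adds points to a per-extension
    risk score, and only extensions at or above ``SUSPICIOUS_THRESHOLD`` are
    recorded in ``self.findings``. A directory whose name is a known
    malicious extension ID is recorded immediately with ``KNOWN_ID_SCORE``.
    """

    # Score thresholds shared by the scan output and the summary report.
    SUSPICIOUS_THRESHOLD = 10
    HIGH_RISK_THRESHOLD = 15
    CRITICAL_THRESHOLD = 20
    # Score assigned to a directory whose name is a known malicious extension ID.
    KNOWN_ID_SCORE = 100

    # Substrings looked for in manifest permissions / host_permissions and the
    # reason each one is flagged. 'storage' and 'tabs' are common in benign
    # extensions; at 3 points each they stay below SUSPICIOUS_THRESHOLD unless
    # combined with other indicators.
    SUSPICIOUS_PERMISSIONS = {
        'web.whatsapp.com': 'WhatsApp Web access',
        '*://*/*': 'All URLs access',
        'webRequest': 'Web request interception',
        'webRequestBlocking': 'Blocking web requests',
        'storage': 'Local storage access',
        'tabs': 'Tab manipulation',
    }

    # Words in the manifest description that suggest bulk-messaging tooling.
    DESCRIPTION_KEYWORDS = ['bulk', 'mass', 'automation', 'crm']

    def __init__(self):
        # Publisher strings associated with the campaign; matched as substrings
        # of the manifest author/developer name.
        # NOTE(review): the two "[email protected]" entries look like redacted
        # e-mail addresses rather than real values — confirm against the source
        # research before relying on them.
        self.suspicious_publishers = [
            "WL Extensão",
            "WLExtensao",
            "[email protected]",
            "[email protected]"
        ]
        # Known compromised extension IDs from the research
        self.known_malicious_ids = {
            "mnbdaobmkdglnmiagimcniebbgebabek",  # Organize-C
        }
        # Known compromised extension names (exact match on manifest 'name')
        self.known_malicious_names = {
            "YouSeller",
            "performancemais",
            "Botflow",
            "ZapVende",
            "Organize-C",
            "Lobo Vendedor"
        }
        # Suspicious keywords in extension names; compared case-insensitively.
        self.suspicious_keywords = [
            "whatsapp",
            "zap",
            "crm",
            "bulk message",
            "mass message",
            "automation",
            "vendedor",
            "vendas",
            "DBX"
        ]
        # Accumulated per-extension findings (see _record_* helpers for shape).
        self.findings: List[Dict] = []

    def get_chrome_extensions_path(self) -> List[Path]:
        """Return the existing extension directories for the current OS.

        The "Default" profile is listed first, followed by any "Profile *"
        directories found under the same user-data directory. On Linux both
        google-chrome and chromium are checked. Directories that do not exist
        are omitted, so the result may be empty.
        """
        system = platform.system()
        user_data_dirs: List[Path] = []
        if system == "Windows":
            local_app_data = os.getenv('LOCALAPPDATA')
            if local_app_data:
                user_data_dirs.append(Path(local_app_data) / "Google" / "Chrome" / "User Data")
        elif system == "Darwin":  # macOS
            user_data_dirs.append(Path.home() / "Library" / "Application Support" / "Google" / "Chrome")
        elif system == "Linux":
            home = Path.home()
            user_data_dirs.append(home / ".config" / "google-chrome")
            user_data_dirs.append(home / ".config" / "chromium")

        paths: List[Path] = []
        for user_data in user_data_dirs:
            if not user_data.is_dir():
                continue
            # Chrome names additional profiles "Profile 1", "Profile 2", ...
            profiles = [user_data / "Default"] + sorted(user_data.glob("Profile *"))
            for profile in profiles:
                ext_dir = profile / "Extensions"
                if ext_dir.is_dir():
                    paths.append(ext_dir)
        return paths

    @staticmethod
    def _as_list(value) -> list:
        """Return *value* if it is a list, else an empty list (manifests are untrusted JSON)."""
        return value if isinstance(value, list) else []

    @staticmethod
    def _publisher_name(manifest: Dict) -> str:
        """Return the manifest 'author', else 'developer'.'name', else 'Unknown', as a string."""
        author = manifest.get('author')
        if author is None:
            developer = manifest.get('developer')
            if isinstance(developer, dict):
                author = developer.get('name')
        return str(author) if author is not None else 'Unknown'

    def analyze_manifest(self, manifest_path: Path) -> Dict:
        """Analyze an extension manifest.json for suspicious indicators.

        Args:
            manifest_path: path to a manifest.json file.

        Returns:
            On success a dict with keys ``manifest`` (the parsed JSON object),
            ``publisher`` (author/developer name or ``'Unknown'``),
            ``risk_score`` (int) and ``indicators`` (list of human-readable
            strings). If the file cannot be read, is not valid JSON, or is not
            a JSON object, a dict with a single ``error`` key is returned so
            the caller can skip it without aborting the scan.
        """
        try:
            with open(manifest_path, 'r', encoding='utf-8') as f:
                manifest = json.load(f)
        except (OSError, ValueError) as e:
            # Unreadable or malformed manifest: report rather than raise.
            return {'error': str(e)}
        if not isinstance(manifest, dict):
            return {'error': f"manifest is not a JSON object: {manifest_path}"}

        risk_score = 0
        indicators: List[str] = []

        # Check extension name. Keywords are lowercased so mixed-case entries
        # such as "DBX" can match the lowercased name.
        raw_name = manifest.get('name', '')
        name_text = str(raw_name)
        name = name_text.lower()
        if any(keyword.lower() in name for keyword in self.suspicious_keywords):
            risk_score += 2
            indicators.append(f"Suspicious name: {raw_name}")
        if name_text in self.known_malicious_names:
            risk_score += 10
            indicators.append(f"KNOWN MALICIOUS: {raw_name}")

        # Check permissions (MV2 'permissions' and MV3 'host_permissions').
        # Each matching substring adds points, so 'webRequestBlocking' also
        # matches 'webRequest' and scores twice.
        permissions = (self._as_list(manifest.get('permissions'))
                       + self._as_list(manifest.get('host_permissions')))
        for perm in permissions:
            perm_text = str(perm)
            for sus_perm, desc in self.SUSPICIOUS_PERMISSIONS.items():
                if sus_perm in perm_text:
                    risk_score += 3
                    indicators.append(f"Permission: {desc}")

        # Check for content scripts targeting WhatsApp
        for script in self._as_list(manifest.get('content_scripts')):
            matches = self._as_list(script.get('matches')) if isinstance(script, dict) else []
            if any('whatsapp.com' in str(match) for match in matches):
                risk_score += 5
                indicators.append("Content script injecting into WhatsApp Web")

        # Check background scripts/service workers. The str() search is a
        # coarse catch-all for 'service_worker' anywhere in the manifest.
        if 'background' in manifest or 'service_worker' in str(manifest):
            risk_score += 1
            indicators.append("Uses background script/service worker")

        # Check description for bulk/mass messaging keywords
        description = str(manifest.get('description', '')).lower()
        if any(keyword in description for keyword in self.DESCRIPTION_KEYWORDS):
            risk_score += 2
            indicators.append("Description mentions bulk/mass messaging")

        # Check publisher against the campaign's known publisher strings
        publisher = self._publisher_name(manifest)
        if any(sus_pub in publisher for sus_pub in self.suspicious_publishers):
            risk_score += 15
            indicators.append(f"SUSPICIOUS PUBLISHER: {publisher}")

        return {
            'manifest': manifest,
            'publisher': publisher,
            'risk_score': risk_score,
            'indicators': indicators
        }

    def scan_extensions(self) -> None:
        """Scan every installed extension directory and fill ``self.findings``.

        Prints progress and each recorded finding to stdout. A base directory
        that cannot be listed (e.g. permission denied) is reported and skipped.
        """
        print("🔍 Scanning Chrome extensions...\n")
        extension_dirs = self.get_chrome_extensions_path()
        if not extension_dirs:
            print("❌ Chrome extensions directory not found!")
            return

        for ext_base_dir in extension_dirs:
            print(f"📁 Checking: {ext_base_dir}\n")
            try:
                # Each extension has its own folder named after the extension ID
                ext_id_dirs = [p for p in ext_base_dir.iterdir() if p.is_dir()]
            except OSError as e:
                print(f"⚠️ Cannot read {ext_base_dir}: {e}\n")
                continue
            for ext_id_dir in sorted(ext_id_dirs):
                self._scan_extension_dir(ext_id_dir)

    def _scan_extension_dir(self, ext_id_dir: Path) -> None:
        """Scan one ``<extensions>/<id>`` directory.

        A known malicious ID is recorded at once (its manifests are not
        analyzed). Otherwise every version sub-directory holding a
        manifest.json is analyzed and recorded if it reaches the threshold.
        """
        ext_id = ext_id_dir.name
        if ext_id in self.known_malicious_ids:
            print("🚨 CRITICAL: Known malicious extension found!")
            print(f" Extension ID: {ext_id}")
            print(f" Location: {ext_id_dir}\n")
            self.findings.append({
                'id': ext_id,
                'location': str(ext_id_dir),
                'status': 'KNOWN_MALICIOUS',
                'risk_score': self.KNOWN_ID_SCORE
            })
            return

        try:
            version_dirs = sorted(p for p in ext_id_dir.iterdir() if p.is_dir())
        except OSError as e:
            print(f"⚠️ Cannot read {ext_id_dir}: {e}\n")
            return

        for version_dir in version_dirs:
            manifest_path = version_dir / 'manifest.json'
            if not manifest_path.exists():
                continue
            analysis = self.analyze_manifest(manifest_path)
            if 'error' in analysis:
                # Unparseable manifest: nothing to score, move on.
                continue
            if analysis['risk_score'] >= self.SUSPICIOUS_THRESHOLD:
                self._record_finding(ext_id, version_dir, analysis)

    def _record_finding(self, ext_id: str, version_dir: Path, analysis: Dict) -> None:
        """Print one scored extension and append it to ``self.findings``."""
        manifest = analysis['manifest']
        risk_score = analysis['risk_score']
        indicators = analysis['indicators']
        publisher = analysis['publisher']

        status = "⚠️ HIGH RISK" if risk_score >= self.HIGH_RISK_THRESHOLD else "⚠️ SUSPICIOUS"
        print(status)
        print(f" Extension: {manifest.get('name', 'Unknown')}")
        print(f" ID: {ext_id}")
        print(f" Version: {manifest.get('version', 'Unknown')}")
        print(f" Publisher: {publisher}")
        print(f" Risk Score: {risk_score}")
        print(f" Location: {version_dir}")
        if indicators:
            print(" Indicators:")
            for ind in indicators:
                print(f" • {ind}")
        print()

        self.findings.append({
            'name': manifest.get('name', 'Unknown'),
            'id': ext_id,
            'version': manifest.get('version', 'Unknown'),
            'publisher': publisher,
            'location': str(version_dir),
            'risk_score': risk_score,
            'indicators': indicators,
            'manifest': manifest
        })

    def generate_report(self, output_file: str | None = None) -> None:
        """Print a summary of ``self.findings`` and optionally save them as JSON.

        Args:
            output_file: path of the JSON file to write; ``None`` skips the
                file. Values that are not JSON-serializable are stringified.

        Raises:
            OSError: if *output_file* cannot be written.
        """
        if not self.findings:
            print("✅ No suspicious extensions detected!")
            return

        separator = '=' * 60
        print(f"\n{separator}")
        print("📊 ANALYSIS SUMMARY")
        print(separator)
        print(f"Total suspicious extensions found: {len(self.findings)}")

        def score(finding: Dict) -> int:
            return finding.get('risk_score', 0)

        critical = [f for f in self.findings
                    if f.get('status') == 'KNOWN_MALICIOUS' or score(f) >= self.CRITICAL_THRESHOLD]
        high_risk = [f for f in self.findings
                     if self.HIGH_RISK_THRESHOLD <= score(f) < self.CRITICAL_THRESHOLD]
        suspicious = [f for f in self.findings
                      if self.SUSPICIOUS_THRESHOLD <= score(f) < self.HIGH_RISK_THRESHOLD]
        print(f" 🚨 Critical: {len(critical)}")
        print(f" ⚠️ High Risk: {len(high_risk)}")
        print(f" ⚠️ Suspicious: {len(suspicious)}")

        print(f"\n{separator}")
        print("🎯 RECOMMENDED ACTIONS")
        print(separator)
        print("1. IMMEDIATELY remove any critical/known malicious extensions")
        print("2. Review high-risk extensions carefully")
        print("3. Check browser for unusual WhatsApp Web activity")
        print("4. Change passwords if you used WhatsApp Web with these extensions")
        print("5. Report extensions to Chrome Web Store")

        if output_file:
            with open(output_file, 'w', encoding='utf-8') as f:
                # default=str: manifests may contain values json cannot encode.
                json.dump(self.findings, f, indent=2, default=str)
            print(f"\n💾 Detailed report saved to: {output_file}")

    def print_extension_list(self) -> None:
        """Print the known malicious names, IDs and publisher strings for reference."""
        separator = '=' * 60
        print(f"\n{separator}")
        print("📋 COMPROMISED EXTENSIONS LIST")
        print(separator)

        sections = (
            ("\nKnown malicious extension names:", self.known_malicious_names),
            ("\nKnown malicious extension IDs:", self.known_malicious_ids),
            ("\nSuspicious publishers to watch for:", self.suspicious_publishers),
        )
        for heading, entries in sections:
            print(heading)
            for entry in sorted(entries):
                print(f" • {entry}")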
def main():
    """Command-line entry point: parse options, run the scan, print the report.

    Options:
        --output/-o  JSON file for detailed findings (always written; defaults
                     to chrome_extension_findings.json).
        --list/-l    Also print the known compromised extension list first.
    """
    arg_parser = argparse.ArgumentParser(
        description='Analyze Chrome extensions for WhatsApp spamware campaign indicators'
    )
    arg_parser.add_argument(
        '--output', '-o',
        default='chrome_extension_findings.json',
        help='Output JSON file for detailed findings',
    )
    arg_parser.add_argument(
        '--list', '-l',
        action='store_true',
        help='Print list of known compromised extensions',
    )
    options = arg_parser.parse_args()

    banner = "=" * 60
    for line in (
        banner,
        "Chrome Extension Analyzer for WhatsApp Spamware",
        "Detecting 131+ compromised extensions (October 2025)",
        banner,
        "",
    ):
        print(line)

    analyzer = ChromeExtensionAnalyzer()
    if options.list:
        analyzer.print_extension_list()
    # The scan always runs, even when only the list was requested.
    analyzer.scan_extensions()
    analyzer.generate_report(options.output)
# Run the scanner only when executed as a script, not when imported.
if __name__ == "__main__":
    main()