Bleeping Computer reports that the backdoor code was clearly either introduced into the extension intentionally (by the developer) or appeared there after a compromise.
According to journalists, both SearchBlox extensions in the Chrome Web Store are compromised (their identifiers are blddohgncmehcepnokognejaaahehncd and ccjalhebkdogpobnbdhfpincfeohonni).
In the ad, both extensions promised to help “find the right player on the Roblox servers at lightning speed”, and both contain a backdoor.
Users raised their suspicions about SearchBlox earlier this week. The RTC account, which publishes unofficial Roblox news, tweeted that SearchBlox has been compromised and infected with a backdoor, strongly advising users to remove it and change their passwords.
The journalists decided to check this information: they downloaded both versions of SearchBlox and did find a backdoor in the content.js and button.js files. According to the publication, the malicious code transmits the logged data of Roblox users to the releasethen[.]site address. In addition, the malicious code is activated when viewing a player's profile on Rolimons.com, the Roblox trading platform.
According to the publication, this is not the first SearchBlox attack on users: in October of this year, Google already removed another version of the extension from the Chrome Web Store, where it had been distributed since June 28, 2022.
It is not yet clear whether the backdoor was introduced into the extension as a result of a compromise, or whether it was intentionally added by the developer himself. Roblox community members have a theory that the developer of the extensions is Unstoppablelucent, whose inventory increased noticeably overnight, while the Rolimons user ccfont was deleted due to suspicious transactions.
The publication warns that all SearchBlox users should immediately remove the malware, clear cookies, and change passwords for Roblox, Rolimons, and other sites they may have accessed while using the extension.
Bleeping Computer notified Google engineers of the discovery, and a company spokesperson has now confirmed that the extensions have been removed from the Chrome Web Store and will be automatically removed from systems where they are installed.
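A local check for the two extension IDs named above, as an added example that is not from Bleeping Computer or the original article. It assumes Chrome's default user-data locations and on-disk extension layout, and the tree built in `demo()` is constructed sample data.

```python
import tempfile
from pathlib import Path

# Extension IDs the article names as the two backdoored SearchBlox builds.
SEARCHBLOX_IDS = {"blddohgncmehcepnokognejaaahehncd",
                  "ccjalhebkdogpobnbdhfpincfeohonni"}
# Exfiltration host from the article, kept defanged in source.
EXFIL_HOST = "releasethen[.]site".replace("[.]", ".")
# Default Chrome "User Data" locations relative to $HOME (Windows, macOS, Linux).
CHROME_DIRS = ("AppData/Local/Google/Chrome/User Data",
               "Library/Application Support/Google/Chrome",
               ".config/google-chrome")

def find_searchblox(user_data_dir):
    """Return one finding per installed version of a listed extension ID."""
    findings = []
    # On-disk layout: <User Data>/<profile>/Extensions/<extension id>/<version>/
    for ext_dir in Path(user_data_dir).glob("*/Extensions/*"):
        if ext_dir.name not in SEARCHBLOX_IDS or not ext_dir.is_dir():
            continue
        for version_dir in sorted(d for d in ext_dir.iterdir() if d.is_dir()):
            # Plain string match is a hint only: obfuscated code would not hit,
            # so the ID match alone is already a finding.
            hits = sorted(js.name for js in version_dir.rglob("*.js")
                          if EXFIL_HOST in js.read_text("utf-8", "ignore"))
            findings.append({"profile": ext_dir.parent.parent.name,
                             "id": ext_dir.name,
                             "version": version_dir.name,
                             "js_with_exfil_host": hits})
    return findings

def demo():
    """Scan a constructed profile tree (sample data, not a real Chrome profile)."""
    root = Path(tempfile.mkdtemp())
    bad = root / "Default/Extensions/blddohgncmehcepnokognejaaahehncd/1.0_0"
    other = root / "Profile 1/Extensions/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/2.0_0"
    for d in (bad, other):
        d.mkdir(parents=True)
    (bad / "content.js").write_text(f'fetch("https://{EXFIL_HOST}/c")')
    (bad / "button.js").write_text("console.log('ui only');")
    (other / "content.js").write_text(f'// mentions {EXFIL_HOST} but ID not listed')
    return find_searchblox(root)

if __name__ == "__main__":
    for rel in CHROME_DIRS:
        for finding in find_searchblox(Path.home() / rel):
            print(finding)
```

A finding on a real profile means the removal, cookie-clearing and password-change steps above apply to that profile.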