
topicnews · August 30, 2024

Keylogger hidden in the Pidgin extension

A malicious extension for the Pidgin messenger was offered for almost six weeks as an officially listed plug-in download before it was discovered.

The developers of Pidgin recently announced on their blog that they had officially listed the ss-otr plug-in as a download on their website on July 6. On August 16, a warning from developer 0xFFFC0000 revealed that a keylogger was hidden inside it.

The malware is a screen-capturing tool that sends screenshots to a server controlled by the attackers at short intervals, letting them see everything entered on the victim’s screen. Such methods are typically used by government (“federal”) trojans or by criminals to steal victims’ login data.

Pidgin had offered the extension as a download


“We immediately removed the plugin from the list and investigated. On August 22, Johnny Xmas was able to confirm that a keylogger was present”, the developers write. As a result, the third-party extension was removed from their own download page. Anyone who has installed this Pidgin extension must uninstall it immediately for their own safety.

In July, nobody noticed that the unknown creators of the plug-in had not provided any source code, only finished binaries for download. “In the future we will require that all plugins we link to have an OSI-approved open source license”, the developers write on their blog. An open-source license means the source code can always be thoroughly reviewed by third parties, which is intended to ensure that the software cannot hide malware.

Simply uninstalling is not enough

Deleting the extension and scanning your PC for malware is not enough. Often a keylogger has dug itself so deeply into the operating system that a complete reinstallation is necessary. It is not known how many downloads were made from the Pidgin website, so it is unclear how many systems are affected.

Creator of the Darkgate malware is suspected to be the author

On X, security researchers from Eset announced that the maker of the Darkgate malware had offered further extensions for download on a fake plug-in website. That website, jabberplugins.net, is now offline. The extensions OMEMO, Pidgin Paranoia, Master Password, Window Merge, HTTP File Upload and possibly others were offered there for download.


Eset’s researchers suspect that these are infected as well. They examined the Pidgin OTR encryption extension for Linux and Windows and confirmed that it contained the keylogger.

Pidgin has become increasingly popular since 1998

The instant messenger Pidgin is very popular. It allows you to use numerous chat networks such as Jabber/XMPP, Bonjour, Gadu-Gadu, IRC, Micro Focus GroupWise Messenger (formerly from Novell), HCL Sametime (formerly from Lotus/IBM), SILC, SIMPLE and Zephyr at the same time, and the available plug-ins add support for many other networks. Pidgin is also known to be popular with cyber criminals because it lets them communicate end-to-end encrypted without much effort.