The malware hidden in the extensions can redirect users to ads or phishing sites, as well as steal personal data such as birth dates and email addresses.
Avast estimates that three million people may be affected by this issue.
According to the company, the extensions are:
Direct Message for Instagram
DM for Instagram
Invisible mode for Instagram Direct Message
Downloader for Instagram
Instagram Download Video & Image
App Phone for Instagram
Stories for Instagram
Universal Video Downloader
Video Downloader for FaceBook™
Vimeo™ Video Downloader
VK UnBlock. Works fast.
Odnoklassniki UnBlock. Works quickly.
Upload photo to Instagram™
Stories for Instagram
Pretty Kitty, The Cat Pet
Video Downloader for YouTube
SoundCloud Music Downloader
Instagram App with Direct Message DM
(There are fewer than 25 extensions in this list as some are available for both Chrome and Edge.)
Some of the extensions that simplify downloading videos have the ability to download further malware onto a user's PC.
Other malicious capabilities include phoning home every time the user clicks on a link (and optionally redirecting them to a different URL before going to the intended page), and collecting the user's birth date, email address, and device information including first sign-in time, last login time, device name, operating system, the browser used and its version, and IP addresses.
IP addresses can be used with varying success to determine the user's approximate geographical location.
Avast researchers believe the motivation was financial, as some sites pay for traffic.
"Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular, and then pushed an update containing the malware. It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards," said Avast malware researcher Jan Rubín.
"The extensions' backdoors are well-hidden and the extensions only start to exhibit malicious behaviour days after installation, which made it hard for any security software to discover."
Avast suspects the malware may have been around for two years or more.
The malware is quite stealthy. According to Avast malware researcher Jan Vojtěšek, "the virus detects if the user is googling one of its domains or, for instance, if the user is a web developer and, if so, won't perform any malicious activities on their browsers. It avoids infecting people more skilled in web development, since they could more easily find out what the extensions are doing in the background."
At least some of the infected extensions were still available for download at the time of writing, even though Avast had reported them to Microsoft and Google.
Avast's recommendation is that "users disable or uninstall the extensions for now until the problem is resolved and then scan for and remove the malware."
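A practical way to act on that recommendation is to check a Chrome or Edge profile for extensions whose display name matches the names in the list above. The script below is an added example written for this article; it is not Avast's tooling and not code from the extension authors. It assumes the standard on-disk layout of a Chromium profile (Extensions/<id>/<version>/manifest.json, with localized names resolved through _locales/<default_locale>/messages.json), and it matches on name only, because the article gives no extension IDs; a name match is therefore an indicator to follow up on, not proof of infection. The sample manifests at the bottom are constructed so the script can be exercised without a real profile.

```python
"""Flag installed Chrome/Edge extensions whose names match the Avast list.

Added example for this article (not Avast's code). Matching is by display
name only, since the article does not publish extension IDs.
"""
from __future__ import annotations

import json
import re
import sys
from pathlib import Path
from typing import Optional

# Names exactly as listed in the article. "Stories for Instagram" appears
# twice there (Chrome and Edge builds); a set collapses the duplicate.
LISTED_NAMES = {
    "Direct Message for Instagram", "DM for Instagram",
    "Invisible mode for Instagram Direct Message", "Downloader for Instagram",
    "Instagram Download Video & Image", "App Phone for Instagram",
    "Stories for Instagram", "Universal Video Downloader",
    "Video Downloader for FaceBook™", "Vimeo™ Video Downloader",
    "VK UnBlock. Works fast.", "Odnoklassniki UnBlock. Works quickly.",
    "Upload photo to Instagram™", "Pretty Kitty, The Cat Pet",
    "Video Downloader for YouTube", "SoundCloud Music Downloader",
    "Instagram App with Direct Message DM",
}

_TRADEMARKS = re.compile("[\u2122\u00ae]")  # ™ and ® are often dropped or added
_WHITESPACE = re.compile(r"\s+")
_MSG_REF = re.compile(r"^__MSG_(\w+)__$")  # Chromium i18n placeholder syntax


def normalize(name: str) -> str:
    """Case-fold and strip trademark glyphs, extra spaces and a trailing dot."""
    name = _TRADEMARKS.sub("", name)
    return _WHITESPACE.sub(" ", name).strip().rstrip(".").lower()


_NORMALIZED_LIST = {normalize(n) for n in LISTED_NAMES}


def is_listed(name: str) -> bool:
    return normalize(name) in _NORMALIZED_LIST


def resolve_name(manifest: dict, messages: Optional[dict] = None) -> str:
    """Return the display name, resolving __MSG_key__ via messages.json."""
    raw = manifest.get("name", "")
    ref = _MSG_REF.match(raw)
    if not ref:
        return raw
    return (messages or {}).get(ref.group(1), {}).get("message", raw)


def flag(ext_id: str, manifest: dict, messages: Optional[dict]) -> Optional[tuple]:
    """(id, version, name) if the extension's name is on the list, else None."""
    name = resolve_name(manifest, messages)
    if is_listed(name):
        return (ext_id, manifest.get("version", "?"), name)
    return None


def load_extension(ext_dir: Path) -> tuple[dict, Optional[dict]]:
    """Read manifest.json and, if the name is localized, its messages.json."""
    manifest = json.loads((ext_dir / "manifest.json").read_text("utf-8-sig"))
    messages = None
    locale = manifest.get("default_locale")
    if locale:
        msg_path = ext_dir / "_locales" / locale / "messages.json"
        if msg_path.is_file():
            messages = json.loads(msg_path.read_text("utf-8-sig"))
    return manifest, messages


def scan_extensions_dir(extensions_dir: Path) -> list[tuple]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and flag matches."""
    findings = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_dir = manifest_path.parent
        try:
            manifest, messages = load_extension(ext_dir)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, don't crash
        hit = flag(ext_dir.parent.name, manifest, messages)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample data (not real extension IDs) for offline use.
SAMPLE_EXTENSIONS = [
    ("constructed-id-a", {"name": "Video Downloader for FaceBook", "version": "1.0"}, None),
    ("constructed-id-b", {"name": "__MSG_appName__", "default_locale": "en", "version": "2.1"},
     {"appName": {"message": "Stories for Instagram"}}),
    ("constructed-id-c", {"name": "My Harmless Notes", "version": "0.3"}, None),
]


def flag_sample() -> list[tuple]:
    return [h for h in (flag(*entry) for entry in SAMPLE_EXTENSIONS) if h]


if __name__ == "__main__":
    # Usage: python flag_extensions.py "<profile>/Extensions"
    hits = scan_extensions_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else flag_sample()
    for ext_id, version, name in hits:
        print(f"LISTED: {name!r} (id={ext_id}, version={version})")
```

Point the script at the profile's Extensions folder (for example the Default profile under Chrome's or Edge's "User Data" directory on Windows, or ~/.config/google-chrome/Default/Extensions on Linux). Anything it reports should be disabled or uninstalled from the browser's extension page, followed by a malware scan, as Avast advises; an empty result does not rule out a renamed or updated copy, since the match is by name alone.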