Is RoRegion – Reduce Lag, Ping & Boost FPS: Roblox Region Selector safe?

Analysis summary

Malware versions

16.3

malware

16.2

malware

16.1

malware

Findings

Malicious Activity Detected

Flags items that exhibit confirmed malicious activity.

critical

Evidence

This extension injects arbitrary content into Roblox pages via a remote code injection backdoor by fetching and executing content from `https://sheetcdn.net/primary.css`, enabling potential phishing and credential theft. It also manipulates UI elements by hiding specific sections without user disclosure, collects authenticated user Roblox IDs, and uses MutationObserver to lock page elements in place. These behaviors pose significant security risks, allowing the extension author to execute malicious actions at will while compromising user privacy and control.

Code Execution Permissions

Flags items that request permissions allowing them to inject, execute, or modify code at runtime. These capabilities expand the item’s control over the browser environment and significantly increase the potential for evasive behavior, or post-install exploitation.

medium

Network Interception Permissions

Flags items that request privileges enabling interception, observation, or modification of network traffic. Such capabilities can be used to monitor user activity, redirect requests, or interfere with external content, increasing the risk of surveillance, content manipulation, or traffic redirection.

medium

All findings are available for Enterprise users

Code analysis

AI-powered analysis of the extension's source code for security insights and risk assessment.

This Chrome extension is designed to allow users to select their Roblox region, presumably to improve connection quality and reduce lag during gameplay. The code manages extension installation, script injection, and network request rule toggling.

Key behaviors:

On installation, it checks and sets a default value (regionSelectorEnabled) in local storage.
Listens for messages to inject scripts into the main world of the current tab. The script to inject is provided via message (codeToInject).
Listens for messages to enable or disable a specific network request ruleset (ruleset_2) using the chrome.declarativeNetRequest API.

API Calls:

chrome.storage.local for storing extension state.
chrome.scripting.executeScript for injecting arbitrary scripts into web pages.
chrome.declarativeNetRequest.updateEnabledRulesets for toggling network request rules.

Potentially Sensitive Functionality:

The ability to inject arbitrary scripts into the main world of a tab (chrome.scripting.executeScript with user-supplied code) can be risky if not properly controlled. However, there is no evidence in this code that the injected code is fetched from an external or untrusted source; it is passed via message, likely from the extension's own UI.

No evidence of:

Network exfiltration, external command & control, or filesystem access.
Obfuscation or attempts to hide code intent.

Example of script injection logic:

if (message.action === "injectScript") {
  const { codeToInject } = message;
  chrome.scripting.executeScript({
    target: { tabId: sender.tab.id },
    world: "MAIN",
    func: (code) => {
      try {
        const script = document.createElement('script');
        script.textContent = code;
        document.documentElement.appendChild(script);
        script.remove();
      } catch(error){}
    },
    args: [codeToInject],
  })
}

Overall, the code is straightforward and matches the described functionality of region selection and network rule management for Roblox.

Permissions

high

declarativeNetRequest

api

Enables network request filtering using predefined rules without requiring direct access to request content.

high

scripting

api

Allows execution of scripts in web page contexts, potentially manipulating site behavior and user interactions.

medium

storage

api

Enables persistent data storage for the extension, potentially storing large amounts of user-related information.

API Calls

API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

API CALLS ARE AVAILABLE FOR ENTERPRISE USERS

Secrets

Any encoded/decoded secrets we managed to find in the source code, git repository, or related files

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

SECRETS ARE AVAILABLE FOR ENTERPRISE USERS

Vulnerabilities

Known vulnerabilities and security issues detected in the extension's dependencies and code.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

VULNERABILITIES ARE AVAILABLE FOR ENTERPRISE USERS

External communication

Any identifiers we detected that may indicate external communication from the item's code

https://apis.roblox.com/user-settings-api/v1/user-settings

regionSelector.js

https://auth.roblox.com/v2/logout

regionSelector.js

https://chromewebstore.google.com/detail/kholpglpladobppelhcjjjlckjplkgan/reviews

regionSelector.js

All external communications are available for Enterprise users

Dependencies

Dependencies and third-party libraries used by the extension, including version information and license details.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

DEPENDENCIES ARE AVAILABLE FOR ENTERPRISE USERS

Licenses & Compliance

Compliance

Compliance status and certifications for the extension and its publisher

Ro Region

Ro Region is compliant with SOC2, as mentioned in their compliance information. Additionally, Ro (the parent company, Roman Health Ventures Inc.) also states its compliance with SOC2. Hence, both the company and the parent company are SOC2 compliant.

Compliant

Licenses

No license text available...