Over 280 million at risk from malware-filled Chrome extensions — how to stay safe

[Image: the Google Chrome logo on a laptop. Image credit: Shutterstock]

In the same way that you need to be careful when installing new apps on your smartphone, you also have to be cautious when adding new extensions to your browser, especially with Google Chrome.

With a 65% market share worldwide according to Statcounter, Chrome is by far the most popular browser, which makes it the perfect target for hackers and other cybercriminals. While cyberattacks often exploit zero-day flaws in Google’s browser, there’s an easier way to target Chrome users: malicious extensions.

Just like malicious apps, these bad extensions can contain malware and other threats designed to steal your data as well as your cash. Of the 250,000 extensions on the Chrome Web Store, less than 1% were found to include malware, according to a recent blog post from Google. However, a new research paper claims otherwise.

Published by researchers from Stanford University and the CISPA Helmholtz Center for Information Security, the research paper (PDF) claims that 280 million people installed a malware-infected Chrome extension between July 2020 and February 2023.

Here’s everything you need to know about malicious Chrome extensions and how you can stay safe when adding new extensions to your browser.

Lasting threats

As reported by TechSpot, the researchers found that over a three-year period, 346 million users installed Security-Noteworthy Extensions (SNE). Of these installs, 63 million were of extensions that violated store policy and 3 million were of extensions with vulnerable code, while 280 million were of extensions that actually contained malware.

Surprisingly, many of these malicious extensions were available to download from the Chrome Web Store for quite some time. The malware-filled ones remained on the store for 380 days on average, while the ones with vulnerable code stayed up for 1,248 days on average.

Of these malicious extensions, one called TeleApp was available to download and install for 8.5 years. The extension itself was last updated in 2013, and it was not removed until 2022, when it was found to contain malware.

Normally with apps on the Google Play Store, I recommend checking user ratings and reviews to help spot malicious ones. However, the researchers found that this doesn’t help when it comes to bad extensions, as many of them don’t have any reviews at all. This could indicate that their users don’t know they’re dangerous, or simply that they didn’t take the time to rate and review them.

How to stay safe from malicious extensions

[Image: How to update Google Chrome. Image credit: Firmbee.com via Unsplash]

Since checking ratings and reviews on the Chrome Web Store doesn’t seem to work in this case, you’re going to have to look for external reviews to help judge whether or not a browser extension is safe to install. However, as browser extensions rarely get full reviews, there are some other things to keep in mind to stay safe.

Just like bad apps, the researchers found that malicious extensions often ask for more permissions than they should. If a new extension you’re about to install asks for far more permissions than its stated purpose requires, treat that as a major red flag that it might be malicious.
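One way to put the permissions check above into practice, as an added example that is not from the article or the cited paper: a small Python script that reads an extension’s manifest.json and reports whether it asks for every site or stacks several broad permissions. The permission names are real Chrome manifest keys; which ones count as "broad", and the threshold of three, are assumptions made for this example.

```python
import json

# Permissions that grant broad access to browsing activity or every site.
# This grouping is an editorial assumption for the example, not a list
# from the cited research paper; the names are real Chrome manifest keys.
BROAD_PERMISSIONS = {
    "tabs", "webRequest", "webRequestBlocking", "cookies", "history",
    "webNavigation", "declarativeNetRequest", "scripting", "management",
    "nativeMessaging", "debugger", "proxy", "clipboardRead",
}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def manifest_red_flags(manifest_text: str) -> dict:
    """Summarise what an extension's manifest.json asks for.

    Reads "permissions", "optional_permissions" and "host_permissions"
    (host patterns sit in "permissions" under Manifest V2 and in
    "host_permissions" under V3) and flags a manifest that wants every
    site or stacks several broad permissions.
    """
    manifest = json.loads(manifest_text)
    requested = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested.update(manifest.get(key, []))
    every_site = sorted(requested & ALL_SITES)
    broad = sorted(requested & BROAD_PERMISSIONS)
    return {
        "name": manifest.get("name", "?"),
        "requested": len(requested),
        "every_site": every_site,
        "broad": broad,
        "red_flag": bool(every_site) or len(broad) >= 3,  # assumed threshold
    }


# Constructed sample manifests for the demo, not real extensions.
MODEST = json.dumps({"manifest_version": 3, "name": "Sample Note Taker",
                     "permissions": ["storage"]})
GREEDY = json.dumps({"manifest_version": 3, "name": "Sample Tab Helper",
                     "permissions": ["tabs", "cookies", "webRequest", "history"],
                     "host_permissions": ["<all_urls>"]})

if __name__ == "__main__":
    for text in (MODEST, GREEDY):
        print(manifest_red_flags(text))
```

To check an extension already installed, point the function at the manifest.json Chrome keeps in the profile’s Extensions folder for that extension’s ID.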

Since many malicious extensions contain malware, you’re going to want to use the best antivirus software on your PC and one of the best Mac antivirus software solutions on your Apple computer. This way, if an extension does contain malware, your antivirus software will be able to catch it before any damage can be done.

Likewise, before you install any new software or browser extension, first ask yourself whether you really need it. Often, you’ll be able to accomplish the same thing using built-in software or your browser’s own capabilities. If you do need to install an extension for your browser, make sure that it comes from a trusted source or a well-known software provider.

Since Chrome is the biggest browser, after all, hackers will likely keep trying to slip their malicious extensions past Google’s defenses. The search giant does have a dedicated security team that reviews every Chrome extension to make sure it isn’t malicious. However, if you want to be extra careful, the fewer browser extensions you have installed, the better.


Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

  • Brandykandy
    Google, Chrome, the largest Android software company there is: you have no choice whether or not you use their services if you have Android.
    And they don't have a dedicated security team that ensures that their products are safe? 3rd party or not, that sounds crazy to me. Why don't they? They can definitely afford to.
    Businesses are not being held to any kind of standards these days. Here in the US you can harm as many people as you like, just make sure you form a corporation or LLC before doing it.
  • chromium4
    This is yet another reason why I gravitate towards flagship level devices. They are rich with features out of the box so I'm not dependent upon OS updates, additional apps or extensions to provide the options I want to meet my needs and give me the user experience I seek.