Nearly 2 million people hit by malicious Chrome installations that can track you — what to do now

Almost a dozen malicious extensions found in Google’s Chrome Web Store have been downloaded 1.7 million times. According to Bleeping Computer, these unsafe add-ons still largely work as legitimate tools, but they’re also able to track browser activity, track users, and potentially redirect users to web addresses that could spread malware.

Discovered by researchers at Koi Security, a company that provides a platform for securing self-provisioned software, the extensions in question range from VPNs and weather forecasters to themes and keyboards. The researchers also reported the extensions to Google; while some of them have been removed, some continue to be available.

The extensions in question are:

  • Color Picker, Eyedropper
  • Emoji keyboard online
  • Free Weather Forecast
  • Video Speed Controller — Video manager
  • Unlock Discord — VPN Proxy to Unblock Discord Anywhere
  • Dark Theme — Dark Reader for Chrome
  • Volume Max — Ultimate Sound Booster
  • Unblock TikTok — Seamless Access with One-Click Proxy
  • Unlock YouTube VPN
  • Unlock TikTok
  • Weather

At least one of those, Volume Max – Ultimate Sound Booster, has been previously flagged by a different set of researchers who were concerned about its potential for spying on users.

Many of the extensions are verified, have hundreds of positive reviews and are prominently featured, which not only misleads users about their safety but also may indicate that these extensions were hijacked by threat actors who then introduced malicious code.

Because the malicious code was introduced at a later time via updates, and because Google’s auto-update system deploys the newest version without requiring user interaction, the code was rolled out to users without them knowing.

The malicious extensions use the Chrome Extensions API to run their functionality in the background, registering a listener that is triggered every time a user navigates to a new webpage.

This listener captures the URL of the new webpage and exfiltrates it to a remote server along with a tracking ID for each user; the remote server can respond with redirection URLs, which hijacks the user's browsing activity and could potentially take them to unsafe destinations. This could lead to cyberattacks (though this is not something that Koi Security observed in their testing).

Koi Security also discovered similar behavior in the official store for Microsoft Edge, with a total of 600,000 downloads – combined, this creates one of the largest browser hijacking operations the researchers say they’ve ever documented.

What to do if you've downloaded the malicious extensions

First, remove any and all of the listed extensions from your machine. Then make sure to clear all of your browsing data to get rid of any trackers or tracking identifiers.

Next, check your system for malware by running a scan using your antivirus software. Keep an eye on your accounts and monitor them for any suspicious or unusual activity. Many antivirus programs have features that can help you keep track of your accounts or watch the dark web, or include features like identity monitoring.
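
To help with the first step, here is an added example (not code from Koi Security, Bleeping Computer or Google): a Python script that walks a Chrome profile's Extensions folder, assumed to be laid out as `<extension id>/<version>/manifest.json`, and flags installs whose name matches the list above or whose manifest lets background code read the URLs you visit, the capability the tracking listener relies on. Extension names are not unique and the permission check is a heuristic assumption that many legitimate extensions also meet, so a hit is a reason to review an extension, not proof that it is malicious.

```python
import json, sys
from pathlib import Path
# Names from the article's list (dashes written as "-"; case and punctuation ignored).
LISTED = ["Color Picker, Eyedropper", "Emoji keyboard online", "Free Weather Forecast",
    "Video Speed Controller - Video manager", "Unlock YouTube VPN", "Unlock TikTok",
    "Unlock Discord - VPN Proxy to Unblock Discord Anywhere", "Weather",
    "Dark Theme - Dark Reader for Chrome", "Volume Max - Ultimate Sound Booster",
    "Unblock TikTok - Seamless Access with One-Click Proxy"]
# Assumption (heuristic): either of these lets background code read visited URLs.
URL_PERMS = {"tabs", "webNavigation"}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
def norm(text):
    return "".join(c for c in text.lower() if c.isalnum())
LISTED_NORM = {norm(n) for n in LISTED}

def load(path):
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
        return data if isinstance(data, dict) else {}
    except (OSError, ValueError):  # unreadable or malformed file
        return {}

def display_name(ext_dir, manifest):  # resolves localized "__MSG_key__" names
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = str(manifest.get("default_locale", "en"))
        msgs = load(ext_dir / "_locales" / locale / "messages.json")
        for key, entry in msgs.items():  # message keys are case-insensitive
            if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def audit(extensions_root):
    """Return (extension_id, version_dir, name, reasons) per flagged install."""
    findings = []
    for mf in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        m = load(mf)
        name = display_name(mf.parent, m)
        perms = {p for p in m.get("permissions", []) if isinstance(p, str)}
        hosts = perms | {h for h in m.get("host_permissions", []) if isinstance(h, str)}
        reasons = ["name matches article list"] if norm(name) in LISTED_NORM else []
        if "background" in m and (perms & URL_PERMS or hosts & ALL_SITES):
            reasons.append("background code can read visited URLs")
        if reasons:
            findings.append((mf.parent.parent.name, mf.parent.name, name, reasons))
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:  # argument: <profile>/Extensions
    print(*audit(sys.argv[1]), sep="\n")
```

Run it with the path to the profile's Extensions folder as the only argument; the first field of each result is the extension ID shown on the chrome://extensions page when Developer mode is on.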

Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
