
Yikes! Google just removed more than 500 malicious Chrome extensions


Google pulled over 500 malicious Chrome extensions from the Web Store after security researchers exposed a malware operation that injects nasty ads into users’ browsing sessions.

Cisco’s Duo Security team, which shared its report with ZDNet, found malicious code that is activated under specific conditions and redirects users while browsing. The destinations varied from affiliate links for retail sites like Dell or BestBuy to malware download or phishing pages.

According to the report, the malware-injecting extensions are tied to a larger effort that’s been operating for at least two years. It’s believed the bad actors behind the code may have been active since the early 2010s. 

Exposed by a free tool

Security researcher Jamila Kaya told ZDNet that she discovered the network of malicious extensions during routine threat hunting using Duo's free CRXcavator tool, which analyzes the security of Chrome plug-ins. She noticed a common URL pattern among redirected sites.

"Individually, I identified more than a dozen extensions that shared a pattern," Kaya told ZDNet. "Upon contacting Duo, we were able to quickly fingerprint them using CRXcavator's database and discover the entire network."

Duo believes 1.7 million users had installed the initial extensions Kaya identified. Google flagged hundreds more malicious extensions in its own security sweep, though it’s unknown how many installations those 500-plus plug-ins had.

Duo’s report serves as a reminder that Google has ongoing malware issues. Chrome extension security problems arise with alarming regularity. While the company has made efforts to beef up restrictions on extensions, there’s still cause for concern.

Chrome malware: What you can do

Google has removed over 500 malicious extensions from the Web Store and also deactivated them within users’ browsers. If you have one of the bad extensions installed on your own browser, Google has labeled it as “malicious,” so you know to delete it and not reactivate it.

Duo published an index of the malicious extensions if you’re still not sure whether you have one or more of them installed in your browser.

The security firm also recommends you regularly audit the extensions you have installed, delete ones you don’t use and flag ones you don’t recognize. Some of the best antivirus programs will also detect and defang malicious browser extensions.
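
One way to script the audit recommended above, as an added example that is not code from Duo, Google or this article. It assumes Chrome's on-disk layout of `<profile>/Extensions/<extension id>/<version>/manifest.json`; the function names, status labels and sample extension IDs are constructed for illustration, and the index IDs must be copied from the published index by the caller.

```python
import json
import re
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"[a-p]{32}")

def audit_extensions(profile_dir, index_ids, approved_ids=frozenset()):
    """Classify every extension found under <profile_dir>/Extensions.
    index_ids: IDs copied from a published index of malicious extensions.
    approved_ids: IDs the user or organisation has reviewed and accepts.
    """
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(ext_root.iterdir()):
        if not (ext_dir.is_dir() and EXT_ID.fullmatch(ext_dir.name)):
            continue  # skip temp folders and stray files
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                manifest = None  # unreadable manifest: still report the ID
            if not isinstance(manifest, dict):
                manifest = {}
            status = ("in-malicious-index" if ext_dir.name in index_ids else
                      "approved" if ext_dir.name in approved_ids else "unrecognized")
            findings.append({"id": ext_dir.name, "status": status,
                             "name": manifest.get("name", "<unreadable manifest>"),
                             "version": manifest_path.parent.name})
    return findings

def build_sample_profile(root):
    """Constructed profile with three made-up extensions, for demonstration."""
    samples = {"a" * 32: '{"name": "Ad Helper", "version": "1.0"}',
               "b" * 32: '{"name": "Notes", "version": "2.3"}',
               "c" * 32: "not json"}
    for ext_id, body in samples.items():
        version_dir = Path(root) / "Extensions" / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(body, encoding="utf-8")
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_extensions(build_sample_profile(tmp), {"a" * 32}, {"b" * 32}):
            print(f["status"], f["id"], f["name"])
```

Point `profile_dir` at a real profile, for example `~/.config/google-chrome/Default` on Linux. Names that appear as `__MSG_...__` are localization placeholders stored in the manifest, not the displayed name.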