Malicious Chrome and Edge extensions infect at least 3 million people — what to do

More than two dozen browser extensions for Google Chrome and Microsoft Edge can steal personal information, redirect users to ads or phishing websites and even install malware, Avast researchers said yesterday (Dec. 16).

About 3 million people have installed the 28 malicious extensions, three-quarters of which were still available in the Chrome and Edge extension stores at the time of this writing. The extensions are mostly video downloaders designed to grab streaming data from Facebook, Instagram, Spotify, SoundCloud, Vimeo, YouTube and other services.

"The extensions' backdoors are well-hidden and the extensions only start to exhibit malicious behavior days after installation, which made it hard for any security software to discover," said Avast malware researcher Jan Rubín.

If you have any of these extensions installed — we've got a list at the end of this story — delete them right away, and then give your computer a thorough malware scan with some of the best antivirus software. Because browser extensions work equally well on Windows, macOS and Linux, all three platforms may be affected.
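One way to check a machine for specific extensions, as an added example that is not from Avast or the original article: it walks the default Chrome and Edge profile directories on Windows, macOS and Linux and matches installed extensions by ID rather than by name. The ID in `BLOCKLIST` is a constructed placeholder, and the function names are illustrative.

```python
import json
import os
import sys
from pathlib import Path

# Constructed placeholder ID: replace with the 32-character IDs taken from
# the store links of the extensions you want to find.
BLOCKLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

def browser_roots(home=None):
    """Default Chrome and Edge user-data directories for the current OS."""
    home = Path(home or Path.home())
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return {"chrome": base / "Google/Chrome/User Data",
                "edge": base / "Microsoft/Edge/User Data"}
    if sys.platform == "darwin":
        base = home / "Library/Application Support"
        return {"chrome": base / "Google/Chrome", "edge": base / "Microsoft Edge"}
    return {"chrome": home / ".config/google-chrome",
            "edge": home / ".config/microsoft-edge"}

def installed_extensions(root):
    """Yield (profile, id, name, version) from <profile>/Extensions/<id>/<version>/manifest.json."""
    for manifest in sorted(Path(root).glob("*/Extensions/*/*/manifest.json")):
        version_dir = manifest.parent
        ext_id = version_dir.parent.name
        profile = version_dir.parent.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = {}  # unreadable manifest: still report the ID
        # "name" is often a localization key such as __MSG_appName__,
        # which is one more reason to match on the ID, not the name.
        yield profile, ext_id, data.get("name", "?"), data.get("version", version_dir.name)

def audit(roots, blocklist=BLOCKLIST):
    """Return one finding per installed extension whose ID is on the blocklist."""
    hits = []
    for browser, root in roots.items():
        for profile, ext_id, name, version in installed_extensions(root):
            if ext_id in blocklist:
                hits.append({"browser": browser, "profile": profile,
                             "id": ext_id, "name": name, "version": version})
    return hits

if __name__ == "__main__":
    for hit in audit(browser_roots()):
        print("REMOVE: {browser} profile={profile} {id} {name} {version}".format(**hit))
```

A hit means the extension's files are present in that profile; remove it from the browser's extensions page and then run the malware scan.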

Stealing info, logging clicks, even downloading more malware

Avast said the extensions' true motive might be simply to collect money by redirecting users to other websites. But they're also logging every link a user clicks and sending that information to remote servers, as well as collecting information about the user and the host computer.

"The actors also exfiltrate and collect the user's birth dates, email addresses, and device information, including first sign-in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user)," the Avast report said.

Worse, the extensions have the power to "download further malware onto a user's PC," Avast said.

The extension designers took great care to avoid suspicion, which may indicate that their ultimate goal is more than just ad fraud and search-engine redirection. Avast said the extensions can tell whether the user might be a web developer or a security researcher by analyzing traffic and, if so, won't perform any malicious activities.

No matter who the user is, the extensions wait a while before doing anything dodgy.

"The extensions' backdoors are well-hidden and the extensions only start to exhibit malicious behavior days after installation, which made it hard for any security software to discover," Avast said.

This problem goes back years

Google has had a nagging problem with Chrome browser extensions, which the well-funded search-engine giant clearly does not properly screen before allowing them in the Chrome Web Store. 

Hundreds of Chrome extensions have been booted out of the store in 2020 alone for spying on users, yet the problem goes back many years and the malicious extensions just keep coming.

Now that Microsoft has relaunched its Edge browser so that it shares Chrome's underpinnings, it seems to be developing the same problems. 

Tom's Guide asked an Avast spokesperson whether Firefox browser add-ons (the Mozilla term for extensions) might also be part of this current campaign, and we will update this story when we receive further information.

The full list of browser extensions identified by Avast follows below. Because many extensions have similar names, links to each extension's page in the Microsoft Edge or Chrome Web Store are included to avoid confusion.

Malicious Chrome extensions

Malicious Edge extensions

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.