Nearly 80 Chrome extensions caught spying -- how to protect yourself

Share

• Copy link
• Facebook
• X
• Reddit
• Email

Share this article

Join the conversation

Follow us

Add us as a preferred source on Google

Newsletter

Get the Tom's Guide Newsletter

Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!

Become a Member in Seconds

Unlock instant access to exclusive member features.

Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors

---

By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

You are now subscribed

Your newsletter sign-up was successful

---

Want to add more newsletters?

Daily (Mon-Sun)

Tom's Guide Daily

Sign up to get the latest updates on all of your favorite content! From cutting-edge tech news and the hottest streaming buzz to unbeatable deals on the best products and in-depth reviews, we’ve got you covered.

Signup +

Weekly on Thursday

Tom's AI Guide

Be AI savvy with your weekly newsletter summing up all the biggest AI news you need to know. Plus, analysis from our AI editor and tips on how to use the latest AI tools!

Signup +

Weekly on Friday

Tom's iGuide

Unlock the vast world of Apple news straight to your inbox. With coverage on everything from exciting product launches to essential software updates, this is your go-to source for the latest updates on all the best Apple content.

Signup +

Weekly on Monday

Tom's Streaming Guide

Our weekly newsletter is expertly crafted to immerse you in the world of streaming. Stay updated on the latest releases and our top recommendations across your favorite streaming platforms.

Signup +

---

Join the club

Get full access to premium articles, exclusive features and a growing list of member rewards.

Explore

---

An account already exists for this email address, please log in.

Subscribe to our newsletter

More than 100 malicious and fake Google Chrome browser extensions have amassed around 33 million downloads in total, according to an investigation by security firm Awake.

Security researchers discovered 111 malicious extensions that were downloaded by users of the Google Chrome browser and spread dangerous spyware. 

• The best antivirus software: stay protected online
• VPN: add an extra layer of security with a virtual private network
• Plus: New Chrome extension makes web surfing easier: How to use it

Reuters reported that the extensions claimed to warn users of dangerous websites and change the format of files when they actually had malicious intentions.

Some of the extensions never appeared in the Chrome Web Store, the full Awake report noted, but instead themselves installed the Chromium open-source version of Chrome so that they could run without Google's approval.

Awake said the extensions were able to take screenshots of the victims' devices, load malware and read clipboards, as well as harvest tokens and user input, among other malicious operations. 

The firm also found that the attackers used an infrastructure of 15,160 malicious or suspicious domains and were able to bypass sandboxes, endpoint detection and response solutions and web proxies. 

Cybercriminals bought the domain names from GalComm, an Israel-based domain registrar. GalComm's owner told Reuters that his company was not aware that it was being used as part of a malicious campaign.

However, the Awake report said that nearly 60% of the GalComm-registered domains that Awake researchers could reach were "malicious or suspicious." It added that "GalComm is at best complicit in malicious activity."

Awake co-founder and chief scientist Gary Golomb suggested that this was the most far-reaching malicious campaign found on the Google Chrome Store. 

The researchers aren’t sure who is behind the attack, but told Reuters that the attackers used fake contact details when applying to have their extensions published on the Chrome Web Store.

Taking action

After learning of the malicious extensions last month, Google removed 79 of them. A spokesman for the tech giant, Scott Westover, told Reuters:  “When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.”

“Illicit extensions usually require permissions to grant further access to data on your machine which users must be vigilant of," Jake Moore, a security specialist at ESET, told Tom's Guide. 

"It's vital to check which permissions a browser extension requires especially when it’s free as some can be harmful," he said. “Just like downloading anything to your device, I would always advise caution with add-ons as Google cannot verify each extension independently.”

Remember, if you have a Chrome browser extension installed, but you don't need it at the moment, you can always go to chrome://extensions/ to disable it without removing it. (You can enable it when you need it.) Doing so will make Chrome run faster and free up memory on your computer.

The malicious Chrome extensions

It doesn't make for interesting reading, but here's the full list of the extension IDs of all 111 malicious Chrome (and Chromium) extensions that Awake discovered. 

Unfortunately, if you want to see if any of the extensions you've added to Chrome are on this list, you've got to do so manually. 

Right-click or control-click the icon of a running extension in upper right corner of the browser, and select "Manage extensions." A new tab will open describing the extension, and in the address bar of the tab, you'll see something that looks like "chrome://extensions/?id=oiigbmnaadbkfbmpbfijlflahbdbdgdf." 

That long string of gibberish is a 32-character extension ID. Compare each of your extensions' IDs to the list below, and if anything matches, remove the extension.

• acmnokigkgihogfbeooklgemindnbine
• apgohnlmnmkblgfplgnlmkjcpocgfomp
• apjnadhmhgdobcdanndaphcpmnjbnfng
• bahkljhhdeciiaodlkppoonappfnheoi
• bannaglhmenocdjcmlkhkcciioaepfpj
• bgffinjklipdhacmidehoncomokcmjmh
• bifdhahddjbdbjmiekcnmeiffabcfjgh
• bjpknhldlbknoidifkjnnkpginjgkgnm
• blngdeeenccpfjbkolalandfmiinhkak
• ccdfhjebekpopcelcfkpgagbehppkadi
• cceejgojinihpakmciijfdgafhpchigo
• cebjhmljaodmgmcaecenghhikkjdfabo
• chbpnonhcgdbcpicacolalkgjlcjkbbd
• cifafogcmckphmnbeipgkpfbjphmajbc
• clopbiaijcfolfmjebjinippgmdkkppj
• cpgoblgcfemdmaolmfhpoifikehgbjbf
• dcmjopnlojhkngkmagminjbiahokmfig
• deiiiklocnibjflinkfmefpofgcfhdga
• dipecofobdcjnpffbkmfkdbfmjfjfgmn
• dopkmmcoegcjggfanajnindneifffpck
• dopmojabcdlfbnppmjeaajclohofnbol
• edcepmkpdojmciieeijebkodahjfliif
• ekbecnhekcpbfgdchfjcfmnocdfpcanj
• elflophcopcglipligoibfejllmndhmp
• eogfeijdemimhpfhlpjoifeckijeejkc
• fcobokliblbalmjmahdebcdalglnieii
• fgafnjobnempajahhgebbbpkpegcdlbf
• fgcomdacecoimaejookmlcfogngmfmli
• fgmeppijnhhafacemgoocgelcflipnfd
• fhanjgcjamaagccdkanegeefdpdkeban
• flfkimeelfnpapcgmobfgfifhackkend
• fmahbaepkpdimfcjpopjklankbbhdobk
• foebfmkeamadbhjcdglihfijdaohomlm
• fpngnlpmkfkhodklbljnncdcmkiopide
• gdifegeihkihjbkkgdijkcpkjekoicbl
• gfcmbgjehfhemioddkpcipehdfnjmief
• gfdefkjpjdbiiclhimebabkmclmiiegk
• ggijmaajgdkdijomfipnpdfijcnodpip
• ghgjhnkjohlnmngbniijbkidigifekaa
• gllihgnfnbpdmnppfjdlkciijkddfohn
• gmmohhcojdhgbjjahhpkfhbapgcfgfne
• gofhadkfcffpjdbonbladicjdbkpickk
• hapicipmkalhnklammmfdblkngahelln
• hijipblimhboccjcnnjnjelcdmceeafa
• hmamdkecijcegebmhndhcihjjkndbjgk
• hodfejbmfdhcgolcglcojkpfdjjdepji
• hpfijbjnmddglpmogpaeofdbehkpball
• ianfonfnhjeidghdegbkbbjgliiciiic
• ibfjiddieiljjjccjemgnoopkpmpniej
• inhdgbalcopmbpjfincjponejamhaeop
• iondldgmpaoekbgabgconiajpbkebkin
• ipagcbjbgailmjeaojmpiddflpbgjngl
• jagbooldjnemiedoagckjomjegkopfno
• jdheollkkpfglhohnpgkonecdealeebn
• jfefcmidfkpncdkjkkghhmjkafanhiam
• jfgkpeobcmjlocjpfgocelimhppdmigj
• jghiljaagglmcdeopnjkfhcikjnddhhc
• jgjakaebbliafihodjhpkpankimhckdf
• jiiinmeiedloeiabcgkdcbbpfelmbaff
• jkdngiblfdmfjhiahibnnhcjncehcgab
• jkofpdjclecgjcfomkaajhhmmhnninia
• kbdbmddhlgckaggdapibpihadohhelao
• keceijnpfmmlnebgnkhojinbkopolaom
• khhemdcdllgomlbleegjdpbeflgbomcj
• kjdcopljcgiekkmjhinmcpioncofoclg
• kjgaljeofmfgjfipajjeeflbknekghma
• labpefoeghdmpbfijhnnejdmnjccgplc
• lameokaalbmnhgapanlloeichlbjloak
• lbeekfefglldjjenkaekhnogoplpmfin
• lbhddhdfbcdcfbbbmimncbakkjobaedh
• ldoiiiffclpggehajofeffljablcodif
• lhjdepbplpkgmghgiphdjpnagpmhijbg
• ljddilebjpmmomoppeemckhpilhmoaok
• ljnfpiodfojmjfbiechgkbkhikfbknjc
• lnedcnepmplnjmfdiclhbfhneconamoj
• lnlkgfpceclfhomgocnnenmadlhanghf
• loigeafmbglngofpkkddgobapkkcaena
• lpajppfbbiafpmbeompbinpigbemekcg
• majekhlfhmeeplofdolkddbecmgjgplm
• mapafdeimlgplbahigmhneiibemhgcnc
• mcfeaailfhmpdphgnheboncfiikfkenn
• mgkjakldpclhkfadefnoncnjkiaffpkp
• mhinpnedhapjlbgnhcifjdkklbeefbpa
• mihiainclhehjnklijgpokdpldjmjdap
• mmkakbkmcnchdopphcbphjioggaanmim
• mopkkgobjofbkkgemcidkndbglkcfhjj
• mpifmhgignilkmeckejgamolchmgfdom
• nabmpeienmkmicpjckkgihobgleppbkc
• nahhmpbckpgdidfnmfkfgiflpjijilce
• ncepfbpjhkahgdemgmjmcgbgnfdinnhk
• npaklgbiblcbpokaiddpmmbknncnbljb
• npdfkclmbnoklkdebjfodpendkepbjek
• nplenkhhmalidgamfdejkblbaihndkcm
• oalfdomffplbcimjikgaklfamodahpmi
• odnakbaioopckimfnkllgijmkikhfhhf
• oklejhdbgggnfaggiidiaokelehcfjdp
• omgeapkgiddakeoklcapboapbamdgmhp
• oonbcpdabjcggcklopgbdagbfnkhbgbe
• opahibnipmkjincplepgjiiinbfmppmh
• pamchlfnkebmjbfbknoclehcpfclbhpl
• pcfapghfanllmbdfiipeiihpkojekckk
• pchfjdkempbhcjdifpfphmgdmnmadgce
• pdpcpceofkopegffcdnffeenbfdldock
• pgahbiaijngfmbbijfgmchcnkipajgha
• pidohlmjfgjbafgfleommlolmbjdcpal
• pilplloabdedfmialnfchjomjmpjcoej
• pklmnoldkkoholegljdkibjjhmegpjep
• pknkncdfjlncijifekldbjmeaiakdbof
• plmgefkiicjfchonlmnbabfebpnpckkk
• pnciakodcdnehobpfcjcnnlcpmjlpkac
• ponodoigcmkglddlljanchegmkgkhmgb

• Read more: The best Google Chrome extensions you can actually trust