Security researchers have discovered nearly a dozen malicious Chrome extensions with over 1.7 million downloads. These popular extensions, available on Google’s Chrome Web Store, could secretly track users, steal browsing activity, and redirect them to potentially dangerous websites.
The Threat: Malicious Extensions Masquerading as Legitimate Tools
Most of the identified extensions appear legitimate, offering functionalities like color pickers, VPNs, emoji keyboards, and volume boosters. Some of them even carry the “verified” badge and boast hundreds of positive reviews, misleading users about their safety.
Researchers at Koi Security, a cybersecurity firm, discovered the malicious behavior and reported the findings to Google. While some of the extensions have since been removed, many remain available for download.
The malicious Chrome extensions include:
- Color Picker, Eyedropper — Geco colorpick
- Emoji Keyboard Online — Copy & Paste Your Emoji
- Free Weather Forecast
- Video Speed Controller — Video Manager
- Unlock Discord — VPN Proxy to Unblock Discord Anywhere
- Dark Theme — Dark Reader for Chrome
- Volume Max — Ultimate Sound Booster
- Unblock TikTok — Seamless Access with One-Click Proxy
- Unlock YouTube VPN
- Unlock TikTok
- Weather
How the Malicious Code Works
The extensions provide the advertised features but contain hidden malicious code within their background service worker, leveraging the Chrome Extensions API. The code registers a listener that activates each time users navigate to a new webpage.
This listener captures the URL of visited pages and sends the information to a remote server. It also includes a unique tracking ID for every user. The server can then reply with redirection instructions, hijacking the user’s browsing session and possibly exposing them to cyberattacks.
Although no malicious redirections were observed during Koi Security’s testing, the potential remains for abuse.
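The capability combination described above (a background service worker, tab or navigation access, and host permissions covering every site) is something a defender can audit for locally. The script below is an added example, not code from Koi Security or from this article: it walks a Chrome profile's Extensions directory, flags manifests whose name matches one of the listed extensions (heuristic prefix match, since store names are often localised or suffixed) and flags any extension that combines a background script with tab/navigation permissions on all URLs. It assumes the default Linux profile path; adjust the path for macOS, Windows or a non-default profile.

```python
import json
from pathlib import Path

# Names reported in the article; matched case-insensitively by prefix because
# store names are often localised or suffixed. Treat a hit as a lead to review.
LISTED_NAMES = ["Color Picker, Eyedropper", "Emoji Keyboard Online", "Free Weather Forecast",
                "Video Speed Controller", "Unlock Discord", "Dark Theme", "Volume Max",
                "Unblock TikTok", "Unlock YouTube VPN", "Unlock TikTok", "Weather"]
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
NAV_PERMS = {"tabs", "webNavigation", "webRequest"}

def assess_manifest(manifest: dict) -> list:
    """Return findings for one parsed manifest.json; an empty list means nothing notable."""
    findings = []
    name = str(manifest.get("name", ""))
    if any(name.lower().startswith(n.lower()) for n in LISTED_NAMES):
        findings.append(f"name matches a reported extension: {name}")
    perms = set(manifest.get("permissions", []))
    background = manifest.get("background", {})
    # MV3 uses background.service_worker; MV2 used background.scripts.
    has_background = "service_worker" in background or "scripts" in background
    # MV3 puts host patterns in host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | (perms & BROAD_HOSTS)
    if has_background and perms & NAV_PERMS and hosts & BROAD_HOSTS:
        findings.append("background script with tab/navigation access on all sites")
    return findings

def load_manifest(version_dir: Path) -> dict:
    """Parse manifest.json, resolving a localised __MSG_key__ name from _locales."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        msgs_path = version_dir / "_locales" / locale / "messages.json"
        if msgs_path.exists():
            msgs = json.loads(msgs_path.read_text(encoding="utf-8-sig"))
            manifest["name"] = msgs.get(name[6:-2], {}).get("message", name)
    return manifest

def scan(extensions_root: Path) -> dict:
    """Map extension id -> findings for every installed version under the Extensions dir."""
    report = {}
    for manifest_path in extensions_root.glob("*/*/manifest.json"):
        findings = assess_manifest(load_manifest(manifest_path.parent))
        if findings:
            report[manifest_path.parent.parent.name] = findings
    return report

if __name__ == "__main__":
    # Default profile on Linux (assumed); adjust for macOS/Windows or another profile.
    root = Path.home() / ".config/google-chrome/Default/Extensions"
    for ext_id, findings in scan(root).items():
        print(ext_id, "->", "; ".join(findings))
```

A permission hit is not proof of malice (many legitimate extensions need these capabilities); it identifies which installed extensions have the reach to exfiltrate URLs and redirect sessions and therefore deserve a closer look.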
Silent Updates and Possible Compromises
Notably, the malicious code was absent in the original versions of these extensions. It was introduced later via updates silently deployed through Google’s auto-update system—without any user interaction or approval.
This raises concerns that some extensions may have been hijacked or compromised by external actors after building up user trust over time. BleepingComputer reached out to several publishers of these extensions, but no responses have been received.
Impact Beyond Chrome: Microsoft Edge Also Affected
Koi Security also identified similar malicious extensions on the official Microsoft Edge store. These had approximately 600,000 downloads. In total, over 2.3 million users across both browsers have been impacted, making this one of the largest browser hijacking operations documented to date.
What Users Should Do: Safety Recommendations for Protecting Against Malicious Chrome Extensions
To protect themselves, users are strongly advised to:
- Remove all the listed malicious extensions immediately
- Clear browsing data to eliminate tracking identifiers
- Check systems for malware or unusual activity
- Monitor online accounts for suspicious behavior
As cybercriminals continue to exploit browser extensions, staying vigilant and regularly reviewing installed add-ons is crucial.
Conclusion
The discovery of these malicious Chrome and Edge extensions highlights the growing risks users face from seemingly harmless browser add-ons. Even trusted and widely used extensions can turn dangerous overnight, whether through compromise or deliberate updates.
Users must remain cautious, regularly review their browser extensions, and take swift action when potential threats emerge. In the evolving landscape of cyber threats, proactive security habits are key to staying safe online.