Security Expert Uncovers Suspicious Chrome Extensions with Millions of Installs
Browsers/News/Software

Security Expert Uncovers Suspicious Chrome Extensions with Millions of Installs

A security researcher has identified a troubling set of Chrome extensions that may pose a risk to users, indicating they include spyware or data-stealing capabilities.

You could easily assume that downloading a Google Chrome extension from the official Chrome Web Store means it is safe. However, this perception may be misleading. John Tuckner, founder of the security platform Secure Annex, claims to have detected 35 Chrome extensions with over 4 million installs that “include some kind of spyware or infostealer.”

These extensions share several characteristics—they use similar code patterns, connect to the same servers, and require identical system permissions. Tuckner emphasizes that these extensions utilize obfuscated code designed to mask their true operations.

“These extensions have strong relationships, and most claim to serve a purpose like ad blocking, extension protection, or enhancing search results, which likely keeps them listed in the web store,” he remarks.

Despite their purported functions, the actual code for these features tends to be minimal or nonexistent. For instance, one extension, named Fire Shield Extension Protection, left a lab device displaying a blank webpage. Inspecting it with Chrome’s developer tools revealed it connected to a URL but performed no further actions.

Using a unique extension ID from GitHub, Tuckner tracked how Fire Shield sent various events to a web server, monitoring sites he accessed, including previously visited ones, and even his display size.

“While I couldn’t find evidence that Fire Shield exfiltrated credentials, the significant levels of obfuscation, along with the remote configuration capabilities in the browser extension’s code, definitively point to these extensions containing spyware or data extraction tools,” Tuckner concludes.

After reviewing the extensions, Tuckner noted they often had eerily similar names and background service listings referencing a mysterious “unknow.com.” Strikingly, 34 of these extensions are unlisted, meaning you need a direct link to access them in the Chrome store. Alarmingly, 10 of them hold the ‘Featured’ badge from Google, which deceives users into believing they are verified and trustworthy.

In the realm of software safety, it’s crucial to scrutinize any extension you consider using, especially those that are prominent in browser stores.

Next article

Incredible Newegg Bundle: Get AMD Ryzen 5 9600X, 16GB RAM, and Monster Hunter Wilds for Only $230

Newsletter

Get the most talked about stories directly in your inbox

Every week we share the most relevant news in tech, culture, and entertainment. Join our community.

Your privacy is important to us. We promise not to send you spam!