Not so long ago, a few dozen malicious plugins were discovered in the Chrome Web Store (the official browser extension store for Google Chrome). The most popular of these extensions had over nine million downloads, and altogether these plugins had been downloaded around 87 million times. We explain what these extensions are and why they’re dangerous.
Malicious extensions in the Chrome Web Store
It all began when independent cybersecurity researcher Vladimir Palant found an extension called PDF Toolbox containing suspicious code in the Chrome Web Store. At first glance, it was a perfectly respectable plugin for converting Office documents and performing other simple operations with PDF files.
PDF Toolbox boasted an impressive user base and good reviews, with close to two million downloads and an average score of 4.2. However, inside this extension interesting “additional functionality” was discovered: the plugin accessed a serasearchtop[.]com site, from where it loaded arbitrary code on all pages viewed by the user.
Next, Palant searched the Chrome Web Store for other extensions accessing this server and found a couple dozen plugins with similar additional functionality. They were downloaded 55 million times combined.
Finally, armed with many samples of malicious extensions, he conducted an even more thorough search of Google’s store and discovered 34 malicious extensions with completely different core functionalities. Altogether they’ve been downloaded 87 million times. The most popular malicious plugin found by the researcher was “Autoskip for Youtube” with nine million downloads.
The extensions were uploaded to the Chrome Web Store in 2021 and 2022, which means they’d been there for at least six months when the study was carried out. What’s more, among the reviews to some of them, there were complaints from vigilant users about extensions replacing addresses in search results with adware links. As you can guess, these complaints went unnoticed by Chrome Web Store moderators.
After Palant’s study was published, as well as another paper on the same topic by a team of experts, Google finally removed the dangerous extensions. But it took the authority of several well-known specialists for it to happen. Incidentally, it’s the same story with Google Play — there, too, ordinary users’ complaints generally go unheeded.
Why malicious browser extensions are particularly nasty
In a nutshell, there are three major problems with browser extensions. First is the level of access to user data they have. In fact, to function properly and be useful, any plugin usually needs your consent to Read and change all your data on all websites.
And yes, it means exactly what it says. As a rule, browser plugins ask for consent to view and change all your data on all sites. That is, they see absolutely everything you do on all sites you visit, and can arbitrarily change the content of a displayed page.
Here’s what this potentially allows extension creators to do:
- Track all user activities in order to collect and sell information about them.
- Steal card details and account credentials.
- Embed ads in web pages.
- Substitute links in search results (as mentioned above).
- Replace the browser’s home page with an advertising link.
Note that a plugin’s malicious functionality can evolve over time in line with its owners’ goals. And the owners themselves may change: there have been cases when malicious features appeared in a previously safe extension after its creators sold the plugin to someone else.
The second problem is that users generally pay little attention to the dangers of browser extensions: they install many of them and hand out consent to read and change any data in the browser. What choice have they got? If they refuse, the plugin simply won’t work.
In theory, the moderators of the stores where these plugins are placed should monitor the safety of extensions. But — problem number three — as is clear from the above, they don’t do this too well. Even Google’s official Chrome Web Store had dozens of malicious extensions crawling around in it. Moreover, they can remain there for years — despite users’ reviews.
What to do if you’ve installed a malicious extension
Bear in mind that, if a plugin is banned from a store, this doesn’t mean it will be automatically removed from the devices of all users who installed it. So it’s worth checking if you’ve any malicious extensions installed on your device. Delete immediately plugins from the list below, and, if necessary, download a safe alternative:
- Autoskip for Youtube
- Crystal Adblock
- Brisk VPN
- Clipboard Helper
- Maxi Refresher
- Quick Translation
- Easyview Reader view
- PDF Toolbox
- Epsilon Ad blocker
- Craft Cursors
- Alfablocker ad blocker
- Zoom Plus
- Base Image Downloader
- Clickish fun cursors
- Cursor-A custom cursor
- Amazing Dark Mode
- Maximum Color Changer for Youtube
- Awesome Auto Refresh
- Venus Adblock
- Adblock Dragon
- Readl Reader mode
- Volume Frenzy
- Image download center
- Font Customizer
- Easy Undo Closed Tabs
- Screence screen recorder
- Repeat button
- Leap Video Downloader
- Tap Image Downloader
- Qspeed Video Speed Controller
- Light picture-in-picture
This list was compiled by Vladimir Palant himself. He also notes that the list of malicious plugins may not be complete. So be wary of other extensions too.
How to defend yourself against malicious browser extensions
This story illustrates how you should never rely unconditionally on the moderators of stores where you get your browser extensions. It’s always wise to take some precautions of your own. Here’s how to protect yourself from malicious plugins:
- Don’t install too many browser extensions. The fewer — the safer.
- Before installing an extension, read the reviews about it. Sure, this is no guarantee of security, but in some cases it will at least help unmask a malicious plugin.
- Review your list of installed extensions from time to time and get rid of ones you don’t use/really need.
- Install reliable protection on all your devices.