{"id":48562,"date":"2023-07-04T09:07:17","date_gmt":"2023-07-04T13:07:17","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=48562"},"modified":"2023-07-06T04:46:07","modified_gmt":"2023-07-06T08:46:07","slug":"dangerous-chrome-extensions-87-million","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/dangerous-chrome-extensions-87-million\/48562\/","title":{"rendered":"Malicious extensions in the Chrome Web Store"},"content":{"rendered":"<p>Not so long ago, a few dozen malicious plugins were discovered in the Chrome Web Store (the official browser extension store for Google Chrome). The most popular of these extensions had over nine million downloads, and altogether these plugins had been downloaded around 87 million times. We explain what these extensions are and why they\u2019re dangerous.<\/p>\n<h2>Malicious extensions in the Chrome Web Store<\/h2>\n<p>It all began when independent cybersecurity researcher Vladimir Palant <a href=\"https:\/\/palant.info\/2023\/05\/16\/malicious-code-in-pdf-toolbox-extension\/\" target=\"_blank\" rel=\"nofollow noopener\">found<\/a> an extension called PDF Toolbox containing suspicious code in the Chrome Web Store. At first glance, it was a perfectly respectable plugin for converting Office documents and performing other simple operations with PDF files.<\/p>\n<p>PDF Toolbox boasted an impressive user base and good reviews, with close to two million downloads and an average score of 4.2. However, inside this extension interesting \u201cadditional functionality\u201d was discovered: the plugin accessed a serasearchtop[.]com site, from where it loaded arbitrary code on all pages viewed by the user.<\/p>\n<p>Next, Palant searched the Chrome Web Store for other extensions accessing this server and found a couple dozen plugins with similar additional functionality. They were downloaded 55 million times combined.<\/p>\n<p>Finally, armed with many samples of malicious extensions, he conducted an even more thorough search of Google\u2019s store and <a href=\"https:\/\/palant.info\/2023\/05\/31\/more-malicious-extensions-in-chrome-web-store\/\" target=\"_blank\" rel=\"nofollow noopener\">discovered 34 malicious extensions<\/a> with completely different core functionalities. Altogether they\u2019ve been downloaded 87 million times. The most popular malicious plugin found by the researcher was \u201cAutoskip for Youtube\u201d with nine million downloads.<\/p>\n<p>The extensions were uploaded to the Chrome Web Store in 2021 and 2022, which means they\u2019d been there for at least six months when the study was carried out. What\u2019s more, among the reviews to some of them, there were complaints from vigilant users about extensions replacing addresses in search results with adware links. As you can guess, these complaints went unnoticed by Chrome Web Store moderators.<\/p>\n<p>After Palant\u2019s study was published, as well as <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/malicious-chrome-extensions-with-75m-installs-removed-from-web-store\/\" target=\"_blank\" rel=\"nofollow noopener\">another paper<\/a> on the same topic by a team of experts, Google finally removed the dangerous extensions. But it took the authority of several well-known specialists for it to happen. Incidentally, it\u2019s the same story with Google Play \u2014 there, too, ordinary users\u2019 complaints generally <a href=\"https:\/\/www.kaspersky.com\/blog\/camscanner-malicious-android-app\/28156\/\" target=\"_blank\" rel=\"noopener nofollow\">go unheeded<\/a>.<\/p>\n<h2>Why malicious browser extensions are particularly nasty<\/h2>\n<p>In a nutshell, there are three major problems with browser extensions. First is the level of access to user data they have. In fact, to function properly and be useful, any plugin usually needs your consent to <strong>Read and change all your data on all websites<\/strong>.<\/p>\n<p>And yes, it means exactly what it says. As a rule, browser plugins ask for consent to view and change all your data on all sites. That is, they see absolutely everything you do on all sites you visit, and can arbitrarily change the content of a displayed page.<\/p>\n<p>Here\u2019s what this potentially allows extension creators to do:<\/p>\n<ul>\n<li>Track all user activities in order to collect and sell information about them.<\/li>\n<li>Steal card details and account credentials.<\/li>\n<li>Embed ads in web pages.<\/li>\n<li>Substitute links in search results (as mentioned above).<\/li>\n<li>Replace the browser\u2019s home page with an advertising link.<\/li>\n<\/ul>\n<p>Note that a plugin\u2019s <a href=\"https:\/\/www.kaspersky.com\/blog\/dangers-of-browser-extensions\/45448\/\" target=\"_blank\" rel=\"noopener nofollow\">malicious functionality<\/a> can evolve over time in line with its owners\u2019 goals. And the owners themselves may change: there have been cases when malicious features appeared in a previously safe extension after its creators sold the plugin to someone else.<\/p>\n<p>The second problem is that users generally pay little attention to the dangers of browser extensions: they install many of them and hand out consent to read and change any data in the browser. What choice have they got? If they refuse, the plugin simply won\u2019t work.<\/p>\n<p>In theory, the moderators of the stores where these plugins are placed should monitor the safety of extensions. But \u2014 problem number three \u2014 as is clear from the above, they don\u2019t do this too well. Even Google\u2019s official Chrome Web Store had dozens of malicious extensions crawling around in it. Moreover, they can remain there for years \u2014 despite users\u2019 reviews.<\/p>\n<h2>What to do if you\u2019ve installed a malicious extension<\/h2>\n<p>Bear in mind that, if a plugin is banned from a store, this doesn\u2019t mean it will be automatically removed from the devices of all users who installed it. So it\u2019s worth checking if you\u2019ve any malicious extensions installed on your device. Delete immediately plugins from the list below, and, if necessary, download a safe alternative:<\/p>\n<ul>\n<li>Autoskip for Youtube<\/li>\n<li>Soundboost<\/li>\n<li>Crystal Adblock<\/li>\n<li>Brisk VPN<\/li>\n<li>Clipboard Helper<\/li>\n<li>Maxi Refresher<\/li>\n<li>Quick Translation<\/li>\n<li>Easyview Reader view<\/li>\n<li>PDF Toolbox<\/li>\n<li>Epsilon Ad blocker<\/li>\n<li>Craft Cursors<\/li>\n<li>Alfablocker ad blocker<\/li>\n<li>Zoom Plus<\/li>\n<li>Base Image Downloader<\/li>\n<li>Clickish fun cursors<\/li>\n<li>Cursor-A custom cursor<\/li>\n<li>Amazing Dark Mode<\/li>\n<li>Maximum Color Changer for Youtube<\/li>\n<li>Awesome Auto Refresh<\/li>\n<li>Venus Adblock<\/li>\n<li>Adblock Dragon<\/li>\n<li>Readl Reader mode<\/li>\n<li>Volume Frenzy<\/li>\n<li>Image download center<\/li>\n<li>Font Customizer<\/li>\n<li>Easy Undo Closed Tabs<\/li>\n<li>Screence screen recorder<\/li>\n<li>OneCleaner<\/li>\n<li>Repeat button<\/li>\n<li>Leap Video Downloader<\/li>\n<li>Tap Image Downloader<\/li>\n<li>Qspeed Video Speed Controller<\/li>\n<li>HyperVolume<\/li>\n<li>Light picture-in-picture<\/li>\n<\/ul>\n<p>This list was <a href=\"https:\/\/palant.info\/2023\/05\/31\/more-malicious-extensions-in-chrome-web-store\/\" target=\"_blank\" rel=\"nofollow noopener\">compiled<\/a> by Vladimir Palant himself. He also notes that the list of malicious plugins may not be complete. So be wary of other extensions too.<\/p>\n<h2>How to defend yourself against malicious browser extensions<\/h2>\n<p>This story illustrates how you should never rely unconditionally on the moderators of stores where you get your browser extensions. It\u2019s always wise to take some precautions of your own. Here\u2019s how to protect yourself from malicious plugins:<\/p>\n<ul>\n<li>Don\u2019t install too many browser extensions. The fewer \u2014 the safer.<\/li>\n<li>Before installing an extension, read the reviews about it. Sure, this is no guarantee of security, but in some cases it will at least help unmask a malicious plugin.<\/li>\n<li>Review your list of installed extensions from time to time and get rid of ones you don\u2019t use\/really need.<\/li>\n<li>Install <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">reliable protection<\/a> on all your devices.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-generic\">\n","protected":false},"excerpt":{"rendered":"<p>A few dozen malicious extensions \u2014 with a combined 87 million downloads \u2014 discovered in Google\u2019s Chrome Web Store.<\/p>\n","protected":false},"author":2726,"featured_media":48563,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[1278,16,1499,22,422],"class_list":{"0":"post-48562","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-browsers","9":"tag-chrome","10":"tag-extensions","11":"tag-google","12":"tag-threats"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/dangerous-chrome-extensions-87-million\/48562\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/dangerous-chrome-extensions-87-million\/10931\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/dangerous-chrome-extensions-87-million\/26523\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/dangerous-chrome-extensions-87-million\/29008\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/dangerous-chrome-extensions-87-million\/27906\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/dangerous-chrome-extensions-87-million\/35676\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/dangerous-chrome-extensions-87-million\/20839\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/dangerous-chrome-extensions-87-million\/21534\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/dangerous-chrome-extensions-87-million\/30351\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/dangerous-chrome-extensions-87-million\/26477\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/chrome\/","name":"Chrome"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/48562","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=48562"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/48562\/revisions"}],"predecessor-version":[{"id":48566,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/48562\/revisions\/48566"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/48563"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=48562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=48562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=48562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}