Many assume all extensions on the Chrome Web Store are safe, but that is untrue. In fact, the store has hosted malicious web extensions that seek to steal user information or bombard users with ads. Even though the Chrome Web Store employs tools to detect malicious extensions, some bypass the safeguards and are available for Chrome users to download.
These malicious Chrome web extensions are a particular problem if your company allows remote work. Unsuspecting employees may install some of these extensions and inadvertently compromise corporate data. Understanding the importance of browser security for your organization, LayerX discusses malicious Chrome web extensions to avoid in 2023.
Details of malicious Chrome web extensions
In mid-May 2023, cyber security researcher Wladimir Palant wrote about the popular Chrome web extension PDF Toolbox, which contained obfuscated malicious code. Weeks later, Palant identified 34 malicious extensions with 87 million users, and Google removed all of them.
Following Palant’s discovery, cyber security company Avast verified the threats and discovered 32 malicious extensions with 75 million combined installs on the Chrome Web Store. Despite Google removing the reported extensions from the store, LayerX found that the installations remain, meaning that whatever threats they pose remain active.
Avast says it is protecting its users by blocking the malicious extensions’ backdoor communication. Doing so allows the browser extension’s non-malicious portion to work as intended while neutralizing the malicious component. However, not all users have such protection.
Hence, we will highlight the identified malicious web extensions below so that you can avoid them. Here are identified malicious Chrome web extensions:
- Autoskip for YouTube
- Soundboost
- Crystal Ad block
- Brisk VPN
- Clipboard Helper
- Maxi Refresher
- Quick Translation
- Easyview Reader view
- PDF toolbox
- Epsilon Ad blocker
- Craft Cursors
- Alfablocker ad blocker
- Zoom Plus
- Base Image Downloader
- Clickish fun cursors
- Cursor-A custom cursor
- Amazing Dark Mode
- Maximum Color Changer for Youtube
- Awesome Auto Refresh
- Venus Adblock
- Adblock Dragon
- Readl Reader mode
- Volume Frenzy
- Image download center
- Font Customizer
- Easy Undo Closed Tabs
- Screence screen recorder
- OneCleaner
- Repeat button
- Leap Video Downloader
- Tap Image Downloader
- Qspeed Video Speed Controller
- HyperVolume
- Light picture-in-picture
Effects of Malicious Chrome web extensions
Malicious browser extensions are typically designed to deliver legitimate functionality, making them appear harmless at first glance. But when you look harder, you discover obfuscated malicious code hidden among the legitimate code. Here are the effects of such malicious code:
- Unwanted ads: The final payload of the malicious web extensions appears to be adware that sends unwanted ads to users. These ads may redirect users to malicious websites where they can unknowingly download malware.
- Altered search results: Another payload linked to malicious extensions is a search result hijacker that influences search experiences by displaying paid search results, potentially malicious links, and sponsored links. A few reviews on the Image Download Center extension mention it being malicious and redirecting search results.
Reviews reporting the malicious nature of Image Download Center on Chrome Web Store (Wladimir Palant)
- Unknown threats: After cyber security researcher Palant detected malicious code in PDF Toolbox, he admitted that he did not know what it could do because he didn’t see it in action. It is not clear when or whether the code becomes active, but the unknowns make a web extension like PDF Toolbox scary. The best way for an individual or organization to deal with such extensions is to avoid them; it is better not to find out what the threats are.
How to detect Malicious Chrome web extensions
Palant and Avast’s research does not provide a definitive list of malicious extensions on the Chrome Web Store, indicating there may well be more. Hence, it would be a mistake not to require employees to check extensions for suspicious activity before downloading them.
Below, we will explain how to identify a suspicious or malicious Chrome extension:
- Analyze a web extension’s reviews: Check whether users have complained about the extension being malicious.
- Pay attention to permission requests: Malicious extensions may request permission to access personal information or programs they have no need for.
- Verify extension owners: Where possible, install extensions created and owned by popular companies to reduce the risk of malware downloads.
- Keep Chrome and devices updated: Operating system and browser updates include new protections to help identify malicious extensions.
- Install antivirus software: It will automatically detect and notify you of any malicious activity by a web extension. The software may also block the malicious component of the extension.
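Because extensions removed from the store stay installed, the name and permission checks above can also be run against what is already on disk. The following is an added example, not code from LayerX, Palant or Avast: it assumes the usual Chrome profile layout of `Extensions/<extension id>/<version>/manifest.json`, the function names are hypothetical, and the sample profile (IDs and the two unlisted names) is constructed. Name matching is only a heuristic, and all-site access marks an extension for review rather than proving it malicious.

```python
import json
import tempfile
from pathlib import Path

ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def load(path):  # unreadable or malformed JSON counts as an empty object
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def display_name(ext_dir, manifest):  # resolve a localized "__MSG_key__" name
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = str(manifest.get("default_locale", "en"))
        msgs = load(ext_dir / "_locales" / locale / "messages.json")
        hit = {k.lower(): v for k, v in msgs.items()}.get(name[6:-2].lower())
        name = str(hit.get("message", name)) if isinstance(hit, dict) else name
    return name

def audit(extensions_root, listed_names):  # root = <profile>/Extensions
    listed = {n.strip().lower() for n in listed_names}
    findings = []
    for mf in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        manifest = load(mf)
        name = display_name(mf.parent, manifest)
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        reasons = ["name on list"] if name.strip().lower() in listed else []
        if ALL_SITES & {p for p in perms if isinstance(p, str)}:
            reasons.append("all-site access")  # MV2 "permissions" or MV3 "host_permissions"
        if reasons:
            findings.append((mf.parts[-3], name, reasons))
    return findings

def demo():  # constructed profile: IDs and the two unlisted names are made up
    samples = {
        "a" * 32: ({"name": "__MSG_extName__", "default_locale": "en",
                    "host_permissions": ["<all_urls>"]}, {"extName": {"message": "PDF Toolbox"}}),
        "b" * 32: ({"name": "Notes Pad", "permissions": ["storage"]}, {}),
        "c" * 32: ({"name": "Tab Tidy", "permissions": ["tabs", "*://*/*"]}, {}),
    }
    with tempfile.TemporaryDirectory() as root:
        for ext_id, (manifest, msgs) in samples.items():
            loc = Path(root, ext_id, "1.0_0", "_locales", "en")
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text(json.dumps(msgs))
            (loc.parents[1] / "manifest.json").write_text(json.dumps(manifest))
        return audit(root, ["PDF toolbox", "Brisk VPN", "Zoom Plus"])
```

To audit a real machine, call `audit()` with the profile's `Extensions` directory and the full list of names given earlier on this page.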
How to remove malicious extensions from the Chrome browser
If you’ve detected a suspicious or malicious extension on your browser, remove it with the following steps:
- Launch Chrome.
- Open Chrome settings through the three vertical dots in the browser’s upper right corner.
- Click More Tools, and a dropdown will open.
- Tap Extensions.
- Identify the extension you are removing by scrolling down to it or searching for its name with the “search extensions” box at the top of your screen.
- Select Remove below the extension.
- Tap Remove again in the pop-up screen.
Wrapping up
As we mentioned earlier, Google’s removal of malicious extensions from the Chrome Web Store does not automatically solve the problem. Once removed from the store, the extensions are unavailable for installation but remain active on browsers that already downloaded them. So, if you have one of them, you should manually eliminate the risk.
As Palant suggested, there are probably more than 34 malicious extensions on the Chrome Web Store because his research was based on a sample of about 1,600 extensions — not all of the store’s contents.
Therefore, we recommend checking extensions before you install them and removing suspicious ones before they become a problem. Require your employees to take these steps to ensure browser security in your organization.