Every day, countless individuals add small browser extensions to boost their productivity or entertainment. With numerous options in the Chrome Web Store, people often depend on indicators like installation numbers, reviews, and the reputation of developers to decide what to install. It’s easy to be swayed by a shiny verification badge or high star ratings, leading us to click “Install” without a second thought.
Yet, attackers have begun to take advantage of these trust signals. Researchers have recently highlighted a campaign involving 18 extensions listed on the official Chrome and Edge web stores that monitor users’ online activities. These extensions have already accumulated over 2 million installs.
How hackers are hiding malware in popular Chrome extensions
Koi Security researchers have identified that attackers use long-term, strategic methods to weaponize these browser extensions. Initially, they publish a functional, legitimate tool to earn user trust. Once it has positive reviews and a strong reputation, they silently push an update that introduces malicious scripts into the original codebase.
Because these updates originate from official sources, they effortlessly bypass corporate firewalls. Unlike obvious phishing scams or suspicious downloads, the malicious code sneaks in through automatic daily updates, raising no immediate alarms.
How malicious Chrome extensions avoid detection
As the investigation progressed, researchers traced suspicious traffic back to seemingly innocent color picker extensions. This led them to clusters of interlinked domains serving as command-and-control (C2) infrastructure. These servers recorded the URLs users visited and redirected them to fake websites full of advertisements.
Upon closer examination of the extensions' code, researchers found identical fingerprints across several unrelated tools, such as weather widgets, emoji keyboards, and video speed controllers. Though they appeared different, the underlying code and behavior were quite similar.
Collectively, these extensions gathered over 2 million installs. To maintain secrecy, attackers used distinct branding and categories for each extension, complicating detection for marketplace monitors. Alarmingly, many of these extensions carry verified badges, which shows how the review process is sidestepped: the extension was benign when it was reviewed and only became malicious through a later update.
A list of dangerous Chrome and Edge extensions to uninstall immediately
The top priority for affected users is to remove any of the listed extensions right away, followed by clearing browser caches and conducting a complete system scan. It’s essential to check your device for these harmful extensions:
- Emoji Keyboard Online (Chrome)
- Free Weather Forecast (Chrome)
- Unlock Discord (Chrome)
- Dark Theme (Chrome)
- Volume Max (Chrome)
- Unblock TikTok (Chrome)
- Unlock YouTubeVPN (Chrome)
- Geco ColorPick (Chrome)
- Weather (Chrome)
- Flash Video Player (Chrome)
- Unlock TikTok (Edge)
- Volume Booster (Edge)
- Web Sound Equalizer (Edge)
- Header Value (Edge)
- Flash Player (Edge)
- YouTube Unblocked (Edge)
- searchgpt (Edge)
- Unlock Discord (Edge)
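Rather than eyeballing the browser's extensions page, a defender can inventory a profile's on-disk Extensions folder and compare each manifest's name against the list above; the script below is an added example, not code from the article or from Koi Security. It assumes the standard <profile>/Extensions/<id>/<version>/manifest.json layout, resolves localized __MSG_key__ names, and reports any broad permissions next to each match; the sample profile it builds is constructed for demonstration.

```python
import json
import tempfile
from pathlib import Path

# Names from the article's list (lower-cased); a store name must match exactly.
FLAGGED_NAMES = {n.lower() for n in (
    "Emoji Keyboard Online", "Free Weather Forecast", "Unlock Discord", "Dark Theme", "Volume Max",
    "Unblock TikTok", "Unlock YouTubeVPN", "Geco ColorPick", "Weather", "Flash Video Player",
    "Unlock TikTok", "Volume Booster", "Web Sound Equalizer", "Header Value", "Flash Player",
    "YouTube Unblocked", "searchgpt")}
# Permissions that would let an extension see visited URLs or redirect navigation.
BROAD_PERMS = {"tabs", "webNavigation", "webRequest", "<all_urls>"}

def resolve_name(ext_dir: Path, manifest: dict) -> str:
    # Manifests often localize the name as __MSG_key__; resolve it via messages.json.
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.is_file():
            name = json.loads(msgs.read_text("utf-8")).get(name[6:-2], {}).get("message", name)
    return name

def scan_extensions(extensions_root: Path) -> list:
    # One record per <id>/<version>/manifest.json under the profile's Extensions folder.
    records = []
    for manifest_path in sorted(extensions_root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text("utf-8"))
        except (OSError, ValueError):
            continue  # unreadable, or half-written while an update is being applied
        name = resolve_name(manifest_path.parent, manifest)
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        records.append({"id": manifest_path.parent.parent.name, "version": manifest.get("version", "?"),
                        "name": name, "flagged": name.strip().lower() in FLAGGED_NAMES,
                        "broad": sorted(p for p in perms if p in BROAD_PERMS or p.endswith("://*/*"))})
    return records

def build_sample_profile() -> Path:
    # Constructed sample layout with made-up ids (not real extension data) so the scan runs offline.
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {"ext-a": {"name": "Geco ColorPick", "version": "2.1", "host_permissions": ["<all_urls>"]},
               "ext-b": {"name": "__MSG_appName__", "version": "1.3", "host_permissions": ["https://*/*"]},
               "ext-c": {"name": "My Notes", "version": "0.9", "permissions": ["storage"]}}
    for ext_id, manifest in samples.items():
        loc = root / ext_id / manifest["version"] / "_locales" / "en"
        loc.mkdir(parents=True)
        (loc.parents[1] / "manifest.json").write_text(json.dumps(manifest), "utf-8")
        (loc / "messages.json").write_text(json.dumps({"appName": {"message": "Free Weather Forecast"}}), "utf-8")
    return root
```

Point scan_extensions at a real profile's Extensions folder (on Linux typically ~/.config/google-chrome/Default/Extensions or ~/.config/microsoft-edge/Default/Extensions; on Windows under %LOCALAPPDATA%\Google\Chrome\User Data\Default or Microsoft\Edge\User Data\Default). A name match is a prompt to verify against the store listing rather than proof on its own, since unrelated extensions can share a generic name like Weather.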
Immediate actions to take
If you have any of the extensions linked to this redirection campaign installed, follow these steps to safeguard your data and devices:
- Remove all affected extensions immediately from both Chrome and Edge browsers.
- Clear browser data to eliminate saved tracking identifiers.
- Conduct a full system malware scan using trusted antivirus software to detect potential threats.
- Monitor your online accounts for unusual activity, especially after visiting sensitive sites while the extension was active.
- Review all installed extensions and remove anything unfamiliar or untrusted, especially if there’s suspicious behavior.
Ways to protect yourself from malicious extensions
1) Monitor your accounts for unusual activity: If you accessed sensitive sites while one of these extensions was active, check those accounts for suspicious behavior and change your passwords promptly. Using a password manager to store and generate complex passwords helps mitigate the risk of password reuse.
2) Enable two-factor authentication (2FA): Activate 2FA wherever possible to add another layer of security to your accounts. This can hinder unauthorized access, even if your password is compromised.
3) Use effective antivirus software: Although these malicious extensions come from official stores and update automatically, robust antivirus software can help detect hidden trackers and malicious scripts. Combining it with safe browsing habits is crucial.
4) Reset your browser settings: This can revert any undesirable changes to your homepage or search engine settings.
5) Be alert for security alerts: Keep an eye on warnings via email or texts regarding unauthorized login attempts. This helps you catch suspicious activities early.
6) Use a browser with extended permission control: Some browsers allow you to restrict what data extensions can access, which decreases the risk of future attacks.
Final thoughts
Browser extensions can be incredibly useful, but they come with hidden dangers. This situation is a stark reminder that even the most reputable tools can become malicious. Staying vigilant, regularly checking your extensions, and employing strong antivirus solutions can go a long way in protecting your browser and personal information.
Do you rely on ratings and reviews when choosing an extension, or do you dig deeper? Let us know your thoughts.
