Malicious Chrome extensions are an increasingly common threat to internet users: more than 100 have been identified since February 2024. They impersonate reputable brands such as Fortinet and YouTube, or pose as VPN and productivity tools. The campaign behind them is ongoing and global, targets any Chrome user, and has also taken over legitimate extensions through compromised developer accounts, so that millions of users are affected in total. Despite this, many of the harmful extensions remain live on the official Chrome Web Store.
The surge of malicious Chrome extensions poses grave dangers, affecting millions of users through developer account compromises and impersonation of trusted brands.
The attackers use well-crafted lures to get their extensions installed: lookalike websites that closely mimic the legitimate service and walk the visitor through adding the extension. Each extension's manifest.json declares broad permissions and host patterns that, once the user accepts the install prompt, amount to full browser access. The package submitted to the store can look harmless, because the extension fetches and executes further code from the attacker's server after installation, which sidesteps the review Google performs on the submitted code. To get that code running inside web pages, the extensions frequently inject temporary DOM elements that work around the security policies those pages set, which also obscures the activity. The actors behind the campaign have not been identified; they have been publishing such extensions since February 2024 under the guise of legitimate tools, which makes them hard for users to recognize, and they trade on the trust users place in the Chrome Web Store.
Data theft and session hijacking are the core objectives. The extensions harvest sensitive browser data, in particular cookies and access tokens, which let an attacker take over the victim's logged-in sessions, and they execute arbitrary code pulled from attacker-controlled servers. They establish WebSocket connections through which they observe the user's traffic, and use the same foothold to redirect users to phishing sites, manipulate traffic and inject unwanted advertisements.
The phishing extends beyond end users to extension developers: a compromised developer account lets the attacker push an unauthorized update to an extension that users already have installed and trust. At least 35 extensions have been hijacked this way through developer account takeover, affecting roughly 2.6 million users. This is why users should verify the publisher's identity and scrutinize the permissions an extension requests before installing it, declining it when they exceed what its stated function needs.
To reduce the risk, experts recommend installing extensions only from official stores, not following third-party links to extension installs, and periodically reviewing the extensions already installed and the permissions they hold. Watching for abnormal browser behaviour, such as unexpected advertisements or redirects, gives a further chance to catch a malicious extension early. These are essential steps in an increasingly complex threat landscape.