Google Removes 32 Malicious Chrome Extensions with Over 75 Million Installs from Web Store

Google’s efforts to combat malicious software extend beyond its Play Store, as shown by its recent removal of 32 harmful extensions from the Chrome Web Store. With a cumulative installation count exceeding 75 million, these extensions had successfully infiltrated users’ browsers.

Reports from BleepingComputer shed light on the deceptive techniques employed by these malicious extensions. They camouflaged their hidden code within seemingly harmless functionality, which let them evade detection by unsuspecting users. The extensions kept carrying out their advertised functions while the hidden code operated undetected, effectively bypassing security measures.

Renowned cybersecurity researcher Wladimir Palant contributed significantly to uncovering the threat’s extent. During his investigation, he encountered obfuscated code in the PDF Toolbox extension for Google Chrome. Despite the extension boasting a commendable Chrome Web Store rating of 4.2 and amassing over 2 million users, Palant’s analysis revealed the presence of potentially harmful elements within the code.

Delving deeper into the issue, Palant found that the hidden code within the PDF Toolbox extension enabled the website “serasearchtop[.]com” to inject arbitrary JavaScript code into websites visited by users with the extension installed. Intriguingly, this code was programmed to activate 24 hours after installation, suggesting its primary purpose was to inject unwanted advertisements.

Concerns about Installation Numbers and Potential Manipulation

Building upon his initial discovery, Palant expanded his investigation to uncover 18 additional browser extensions that employed similar malicious code. Remarkably, these compromised extensions collectively accumulated a vast user base of 55 million. Among the affected extensions were Autoskip for YouTube, with a staggering 9 million active users; Soundboost, with 6.9 million users; and Crystal Ad Block, with 6.8 million users. These alarming statistics are a stark reminder of the widespread impact caused by these malicious extensions.

The incidents surrounding these malicious extensions emphasize the importance of implementing comprehensive security measures to safeguard users’ online experiences. Google’s swift action in removing the compromised extensions from the Chrome Web Store is a testament to its commitment to user safety. As users, it is crucial to remain vigilant and exercise caution when installing browser extensions, ensuring their legitimacy and adhering to best practices for online security.

After confirming the presence of malicious code, Avast promptly reported the compromised extensions to Google. The cybersecurity giant’s investigation expanded to uncover additional similar extensions, ultimately reaching 32 identified threats. These extensions had collectively amassed a staggering 75 million installations.

However, Avast cautioned that while the number of installs is undeniably high, it is possible that these figures were artificially inflated. This suspicion arises from the remarkably low number of reviews accompanying these extensions on the Chrome Web Store. Additionally, Avast noted a discrepancy between the number of people who encountered the malicious activity and the reported number of installs. These anomalies raise questions about the potential manipulation of the installation figures.

The Swift Response of Google to Protect Users

While the true scope of the impact remains uncertain, it is evident that these malicious extensions posed a significant threat to a substantial user base. This incident further underscores the need for robust security measures and vigilance in the digital landscape.

Following a thorough investigation, Avast has determined that the compromised extensions’ ultimate objective revolves around adware distribution. The malicious code deployed by these extensions inundates users with intrusive and unwanted advertisements. Moreover, the extensions include a search results hijacker feature, which manipulates search queries to display sponsored links, paid search results, and potentially harmful links.

In response to these security concerns, Google promptly removed the reported extensions from the Chrome Web Store. However, it is essential for users who still have these extensions installed to take proactive measures. To mitigate the risks associated with the compromised extensions, individuals are advised to deactivate or uninstall them promptly.

Users should remain cautious when installing browser extensions and regularly review and assess the permissions and functionality of the extensions they employ. These extensions’ identified adware and search-hijacking capabilities highlight the significance of maintaining a vigilant approach to online security. By staying proactive and adopting best security practices, individuals can help protect themselves from potential threats lurking in the digital landscape.
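
One way to carry out the permission review recommended above, as an added example that is not code from the article, Avast, or Palant: it reads each installed extension's `manifest.json` and reports which ones can reach every site, the access that injecting script into visited pages requires. It assumes the usual profile layout `Extensions/<id>/<version>/manifest.json`; the two sample manifests are constructed.

```python
import json
from pathlib import Path

# Match patterns that give an extension access to every site the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that matter once host access is broad (Chrome manifest names).
SENSITIVE = {"tabs", "scripting", "webRequest", "webRequestBlocking",
             "declarativeNetRequest", "cookies", "history"}

def audit_manifest(manifest: dict) -> dict:
    """Summarise how far one extension's manifest lets it reach."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    hosts = perms | set(manifest.get("host_permissions", []))
    optional = set(manifest.get("optional_host_permissions", [])) | {
        p for p in manifest.get("optional_permissions", []) if isinstance(p, str)}
    scripts = {m for cs in manifest.get("content_scripts", [])
               for m in cs.get("matches", [])}
    return {
        "name": manifest.get("name", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "all_sites_host_access": sorted(hosts & BROAD),
        "all_sites_content_script": sorted(scripts & BROAD),
        "all_sites_optional": sorted(optional & BROAD),
        "sensitive_apis": sorted(perms & SENSITIVE),
    }

def audit_profile(extensions_dir) -> list:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        result = audit_manifest(manifest)
        result["id"] = path.parent.parent.name
        # Flag for manual review; broad access alone does not prove malice.
        result["review"] = bool(result["all_sites_host_access"]
                                or result["all_sites_content_script"])
        findings.append(result)
    return findings

# Constructed sample manifests (not taken from any real extension).
SAMPLE_BROAD = {"name": "Sample PDF helper", "manifest_version": 2,
                "permissions": ["tabs", "storage", "<all_urls>"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}
SAMPLE_NARROW = {"name": "Sample notes", "manifest_version": 3,
                 "permissions": ["storage"],
                 "host_permissions": ["https://notes.example/*"]}
```

Call `audit_profile()` with the path to a browser profile's `Extensions` directory and review every entry where `review` is true against what the extension claims to do.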