Browser extensions can be very useful. They may help you block ads and other unwanted content, download content from websites, enhance online services, or introduce AI features that you really want to use in the browser.
However, reports about malicious extensions for Google Chrome, and thus all other Chromium-based browsers, appear online at regular intervals. Security is not perfect, and users may fall prey to malicious extensions not only on third-party sites but also when they browse the Chrome Web Store.
Security researchers at Koi Security discovered a coordinated malware campaign of 18 extensions for Google Chrome, Microsoft Edge, and other Chromium-based browsers that had over 2.3 million users.
The extensions, among them Color Picker, Eyedropper — Geco colorpick, Free Weather Forecast, or Unlock TikTok, were fully functional according to the developers. These were not obvious scams “thrown together in a weekend”, but “carefully crafted trojan horses”.
Color Picker, for example, provided color picking functionality. It must have done an okay job at that, as it had a rating of 4.2 out of 5 on the Chrome Web Store, over 800 ratings, and more than 100,000 users.
Interestingly enough, several of the extensions were listed as “featured” on the store, which meant that Google promoted them to users who visited the Store. It is very likely that this gave the featured extensions a significant boost, more eyes on them, more downloads.
A Reddit developer observed an increase in impressions of almost 300 percent after the extension got the coveted featured badge on the Chrome Web Store. While the percentage may vary, the badge is without a doubt pushing installs.
Browser Hijacking
According to Koi Security, the extensions provide users with the functionality that they advertise, but they also run malicious tasks in the background.
The malware monitors every page you visit, submits it to a remote server along with your unique tracking ID, and may receive redirect URLs from the server.
The malware group introduced the malicious code sometime after the extensions were launched on the Chrome Web Store. The fact that browser extensions are designed to update automatically most of the time helped them. Users did not have to click on anything or fall prey to a sophisticated phishing or social engineering attack to get the malware on their devices.
All they did in the beginning was install a perfectly harmless and working extension for the browser. The malware came later.
Koi Security reported the malware extensions to Google. At the time of writing, some are still available on the Store.
Here are the names and unique IDs, so that you can check them against the installed extensions:
Chrome:
kgmeffmlnkfnjpgmdndccklfigfhajen — [Emoji keyboard online — copy&past your emoji.]
dpdibkjjgbaadnnjhkmmnenkmbnhpobj — [Free Weather Forecast]
gaiceihehajjahakcglkhmdbbdclbnlf — [Video Speed Controller — Video manager]
mlgbkfnjdmaoldgagamcnommbbnhfnhf — [Unlock Discord — VPN Proxy to Unblock Discord Anywhere]
eckokfcjbjbgjifpcbdmengnabecdakp — [Dark Theme — Dark Reader for Chrome]
mgbhdehiapbjamfgekfpebmhmnmcmemg — [Volume Max — Ultimate Sound Booster]
cbajickflblmpjodnjoldpiicfmecmif — [Unblock TikTok — Seamless Access with One-Click Proxy]
pdbfcnhlobhoahcamoefbfodpmklgmjm — [Unlock YouTube VPN]
eokjikchkppnkdipbiggnmlkahcdkikp — [Color Picker, Eyedropper — Geco colorpick]
ihbiedpeaicgipncdnnkikeehnjiddck — [Weather]
Edge:
jjdajogomggcjifnjgkpghcijgkbcjdi — [Unlock TikTok]
mmcnmppeeghenglmidpmjkaiamcacmgm — [Volume Booster — Increase your sound]
ojdkklpgpacpicaobnhankbalkkgaafp — [Web Sound Equalizer]
lodeighbngipjjedfelnboplhgediclp — [Header Value]
hkjagicdaogfgdifaklcgajmgefjllmd — [Flash Player — games emulator]
gflkbgebojohihfnnplhbdakoipdbpdm — [Youtube Unblocked]
kpilmncnoafddjpnbhepaiilgkdcieaf — [SearchGPT — ChatGPT for Search Engine]
caibdnkmpnjhjdfnomfhijhmebigcelo — [Unlock Discord]
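One way to run that check across every browser profile at once, as an added example that is not part of the original article or of Koi Security's report. It assumes the on-disk layout Chromium-based browsers use for installed extensions (`<user data dir>/<profile>/Extensions/<extension ID>/<version>/manifest.json`); the function names are made up for this sketch, and the demo uses constructed IDs rather than the ones listed above.

```python
import json, re, sys, tempfile
from pathlib import Path

# Chromium extension IDs are 32 characters drawn from the letters a-p.
ID_LINE = re.compile(r"\s*([a-p]{32})\b\W*(.*?)\W*$")

def parse_id_list(text):
    """Map ID -> name from lines shaped like '<id> - [Name]'; other lines are ignored."""
    flagged = {}
    for line in text.splitlines():
        if m := ID_LINE.match(line):
            flagged[m.group(1)] = m.group(2)
    return flagged

def installed_extensions(user_data_dir):
    """Yield (profile, ext_id, version, manifest_name) for each extension version on disk."""
    for ext_dir in sorted(Path(user_data_dir).glob("*/Extensions/*")):
        if not (ext_dir.is_dir() and re.fullmatch("[a-p]{32}", ext_dir.name)):
            continue
        for manifest in sorted(ext_dir.glob("*/manifest.json")):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                data = {}  # unreadable manifest: the ID is still reported
            name = data.get("name", "?") if isinstance(data, dict) else "?"
            yield ext_dir.parent.parent.name, ext_dir.name, manifest.parent.name, name

def find_flagged(user_data_dir, flagged):
    """Match on ID only: manifest names are often '__MSG_...__' placeholders."""
    return [(p, i, v, flagged[i]) for p, i, v, _ in installed_extensions(user_data_dir) if i in flagged]

def demo():
    """Scan a constructed profile tree in a temp dir (no real browser data is touched)."""
    bad, good = "a" * 32, "b" * 32  # constructed IDs, not taken from the list above
    with tempfile.TemporaryDirectory() as root:
        for profile, ext_id in (("Default", good), ("Profile 1", bad)):
            d = Path(root, profile, "Extensions", ext_id, "1.0_0")
            d.mkdir(parents=True)
            (d / "manifest.json").write_text('{"name": "__MSG_appName__", "version": "1.0"}')
        flagged = parse_id_list(f"{bad} - [Constructed Sample]\nnot an id line")
        return find_flagged(root, flagged)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <user data dir> <text file with the ID list>
        hits = find_flagged(sys.argv[1], parse_id_list(Path(sys.argv[2]).read_text(encoding="utf-8")))
    else:
        hits = demo()
    for profile, ext_id, version, name in hits:
        print(f"FLAGGED {ext_id} ({name}) version {version} in profile {profile!r}")
```

Run it with the browser's user data directory (the parent of the Profile Path shown on chrome://version or edge://version) and a text file holding the ID list; with no arguments it only scans the constructed demo tree.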
The final straw : “Interestingly enough, several of the extensions were listed as “featured” on the store, which meant that Google promoted them to users who visited the Store.”
Google promotes malicious Chrome extensions. What the heck is this company? A bazaar?
No Google here, yet, whatever extension on whatever browser and, as it seems, Chromium browsers in particular, do check them at
‘ExtensionPedia, The Browser Extensions Risk Database and Knowledge Center’ : [https://layerxsecurity.com/extensions/] to get an overview of seriousness, privacy and security implications.
“Google promotes malicious Chrome extensions.”
My personal guess is that almost all “featured” Chrome extensions are either first-party Google extensions or ones whose developers pay money to make them “featured”. Maybe the top 10 or top 25 downloaded extensions are also included in this category for free.
You forgot the word “million” in the title :p
Thanks!
The only extensions I use are for enhanced privacy and security.
Seeing a “Featured by google” tag would actually discourage me from using them.