Over 280 million at risk from malware-filled Chrome extensions — how to stay safe


In the same way that you need to be careful when installing new apps on your smartphone, you also have to be cautious when adding new extensions to your browser, especially with Google Chrome.

With a 65% market share worldwide according to Statcounter, Chrome is by far the most popular browser, which makes it the perfect target for hackers and other cybercriminals. While cyberattacks often exploit zero-day flaws in Google’s browser, there’s an easier way to target Chrome users: malicious extensions.

Just like with malicious apps, these bad extensions can contain malware and other threats designed to steal your data as well as your cash. Of the 250,000 extensions on the Chrome Web Store, less than 1% were found to include malware according to a recent blog post from Google. However, a new research paper is claiming differently.

Published by researchers from Stanford University and the CISPA Helmholtz Center for Information Security, the research paper (PDF) claims that 280 million people installed a malware-infected Chrome extension between July 2020 and February 2023.

Here’s everything you need to know about malicious Chrome extensions and how you can stay safe when adding new extensions to your browser.

Lasting threats

As reported by TechSpot, the researchers found that over a three-year period, 346 million users installed Security-Noteworthy Extensions (SNE). Of these installs, 63 million were of extensions that violated Chrome Web Store policy and 3 million were of extensions with vulnerable code, while 280 million were of extensions that actually contained malware.

Surprisingly, many of these malicious extensions were available to download on the Chrome Web Store for quite some time. The malware-filled ones remained on the store for 380 days on average while the ones with vulnerable code stayed up for 1,248 days on average.

Of these malicious extensions, one called TeleApp was available to download and install for 8.5 years. The extension itself was last updated in 2013 and was only removed in 2022, after it was found to contain malware.

Normally with apps on the Google Play Store, I recommend checking user ratings and reviews to see if they are malicious. However, the researchers found that this doesn’t help when it comes to bad extensions as many of them don’t have any reviews at all. This could indicate that their users don’t know they’re dangerous or that they just didn’t take the time to rate and review them.

How to stay safe from malicious extensions


Since checking ratings and reviews on the Chrome Web Store doesn’t seem to work in this case, you’re going to have to look for external reviews to help judge whether or not a browser extension is safe to install. However, as browser extensions rarely get full reviews, there are some other things to keep in mind to stay safe.

Just like with bad apps, the researchers found that malicious extensions often ask for more permissions than they should. If you go to install a new extension and it’s asking for quite a lot of permissions, this can be a major red flag and could be a good indication that it might be malicious.
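A simple way to apply that permissions red flag before installing is to look at the extension's manifest.json. The checker below is an added example (not from the researchers' paper or from Google), and its list of risky permissions, the severity weights and the sample "weather widget" manifest are all this example's own assumptions.

```python
import json

# Permissions that expose browsing data or control the browser. The grouping
# and weights are this example's assumptions, not Google's own classification.
HIGH_RISK = {
    "webRequest": "can observe every request the browser makes",
    "webRequestBlocking": "can modify or redirect requests",
    "cookies": "can read session cookies for any permitted site",
    "history": "can read full browsing history",
    "debugger": "can attach to tabs and read page content",
    "nativeMessaging": "can talk to a program outside the browser",
    "proxy": "can route all traffic through a chosen proxy",
    "management": "can disable other extensions, including security tools",
    "clipboardRead": "can read the clipboard",
}
MEDIUM_RISK = {"tabs", "scripting", "webNavigation", "downloads", "storage"}
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def review_manifest(manifest_json: str) -> dict:
    """Return flagged permissions and a simple risk score for one manifest."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    hosts = list(m.get("host_permissions", []))
    # Manifest V2 puts host patterns inside "permissions"; pull them out too.
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    findings = []
    for p in sorted(perms & set(HIGH_RISK)):
        findings.append((p, "high", HIGH_RISK[p]))
    for p in sorted(perms & MEDIUM_RISK):
        findings.append((p, "medium", "grants access to tab or page state"))
    for h in hosts:
        if h in BROAD_HOSTS:
            findings.append((h, "high", "runs on every site the user visits"))
    # A content script matched against every URL is as broad as <all_urls>.
    for cs in m.get("content_scripts", []):
        if any(pat in BROAD_HOSTS for pat in cs.get("matches", [])):
            findings.append(("content_scripts", "high", "injects script into all pages"))
            break
    score = sum(3 if sev == "high" else 1 for _, sev, _ in findings)
    return {"name": m.get("name", "?"), "score": score, "findings": findings}


# Constructed sample: a "weather widget" asking for far more than it needs.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Weather Widget (constructed sample)",
    "permissions": ["storage", "cookies", "webRequest", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["w.js"]}],
})

if __name__ == "__main__":
    result = review_manifest(SAMPLE_MANIFEST)
    for name, sev, why in result["findings"]:
        print(f"[{sev}] {name}: {why}")
    print("risk score:", result["score"])
```

A weather widget that legitimately needs one forecast API should show no high findings; anything scoring like the sample is worth a second look before you click "Add to Chrome".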

Since many malicious extensions contain malware, you’re going to want to use the best antivirus software on your PC and one of the best Mac antivirus software solutions on your Apple computer. This way, if an extension does contain malware, your antivirus software will be able to catch it before any damage can be done.

Likewise, before you install any new software or browser extensions, you first need to ask yourself if you really need to. A lot of times, you’ll be able to accomplish the same thing using built-in software or your browser’s own capabilities. If you do need to install an extension for your browser, make sure that it’s from a trusted source or a well-known software provider.

Since Chrome is the biggest browser after all, hackers will likely keep trying to have their malicious extensions slip past Google’s defenses. The search giant does have a dedicated security team that reviews every Chrome extension to make sure it isn’t malicious though. However, if you want to be extra careful, the fewer browser extensions you have installed the better.

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

  • Brandykandy
    Google, Chrome, the largest Android software company there is: you have no choice whether or not you use their services if you have Android.
    And they don't have a dedicated security team that ensures that their products are safe? 3rd party or not, that sounds crazy to me. Why don't they? They can definitely afford to.
    Businesses are not being held to any kind of standards these days. Here in the US you can harm as many people as you like, just make sure you form a corporation or LLC before doing it.
  • chromium4
    This is yet another reason why I gravitate towards flagship-level devices. They are rich with features out of the box, so I'm not dependent upon OS updates, additional apps or extensions to provide the options I want to meet my needs and give me the user experience I seek.