Malicious Chrome and Edge extensions infect at least 3 million people — what to do


More than two dozen browser extensions for Google Chrome and Microsoft Edge can steal personal information, redirect users to ads or phishing websites and even install malware, Avast researchers said yesterday (Dec. 16).

About 3 million people have installed the 28 malicious extensions, three-quarters of which were still available in the Chrome and Edge extension stores at the time of this writing. The extensions are mostly video downloaders designed to grab streaming data from Facebook, Instagram, Spotify, SoundCloud, Vimeo, YouTube and other services.

"The extensions' backdoors are well-hidden and the extensions only start to exhibit malicious behavior days after installation, which made it hard for any security software to discover," said Avast malware researcher Jan Rubín.

If you have any of these extensions installed — we've got a list at the end of this story — delete them right away, and then give your computer a thorough malware scan with some of the best antivirus software. Because browser extensions work equally well on Windows, macOS and Linux, all three platforms may be affected.

Stealing info, logging clicks, even downloading more malware

Avast said the extensions' true motive might be simply to collect money by redirecting users to other websites. But they're also logging every link a user clicks and sending that information to remote servers, as well as collecting information about the user and the host computer.

"The actors also exfiltrate and collect the user's birth dates, email addresses, and device information, including first sign-in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user)," the Avast report said.

Worse, the extensions have the power to "download further malware onto a user's PC," Avast said.

The extension designers took great care to avoid suspicion, which may indicate that their ultimate goal is more than just ad fraud and search-engine redirection. Avast said the extensions can tell whether the user might be a web developer or a security researcher by analyzing traffic and, if so, won't perform any malicious activities.

No matter who the user is, the extensions wait a while before doing anything dodgy.

"The extensions' backdoors are well-hidden and the extensions only start to exhibit malicious behavior days after installation, which made it hard for any security software to discover," Avast said.

This problem goes back years

Google has had a nagging problem with Chrome browser extensions, which the well-funded search-engine giant clearly does not properly screen before allowing them in the Chrome Web Store. 

Hundreds of Chrome extensions have been booted out of the store in 2020 alone for spying on users, yet the problem goes back many years and the malicious extensions just keep coming.

Now that Microsoft has relaunched its Edge browser so that it shares Chrome's underpinnings, it seems to be developing the same problems. 

Tom's Guide asked an Avast spokesperson whether Firefox browser add-ons (the Mozilla term for extensions) might also be part of this current campaign, and we will update this story when we receive further information.

The full list of malicious browser extensions identified by Avast follows below. Because many extensions have similar names, links to each extension's page in the Microsoft Edge or Chrome Web Store are included to avoid confusion.

Malicious Chrome extensions

Malicious Edge extensions

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
