Chrome Protector notifies you if you are running malicious extensions - gHacks Tech News


Most Internet users do not expect that extensions that they install from official repositories can contain malicious code, either directly upon installation, or later on when they are updated.

Usually, that code is used for monetization purposes and not for the distribution of malware or other malicious activities.

News made the rounds recently that companies that are in the trade approach extension developers to acquire their extensions. If the developer agrees, ownership of the extension changes hands for hundreds if not thousands of dollars.

Some time later, the very same extension is updated by the new owner with new code that may track users when they browse the Internet, inject ads on web pages, or add so-called affiliate links to pages.

This usually happens automatically and without notification. Since it is unlikely that many users of the extension would agree to being tracked, or to the extension displaying ads or planting affiliate links on websites, these new monetization options are usually opt-out, meaning they are turned on by default.

I have described previously how you can protect yourself from these extensions in Firefox and Chrome.

The new Chrome Protector extension for Google Chrome has been created in response to the recent news. It currently checks the installed extensions and will inform you if a malicious extension has been found.

How is that done? Currently by a blacklist. It is regularly updated based on user reports, the author's own research, and alerts posted on Reddit.

The author seems to have plans though to expand on this later on in development, and this is where it could get interesting. For instance, one option could be to monitor extension ratings and verify extensions if ratings drop in a short amount of time.

While that means that the extension is not protecting you from new malicious extensions in real-time, it could reduce the time it takes before you are aware that something is not right.
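
The blacklist check and the rating-drop idea described above, sketched as an added example that is not Chrome Protector's own code. The extension IDs, rating samples and thresholds are constructed, and the extension records are assumed to have the shape returned by `chrome.management.getAll()`.

```javascript
// Added example, not Chrome Protector's code. IDs, ratings and thresholds are
// constructed; records use the shape returned by chrome.management.getAll().
const BLOCKLIST = new Set(["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]); // placeholder ID

const installed = [
  { id: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", name: "Tab Helper", version: "2.1", enabled: true },
  { id: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", name: "Quick Notes", version: "1.4", enabled: true },
  { id: "cccccccccccccccccccccccccccccccc", name: "Weather Bar", version: "3.0", enabled: false },
];

// Constructed store-rating samples per extension ID, sorted by day.
const ratingHistory = {
  bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb: [
    { day: 0, rating: 4.6 }, { day: 3, rating: 4.5 }, { day: 6, rating: 3.7 },
  ],
  cccccccccccccccccccccccccccccccc: [
    { day: 0, rating: 4.6 }, { day: 60, rating: 3.7 }, // slow drift, not a sudden drop
  ],
};

// True if the rating fell by at least minDrop between two samples that are
// no more than windowDays apart.
function ratingDropped(samples, windowDays = 7, minDrop = 0.5) {
  for (let i = 0; i < samples.length; i++) {
    for (let j = i + 1; j < samples.length; j++) {
      if (samples[j].day - samples[i].day > windowDays) break;
      if (samples[i].rating - samples[j].rating >= minDrop) return true;
    }
  }
  return false;
}

// Returns one finding per extension that is blocklisted or lost rating quickly.
function auditExtensions(extensions, blocklist, history) {
  return extensions
    .map((ext) => {
      const reasons = [];
      if (blocklist.has(ext.id)) reasons.push("blocklisted");
      if (ratingDropped(history[ext.id] || [])) reasons.push("rating-drop");
      return { id: ext.id, name: ext.name, enabled: ext.enabled, reasons };
    })
    .filter((finding) => finding.reasons.length > 0);
}

const findings = auditExtensions(installed, BLOCKLIST, ratingHistory);
for (const f of findings) console.log(`${f.name} (${f.id}): ${f.reasons.join(", ")}`);
```

A rating-drop finding is only a prompt to review the extension's recent updates and reviews; unlike a blacklist hit, it says nothing definite about the code.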

While it may make sense for some to install the extension and keep it installed, it may make sense for others to install it only once or occasionally, at least for the time being.


If the author of the extension could add features to it that would improve its usability, like monitoring store rating changes, comments, extension updates and "known" developers, it could very well become a must-have extension for Chrome users who use many extensions.

For now, it is a nice concept extension that may have its uses for some users.

Update: The extension has been renamed to ExtShield - Stops Malicious Extensions. We have updated the link so that it now points to the correct page on the Chrome Web Store. According to the author, an update will be released soon that warns users when they try to install one of over 100 adware, spyware or malware extensions that are currently available in the web store.

Update 2: The latest version of Shield for Chrome -- yes another name change -- can now also monitor website behavior, and blocks the Chrome bug that allows sites to listen in on conversations.



  1. ned the impala said on January 21, 2014 at 2:16 am

    I’d like to know if there’s an equivalent for Firefox. Firefox is my default browser, because it’s not [yet, though it IS about to be] FUBAR.

    1. Martin Brinkmann said on January 21, 2014 at 10:29 am

      Not that I know of.

  2. Anon said on January 21, 2014 at 3:00 am

    It looks like this extension is from the makers of DoNotTrackMe extension. The reviews state it was updated with malware. And both extensions link to the same website.

    1. Martin Brinkmann said on January 21, 2014 at 10:11 am

      Can you please be more precise? Are you saying that this extension is malicious in nature?

    2. Martin Brinkmann said on January 21, 2014 at 10:28 am

      I just checked this Reddit thread, and it appears it is not from the makers:

  3. InterestedBystander said on January 21, 2014 at 5:26 am

    Well. It’s getting to be quite a rodeo out there! Any sign of a movement toward an open-source repository for ethical extension developers? FOSS with something like SourceForge for apps, browser extensions, and plug-ins?

  4. Zinc said on January 21, 2014 at 11:20 am

    So is it legit or not?
    No dev listed…only 2 reviews…

    Looks like someone left a wooden horse at the gates.

    1. Martin Brinkmann said on January 21, 2014 at 11:24 am

      It is not clear yet. It may be legit, but the dev has made some unfortunate choices such as adding permissions for features that are not implemented yet.

  5. joebatch said on January 21, 2014 at 4:21 pm

    Martin, this is why I go to your e-mail first before I do anything on line. I trust you to keep me up to date and informed to protect and keep my computer working. I’m also grateful to your readers for their comments and updates. This program would be better than sliced bread, I wish I had the brains to think of it, however I will wait for your update on whether to download this or not.

  6. Bobby Phoenix said on January 21, 2014 at 6:16 pm

    Link is not working.

  7. Johnny1 said on January 21, 2014 at 7:07 pm

    Looks like Chrome Protector has been taken down from the app store.

    1. Martin Brinkmann said on January 21, 2014 at 7:31 pm

      Seems to have been taken down by the author. He mentioned on Reddit that the extension was renamed, maybe that is the reason?

      1. Johnny1 said on January 21, 2014 at 8:09 pm

        Maybe Google objected to the use of “Chrome” in the add-on’s name.

      2. Martin Brinkmann said on January 21, 2014 at 9:09 pm

        You are right, Chrome was the problem. It has been renamed and is available again.

  8. Sylvio Haas said on January 21, 2014 at 10:06 pm

    Martin, isn’t this the same as “Should I Remove It”?
    The new name seems to be ExtShield. Is that right? Tks.

  9. ned the impala said on January 22, 2014 at 2:46 pm

    I use noscript when using Chrome. Using Chrome Protector at the same time causes certain pages to refresh infinitely, adding Rs and !s to the url, while the noscript drop-down defaults back endlessly to everything blocked. Elements requiring scripts don’t load. I’ve disabled it.

    1. ned the impala said on January 22, 2014 at 2:54 pm

      this hosted image shows what i mean

  10. gorhill said on January 22, 2014 at 4:23 pm

    I wouldn’t trust this until the extension javascript code is completely de-obfuscated. I attempted to de-obfuscate the code, and the resulting code is still impossible to make sense of. Given the circumstances, hiding the code for such an extension is the worst approach a developer can pick.

    1. gorhill said on January 22, 2014 at 5:44 pm

      The author posted a new de-obfuscated version, you might want to link to this one instead:

      I further checked the obfuscated code in the original version and I don’t see any harm with it. But certainly a bad judgment call from the author to obfuscate his code in the original version, as obfuscation is a practice often used to spread malware.

      1. Martin Brinkmann said on January 22, 2014 at 6:06 pm

        Thanks for the link. This is really confusing..

  11. John Browers said on January 24, 2014 at 4:38 am

    I just found another extension that does the same exact things, but is way more professional and less sketchy than the one you posted about here.

  12. Johnny1 said on January 24, 2014 at 2:00 pm

    It is ironical that extensiondefender reports “MultiLogin” extension by the author of ExtShield as malicious…

    1. Zinc said on January 25, 2014 at 3:04 am

      +1 for using “ironical”…

  13. Tricky said on February 8, 2014 at 12:15 am

    KIS 2013/14 is deleting the extension’s file: check.min.js
    Identified as: trojan-downloader.js.agent.gwr

    Can someone run virus total and post a link?

  14. Johnny1 said on February 19, 2014 at 8:15 am

    Then what should we do if the extension is a virus/malware itself?

  15. rio said on November 23, 2017 at 2:48 pm

    Design, develop and write code for a new web browser with no addons at all and with support for commonly used standards for some media and information system technologies. That’s all.
