Malware can still bypass Google Chrome's extension installation protection

Martin Brinkmann
Sep 22, 2014
Google Chrome

Malicious browser extensions have been a big issue in the past couple of years. One should not confuse outright malicious extensions with adware or toolbars even though they are related to some extend.

The core difference between those groups of extensions is that malicious extensions go beyond displaying ads, leaking information about a user's browsing behavior or being plain annoying.

Browser makers such as Google or Mozilla have invested time and money in methods to protect users from potentially unwanted extensions.

Google for instance created a new policy for Chrome recently that prevents the installation of extensions in the browser if those extensions are not listed in the Chrome Web Store.

While only valid for Chrome Stable and Beta versions on Windows, it supposedly protects users running those versions of the browser from falling prey to malware attacks.

There are manual ways around this protection so that Stable and Beta users can install extensions not available on the official Chrome Web Store.

The real problem is however that malware attacks can still attack the Chrome browser and add extensions to the browser even though that should not be possible anymore due to the protection feature.


Trend Micro discovered a new malware attack recently that targeted Chrome users. The attack started on Twitter were a user tweeted "Download this Video. Facebook Secrets . Link".

The link led to a specifically prepared page that downloaded an exe file to the user's computer automatically. When executed, it started to download additional files to the system and among the things it downloaded was a browser extension for Chrome.

The malware creates a new folder in Chrome's directory on the system and places browser components inside of it. Chrome parses the information automatically and adds it to the browser.

The interesting aspect here is that the extension gets added automatically to Chrome. There does not seem to be a prompt to inform the user about the new extension and it is not blocked automatically by the browser as well.

The attack has been designed to work on Windows machines only but the extension installation itself could work on non-Windows systems as well.

The only protection against this type of attack is to avoid the urge to click on links from unknown sources that promise something (interesting).

The click on the link is not the only step required in the attack though as the exe file itself won't do anything on its own. It is still necessary for the user to click on it and that antivirus solutions that run on the system don't block it from executing.

Malware can still bypass Google Chrome's extension installation protection
Article Name
Malware can still bypass Google Chrome's extension installation protection
Security researchers have discovered a method for attackers to deploy a malicious browser extension in Chrome without installation dialog or protection of any kind.

Previous Post: «
Next Post: «


  1. InterestedBystander said on September 22, 2014 at 11:11 pm

    Boy oh boy. Seems like a month or so ago TrendMicro also published a detailed report (PDF as I recall) on the splendid new ways Android apps can harbor malware. And last month Microsoft tried to clean bogus and potential malware out of its online store, to the tune of 1500 apps.

    We might update that old Who song: “Meet the new malware, same as the old malware…” ;)

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.