75 million Chrome users have installed these malicious extensions
Google has removed more than two dozen malicious Chrome extensions from the official Chrome Web Store. These extensions were installed on over 75 million times by Chrome user, who need to become active to remove the extensions from their browsers.
Wladimir Palant detected the malicious extensions and published information about them on the Almost Secure blog. Palant reported a total of 34 malicious extensions to Google, but Google did not remove the extensions immediately.
Security behemoth Avast confirmed the findings and Google pulled the extensions that Avast listed from the Chrome Web Store. Palant notes in a follow-up blog post that these were not all of the malicious extensions. A total of 8 were not removed by Google, as they were later added by Palant and therefore not included in Avast's listing.
Several of the extensions had millions of users, with Autoskip for YouTube leading the list with a weekly active user count of over 9 million. Google listed many of the extensions as featured in the Chrome web store, which one again highlights that the company is not putting enough effort into making sure that featured extensions are safe.
Mozilla does a better job at that. All recommended extensions are code examined whenever they are updated, which means that the likelihood of a malicious recommended extension is very slim. A reviewer would have to overlook malicious code in an extension for that to happen.
Most extensions that Palant discovered are productivity based. Some are video downloaders, others let users interact with videos or audio, e.g., changing volumes, add visual changes or claim to block ads.
Manual removal is required
The main issue for Chrome users is that removal of the extensions does not remove the malicious extensions from Chrome installations.
Here is the full list of extensions that are malicious:
|Name||Weekly Active users||ID|
|Autoskip for Youtube||9,008,298||lgjdgmdbfhobkdbcjnpnlmhnplnidkkp|
|Crystal Ad block||6,869,278||lklmhefoneonjalpjcnhaidnodopinib|
|Easyview Reader view||2,786,137||icnekagcncdgpdnpoecofjinkplbnocm|
|Epsilon Ad blocker||2,571,050||bkpdalonclochcahhipekbnedhklcdnp|
|Alfablocker ad blocker||2,430,636||edadmcnnkkkgmofibeehgaffppadbnbi
|Base Image Downloader||2,366,136||nadenkhojomjfdcppbhhncbfakfjiabp
|Clickish fun cursors||2,353,436||pbdpfhmbdldfoioggnphkiocpidecmbp
|Cursor-A custom cursor||2,237,147||hdgdghnfcappcodemanhafioghjhlbpb
|Amazing Dark Mode||2,228,049||fbjfihoienmhbjflbobnmimfijpngkpa
|Maximum Color Changer for Youtube||2,226,293||kjeffohcijbnlkgoaibmdcfconakaajm
|Awesome Auto Refresh||2,222,284||djmpbcihmblfdlkcfncodakgopmpgpgh
|Readl Reader mode||1,852,707||dppnhoaonckcimpejpjodcdoenfjleme
|Image download center||1,493,741||deebfeldnfhemlnidojiiidadkgnglpi|
|Easy Undo Closed Tabs||1,460,691||pbebadpeajadcmaoofljnnfgofehnpeo|
|Screence screen recorder||1,459,488||flmihfcdcgigpfcfjpdcniidbfnffdcf|
|Leap Video Downloader||1,454,917||bjlcpoknpgaoaollojjdnbdojdclidkh|
|Tap Image Downloader||1,451,822||okclicinnbnfkgchommiamjnkjcibfid|
|Qspeed Video Speed Controller||732,250||pcjmcnhpobkjnhajhhleejfmpeoahclc|
Palant notes that the list is likely incomplete. It is based on a sample of about 1600 extensions and not the full number of extensions that are offered on the Chrome Web Store.
Chrome users need to load chrome://extensions/ or select Menu > More Tools > Extensions to open the list of installed browser extensions.
There they need to check the installed extensions against the list in the table above. A click on the remove button uninstalls the extension immediately.
Users interested in technical details may want to check out Palant's two articles on the matter. There is also the Avast article, which provides additional information, including that even more than the reported 32 extensions were taken down so far by Google.
For Chrome users, it is important to get rid of these malicious extensions immediately by uninstalling them from the web browser. While it is not 100% certain what they do, it is clear that they are set up for malicious activity.
Now You: have you installed any of the extensions?