75 million Chrome users have installed these malicious extensions
Google has removed more than two dozen malicious Chrome extensions from the official Chrome Web Store. These extensions were installed on over 75 million times by Chrome user, who need to become active to remove the extensions from their browsers.
Wladimir Palant detected the malicious extensions and published information about them on the Almost Secure blog. Palant reported a total of 34 malicious extensions to Google, but Google did not remove the extensions immediately.
Security behemoth Avast confirmed the findings and Google pulled the extensions that Avast listed from the Chrome Web Store. Palant notes in a follow-up blog post that these were not all of the malicious extensions. A total of 8 were not removed by Google, as they were later added by Palant and therefore not included in Avast's listing.
Several of the extensions had millions of users, with Autoskip for YouTube leading the list with a weekly active user count of over 9 million. Google listed many of the extensions as featured in the Chrome web store, which one again highlights that the company is not putting enough effort into making sure that featured extensions are safe.
Mozilla does a better job at that. All recommended extensions are code examined whenever they are updated, which means that the likelihood of a malicious recommended extension is very slim. A reviewer would have to overlook malicious code in an extension for that to happen.
Most extensions that Palant discovered are productivity based. Some are video downloaders, others let users interact with videos or audio, e.g., changing volumes, add visual changes or claim to block ads.
Manual removal is required
The main issue for Chrome users is that removal of the extensions does not remove the malicious extensions from Chrome installations.
Here is the full list of extensions that are malicious:
| Name | Weekly Active users | ID |
|---|---|---|
| Autoskip for Youtube | 9,008,298 | lgjdgmdbfhobkdbcjnpnlmhnplnidkkp |
| Soundboost | 6,925,522 | chmfnmjfghjpdamlofhlonnnnokkpbao |
| Crystal Ad block | 6,869,278 | lklmhefoneonjalpjcnhaidnodopinib |
| Brisk VPN | 5,595,420 | ciifcakemmcbbdpmljdohdmbodagmela |
| Clipboard Helper | 3,499,233 | meljmedplehjlnnaempfdoecookjenph |
| Maxi Refresher | 3,483,639 | lipmdblppejomolopniipdjlpfjcojob |
| Quick Translation | 2,797,773 | lmcboojgmmaafdmgacncdpjnpnnhpmei |
| Easyview Reader view | 2,786,137 | icnekagcncdgpdnpoecofjinkplbnocm |
| PDF toolbox | 2,782,790 | bahogceckgcanpcoabcdgmoidngedmfo |
| Epsilon Ad blocker | 2,571,050 | bkpdalonclochcahhipekbnedhklcdnp |
| Craft Cursors | 2,437,224 | magnkhldhhgdlhikeighmhlhonpmlolk |
| Alfablocker ad blocker | 2,430,636 | edadmcnnkkkgmofibeehgaffppadbnbi |
| Zoom Plus | 2,370,645 | ajneghihjbebmnljfhlpdmjjpifeaokc |
| Base Image Downloader | 2,366,136 | nadenkhojomjfdcppbhhncbfakfjiabp |
| Clickish fun cursors | 2,353,436 | pbdpfhmbdldfoioggnphkiocpidecmbp |
| Cursor-A custom cursor | 2,237,147 | hdgdghnfcappcodemanhafioghjhlbpb |
| Amazing Dark Mode | 2,228,049 | fbjfihoienmhbjflbobnmimfijpngkpa |
| Maximum Color Changer for Youtube | 2,226,293 | kjeffohcijbnlkgoaibmdcfconakaajm |
| Awesome Auto Refresh | 2,222,284 | djmpbcihmblfdlkcfncodakgopmpgpgh |
| Venus Adblock | 1,973,783 | obeokabcpoilgegepbhlcleanmpgkhcp |
| Adblock Dragon | 1,967,202 | mcmdolplhpeopapnlpbjceoofpgmkahc |
| Readl Reader mode | 1,852,707 | dppnhoaonckcimpejpjodcdoenfjleme |
| Volume Frenzy | 1,626,760 | idgncaddojiejegdmkofblgplkgmeipk |
| Image download center | 1,493,741 | deebfeldnfhemlnidojiiidadkgnglpi |
| Font Customizer | 1,471,726 | gfbgiekofllpkpaoadjhbbfnljbcimoh |
| Easy Undo Closed Tabs | 1,460,691 | pbebadpeajadcmaoofljnnfgofehnpeo |
| Screence screen recorder | 1,459,488 | flmihfcdcgigpfcfjpdcniidbfnffdcf |
| OneCleaner | 1,457,548 | pinnfpbpjancnbidnnhpemakncopaega |
| Repeat button | 1,456,013 | iicpikopjmmincpjkckdngpkmlcchold |
| Leap Video Downloader | 1,454,917 | bjlcpoknpgaoaollojjdnbdojdclidkh |
| Tap Image Downloader | 1,451,822 | okclicinnbnfkgchommiamjnkjcibfid |
| Qspeed Video Speed Controller | 732,250 | pcjmcnhpobkjnhajhhleejfmpeoahclc |
| HyperVolume | 592,479 | hinhmojdkodmficpockledafoeodokmc |
| Light picture-in-picture | 172,931 | gcnceeflimggoamelclcbhcdggcmnglm |
Palant notes that the list is likely incomplete. It is based on a sample of about 1600 extensions and not the full number of extensions that are offered on the Chrome Web Store.
Chrome users need to load chrome://extensions/ or select Menu > More Tools > Extensions to open the list of installed browser extensions.
There they need to check the installed extensions against the list in the table above. A click on the remove button uninstalls the extension immediately.
Closing Words
Users interested in technical details may want to check out Palant's two articles on the matter. There is also the Avast article, which provides additional information, including that even more than the reported 32 extensions were taken down so far by Google.
For Chrome users, it is important to get rid of these malicious extensions immediately by uninstalling them from the web browser. While it is not 100% certain what they do, it is clear that they are set up for malicious activity.
Now You: have you installed any of the extensions?
Let me reiterate that the days of browser extensions are over.
Only Chrome can be trusted because it doesn’t require extensions.
It’s not Google’s fault, it’s the Mozilla and Brave sympathizers who create the risk.
> Let me reiterate that the days of browser extensions are over.
Only Chrome can be trusted because it doesn’t require extensions.
It’s not Google’s fault, it’s the Mozilla and Brave sympathizers who create the risk.
“You cannot see the wood for the trees.”
It’s not the end of browser extensions, it’s the end of extensions the way Google works.
Google’s review system (AI) is so sloppy that it doesn’t work at all.
https://www.ghacks.net/2023/06/07/google-patches-exploited-security-issue-in-chrome-update-asap/#comment-4567733
There are many talented developers to the public.
It is a meaningful measure to provide such people with a place to play an active role.
With the shift to “AI”, not only will employment shrink, but the place of activity will also be lost.
Many of Firefox’s add-ons are developed and supported by “open source projects”, so it is an advantage that it is easy to reflect program scrutiny and user feedback.
Some people say that extension implementations “expose fingerprints”, but the same issue is caused by browser specific features with or without extensions.
In other words, even if the User-Agent is disguised, the uniqueness is exposed by turning on/off Brave’s functions. Vivaldi, in particular, has a small number of users and uses a special locale, so it can even determine where you live. Brave’s user count is three decimal places, making it extremely unique.
As a reference:
https://www.ghacks.net/2023/04/03/the-mullvad-browser-a-privacy-focused-browser-designed-to-reduce-your-fingerprint/#comment-4563254
@owl
Brave has 60 million users.
@Iron Heart
> Brave has 60 million users.
Thanks for pointing out.
My knowledge was outdated.
As you know, I’m a digital detox lifestyle, so I don’t know what’s going on lately (about half a year). I will be careful with basic data (numbers). Thank you for your continued support.
>
“You cannot see the wood for the trees.”
It’s not the end of browser extensions, it’s the end of extensions the way Google works.
Google’s review system (AI) is so sloppy that it doesn’t work at all.
https://www.ghacks.net/2023/06/07/google-patches-exploited-security-issue-in-chrome-update-asap/#comment-4567733
There are many talented developers to the public.
It is a meaningful measure to provide such people with a place to play an active role.
With the shift to “AI”, not only will employment shrink, but the place of activity will also be lost.
Many of Firefox’s add-ons are developed and supported by “open source projects”, so it is an advantage that it is easy to reflect program scrutiny and user feedback.
Some people say that extension implementations “expose fingerprints”, but the same issue is caused by browser specific features with or without extensions.
In other words, even if the User-Agent is disguised, the uniqueness is exposed by turning on/off Brave’s functions. Vivaldi, in particular, has a small number of users and uses a special locale, so it can even determine where you live. Brave’s user count is three decimal places, making it extremely unique.
As a reference:
https://www.ghacks.net/2023/04/03/the-mullvad-browser-a-privacy-focused-browser-designed-to-reduce-your-fingerprint/#comment-4563254
Great warning; to see how many users are affected by each extension.
Certainly, it makes little scientific/statistical sense to add all the users of all the “as of now” malicious extensions and compile a 75 million users affected number.
It would be like adding all the salaries of all the bartenders in Austria and saying, “Bartenders in Austria make 75 million dollars per month.”
Unless one can verify that each user has all the named extensions installed, which is unsupported in the article, only 9,000,000 [or fewer] users may be at risk if any one extension is installed.
Chrome is the only one that strictly enforces MV3. That’s why Chrome is the best.
What is clear is that Google is trustworthy and anti-Google Mozilla is the worst.
Don’t be fooled.
Chrome is the best and has proven to have the strongest security. Nothing to worry about.
Browser security is not extension security.
I use Chrome, so I don’t need any extensions. Browsers that require extensions only create risks. Trust Chrome.
I am not sure if your comment regarding Chrome is satire or not. How do you browse the web without err, even an ad blocker?
@Kirk
I assume the widely used open source extension uBlock Origin has a long enough track record for you to trust it?
> open source extension uBlock Origin has a long enough track record for you to trust it?
Can you trust uBlock Origin?
https://github.com/gorhill/uBlock/wiki/Can-you-trust-uBlock-Origin%3F
uBlock Origin works best on Firefox
https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-best-on-Firefox
@owl
uBlock Origin works very well on Chromium too and is maintained by the same guy, so not sure what the Firefox advertisement is doing here.
Not that I care, I use Brave.
@Iron Heart
> Not that I care, I use Brave.
People have different sense of values, so they are free to choose whatever they want.
As you know, my regular device is “iPad” and Safari with countermeasures.
When using a Windows machine, I also use Brave, but in that case only “Brave Shield” (anti-fingerprinting).
From a few days ago, I started using Pale Moon 32.2.0 (64-bit). In the case of Pale Moon, it is uBlock Origin (uBlock0_1.16.4.30.firefox-legacy.xpi), but the Maintainer Ukrainian Last Missing Jun 12, 2021 (probably due to the war with Russia), and that filters has not been updated since.
https://github.com/gorhill/uBlock-for-firefox-legacy/releases
So I added eMatrix (Fork of uMatrix,) 5.0.3.
https://gitlab.com/vannilla/ematrix
That’s how it is for me.
MV3 was invented to stop this kind of thing, and Mozilla, which denies MV3, is the biggest risk of all!
Yeah, sure. Nice try.
Even the Brave is just copying Firefox.
Only Google can enable the one and only best browser and service.
With Google everything works.
> Only Google can enable the one and only best browser and service.
With Google everything works.
With Google, everything about advertising marketing works.
On the other hand, users will criticize the inexhaustible vulnerability of the system and ridicule it as the “vulnerable king”, comparing it to Emmentaler cheese, which is famous for its holes.
https://www.ghacks.net/2023/06/07/google-patches-exploited-security-issue-in-chrome-update-asap/#comment-4567685
How much do you earn for promoting spybrowser?
Nothing unexpected coming from a software that users catch while browsing instead of being installed.
Google has financial means that Mozilla has not.
Google does not prevent malicious extensions whilst Mozilla does.
Google lingers to remove extensions proved to be malicious or just doesn’t remove some of them.
And, of course, Google tracks as detailed on Google Watchdog [https://www.googlewatchdog.com/}
Despite all this Google has the market share we know : tremendous.
Why? Fame, fashion? A former U.S. President had observed that he could shoot an individual on a widely trafficked New York City street and not “lose one voter.”. In the same way Google could do worse than it already does and not lose one user.
Hopeless.
@Tom Hawack, hopeless word couldn’t exist anymore really soon. One teacher of mine told some time ago that the world is so fuc** up that it works like a swiss clock. Although it may seem contradictory, the best way to predict “peace” is the fear of starting a new “war”. Fear of changes, fear of losing the few things you have in your home. Pandemic? Oh, God, people only want fun. The same could be applied to Google, it’s so powerful and it has so many services globally that every Android phone could start burning and the next day everyone would be buying the same phone again. Just because people are tired of fighting, tired of configuring, tired of reinstalling, and tired of everything. They are so tired that they don’t care a real sh** about the choice between the fear and the freedom. Laziness is the new hopelessness. For example, one of my best friends is complaining every single day about his W11, however he doesn’t want to install W10 because he doesn’t want to lose all the third party software that he installed to make W11 visually equal to W10. Hopeless? The smallest of all possible worries in this world is hopeless.
And I could have talked about the censored word forbidden here, but for what? We are fewer and fewer and it is not a matter of saying goodbye all in a bad way. Just my two cents about this.
The extensions may be using sites using tracking cookies (amongst other stuff) that Google can exploit for their own gain, so perhaps they don’t want to force an auto removal.
Never heard of any of these. LOL.
Its the malware-undetected extensions you have heard of that are the main worry! In other words, don’t be complacent because extensions you use remain unreported.
Why doesn’t google just remove them?
They have the ability to remove extensions from users browsers with out the users permission or involvment and have done so before.
>”Why doesn’t google just remove them?”
Probably the same reason Google keeps selling ad space at the top of its search page for malware links.
Do you think they care?
“Buyer beware”
Even “Clickish Fun Cursers”?
Et tu, Brute?
What’s the world coming to when your cursors can’t be clickish and fun(ish) without being malware(ish)?
Manual uninstall is required. LOL. Just pure LOL.