Google removes 3 fake VPN extensions with 1.5 million users from Chrome Web Store

Martin Brinkmann
Dec 23, 2023
Google Chrome

Security researchers at Reason Labs discovered three malicious Chrome web extensions that were installed on 1.5 million installations of the web browser. Distributed via torrents, these extensions acted as legitimate VPN extensions on first glance.

The extensions appear to have been spread via torrent files of popular video games. Reason Labs mentions Grand Theft Auto, The Sims 4, Heroes 3 and Assassins Creed torrents specifically, but there may have been other games. It found the trojan installer in over 1000 different torrent files that promised access to commercial games.

The downloaded setup files had a size between 60MB and 100MB. One common signee name was Spice & Wok Limited, but there have been others as well.

When the installer gets executed on the user's device, it unpacks one of the three malicious extensions on the system and installs it in the browser without user interaction. The extension is installed via a Windows Registry key, SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings\.

A method to install extensions in Chrome that bypasses users entirely is not new. Back in 2014, security researchers discovered a method to install Chrome extensions without any user interaction.

Two different extensions, netSave for Chrome and netPlus for Microsoft Edge, do get installed on the user's system. The malicious Chrome extension was installed 1 million times according to the researchers.

The JavaScript code has more than 20,000 lines according to the researchers, which makes it difficult to analyze. The researchers discovered that it runs a fake VPN and what they call a cashback activity hack.

Once the extension is installed, it will disable other cashback extensions that may be installed in the infected web browser. It also delivers a fake VPN user interface to hide its true intentions from the user.

The extensions are in Russian and they appear to target Russian speaking regions and users, including Russia, the Ukraine or Kazakhstan.

Reason Labs informed Google about the malicious extensions. Google has removed the extensions in the meantime from the Chrome Web Store.

Chrome and Edge users who download torrent files may want to check the list of installed extensions in the browser to make sure that these extensions are not installed on their devices.

Research Labs notes that the developer of the extensions seems to have created other extensions. The company recommends that users installed extensions, games and programs from legal and legitimate sources only. It also recommends running up-to-date antivirus software, avoid clicking on unknown links or popups, and to enable two-factor authentication wherever possible.

Additional information, including technical details, can be found on the ReasonLabs website.

Now You: do you use browser extensions?

Google removes 3 fake VPN extensions with 1.5 million users from Chrome Web Store
Article Name
Google removes 3 fake VPN extensions with 1.5 million users from Chrome Web Store
Security researchers at Reason Labs discovered three malicious Chrome web extensions that were installed on 1.5 million installations of the web browser.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. upp said on December 25, 2023 at 1:32 am

    What a virus webstore! Mv3 safe ???

  2. Anonymous said on December 24, 2023 at 12:35 am

    Last time I had to use Windows Sandbox, the well forgotten feature, but works so well, people could easily use it to check files or the sandboxie which is free and open source too, there is no reason for people to just double click and exe and trust it, especially from a torrerent.

    And yes, you can install extensions without any user intervention, but it still needs admin rights, because it is writing to registry or program files in the case of a master file in place doing that. So, it is still people’s fault, no matter how people see it.

    Extensions doing ‘too much’ is the reason why MV3 was developed in the first place, more restrictions = more control and if the extension can’t just do whatever it wants then Mv3 makes sure to reduce that, people might complain about it, but it will make things ‘safer’, maybe MV3 will be finally the reason to add extensions to android too, since their excuse was ‘performance’ for not doing it.

    Of course this is a different case since it came from people’s wanting to play for free games and then not even trying to check if they were clean or not.

    But Extensions while necessary, they are still a risk, and the more secure extensions API the better.

    1. upp said on December 25, 2023 at 1:35 am

      Only the fact that people are writting mv3 malwares instead of mv2, nothing changed, at all.

  3. Anonymous said on December 23, 2023 at 4:27 pm

    I believe google chrome is a spyware either

    1. Nameless said on December 27, 2023 at 12:24 pm

      lol…do be silly. All browsers are Spyware. They all do tracking. As the saying goes…if it’s FREE you are the product.

    2. Gustus said on December 26, 2023 at 7:53 am

      Just like firefox – they collect your data and sell it without your permission and to you thay they are not

      1. bravetard said on December 27, 2023 at 8:22 pm


        FDS. No more than Brave, Opera, Chrome or any other Google based browser. All have telemetry enabled by default.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.