Fake Chrome Extensions Steal Data from Over 300,000 Users, Researchers Warn

George Walker  - Security Expert
Last updated: February 12, 2026
Radar Rundown
  • Some fake Chrome extensions now steal users’ credentials and other data after installation.

  • The report noted that over 300K users who downloaded these extensions have suffered a loss of their sensitive data.

  • The fake extensions, which parade as AI assistants, browser aids, etc., have created a serious threat in the online space.

Security experts have identified a group of fraudulent Chrome extensions that more than 300,000 users have downloaded and that capture sensitive user information. The extensions impersonated AI tools and were presented as beneficial, but they were actually logging email content, usernames and passwords, and browsing data without the user's knowledge.

Chrome extensions (CEs) can perform tasks such as blocking ads, translating text, or generating content using AI.

Hackers continually upload fake extensions to official extension stores, posing as legitimate CEs while containing hidden malicious code. Attackers uploaded dozens of malicious CEs under different names, which run in the background to monitor user activity and send the captured data to the attackers' servers.

Malicious Chrome extensions continue to grow as a scam because, once they receive approval from the Chrome Web Store, they can reach millions of users far more easily than they otherwise could. Browser extensions have access to your web data when granted certain permissions, so bad actors exploit that to collect a wide range of information.

How these extensions trick users and what they do

Fake AI extensions market themselves as productivity tools, AI writing assistants, or useful tools to enhance your browser. People download and expect these to make their browsing experience easier and more efficient.

Once installed, the extensions requested broad access to users’ web data and permissions to read what people typed in websites or saw while browsing. With these permissions, malicious code was able to collect things like:

  • Email content seen or typed in the browser
  • Credentials for websites, such as usernames and passwords
  • Browsing history and related data

This type of data is widely considered very valuable to cybercriminals: with it, they can access your accounts, impersonate you, and sell it on various dark web forums, fueling a broader underground economy in which the dark web is the engine powering a new wave of decentralized cybercrime.

Google has a policy that requires the developer of an extension to declare what permissions their extension has. However, this process does not prevent bad actors from developing bad extensions. Sometimes, extensions work as promised for basic features while also secretly doing harmful tasks behind the scenes.

Malicious extensions go far beyond a single group. Over recent years, researchers have identified around 100 harmful Chrome extensions that millions of users installed, many of which steal data, inject ads, or redirect users to dangerous websites.

Why this matters and how users can stay safe

Malicious extensions are a serious privacy risk because they run inside your browser, the place where you do email, banking, shopping, and many other sensitive tasks. An add-on can intercept your password and other sensitive information if you grant it permission to read your input and the content of any site you open.

Experts recommend the following steps to help keep yourself safe:

  • Be careful about what you download to your computer. Install only add-ons you trust, as even highly rated extensions can still be unsafe. (Some slip through Google's review.)
  • Check the permissions an add-on requests before installing it. If an add-on requests permission to monitor everything you do online, you should be suspicious. Most legitimate add-ons need only specific permissions to operate.
  • Uninstall any extensions you no longer use. Even if they're inactive, they're running in the background and could put you at risk.
  • Check your accounts periodically for unauthorized or suspicious activity. If you notice something questionable, reset your password and enable 2FA (the FTC recommends enabling 2FA as a primary means of securing your account from hackers).
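One way to carry out the permission check described above, shown as an added example that is not part of the original article or of any tool it mentions: a Node.js function that reads the fields of an extension's `manifest.json` and flags access to all sites or to cookies, history, and similar data. The function name `auditManifest` and the sample manifest are assumptions made for illustration.

```javascript
// Added example: flag broad access declared in a Chrome extension's manifest.json.
// The sample manifest below is constructed for illustration, not from a real extension.

// Match patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions that expose the kinds of data the article lists.
const SENSITIVE_APIS = new Map([
  ["cookies", "can read session cookies"],
  ["history", "can read browsing history"],
  ["tabs", "can see URLs and titles of open tabs"],
  ["webRequest", "can observe network requests"],
  ["clipboardRead", "can read the clipboard"],
]);

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  for (const p of declared) {
    if (BROAD_HOSTS.has(p)) findings.push(`host access to all sites: ${p}`);
    else if (SENSITIVE_APIS.has(p)) findings.push(`${p}: ${SENSITIVE_APIS.get(p)}`);
  }
  // Content scripts run inside matching pages and can read what is shown or typed there.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) findings.push(`content script injected into all sites: ${m}`);
    }
  }
  return findings;
}

// Constructed sample: an "AI assistant" that asks for far more than it needs.
const sampleManifest = {
  manifest_version: 3,
  name: "Example AI Writing Helper",
  permissions: ["storage", "cookies", "history"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

console.log(auditManifest(sampleManifest));
```

An empty result does not prove an extension is safe; it only means the manifest does not declare the broad access this check looks for.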

Google removes malicious extensions once it identifies them, but some harmful add-ons can remain active until users report them. Staying alert and exercising caution are your best defense against identity theft.

Broader risks in browser extension ecosystem

This trend exemplifies a much larger issue in the world of browser extensions. For years, those in the cybersecurity field have warned users that rogue extensions could launch various forms of attack against them, such as delivering malware, collecting passwords, and spying on user activity.

Some of the known rogue extensions that experts discovered capture session tokens and/or cookies; with these, an attacker could impersonate a victim on their active account. Attackers used some extensions to steal AI chat logs, while others hijacked affiliate links to steal from users whose accounts they compromised.

These attacks underscore a growing global tension between security measures and user privacy, a tension recently highlighted when Telegram's founder criticized Spain’s new internet laws, citing a threat to free speech over similar government access concerns.

The greatest risk with a browser extension occurs when an extension receives access to your data and misuses it. As such, cybersecurity professionals recommend that installing any extension should always come after a review of what the user has installed; in other words, don’t trust any product that promises high reward for low effort.

About the Author

George Walker

Security Expert

George is a seasoned cybersecurity writer who has been writing guides and news about digital security for over five years. He has worked for several international tech platforms, and his writing and editing expertise has also improved over time. He loves covering topics about VPNs, online privacy, and anonymity and shares his knowledge of online security with internet users through his words.
