Malicious Chrome web extensions to Avoid in 2023

Many assume all extensions on Chrome Web Store are safe, but that is untrue. In fact, Google platforms malicious web extensions that seek to steal user information or bombard users with ads. Even though the Chrome Web Store employs tools to detect malicious extensions, some bypass the safeguards and are available for Chrome users to download. 

These malicious Chrome web extensions can be challenging if your company allows remote work. Unsuspecting employees may install some of these extensions and inadvertently compromise corporate data. Understanding the importance of browser security for your organization, LayerX discusses malicious Chrome web extensions to avoid in 2023.

Details of malicious Chrome web extensions

In mid-May 2023, cyber security researcher, Wladimir Palant, wrote about the popular Chrome web extension, PDF Toolbox, containing obfuscated malicious code. Weeks later, Palant identified 34 malicious extensions with 87 million users, and Google removed all of them. 

Following Palant’s discovery, cyber security company Avast verified the threats and discovered 32 malicious extensions with 75 million combined installs on the Chrome Web Store. Despite Google removing the reported extensions from the store, LayerX found that the installations remain, meaning that whatever threats they pose remain active.

Avast says it is protecting its users by blocking the malicious extensions’ backdoor communication. Doing so allows the browser extension’s non-malicious portion to work as intended while neutralizing the malicious component. However, not all users have such protection. 

Hence, we will highlight the identified malicious web extensions below so that you can avoid them. Here are identified malicious Chrome web extensions:

1. Autoskip for YouTube 
2. Soundboost
3. Crystal Ad block
4. Brisk VPN
5. Clipboard Helper
6. Maxi Refresher
7. Quick Translation
8. Easyview Reader view
9. PDF toolbox
10. Epsilon Ad blocker
11. Craft Cursors
12. Alfablocker ad blocker
13. Zoom Plus
14. Base Image Downloader
15. Clickish fun cursors
16. Cursor-A custom cursor
17. Amazing Dark Mode
18. Maximum Color Changer for Youtube
19. Awesome Auto Refresh
20. Venus Adblock
21. Adblock Dragon
22. Readl Reader mode
23. Volume Frenzy
24. Image download center
25. Font Customizer
26. Easy Undo Closed Tabs
27. Screence screen recorder
28. OneCleaner
29. Repeat button
30. Leap Video Downloader
31. Tap Image Downloader
32. Qspeed Video Speed Controller
33. HyperVolume
34. Light picture-in-picture

Effects of Malicious Chrome web extensions

Malicious browser extensions are typically designed to deliver legitimate functionality, making them appear harmless/safe at first glance. But when you look harder, you discover an obfuscated code of malicious origin within their code. Here are the effects of such malicious codes:

• Unwanted ads: The final payload of the malicious web extensions appears to be an adware that sends unwanted ads to users. These ads may redirect users to malicious websites where they can unknowingly download malware. 
• Altered search results: Another payload linked to malicious extensions is a search result hijacker that influences search experiences by displaying paid search results, potentially malicious links, and sponsored links. A few reviews on the Image Download Center extension mention it being malicious and redirecting search results. 

Reviews reporting the malicious nature of Image Download Center on Chrome Web Store (Wladimir Palant)

• Unknown threats: After cyber security researcher Palant detected malicious code in PDF Toolbox, he admitted that he did not know what it could do because he didn’t see it in action. It is not clear when or whether the code becomes active, but the unknowns make a web extension like PDF Toolbox scary. The best way for an individual or organization to deal with such extensions is to avoid them — best not to find out the threats.

How to detect Malicious Chrome web extensions

Palant and Avast’s research does not provide a definitive list of malicious extensions on the Chrome Web Store, indicating there may well be more. Hence, it would be a mistake not to mandate employees to check extensions for suspicious activity before downloading them. 

Below, we will explain how to determine a suspicious/malicious Chrome extension:

• Analyze a web extension’s reviews: Check whether users have complained about the extension being malicious. 
• Pay attention to permission requests: Malicious extensions may request permission to access personal information or unnecessary programs.
• Verify extension owners: Where possible, install extensions created and owned by popular companies to reduce the risk of malware downloads. 
• Keep Chrome and devices updated: Operating systems and browsers’ updates include new protections to help identify malicious extensions.
• Install antivirus software: It will automatically detect and notify you of any malicious activity by a web extension. The software may also block the malicious component of the extension.

How to remove malicious extensions from the Chrome browser

If you’ve detected a suspicious or malicious extension on your browser, remove it with the following steps:

• Launch Chrome.
• Open Chrome settings through the three vertical dots in the browser’s upper right corner.
• Click More Tools, and a dropdown will open.
• Tap Extensions.
• Identify the extension you are removing by scrolling down to it or searching for its name with the “search extensions” box at the top of your screen.
• Select Remove below the extension.
• Tap Remove again in the pop-up screen.

Wrapping up 

As we mentioned earlier, Google’s removal of malicious extensions from the Chrome Web Store does not automatically solve the problem. By removing the extensions from the store, they are unavailable for installation but remain active on browsers that already downloaded them. So, if you have one of them, you should manually eliminate the risk. 

As Palant suggested, there are probably more than 34 malicious extensions on the Chrome Web Store because his research was based on a sample of about 1,600 extensions — not all of the store’s contents. 

Therefore, we recommend checking extensions before you install and removing suspicious ones before they become a problem. Mandate your employees to take these steps to ensure browser security in your organization.