Blog Post

Ritelink Blog > News > NEWS > You could be one of the 75 million Chrome users who have installed these malicious extensions

You could be one of the 75 million Chrome users who have installed these malicious extensions

Google has removed more than two dozen malicious Chrome extensions from the official Chrome Web Store. These extensions were installed on over 75 million times by Chrome user, who need to become active to remove the extensions from their browsers.

Wladimir Palant detected the malicious extensions and published information about them on the Almost Secure blog. Palant reported a total of 34 malicious extensions to Google, but Google did not remove the extensions immediately.

Security behemoth Avast confirmed the findings and Google pulled the extensions that Avast listed from the Chrome Web Store. Palant notes in a follow-up blog post that these were not all of the malicious extensions. A total of 8 were not removed by Google, as they were later added by Palant and therefore not included in Avast’s listing.

Several of the extensions had millions of users, with Autoskip for YouTube leading the list with a weekly active user count of over 9 million. Google listed many of the extensions as featured in the Chrome web store, which one again highlights that the company is not putting enough effort into making sure that featured extensions are safe.

Mozilla does a better job at that. All recommended extensions are code examined whenever they are updated, which means that the likelihood of a malicious recommended extension is very slim. A reviewer would have to overlook malicious code in an extension for that to happen.

Most extensions that Palant discovered are productivity based. Some are video downloaders, others let users interact with videos or audio, e.g., changing volumes, add visual changes or claim to block ads.

Manual removal is required

The main issue for Chrome users is that removal of the extensions does not remove the malicious extensions from Chrome installations.

Here is the full list of extensions that are malicious:

NameWeekly Active usersID
Autoskip for Youtube9,008,298lgjdgmdbfhobkdbcjnpnlmhnplnidkkp
Crystal Ad block6,869,278lklmhefoneonjalpjcnhaidnodopinib
Brisk VPN5,595,420ciifcakemmcbbdpmljdohdmbodagmela
Clipboard Helper3,499,233meljmedplehjlnnaempfdoecookjenph
Maxi Refresher3,483,639lipmdblppejomolopniipdjlpfjcojob
Quick Translation2,797,773lmcboojgmmaafdmgacncdpjnpnnhpmei
Easyview Reader view2,786,137icnekagcncdgpdnpoecofjinkplbnocm
PDF toolbox2,782,790bahogceckgcanpcoabcdgmoidngedmfo
Epsilon Ad blocker2,571,050bkpdalonclochcahhipekbnedhklcdnp
Craft Cursors2,437,224magnkhldhhgdlhikeighmhlhonpmlolk
Alfablocker ad blocker2,430,636edadmcnnkkkgmofibeehgaffppadbnbi
Zoom Plus2,370,645ajneghihjbebmnljfhlpdmjjpifeaokc
Base Image Downloader2,366,136nadenkhojomjfdcppbhhncbfakfjiabp
Clickish fun cursors2,353,436pbdpfhmbdldfoioggnphkiocpidecmbp
Cursor-A custom cursor2,237,147hdgdghnfcappcodemanhafioghjhlbpb
Amazing Dark Mode2,228,049fbjfihoienmhbjflbobnmimfijpngkpa
Maximum Color Changer for Youtube2,226,293kjeffohcijbnlkgoaibmdcfconakaajm
Awesome Auto Refresh2,222,284djmpbcihmblfdlkcfncodakgopmpgpgh
Venus Adblock1,973,783obeokabcpoilgegepbhlcleanmpgkhcp
Adblock Dragon1,967,202mcmdolplhpeopapnlpbjceoofpgmkahc
Readl Reader mode1,852,707dppnhoaonckcimpejpjodcdoenfjleme
Volume Frenzy1,626,760idgncaddojiejegdmkofblgplkgmeipk
Image download center1,493,741deebfeldnfhemlnidojiiidadkgnglpi
Font Customizer1,471,726gfbgiekofllpkpaoadjhbbfnljbcimoh
Easy Undo Closed Tabs1,460,691pbebadpeajadcmaoofljnnfgofehnpeo
Screence screen recorder1,459,488flmihfcdcgigpfcfjpdcniidbfnffdcf
Repeat button1,456,013iicpikopjmmincpjkckdngpkmlcchold
Leap Video Downloader1,454,917bjlcpoknpgaoaollojjdnbdojdclidkh
Tap Image Downloader1,451,822okclicinnbnfkgchommiamjnkjcibfid
Qspeed Video Speed Controller732,250pcjmcnhpobkjnhajhhleejfmpeoahclc
Light picture-in-picture172,931gcnceeflimggoamelclcbhcdggcmnglm

Palant notes that the list is likely incomplete. It is based on a sample of about 1600 extensions and not the full number of extensions that are offered on the Chrome Web Store.

Chrome users need to load chrome://extensions/ or select Menu > More Tools > Extensions to open the list of installed browser extensions.

There they need to check the installed extensions against the list in the table above. A click on the remove button uninstalls the extension immediately.

Closing Words

Users interested in technical details may want to check out Palant’s two articles on the matter. There is also the Avast article, which provides additional information, including that even more than the reported 32 extensions were taken down so far by Google.

For Chrome users, it is important to get rid of these malicious extensions immediately by uninstalling them from the web browser. While it is not 100% certain what they do, it is clear that they are set up for malicious activity.

Now You: have you installed any of the extensions?

Leave a comment

Your email address will not be published. Required fields are marked *