- Apr 24, 2016
Two weeks ago I wrote about the PDF Toolbox extension containing obfuscated malicious code. Despite reporting the issue to Google via two different channels, the extension remains online. It even gained a considerable number of users after I published my article.
A reader tipped me off however that the Zoom Plus extension also makes a request to serasearchtop[.]com. I checked it out and found two other versions of the same malicious code. And I found more extensions in Chrome Web Store which are using it.
So now we are at 18 malicious extensions with a combined user count of 55 million. The most popular of these extensions are Autoskip for Youtube, Crystal Ad block and Brisk VPN: nine, six and five million users respectively.
So far I could identify the following 18 malicious extensions. All but two of them are listed as “Featured” in Chrome Web Store. User counts reflect the state for 2023-05-30.
Note that this list is unlikely to be complete. It’s based on a sample of roughly a thousand extensions that I have locally, not all the Chrome Web Store contents.
Name Weekly active users Extension ID Autoskip for Youtube 9,008,298 lgjdgmdbfhobkdbcjnpnlmhnplnidkkp Crystal Ad block 6,869,278 lklmhefoneonjalpjcnhaidnodopinib Brisk VPN 5,595,420 ciifcakemmcbbdpmljdohdmbodagmela Clipboard Helper 3,499,233 meljmedplehjlnnaempfdoecookjenph Maxi Refresher 3,483,639 lipmdblppejomolopniipdjlpfjcojob Quick Translation 2,797,773 lmcboojgmmaafdmgacncdpjnpnnhpmei Easyview Reader view 2,786,137 icnekagcncdgpdnpoecofjinkplbnocm PDF toolbox 2,782,790 bahogceckgcanpcoabcdgmoidngedmfo Zoom Plus 2,370,645 ajneghihjbebmnljfhlpdmjjpifeaokc Base Image Downloader 2,366,136 nadenkhojomjfdcppbhhncbfakfjiabp Clickish fun cursors 2,353,436 pbdpfhmbdldfoioggnphkiocpidecmbp Maximum Color Changer for Youtube 2,226,293 kjeffohcijbnlkgoaibmdcfconakaajm Readl Reader mode 1,852,707 dppnhoaonckcimpejpjodcdoenfjleme Image download center 1,493,741 deebfeldnfhemlnidojiiidadkgnglpi Font Customizer 1,471,726 gfbgiekofllpkpaoadjhbbfnljbcimoh Easy Undo Closed Tabs 1,460,691 pbebadpeajadcmaoofljnnfgofehnpeo OneCleaner 1,457,548 pinnfpbpjancnbidnnhpemakncopaega Repeat button 1,456,013 iicpikopjmmincpjkckdngpkmlcchold
So far I discovered 18 malicious extensions with 55 million users in total. Most popular ones are: Autoskip for Youtube, Crystal Ad block and Brisk VPN. They have been active for two years, undetected by Google.