Malware News Suspicious extensions with 4 million installs discovered in Chrome Web Store

nicolaasjan · Friday at 9:35 AM

(Dutch article)

Translated:

Researchers have discovered dozens of suspicious browser extensions in the Chrome Web Store that have a combined installation count of four million. And that's striking because the extensions are "unlisted," meaning they can't be found through the Chrome Web Store or search engines. The only way to get to these extensions is to know their URL.

In total, there are 35 extensions that ask for various permissions that allow them to access web traffic on all visited URLs, access stored cookies, manage browser tabs and execute scripts. According to a researcher from Secure Annex, it is clear that the extensions collect browser information, including visited websites.

The extensions claim to offer security and search-related features. Given the permissions and design of the extensions, the researcher has reported them to Google, so that the tech company can remove them from the Chrome Web Store. In addition, users of the extensions are urged to remove them from their systems.

Captain Awesome · Friday at 10:27 AM

Now days extensions are very worrisome. So I don't install any browers extensions on my banking pc.

nicolaasjan · Friday at 12:06 PM

Also here on Ars Technica:
Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs

oldschool · Friday at 12:16 PM

nicolaasjan said:
Also here on Ars Technica:
Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs

This piece actually gave more detail than the OP link.

nicolaasjan · Friday at 12:35 PM

oldschool said:
This piece actually gave more detail than the OP link.

I saw it to late...

Most info is here https:// secureannex . com/blog/searching-for-something-unknow/

harlan4096 · Friday at 12:46 PM

Application name: firefox.exe
Application path: C:\Program Files\Mozilla Firefox
Component: Web Threat Protection
Result description: Detected
Type: Trojan
Name: HEUR:Trojan.Script.Generic
Precision: Heuristic analysis
Threat level: High
Object type: File
Object name: index.BDU7bgiq.js
Object path: https:// secureannex . com/assets
SHA256 of an object: B0565EF711B5D80B9E742D2300025A755BE6BF0751C15E10C43A3C6FAE1316C2
MD5 of an object: A01DC79BEB90C8F4D4B3E77EAF367A76
Reason: Expert analysis
Databases release date: Today, 11/04/2025 11:40:00

brambedkar59 · Friday at 12:54 PM

harlan4096 said:

Same. I was about to post this.
"Reason: Expert analysis" This part is what concerns me.

TairikuOkami · Friday at 1:22 PM

I use only one Edge extension, but I have recently added extensions cleanup, just in case something sneaks in.

Code:

del "%LocalAppData%\Microsoft\Edge\User Data\Default\Extension Cookies" /s /f /q
del "%LocalAppData%\Microsoft\Edge\User Data\Default\ExtensionActivityComp" /s /f /q
del "%LocalAppData%\Microsoft\Edge\User Data\Default\ExtensionActivityComp-journal" /s /f /q
del "%LocalAppData%\Microsoft\Edge\User Data\Default\ExtensionActivityEdge" /s /f /q
del "%LocalAppData%\Microsoft\Edge\User Data\Default\ExtensionActivityEdge-journal" /s /f /q
rd "%LocalAppData%\Microsoft\Edge\User Data\Default\Extension Rules" /s /q
rd "%LocalAppData%\Microsoft\Edge\User Data\Default\Extension Scripts" /s /q
rd "%LocalAppData%\Microsoft\Edge\User Data\Default\Extension State" /s /q
rd "%LocalAppData%\Microsoft\Edge\User Data\Default\Local Extension Settings" /s /q
rd "%LocalAppData%\Microsoft\Edge\User Data\Default\Managed Extension Settings" /s /q
rd "%LocalAppData%\Microsoft\Edge\User Data\Default\Sync Extension Settings" /s /q

nicolaasjan · Friday at 1:47 PM

brambedkar59 said:
Same. I was about to post this.
"Reason: Expert analysis" This part is what concerns me.

I can assure you that I didn't link to a malicious website on purpose.

Anyone here who can read this 512KB script?

I see on VirusTotal that it was Kaspersky that marked it as HEUR:Trojan.Script.Generic
And Rising marked it as Stealer.Agent/JS!1.12736 (CLASSIC).

SeriousHoax · Friday at 2:20 PM

harlan4096 said:

Weirdly if I load the site, it does not even connect to the domain. This asset was not loaded on my device on the site

brambedkar59 said:
"Reason: Expert analysis" This part is what concerns me.

This basically means that the heuristic signature that detected this file was created a human malware analyst, not automated signature or ML based detection. It doesn't necessarily mean that an analyst analyzed this exact file and created the detection. But some suspicious code in that file triggered the detection.
No detection from ESET on this file.

harlan4096 · Friday at 2:23 PM

SeriousHoax · Friday at 2:24 PM

harlan4096 said:
View attachment 288084

Yeah, this is where I learned this info

brambedkar59 · Friday at 3:55 PM

nicolaasjan said:
I can assure you that I didn't link to a malicious website on purpose.

I believe you and I was not implying otherwise with my previous comment.

Search

Malware News Suspicious extensions with 4 million installs discovered in Chrome Web Store

nicolaasjan

Level 5

Captain Awesome

Level 26

nicolaasjan

Level 5

oldschool

Level 85

nicolaasjan

Level 5

harlan4096

Super Moderator

brambedkar59

Level 33

TairikuOkami

Level 38

nicolaasjan

Level 5

SeriousHoax

Level 51

harlan4096

Super Moderator

SeriousHoax

Level 51

brambedkar59

Level 33

Similar threads

Malware News Suspicious extensions with 4 million installs discovered in Chrome Web Store

Level 5

Level 26

​

Level 5

Level 85

Level 5

Super Moderator

Level 33

Level 38

Level 5

Level 51

Super Moderator

Level 51

Level 33

Similar threads