
How to spot a malicious browser extension

September 21, 2020 by Dan Virgillito

Let’s not kid ourselves — the experience of surfing the web wouldn’t be the same without extensions. Browser extensions make it possible to block advertisements, change the appearance of web pages and more. 

Although the rise in their demand has required that extension marketplaces up their due diligence, they remain largely unregulated territory. The truth is that it’s easy for cybercriminals to publish malicious browser extensions that perform illicit activities, including spying, data theft and more.


Almost all popular web browsers offer extensions, including Chrome, Safari, Opera, Firefox, Microsoft Edge and Internet Explorer. This means that a lot of people end up using them. The large user base makes it attractive for bad actors to package malware inside the extensions.

Another appeal of using extensions is that it’s difficult for an antivirus to spot the malware. Generally, extensions aren’t treated as applications, so they often fly under a security program’s radar. Plus, the fact that marketplace authorities don’t properly vet most extensions makes these modules a convenient vehicle for carrying malware.

With that in mind, let’s look at a recent case of malicious browser extensions and what you can do to detect them (before it’s too late).

Malicious Chrome extensions received over 30 million downloads

During a three-month study, researchers from Awake Security discovered 111 malicious browser extensions available to download for Google Chrome. Seventy-nine of these extensions were present on the Chrome Web Store. While most of them appeared to function normally, they were actually offering support to a massive global surveillance campaign by spying on and stealing data from users across various industry verticals. 

The researchers also revealed that the extensions were downloaded almost 33 million times by Google Chrome users, with a few extensions receiving over ten million installs. Spoofed to look legitimate, the extensions carried a range of surveillance capabilities such as capturing keystrokes (like passwords), reading clipboards, taking screenshots and harvesting credential tokens present in parameters or cookies.

Based on the findings, the extensions allowed attackers to create strong footholds on enterprise networks. They had been downloaded to devices associated with healthcare, retail, oil and gas, government, financial, and many other sectors. The malicious extensions didn’t have a price tag and were packaged as add-ons to either enable users to convert files or alert them about questionable websites.

Internet domain registrar may have helped to fuel the spread

Besides the malicious extensions, Awake Security researchers discovered around 15,000 domains that were set up to store the data that the extensions gathered. All of these domains were registered via the Israeli-based internet domain provider GalComm. While researchers say they were unable to get in touch with the registrar’s representatives, GalComm’s owner Moshe Fogel told Reuters he didn’t know about any malicious activity linked to his company. He also added that the firm cooperates with security bodies and law enforcement as much as it can to prevent such cases. 

Researchers, however, determined that adversaries could exploit the advanced security processes in GalComm domains to bypass multiple layers of security and conduct their activities secretly. Some security mechanisms that rogue browser extensions could bypass include web proxies, cloud-based sandboxes, domain reputation engines, and endpoint security solutions. Based on these findings, Awake Security called for a better audit of domain name registrars, as cybercriminals and nation-states can exploit their platform to deliver malicious extensions, tools and websites without being caught.

Protecting yourself against malicious browser extensions

As per standard practice, Google disabled the malicious extensions in each user’s browser. Now, whoever attempts to use them will see a “malware” label alongside their name in Google Chrome’s browser extension section. But the fact that so many of these add-ons were available on the Chrome Web Store is alarming. 

The good news is that there are ways to detect malicious browser extensions before they get onto your browser. Here’s what you can do:

Look up the profile of the developer

It’s common for extension developers to have a site or a public profile through which you can verify their identity. Make sure the name listed on the extension matches the developer’s name. And if you’re still in doubt, go to the developer’s website and download the extension from there rather than scouring through the extension marketplace’s cluttered listings to find your desired extension (which may have been published by a fake developer with some changes). 

Keep tabs on your browser’s behavior

When using browser extensions, watch out for anything unusual. If your web browser suddenly displays loads of advertisements, check which extensions are active. You can then deactivate them and activate them one by one to identify the problematic extension. 

As a side note, you should never install a large number of extensions at once. It slows down the browser and puts a lot of strain on your computer’s memory.

Carefully read the permissions that extensions require

If an extension is requesting permissions that seem far-fetched, then it’s best to take a second look at its description. Doing so will let you evaluate whether they align with the functionality of the app. For instance, a screenshot extension shouldn’t require permissions to access a person’s email. In a nutshell, if you can’t come up with a valid reason for the permissions the extension requests, you’re probably looking at a malicious browser extension.
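The permission review described above can be partly automated by reading an extension's manifest.json before installing it. The following is an added example, not code from the original article or from Awake Security: the permission names are real Chrome manifest values, while the risk notes, the `auditManifest` helper and the sample manifest are constructed for illustration.

```javascript
// Added example: flag declared permissions that map to the surveillance
// capabilities the article lists (clipboard, cookies/tokens, screenshots, keystrokes).
const RISKY_PERMISSIONS = new Map([
  ["clipboardRead", "can read the clipboard"],
  ["cookies", "can read cookies, including session tokens"],
  ["webRequest", "can observe requests, including tokens in URL parameters"],
  ["tabCapture", "can capture the visible content of a tab"],
  ["desktopCapture", "can capture the screen"],
  ["history", "can read browsing history"],
  ["nativeMessaging", "can talk to programs outside the browser"],
]);

// Host patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
  ];
  for (const p of new Set(declared)) {
    if (RISKY_PERMISSIONS.has(p)) findings.push({ item: p, why: RISKY_PERMISSIONS.get(p) });
    else if (BROAD_HOSTS.has(p)) findings.push({ item: p, why: "access to every website" });
  }
  // A content script injected into every page can see what is typed there.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD_HOSTS.has(m))) {
      findings.push({ item: "content_scripts", why: "script runs on every page and can read typed input" });
    }
  }
  return findings;
}

// Constructed sample: a "file converter" that asks for far more than it needs.
const sampleManifest = {
  name: "Example File Converter",
  manifest_version: 2,
  permissions: ["downloads", "clipboardRead", "cookies", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

for (const f of auditManifest(sampleManifest)) console.log(`${f.item}: ${f.why}`);
```

A finding is a prompt to compare the permission with the extension's stated purpose, not proof of malice: many legitimate extensions, such as ad blockers, need broad host access.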


Browser extensions make our lives easier, but not all of them are created equal, and some do more harm than good. As such, you should exercise great caution when installing an extension. Look up its history and publisher before you proceed with the installation. Also, stay vigilant while using your downloaded extensions and remove the ones you no longer use. It’s also a good idea to check browser forums to see if anyone else has complained about the extension you’re planning to install.

By taking these steps, you should be able to spot a malicious extension before it gets a chance to spy on your personal data. 




Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.