Watch Out for Malicious Chrome Extensions
Extensions are an excellent way to add new features to your internet browser that the developers couldn’t add in the first place. If Google Chrome is missing a feature you want, such as an intelligent proofreader like Grammarly, you can simply download and install it from the Chrome Web Store. However, not all extensions are what they claim to be.
Extensions are an excellent way to add new features to your internet browser that the developers couldn’t add in the first place. If Google Chrome is missing a feature you want, such as an intelligent proofreader like Grammarly, you can simply download and install it from the Chrome Web Store.
However, not all extensions are what they claim to be. While you would think Google would thoroughly vet an extension before it was allowed to be hosted on its web store, there are far too many malicious programs purporting to be legitimate, just waiting for someone to install them to their browser.
This has been a problem for some time: Every now and then, you hear about a number of users affected by a malicious Chrome extension, or a formerly legitimate extension that was bought and turned into a malicious program without anyone’s knowledge. However, it’s not often we get a glimpse at the full scope of the problem.
As reported by Forbes, researchers have discovered that, over a three year period, there were more than 280 million installations of extensions on Chrome that contained malware. They found an additional 63 million installs of extensions that violated Google’s policies, and another three million that contained “vulnerable code,” raising the total number of compromised installations to over 346 million.
These researchers discovered that malicious extensions tend to ask for more permissions that normal extensions, which makes sense: Malicious extensions want access to your device and its data, so requesting as many permissions as possible (especially permissions that don’t make sense for the extension’s purported function) is part of the plan.
They also found that these extensions were typically not caught quickly. You might hope that anytime a malicious extension started engaging in shady behavior, Google would shut it down right away. However, researchers discovered that malicious extensions stayed on the web store for an average of 380 days at a time. That means the average extension containing malware can hang out on the web store for over a year, infecting the computers of unsuspecting users, before Google finally put a stop to it.
For Google’s part, the company admits that extensions, like all software, are a target for malware and bad actors, and that there’s no way to prevent it entirely. That said, the company points to built-in safety checks users can take advantage of to protect themselves: When reviewing an extension, be on the lookout for a safety check panel, which will tell you if that extension potentially carries malware. If there’s no safety panel, Google thinks the extension is totally safe. Besides this, you should be vigilant with your extensions: Carefully review the entire extensions page and be sure everything looks legit. Don’t let an extension have more permissions than absolutely necessary. Finally, make sure to remove extensions from Chrome you don’t use anymore, as bad actors sometimes acquire existing extensions to take advantage of the established user base.
Share This
