Malicious Browser Extensions

Browser extensions are small blocks of code that allow users to customise the browsing experience and add additional features and functionalities to a basic browser. These features can include blocking advertisements, changing the appearance of web pages, grammar-checking your writing, and much more. Extensions can be downloaded typically for free from official browser provider sites, for instance Chrome’s, Safari’s, and Mozilla’s online stores, or from other sites. As they improve the convenience, productivity, and efficiency of browsers for both personal and work-related activities, extensions have become increasingly popular.
Browser extensions, however, are not always as secure as they look, and can pose a significant challenge to cybersecurity. As a matter of fact, extensions can be easily downloaded with just one click, typically have full access to the contents of any web page the user loads and can handle sensitive data. This has made extensions a valuable target for threat actors.

Malicious extensions, and “good” extensions gone bad

Seeing the popularity of browser extensions, cybercriminals have found ways to package malware inside seemingly legitimate extensions. As a matter of fact, these add-ons may impersonate legitimate and popular extensions, or may have legitimate and helpful functions in addition to the malicious ones. Malicious extensions allow threat actors to perform many illicit activities, including spying on users’ web activity, and stealing sensitive data, including passwords, and personal and financial information.

Threat actors have also managed to distribute malicious extensions through browsers’ official marketplaces. In 2020, Google found and subsequently removed over 106 extensions from the Chrome Web Store, which had been downloaded over 32 million times. These malicious extensions were responsible for tracking and stealing sensitive information, including passwords, and could even take screenshots. The users who had downloaded these malicious extensions included businesses as well, giving threat actors access to financial services firms, oil and gas companies, and healthcare and government organisations.

The most popular type of malicious extension is the kind containing adware. Threat actors insert unwanted software in the extensions that allows them to generate revenue by automatically displaying a high number of advertisements on users’ screens. The second most popular type is extensions that contain malware that can track users’ activity, steal information, gain access to users’ cameras and photos, and access users’ emails and sensitive data. Legitimate extensions can also turn into malicious ones at a later time. In fact, legitimate extensions can be hijacked or bought by threat actors, who can then push updates containing malicious code, which will inject malware into the extension.

According to Kaspersky’s findings, between 2020 and 2022 almost 7 million users attempted to download malicious browser extensions, of which 70% were infected with adware.


How to stay protected

To avoid inadvertently installing malicious extensions there are some elements to pay particular attention to:

  • First, it is essential to consider whether the extension is really needed, as even some legitimate extensions can negatively affect the browser’s performance. Before installing an extension, it is recommended to check its publisher, and go to the official website to download it, rather than relying on the results of search engines. This way, users can avoid installing extensions from unofficial sources.
  • Another useful tip is to carefully read the permissions that the extension requires, for instance access to the users’ camera or geolocation, and assess whether these permissions are worth it for the specific extension. By visiting browser forums users can check whether anyone else has complained or raised flags on an extension. Once the extension is installed, it is important to keep an eye out for suspicious and unusual behaviour, for instance if there is a significant increase in the amount of adverts displayed on the users’ screen. Lastly, if an extension is no longer used, it is always recommended to remove it, in order to decrease the potential attack surface that threat actors could exploit.
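
The permission review described above can be partly automated by reading an extension's `manifest.json`. The script below is an added example, not part of the original article; the set of permissions it flags, the severity labels and the sample manifest are assumptions chosen for illustration.

```python
import json

# Host patterns that let an extension read and change every page the user loads.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Extension API permissions worth a second look, and what each one allows.
SENSITIVE_APIS = {
    "cookies": "read and modify cookies, including session cookies",
    "webRequest": "observe the browser's network requests",
    "history": "read browsing history",
    "tabs": "see the URL and title of every open tab",
    "clipboardRead": "read clipboard contents",
    "geolocation": "read the user's location",
    "desktopCapture": "capture screen contents",
    "tabCapture": "capture the visible tab",
}

PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

def audit_manifest(manifest):
    """Return sorted (severity, message) findings for one parsed manifest.json."""
    requested = []
    # Manifest V2 mixes API names and host patterns in "permissions";
    # Manifest V3 moves host patterns to "host_permissions". Check both.
    for key in PERMISSION_KEYS:
        requested += [(key, p) for p in manifest.get(key, []) if isinstance(p, str)]
    # Content scripts reach pages through "matches", with no permission entry.
    for script in manifest.get("content_scripts", []):
        requested += [("content_scripts.matches", m) for m in script.get("matches", [])]
    findings = set()
    for source, perm in requested:
        if perm in BROAD_HOSTS:
            findings.add(("HIGH", f"{source}: {perm} covers every site"))
        elif perm in SENSITIVE_APIS:
            findings.add(("REVIEW", f"{source}: {perm} can {SENSITIVE_APIS[perm]}"))
    return sorted(findings)

# Constructed sample manifest (not taken from any real extension).
SAMPLE = json.loads("""{
  "manifest_version": 3, "name": "Example Grammar Helper", "version": "1.0",
  "permissions": ["storage", "cookies", "tabs"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    for severity, message in audit_manifest(SAMPLE):
        print(severity, message)
```

To check a real extension, load its `manifest.json` with `json.load` and pass the result to `audit_manifest`; a finding is a prompt to ask whether the extension's stated purpose needs that access, not proof of malice.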

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.
