Over 280 million at risk from malware-filled Chrome extensions — how to stay safe


In the same way that you need to be careful when installing new apps on your smartphone, you also have to be cautious when adding new extensions to your browser, especially with Google Chrome.

With a 65% market share worldwide according to Statcounter, Chrome is the most popular browser by far, which makes it the perfect target for hackers and other cybercriminals. While cyberattacks often exploit zero-day flaws in Google’s browser, there’s an easier way to target Chrome users: malicious extensions.

Just like with malicious apps, these bad extensions can contain malware and other threats designed to steal your data as well as your cash. Of the 250,000 extensions on the Chrome Web Store, less than 1% were found to include malware according to a recent blog post from Google. However, a new research paper claims otherwise.

Published by researchers from Stanford University and the CISPA Helmholtz Center for Information Security, the research paper (PDF) claims that 280 million people installed a malware-infected Chrome extension between July 2020 and February 2023.

Here’s everything you need to know about malicious Chrome extensions and how you can stay safe when adding new extensions to your browser.

Lasting threats

As reported by TechSpot, the researchers found that over a three-year period, 346 million users installed Security-Noteworthy Extensions (SNE). While 63 million of these installs were of extensions with policy violations and 3 million were of vulnerable extensions, 280 million were of extensions that actually contained malware.

Surprisingly, many of these malicious extensions were available to download on the Chrome Web Store for quite some time. The malware-filled ones remained on the store for 380 days on average while the ones with vulnerable code stayed up for 1,248 days on average.

Of these malicious extensions, one called TeleApp was available to download and install for 8.5 years. The extension itself was updated in 2013 before it was finally removed after it was found to contain malware in 2022.

Normally with apps on the Google Play Store, I recommend checking user ratings and reviews to see if they are malicious. However, the researchers found that this doesn’t help when it comes to bad extensions as many of them don’t have any reviews at all. This could indicate that their users don’t know they’re dangerous or that they just didn’t take the time to rate and review them.

How to stay safe from malicious extensions


Since checking ratings and reviews on the Chrome Web Store doesn’t seem to work in this case, you’re going to have to look for external reviews to help judge whether or not a browser extension is safe to install. However, as browser extensions rarely get full reviews, there are some other things to keep in mind to stay safe.

Just like with bad apps, the researchers found that malicious extensions often ask for more permissions than they should. If you go to install a new extension and it’s asking for quite a lot of permissions, this can be a major red flag and could be a good indication that it might be malicious.
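The permission check described above can be run directly against an extension's `manifest.json`, where Chrome extensions declare what they ask for. The following is an added example, not code from this article or the research paper; the shortlists of sensitive permissions and broad host patterns, the function names and the sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Assumption: these shortlists are chosen for this example, not taken from the paper.
SENSITIVE_APIS = {"cookies", "history", "webRequest", "debugger", "nativeMessaging",
                  "clipboardRead", "management", "proxy", "tabs", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

def audit_manifest(manifest_text):
    """Return sorted findings for one manifest.json (Manifest V2 or V3)."""
    manifest = json.loads(manifest_text)
    requested = set()
    for key in PERMISSION_KEYS:  # MV2 keeps hosts in "permissions"; MV3 splits them out
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):  # match patterns grant page access
        requested.update(script.get("matches", []))
    findings = [f"broad host access: {p}" for p in requested if p in BROAD_HOSTS]
    findings += [f"sensitive API: {p}" for p in requested if p in SENSITIVE_APIS]
    return sorted(findings)

def is_red_flag(findings):
    """Flag extensions that pair access to every site with a sensitive API."""
    kinds = {f.split(":")[0] for f in findings}
    return {"broad host access", "sensitive API"} <= kinds

def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a Chrome Extensions folder."""
    results = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        # utf-8-sig tolerates manifests saved with a byte-order mark
        results[path.parent.parent.name] = audit_manifest(path.read_text(encoding="utf-8-sig"))
    return results

# Constructed sample manifests (not real extensions).
COLOR_PICKER = json.dumps({
    "manifest_version": 3, "name": "Sample Color Picker", "version": "1.0",
    "permissions": ["storage", "cookies", "webRequest"],
    "host_permissions": ["<all_urls>"]})
NOTE_TAKER = json.dumps({
    "manifest_version": 3, "name": "Sample Notes", "version": "1.0",
    "permissions": ["storage", "activeTab"]})

if __name__ == "__main__":
    for name, text in (("color picker", COLOR_PICKER), ("notes", NOTE_TAKER)):
        found = audit_manifest(text)
        print(name, "RED FLAG" if is_red_flag(found) else "ok", found)
```

On Linux, Chrome's default profile keeps installed extensions under `~/.config/google-chrome/Default/Extensions`, which can be passed to `audit_profile` to review what is already installed.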

Since many malicious extensions contain malware, you’re going to want to use the best antivirus software on your PC and one of the best Mac antivirus software solutions on your Apple computer. This way, if an extension does contain malware, your antivirus software will be able to catch it before any damage can be done.

Likewise, before you install any new software or browser extensions, you first need to ask yourself if you really need to. A lot of times, you’ll be able to accomplish the same thing using built-in software or your browser’s own capabilities. If you do need to install an extension for your browser, make sure that it’s from a trusted source or a well-known software provider.

Since Chrome is the biggest browser, hackers will likely keep trying to slip their malicious extensions past Google’s defenses. The search giant does have a dedicated security team that reviews every Chrome extension to make sure it isn’t malicious. Still, if you want to be extra careful, the fewer browser extensions you have installed, the better.
