Google has removed 34 malicious Google Chrome extensions from Chrome Web Store. These malicious extensions have collective downloads of over 87 million. After the installation, these extensions offer a legitimate function but later show malicious behaviors such as altering search results and showing spam or unwanted ads.
Researcher Wladimir Palant initially analyzed the PDF Toolbox extension and published a detailed report on May 16. The Chrome extension was available in Chrome Web Store and had 2 million downloads. He found the malicious code disguised as a legitimate extension API wrapper. This malicious code was allowing serasearchtop[.]com to inject arbitrary JavaScript code into any website the user visits on the browser. The injected code inserts ads into web pages. But, 24 hours after installing the extension, the extension also shows malicious intentions.
Later on May 31, Palant wrote another article after he found the same malicious code in other extensions available on the Chrome Web Store. He found a few extensions with the same behavior in the next two days. When he last updated the article, he found 34 malicious extensions with collective downloads of 87 million users.
Here’s a list of all the malicious extensions Palant found. Most of these extensions now have been removed from Chrome Web Store. Hopefully, the Remaining extensions will also be removed from the Web Store soon.
| Name | Weekly active users | Extension ID |
|---|---|---|
| Autoskip for Youtube | 9,008,298 | lgjdgmdbfhobkdbcjnpnlmhnplnidkkp |
| Soundboost | 6,925,522 | chmfnmjfghjpdamlofhlonnnnokkpbao |
| Crystal Ad block | 6,869,278 | lklmhefoneonjalpjcnhaidnodopinib |
| Brisk VPN | 5,595,420 | ciifcakemmcbbdpmljdohdmbodagmela |
| Clipboard Helper | 3,499,233 | meljmedplehjlnnaempfdoecookjenph |
| Maxi Refresher | 3,483,639 | lipmdblppejomolopniipdjlpfjcojob |
| Quick Translation | 2,797,773 | lmcboojgmmaafdmgacncdpjnpnnhpmei |
| Easyview Reader view | 2,786,137 | icnekagcncdgpdnpoecofjinkplbnocm |
| PDF toolbox | 2,782,790 | bahogceckgcanpcoabcdgmoidngedmfo |
| Epsilon Ad blocker | 2,571,050 | bkpdalonclochcahhipekbnedhklcdnp |
| Craft Cursors | 2,437,224 | magnkhldhhgdlhikeighmhlhonpmlolk |
| Alfablocker ad blocker | 2,430,636 | edadmcnnkkkgmofibeehgaffppadbnbi |
| Zoom Plus | 2,370,645 | ajneghihjbebmnljfhlpdmjjpifeaokc |
| Base Image Downloader | 2,366,136 | nadenkhojomjfdcppbhhncbfakfjiabp |
| Clickish fun cursors | 2,353,436 | pbdpfhmbdldfoioggnphkiocpidecmbp |
| Cursor-A custom cursor | 2,237,147 | hdgdghnfcappcodemanhafioghjhlbpb |
| Amazing Dark Mode | 2,228,049 | fbjfihoienmhbjflbobnmimfijpngkpa |
| Maximum Color Changer for Youtube | 2,226,293 | kjeffohcijbnlkgoaibmdcfconakaajm |
| Awesome Auto Refresh | 2,222,284 | djmpbcihmblfdlkcfncodakgopmpgpgh |
| Venus Adblock | 1,973,783 | obeokabcpoilgegepbhlcleanmpgkhcp |
| Adblock Dragon | 1,967,202 | mcmdolplhpeopapnlpbjceoofpgmkahc |
| Readl Reader mode | 1,852,707 | dppnhoaonckcimpejpjodcdoenfjleme |
| Volume Frenzy | 1,626,760 | idgncaddojiejegdmkofblgplkgmeipk |
| Image download center | 1,493,741 | deebfeldnfhemlnidojiiidadkgnglpi |
| Font Customizer | 1,471,726 | gfbgiekofllpkpaoadjhbbfnljbcimoh |
| Easy Undo Closed Tabs | 1,460,691 | pbebadpeajadcmaoofljnnfgofehnpeo |
| Screence screen recorder | 1,459,488 | flmihfcdcgigpfcfjpdcniidbfnffdcf |
| OneCleaner | 1,457,548 | pinnfpbpjancnbidnnhpemakncopaega |
| Repeat button | 1,456,013 | iicpikopjmmincpjkckdngpkmlcchold |
| Leap Video Downloader | 1,454,917 | bjlcpoknpgaoaollojjdnbdojdclidkh |
| Tap Image Downloader | 1,451,822 | okclicinnbnfkgchommiamjnkjcibfid |
| Qspeed Video Speed Controller | 732,250 | pcjmcnhpobkjnhajhhleejfmpeoahclc |
| HyperVolume | 592,479 | hinhmojdkodmficpockledafoeodokmc |
| Light picture-in-picture | 172,931 | gcnceeflimggoamelclcbhcdggcmnglm |
Look at the list carefully, these malicious extensions are actually useful. That’s the reason they also have a good number of downloads.
If you have any of these extensions installed on your browser, you need to remove them right now.
