Dozens of Chrome background extensions turn malicious
Publish Date: 2026-06-04 01:15:00
Source Domain: www.escudodigital.com
A new malware campaign has managed to infiltrate Google’s Chrome Web Store through dozens of fraudulent extensions presented as animated wallpapers.
According to research by cybersecurity firm Unit 42, cybercriminals managed to distribute more than fifty malicious add-ons that infected about 30,000 users.
The attackers took advantage of the appeal of customization extensions to convince users to install seemingly harmless tools. However, once added to the browser, these add-ons initiated a series of malicious activities aimed at hijacking browsing sessions, injecting unwanted advertisements, and collecting information about the victims’ online activity.
The campaign stands out for how its operators bypassed the Chrome Web Store's review. The package submitted for review contained no malicious code; once installed, the extensions downloaded additional content from external servers.
The extensions then contacted command-and-control servers, from which they received instructions and new payloads in HTML format. According to the analysis, more than 40 of the add-ons were configured to receive remote code, which let the attackers change their behavior at will without publishing new versions through the official store.
Researchers note that the criminals distributed the extensions through three different developer accounts, so that if Google detected and suspended one of the accounts used to publish the add-ons, the rest of the operation would survive.
Another striking aspect of the campaign is the deliberate manipulation of the browser's local storage: the extensions deleted the IndexedDB database both at initial installation and every time Chrome was launched. This hampers forensic analysis and detection, and it also shows the technical care the operators put into the campaign.
Experts warn that this type of adware should no longer be considered a mere nuisance. In addition to generating revenue through fraudulent advertising and web traffic hijacking, the ability to execute remote code opens the door to distributing much more dangerous threats in the future, such as trojans, credential stealers, or espionage tools.
The research highlights the challenges official extension stores still face in keeping malicious actors off their platforms. Google does apply security controls to published applications and add-ons, but attackers keep developing techniques to get around them and keep their campaigns alive for long periods. In this regard, Google has just patented a technology in which an automated agent posing as an ordinary user reviews extensions and mobile applications after they are published in its store.
What to do to protect yourself
To minimize risk, specialists recommend reviewing the developer's reputation before installing any extension, checking other users' ratings and comments, and being wary of add-ons that request permissions that are excessive or irrelevant to what the extension actually does.
Additionally, it is advisable to periodically remove extensions that are no longer used and keep the browser updated to reduce the attack surface against such threats.