Home » News » Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs

Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs

Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs
May Be Interested In:Australian election 2025 live: LNP candidate questioned over his Trump social media posts; PM warns about rising far right threat


The extensions share other dubious or suspicious similarities. Much of the code in each one is highly obfuscated, a design choice that provides no benefit other than complicating the process for analyzing and understanding how it behaves.

All but one of them are unlisted in the Chrome Web Store. This designation makes an extension visible only to users with the long pseudorandom string in the extension URL, and thus, they don’t appear in the Web Store or search engine search results. It’s unclear how these 35 unlisted extensions could have fetched 4 million installs collectively, or on average roughly 114,000 installs per extension, when they were so hard to find.

Additionally, 10 of them are stamped with the “Featured” designation, which Google reserves for developers whose identities have been verified and “follow our technical best practices and meet a high standard of user experience and design.”

One example is the extension Fire Shield Extension Protection, which, ironically enough, purports to check Chrome installations for the presence of any suspicious or malicious extensions. One of the key JavaScript files it runs references several questionable domains, where they can upload data and download instructions and code:

URLs that Fire Shield Extension Protection references in its code.


Credit:

Secure Annex

One domain in particular—unknow.com—is listed in the remaining 34 apps.

Tuckner tried analyzing what extensions did on this site but was largely thwarted by the obfuscated code and other steps the developer took to conceal their behavior. When the researcher, for instance, ran the Fire Shield extension on a lab device, it opened a blank webpage. Clicking on the icon of an installed extension usually provides an option menu, but Fire Shield displayed nothing when he did it. Tuckner then fired up a background service worker in the Chrome developer tools to seek clues about what was happening. He soon realized that the extension connected to a URL at fireshieldit.com and performed some action under the generic category “browser_action_clicked.” He tried to trigger additional events but came up empty-handed.

share Share facebook pinterest whatsapp x print

Similar Content

The rapturous return of FKA twigs: ‘I grew up feeling my body could do anything’
The rapturous return of FKA twigs: ‘I grew up feeling my body could do anything’ March 26, 2025
Reddit’s New Content Moderation & Analytical Features Will Make It Easier to Connect & Contribute
Reddit’s New Content Moderation & Analytical Features Will Make It Easier to Connect & Contribute March 7, 2025
People in their final moments often experience two sudden changes to that catch their loved ones off guard, according to Julie McFadden. Stock image
End-of-life nurse reveals the most disturbing thing that happens when people die – she wants everyone to know so they’re not shocked March 6, 2025
SpaceX Starship explosion creates spectacular aerial display for the second time this year
SpaceX Starship explosion creates spectacular aerial display for the second time this year March 7, 2025
Divers recover body of 3rd worker killed in Key Bridge collapse
Divers recover body of 3rd worker killed in Key Bridge collapse April 6, 2024
Chalmers claims Coalition planning ‘secret cuts’ as Taylor guarantees health and education spending – as it happened
Chalmers claims Coalition planning ‘secret cuts’ as Taylor guarantees health and education spending – as it happened April 9, 2025
Global Insight: Understanding the Day's Headlines | © 2025 | Daily News