Malicious Chrome Extensions Have More Than 80 Million Installs
Nearly 300 malicious extensions were found to be available in the Google Chrome Web Store. The extensions include phony utilities and ad blockers that inject ads into search results or engage in cookie stuffing. Google removed the extensions after a blog post from AdGuard. The extensions in question have been downloaded 80 million times.
These extensions are attractive to end-users because they claim to solve problems such as blocking ads. Unfortunately, they hide their malicious behavior, so it may not be evident for a while. Consider using the Chrome Admin Console to manage your enterprise Chrome browsers, including extensions. In general, run only needed and verified extensions in your browser to minimize the attack surface and keep security as close to out-of-the-box as possible.
Browser market share statistics are all over the place, but Chrome has something like 60% of the browser market, probably around 2 billion active users. So, only about 4% of active users downloaded any of those extensions. At one point there were close to 200,000 extensions in the Chrome Web Store, so 300 malicious extensions is 0.15% of the total. In April, Google announced new and more restrictive/security-centric rules for developers and gave them a deadline of 27 August to comply. We need to see what progress is made in reducing that percentage in September.
The purpose of sites like the Google Webstore should be to provide a selection of known good Chrome extensions. Google has repeatedly failed at this task. Researchers regularly find large numbers of malicious extensions. Google has changed the approval process, but it appears all they accomplished is to antagonize the developers of valid extensions without solving the problem of malicious or questionable extensions.