Nearly a dozen Chrome extensions with a combined 1.7 million downloads have been found secretly tracking user activity, stealing browser data, and redirecting users to unsafe websites, according to researchers at Koi Security.

These malicious add-ons masqueraded as useful tools like color pickers, VPNs, volume boosters, and emoji keyboards, often providing the promised features to avoid suspicion. Many of them were verified on the Chrome Web Store, had hundreds of positive reviews, and remained available even after some were reported.

The following Chrome extensions were identified as malicious and should be removed immediately:

  • Color Picker, Eyedropper — Geco colorpick
  • Emoji keyboard online — copy&paste your emoji
  • Free Weather Forecast
  • Video Speed Controller — Video manager
  • Unlock Discord — VPN Proxy to Unblock Discord Anywhere
  • Dark Theme — Dark Reader for Chrome
  • Volume Max — Ultimate Sound Booster
  • Unblock TikTok — Seamless Access with One-Click Proxy
  • Unlock YouTube VPN
  • Unlock TikTok
  • Weather

Security researchers discovered that the tracking functionality was embedded in the background service worker of each extension using the Chrome Extensions API. This let the extensions monitor every page the user visited, exfiltrate the URLs to a remote server, and assign a unique tracking ID to each user. The server could then issue redirection commands to hijack browser activity, potentially sending users to malicious sites.

Although no redirection activity was observed during testing, the presence of such code poses a serious risk. Notably, the malicious behavior was not part of the original versions of these extensions — it was added later via updates. Google’s silent auto-update system deployed these changes without alerting users, raising concerns that some extensions may have been hijacked by threat actors.
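As an added example (not code from the article or from Koi Security's research), the following Python audit walks a Chrome profile's Extensions directory, flags manifests whose display name matches the list above, and separately flags the capability combination the article describes: a background service worker together with permissions that expose every visited URL and all-URL host access. The specific permissions checked (`tabs`, `webNavigation`, `webRequest`) are an assumption, since the article names the Chrome Extensions API only generically; the profile path is whatever you pass on the command line.

```python
import json
import sys
from pathlib import Path

# Display names the article lists (name matching is the only handle
# available here, since the article does not give extension IDs).
FLAGGED_NAMES = {
    "Color Picker, Eyedropper — Geco colorpick",
    "Emoji keyboard online — copy&paste your emoji",
    "Free Weather Forecast",
    "Video Speed Controller — Video manager",
    "Unlock Discord — VPN Proxy to Unblock Discord Anywhere",
    "Dark Theme — Dark Reader for Chrome",
    "Volume Max — Ultimate Sound Booster",
    "Unblock TikTok — Seamless Access with One-Click Proxy",
    "Unlock YouTube VPN",
    "Unlock TikTok",
    "Weather",
}
# Assumption: seeing every visited page needs one of these permissions.
BROWSING_PERMS = {"tabs", "webNavigation", "webRequest"}
ALL_URLS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Score one manifest.json: listed name, and/or the capability set that
    lets a background service worker observe and report every URL."""
    declared = set(manifest.get("permissions", []))
    declared |= set(manifest.get("host_permissions", []))  # MV3 splits hosts out
    has_worker = "service_worker" in manifest.get("background", {})
    name = manifest.get("name", "")
    return {
        "name": name,
        "listed": name in FLAGGED_NAMES,
        "can_track_browsing": has_worker
        and bool(declared & BROWSING_PERMS)
        and bool(declared & ALL_URLS),
    }


def audit_extensions_dir(extensions_dir: Path) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json. Every installed
    version is checked because the article says the tracker arrived via update."""
    findings = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        result = assess_manifest(manifest)
        if result["listed"] or result["can_track_browsing"]:
            result.update(id=path.parents[1].name, version=path.parents[0].name)
            findings.append(result)
    return findings


if __name__ == "__main__":  # e.g. ~/.config/google-chrome/Default/Extensions
    for hit in audit_extensions_dir(Path(sys.argv[1])):
        print(hit)
```

A hit on `can_track_browsing` alone is not proof of malice (many legitimate extensions need these permissions), so treat it as a triage queue and check the service worker for outbound URL reporting before removing.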

Koi Security also found that similar extensions had been planted on the Microsoft Edge add-on store, affecting an additional 600,000 users, bringing the total impact to over 2.3 million users across both platforms.

Users are urged to:

  • Immediately remove the listed extensions
  • Clear browser data to eliminate tracking identifiers
  • Scan devices for malware
  • Monitor accounts for unusual activity

Google has not commented yet on the status of the remaining active extensions.