A popular Chrome extension called QuickLens Search Screen with Google Lens has been removed from the Chrome Web Store after it was hijacked and turned into a malware delivery tool targeting thousands of users.
QuickLens originally allowed users to perform Google Lens searches directly from their browser. It grew to around 7,000 users and even received a featured badge from Google, which likely helped build trust.
However, on February 17, 2026, version 5.8 of the extension was released with hidden malicious code. Security researchers at Annex discovered that the extension had recently changed ownership after being listed for sale on ExtensionHub, a marketplace for buying and selling browser extensions.
According to Annex, ownership changed on February 1, 2026, to an account using the email [email protected] under the name LLC Quick Lens. A new privacy policy was also added on a barely functional website. Just over two weeks later, the malicious update was pushed to users.
The new version requested additional browser permissions, including declarativeNetRequestWithHostAccess and webRequest. It also added a rules.json file that stripped important security response headers such as Content-Security-Policy, X-Frame-Options, and X-XSS-Protection from visited pages. These headers normally help block malicious scripts from running.
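The two changes described above (new traffic-rewriting permissions plus a rules.json that removes security headers) are exactly what an extension audit can look for. The following script is an added example, not the article's or the extension's own code: it parses a manifest.json and a declarativeNetRequest rules.json and flags modifyHeaders rules that strip Content-Security-Policy, X-Frame-Options or X-XSS-Protection from every page. The sample manifest and rules are constructed to resemble the behaviour the article describes; the watchlist of permissions and headers is this example's own choice.

```python
"""Audit a Chrome extension's manifest and declarativeNetRequest rules.

Added example, not the article's or the QuickLens extension's code.
SAMPLE_MANIFEST and SAMPLE_RULES are constructed to resemble the update
the article describes; nothing here is copied from the real extension.
"""
import json

# Response headers whose removal weakens the visited page's own defences.
SECURITY_HEADERS = {
    "content-security-policy",
    "content-security-policy-report-only",
    "x-frame-options",
    "x-xss-protection",
    "x-content-type-options",
    "strict-transport-security",
}

# Permissions that let an extension observe or rewrite traffic for many hosts.
WATCHLIST_PERMISSIONS = {
    "declarativeNetRequestWithHostAccess",
    "declarativeNetRequest",
    "webRequest",
    "webRequestBlocking",
}

# Constructed sample manifest: a search helper that suddenly wants host-wide rewriting.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Lens Search",
    "version": "5.8",
    "permissions": ["storage", "declarativeNetRequestWithHostAccess", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "declarative_net_request": {
        "rule_resources": [{"id": "ruleset_1", "enabled": True, "path": "rules.json"}]
    },
})

# Constructed sample rules.json: one benign redirect, one header-stripping rule.
SAMPLE_RULES = json.dumps([
    {
        "id": 1, "priority": 1,
        "action": {"type": "redirect", "redirect": {"url": "https://example.com/new"}},
        "condition": {"urlFilter": "example.com/old"},
    },
    {
        "id": 2, "priority": 1,
        "action": {"type": "modifyHeaders", "responseHeaders": [
            {"header": "Content-Security-Policy", "operation": "remove"},
            {"header": "X-Frame-Options", "operation": "remove"},
            {"header": "X-XSS-Protection", "operation": "remove"},
        ]},
        "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]},
    },
])


def header_stripping_rules(rules_json):
    """Return [(rule_id, [stripped headers], url_filter)] for every modifyHeaders
    rule that removes or overwrites a security response header."""
    findings = []
    for rule in json.loads(rules_json):
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        hit = []
        for h in action.get("responseHeaders", []):
            name = h.get("header", "").lower()
            if name in SECURITY_HEADERS and h.get("operation") in ("remove", "set"):
                hit.append(name)
        if hit:
            findings.append((rule["id"], hit, rule.get("condition", {}).get("urlFilter", "")))
    return findings


def risky_permissions(manifest_json):
    """Return the sorted watchlist permissions the manifest requests."""
    m = json.loads(manifest_json)
    requested = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    return sorted(requested & WATCHLIST_PERMISSIONS)


def audit(manifest_json, rules_json):
    """Combine both checks; flag when risky permissions meet a host-wide strip rule."""
    perms = risky_permissions(manifest_json)
    strips = header_stripping_rules(rules_json)
    broad = [f for f in strips if f[2] in ("*", "")]
    return {
        "risky_permissions": perms,
        "header_stripping_rules": strips,
        "flag": bool(perms) and bool(broad),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MANIFEST, SAMPLE_RULES), indent=2))
```

Pointing the two loaders at a real extension directory (for example an unpacked copy of a Chrome profile's Extensions folder) turns this into a quick diff-time check: a version bump that introduces a watchlist permission together with a wildcard modifyHeaders rule is worth a manual review before it reaches users.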
The compromised extension connected to a command and control server at api.extensionanalyticspro.top. It generated a unique identifier for each user, identified their country using Cloudflare’s trace service, collected browser and operating system details, and then checked in with the server every five minutes for instructions.
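A fixed five-minute check-in is a regular beacon, and regularity is something a defender can detect in proxy or DNS logs without knowing the command-and-control host in advance. The script below is an added example, not from the article: it groups requests by host, computes the gaps between consecutive requests, and flags hosts whose gaps are nearly constant. The log lines and host names are constructed for the example (`api.beacon-example.invalid` stands in for whatever host a real extension would use) and the thresholds are this example's own choice.

```python
"""Flag periodic check-ins to a single host in a simple proxy log.

Added example, not the article's code. SAMPLE_LOG is constructed:
"timestamp host path" per line, one workstation, about 45 minutes of traffic.
"""
from collections import defaultdict
from datetime import datetime
import statistics

SAMPLE_LOG = """\
2026-02-18T09:00:03Z api.beacon-example.invalid /v1/tasks
2026-02-18T09:01:17Z www.example.com /
2026-02-18T09:05:04Z api.beacon-example.invalid /v1/tasks
2026-02-18T09:07:40Z www.example.com /news
2026-02-18T09:10:02Z api.beacon-example.invalid /v1/tasks
2026-02-18T09:15:05Z api.beacon-example.invalid /v1/tasks
2026-02-18T09:18:30Z cdn.example.org /lib.js
2026-02-18T09:20:03Z api.beacon-example.invalid /v1/tasks
2026-02-18T09:25:04Z api.beacon-example.invalid /v1/tasks
2026-02-18T09:30:02Z api.beacon-example.invalid /v1/tasks
2026-02-18T09:44:11Z www.example.com /about
"""


def parse_log(text):
    """Return {host: [datetime, ...]} from the constructed log format."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _path = line.split(maxsplit=2)
        per_host[host].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return per_host


def beacon_candidates(per_host, min_hits=5, max_jitter=0.05):
    """Return {host: median_gap_seconds} for hosts contacted at a near-constant
    interval: at least min_hits requests and a coefficient of variation
    (population stdev / mean) of the inter-request gaps below max_jitter."""
    out = {}
    for host, times in per_host.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv < max_jitter:
            out[host] = statistics.median(gaps)
    return out


if __name__ == "__main__":
    for host, interval in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: check-in roughly every {interval:.0f}s")
```

On the sample above only the placeholder host is reported, with a median gap close to 300 seconds; the ordinary browsing hosts are either visited too few times or at irregular gaps. In production this needs a per-client grouping and an allowlist for legitimate pollers (update checks, mail clients) to keep the false-positive rate down.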
Users began reporting strange behavior, including fake Google Update alerts appearing on every website they visited. Some said the popups made it nearly impossible to interact with web pages.
Analysis showed that the extension received arrays of malicious JavaScript code from the command server. These scripts were executed on every page load using a technique researchers described as a one-pixel image onload trick. Because the extension removed Content-Security-Policy headers, the injected scripts were able to run even on websites that would normally block them.
One of the first payloads contacted Google Update dot icu and displayed a fake Google Update prompt. If users clicked the update button, they were directed to a ClickFix attack. This trick encouraged them to run malicious code on their own computers.
For Windows users, this resulted in the download of a file named googleupdate.exe, signed with a certificate from Hubei Da’e Zhidao Food Technology Co Ltd. When executed, the file launched hidden PowerShell commands that attempted to download and run additional payloads from a remote server. At the time of analysis, the second-stage malware was no longer being served.
Another malicious component focused on stealing cryptocurrency wallets and login credentials. The extension checked for popular wallets, including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Solflare, Backpack, Brave Wallet, Exodus, Binance Chain Wallet, WalletConnect, and Argon. If detected, it attempted to extract wallet activity and seed phrases, which could be used to fully take over accounts and drain funds.
Additional scripts collected saved login credentials, payment information, and other sensitive data entered into websites. Some payloads also scraped Gmail inbox contents, Facebook Business Manager ad account data, and YouTube channel details.
There are also claims that macOS users were targeted with the Atomic Stealer malware, although this has not been independently confirmed.
Google has since removed QuickLens from the Chrome Web Store, and Chrome now automatically disables the extension on affected systems.
Anyone who installed QuickLens should make sure it is completely removed, run a full malware scan on their device, and reset passwords stored in their browser. Users of the mentioned crypto wallets should immediately move their funds to a new wallet with a newly generated seed phrase.