Security News > 2023 > December > Fake VPN Chrome extensions force-installed 1.5 million times
Three malicious Chrome extensions posing as VPN infected were downloaded 1.5 million times, acting as browser hijackers, cashback hack tools, and data stealers.
ReasonLabs notified Google of its findings, and the tech giant removed the offending extensions from the Chrome Web Store, but only after those had amassed a total of 1.5 million downloads.
The installation of the VPN extensions is automatic and forced, taking place on the registry level, and does not involve the user or require any action on the victim's side.
The malicious extensions use a realistic VPN user interface with some functionality and a paid subscription option to create a sense of authenticity.
ReasonLabs points out that the abuse of the 'offscreen' permission enables the malware to run scripts through the Offscreen API and stealthily interact with the web page's current DOM. This extensive access to the DOM enables the extensions to steal sensitive user data, perform browsing hijacks, manipulate web requests, and even disable other extensions installed on the browser.
For this reason, you should routinely check the extensions installed in your browser and check for new reviews in the Chrome Web Store to see if others are reporting malicious behavior.