20% of ad clicks on average are frauds

Don't pay for clicks generated by bots, competitors
or uninterested clickers

Malicious Browser Extensions

TrafficWatchdog team

15.12.2023 r.

malicious, browser, google, cybersecurity

Malicious Browser Extensions

source: own elaboration

A browser extension is a small software module that adds specific features to a web browser to extend its capabilities beyond its default settings. They were created to improve user’s experience when using web browsers, and their scope of operation is huge, from blocking ads, through creating and encrypting passwords, to tools that increase efficiency. Browser extensions are usually available in official browser-specific stores, such as the Chrome Web Store for Google Chrome.

Threats associated with Malicious Browser Extensions

However, using browser extensions involves considerable risk. As in the case of mobile applications, fraudsters quickly found a whole range of ways to use them for online fraud, including Ad Fraud. Because they are placed in real browsers, they are able to avoid detection, which allows them to perform many malicious activities such as:

  • secret collection of sensitive data,
  • tracking and then copying network activity,
  • injecting unwanted ads,
  • redirection to malicious sites,
  • extracting data from browser applications such as credentials,
  • capturing data from the browsing session itself: video, audio and everything else that was copied\pasted\filled out or entered on the website,
  • theft of login details to accounts on Facebook and other social networking sites,
  • consuming the power of device for cryptocurrency mining and even
  • taking control of the user’s browser.

Malicious browser extensions are also a popular choice for attackers looking to penetrate a company’s network. Thanks to their use, it is possible to gain access to organizational resources using collected credentials and targeted phishing attacks based on information collected from users.

Many malicious extensions are designed to operate stealthily, masquerading as legitimate browser extensions like Google Translate or extensions with useful features like PDF Converter or Video Downloader.

The scale of the phenomenon

According to researchers from Kaspersky, a cybersecurity company, in the first half of 2022 alone, 1.3 million users encountered threats related to browser extensions. This represents over 70% of the number of users affected by the same problem throughout 2021, which indicates that the phenomenon is significantly increasing.

Although such unwanted browser add-ons are most often distributed via third parties, many of them is available via official platforms - in 2020, Google removed 106 malicious browser extensions from its Chrome Web Store. However, before such fraudulent software modules were removed, they were downloaded 32 million times. Fraudsters used them to collect sensitive data (like cookies and passwords) and even take screenshots.

We need to remember that simply removing malicious extensions from the official store doesn’t change much for people who have already installed such fraudulent plug-ins - Chrome won’t automatically uninstall extensions, which means that they will remain on the devices until they will be removed by the user.

Installing a malicious extension can give the attacker full visibility and control over all data that flows or resides in the browser. How is this possible? Users themselves grant them permissions, thinking they are dealing with genuine extensions, and accidentally giving them access to sensitive data or even allowing them to take control of the entire browser.

Adware Extensions

One of the most common threats that impersonate browser extensions is adware. Such unwanted add-ons display huge amounts of unwanted advertisements on the screen, embed banners on websites or redirect to affiliate websites. From January 2020 to June 2022, Kaspersky experts observed that over 4.3 million unique users encountered fraudulent adware disguised as legitimate browser extensions.

The most famous fraud browser extensions: Nigelthorn, DataSpii, FB Stealer

Nigelthorn - 2018

The attackers distributed the malware by pretending to be a legitimate Chrome browser extension, which, once installed, injected malicious code into the victim’s browser, allowing their hardware to be used for cryptocurrency mining. In addition, the program could also steal confidential information, such as login details and personal data, posing a serious risk to the privacy and security of users, who could also observe on their devices reduced system performance and increased energy consumption. Nigelthorn managed to infect thousands of users before Google removed the malicious extension from the Chrome Web Store.


DataSpii is a whole collection of fraudulent browser extensions, mainly for Chrome, downloaded by millions of users. These seemingly innocent extensions, purporting to improve productivity or ensure security, were in fact collecting user data with alarming efficiency. Once installed, these extensions required extensive permissions supposedly necessary for their extensive functionalities to work. This enabled fraudsters to not only obtain the data of many millions of users, but also extract sensitive corporate data, which was then transmitted through a complex network of third-party services.

FB Stealer

FB Stealer, which was one of the threats analyzed by Kaspersky researchers, spread mainly through untrustworthy websites. Users who believed that they had downloaded the Google Translator extension actually received a dangerous Trojan - NullMixer, which installed a tool on the device whose task was to extract Facebook cookies and send the data contained in them to the attacker’s servers. Thanks to this, fraudsters were able to log into the victim’s Facebook account and impersonated the victim and asked his or her friends for money (trying to extort as much as possible before the user regained access to the account).

How to tell if an extension is fake?

Of course, not all browser extensions are dangerous, some of them can even help keep you safe. As Anton V. Ivanov, senior security researcher at Kaspersky, says:

“(…) Some extensions can even make devices a lot safer, for example, password managers. It is much more important to keep an eye on how reputable and trustworthy the developer is and what permissions the extension asks for. If you follow the recommendations for safe use of browser extensions, the risks of encountering any threats will be minimal.”

So how can you tell if an extension is fake? There is no clear recipe because such malicious programs aren’t marked in any way, and fraudsters have become perfect at impersonating other, real extensions. However, we should be alerted if:

  • the website associated with the extension is missing,
  • the developer’s contact information is missing,
  • the last update was a long time ago,
  • the extension doesn’t have a privacy policy,
  • there are few user reviews of the extension, or they are too good to be true,
  • the total number of user ratings is small,
  • the extension doesn’t appear in any official store,
  • the extension offers an unusual type of installation,
  • the extension is promoted in untrustworthy way.

Contact us

in order to present me a product offer and for marketing purposes. Spark DigitUP Sp. z o.o. as the Administrator, observing the provisions on the protection of personal data, has informed me of my right to access, delete, forget and transfer information, as well as rectify, supplement and limit the processing of my data in the manner arising from [Privacy Policy].

within the meaning of art. 10 paragraph 2 of the Act of July 18, 2002 on the provision of electronic services (Journal of Laws No. 144, item 1204) to the provided e-mail address and telephone number. Spark DigitUP Sp. z o.o. as the Administrator, observing the provisions on the protection of personal data, has informed me of my right to access, delete, forget and transfer informations, as well as rectify, supplement and limit the processing of my data in the manner arising from [Privacy Policy].

in relation to the phone number and email address I have provided for direct marketing purposes by Spark DigitUP Sp. z o.o., owner of the TrafficWatchdog.pl