Got Malicious Chrome Extensions?

If you are like most, Chrome is a staple in our everyday internet lives, as well as the extension in Second Life web browser. Your web browser is your first line of defense against all manner of cyber attacks. But some disturbing reports of malicious Chrome extensions that resist most manual removal efforts have led me to wonder just how good Google is at keeping malicious extensions out of the Play Store, and how committed Google is to doing so. Read on for the scoop…

Is Google Doing All It Can To Protect Against Malicious Chrome Extensions?

Google puts a lot of effort into making the Chrome browser safe and secure. But when third-party extensions are added, your level of security may drop to zero. Browser extensions have nearly full access to the web pages you visit, so in addition to spying on your activity, a malicious extension can steal passwords, use your computer to mine cryptocurrency, and make you an unwitting participant in click fraud schemes.
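To see how much access an extension actually asks for, you can read its manifest.json. The Python sketch below is an added example, not part of the original article: it flags manifests that request access to every page you visit. The sample manifests and the list of sensitive APIs are constructed for illustration.

```python
import json

# Match patterns that cover every site, i.e. access to all pages you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look (a review list assumed for this example).
SENSITIVE_APIS = {"cookies", "webRequest", "tabs", "history", "management", "debugger"}

# Constructed sample manifests, not taken from any real extension.
SAMPLE_MANIFESTS = [
    '{"name": "Weather widget (constructed)", "manifest_version": 2,'
    ' "permissions": ["tabs", "<all_urls>", "storage"]}',
    '{"name": "Recipe clipper (constructed)", "manifest_version": 3,'
    ' "permissions": ["storage", "activeTab"],'
    ' "host_permissions": ["https://recipes.example/*"]}',
    '{"name": "Page tool (constructed)", "manifest_version": 3,'
    ' "permissions": ["cookies"],'
    ' "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}',
]

def audit_manifest(manifest):
    """Return the broad host patterns and sensitive APIs a manifest requests."""
    requested = list(manifest.get("permissions", []))      # MV2 mixes hosts and APIs here
    requested += manifest.get("host_permissions", [])      # MV3 host access
    requested += manifest.get("optional_permissions", [])
    requested += manifest.get("optional_host_permissions", [])
    for script in manifest.get("content_scripts", []):     # scripts injected into pages
        requested += script.get("matches", [])
    strings = {p for p in requested if isinstance(p, str)}
    return {
        "name": manifest.get("name", "(unnamed)"),
        "broad_hosts": sorted(strings & BROAD_HOSTS),
        "sensitive_apis": sorted(strings & SENSITIVE_APIS),
    }

def audit_all(raw_manifests):
    """Parse each JSON manifest string and audit it."""
    return [audit_manifest(json.loads(raw)) for raw in raw_manifests]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_MANIFESTS):
        verdict = "REVIEW" if f["broad_hosts"] else "ok"
        print(f"{verdict:6} {f['name']}: hosts={f['broad_hosts']} apis={f['sensitive_apis']}")
```

An extension flagged here is not necessarily malicious; the check only shows which ones hold the all-sites access that makes a rogue extension so damaging.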

The recent discovery of a uniquely stubborn rogue extension quickly led to revelations of others, and to the company’s alarming admission that over a thousand malicious apps are uploaded to the Play Store every single month. Equally disturbing is Google’s apparently lackadaisical response to the first extension; after being notified of its presence, Google took 19 days to remove it from the Play Store!

A company spokesperson stated that this extension and another user-resistant malicious app were “automatically removed… from the machines of affected users.” Now, “automatic” implies “fast,” but these removals did not happen until hours after Ars Technica published a post about them and the weeks-long delay in getting attention paid to the first one!

Malicious Chrome extensions

The malicious apps in question were “Tiempo en Colombia en vivo” (Weather in Colombia Live), a Chrome extension, and “Play Red Bull version 4,” ostensibly a children’s game that runs in Chrome. They are both gone, but the way they were handled has left a sour taste in many mouths.

James Oppenheim, who reviews children’s games professionally, is one of those whose lips are twisted bitterly. The rogue “game” contained a logo that named his site, jamesgames.com, as the official home of the malware! James notes that he has never written an extension; he reviews games, he does not create them. “It appears that whoever published it knows enough about what I do reviewing kid’s software to think that my name would help make the malware more trustworthy,” Oppenheim told Ars.

Adding insult to that injury, he says that a week after he reported the offending app via the “REPORT ABUSE” button on its Play Store page, he had absolutely no response from Google and the malware remained available… and aimed at children, mind you!

You can protect yourself by limiting the browser extensions you install to those that are well-established, with many thousands of positive reviews, and preferably millions of existing users. The Chrome Web Store displays star ratings and the number of user reviews on the category pages. When you click to see the details of an extension, you can see how many users have installed it, and read the reviews.

The “game’s” page said it had 27,781 users at the time Oppenheim investigated it. Many of them posted warnings that the thing was malware. “Makes me wonder how seriously Google is taking this problem,” he said in his email to Ars Technica’s Security Editor, Dan Goodin.

Fumbling the Ball

I wonder too. Google’s spokesperson didn’t even get the word “Ball” right in the response that Goodin finally received, substituting “Bull.” Funny, that’s exactly what I think is Google’s response to this security failure! There’s a lot more to this story as told by Oppenheim and Goodin, but I think we have the gist: Google didn’t just fumble the ball, it was disgracefully late to the game.

I mentioned earlier that 1000+ malicious apps are uploaded to the Play Store every month, and the great majority of those are automatically flagged and removed. So it’s not fair to say that Google isn’t trying to protect their users. But you can only do so much with automation. When you’re dealing with numbers of users in the tens or hundreds of millions, a success rate of 99.9% is not nearly good enough.

I get it: Google Chrome is the world’s most-used browser by several country miles; it’s the first and often only target of every hacker. But Google knows that, and Google has plenty of money to throw at problems like this. If they don’t have enough people to handle problems like this, I refer you to the previous sentence. When problems are proactively reported by real humans who are saying “Hey, this is malware!” they should be acted on swiftly.

This sort of failure to protect, and delay in remediation, and defense of indefensible obtuseness, is simply unacceptable. Google, you must do better here. If you want better security, just DON’T use Chrome or its apps! It’s really that simple: use Firefox or Windows’ built-in browser, make damn sure you have Malwarebytes and a good anti-virus program, and know where your apps are coming from.

Have a safe week from all of us on the ZI Staff