Malicious Extensions in Chrome Web Store: 1.7 Million Users Affected

Security researchers have uncovered a widespread browser extension campaign that silently harvested user data and redirected traffic—affecting over 2.3 million users across Chrome and Edge.

Discovery by Koi Security

Researchers from Koi Security have identified 11 malicious extensions in the official Chrome Web Store that were collectively downloaded more than 1.7 million times. The campaign, dubbed “RedDirection,” involved extensions that posed as helpful tools—like VPNs, emoji keyboards, and color pickers—while secretly performing malicious activities.

Malicious Capabilities:

• Tracking user activity
• Collecting detailed browsing data
• Redirecting users to malicious or scam sites

Many of these extensions appeared legitimate at first glance, complete with polished branding and hundreds of fake positive reviews. The dangerous behavior was introduced later through silent updates—some extensions were clean for years before being hijacked.

Affected Chrome Extensions (Remove Immediately!)

The following extensions were flagged as part of the RedDirection campaign. If you have any of these installed, uninstall them immediately:

1. Color Picker, Eyedropper – Geco colorpick
2. Emoji Keyboard Online – Copy & Paste Your Emoji
3. Free Weather Forecast
4. Video Speed Controller – Video Manager
5. Unlock Discord – VPN Proxy to Unblock Discord Anywhere
6. Dark Theme – Dark Reader for Chrome
7. Volume Max – Ultimate Sound Booster
   • (Previously flagged by LayerX)
8. Unblock TikTok – Seamless Access with One-Click Proxy
9. Unlock YouTube VPN
10. Unlock TikTok

Some of these names mimic trusted tools, but their behavior tells a different story.

How the Attack Worked

The extensions used a background service worker (leveraging the Chrome Extensions API) to monitor users in real-time. Here's how the attack unfolded:

• Every visited URL was logged
• Each session was tied to a unique user ID
• Data was sent to a remote command-and-control server
• The server had the ability to issue redirect commands to malicious websites

Koi researchers did not observe active redirects during testing—but the infrastructure was in place, suggesting potential for abuse at any moment.

Microsoft Edge Also Affected

Koi Security also discovered six similar extensions in the Microsoft Edge Add-ons Store, affecting over 600,000 users.

Notable Edge Extensions:

• Unlock TikTok
• Volume Booster — Increase Your Sound
• SearchGPT — ChatGPT for Search Engine

This brings the total impact to over 2.3 million users across both major browsers.

Why This Threat Is So Serious

Browser extensions often fly under the radar—but they run with powerful permissions and can easily become attack vectors. This campaign demonstrates several concerning patterns:

• Silent updates delivered malware long after users trusted the extension
• Session hijacking risk from logged browsing activity and potential credential theft
• Long-term deception: some tools operated harmlessly for years before turning malicious

As one expert put it:

“This is one of the largest browser extension supply-chain attacks we’ve seen. The silent update mechanism makes it especially insidious.”

What Users Should Do

If you’ve used any of the extensions listed—or if you’ve noticed strange browser behavior—take action now:

Immediate Steps:

• Uninstall any of the flagged extensions
• Clear your browser history and cache
• Run a malware scan using tools like Malwarebytes or Windows Defender
• Change your passwords, especially if you accessed sensitive accounts
• Enable multi-factor authentication (2FA) wherever possible

Additionally, review all your installed extensions—remove anything unfamiliar or suspicious.

Criticism of Google and Microsoft

Despite the findings, some malicious extensions remain available in the Chrome and Edge web stores. Researchers have criticized both companies for slow response times and inadequate vetting—especially considering the vast reach of these platforms.

“If a malicious extension is active in a browser store for months—or even years—without detection, the approval process is clearly broken,” one researcher told Koi Security.

Pro Tip: How to Spot a Suspicious Extension

Not all shady extensions wave red flags—but some patterns can help you avoid future threats:

• Check update logs regularly. Did an extension recently receive a big update after years of inactivity? Be cautious.
• Watch for sudden surges in reviews, especially if they’re vague, repetitive, or overly positive.
• Review requested permissions—does a simple color picker need access to all your browsing data? Probably not.
• Prefer open-source tools with transparent development and active maintainers.

Final Word

The RedDirection campaign is a stark reminder that browser extensions remain a high-risk vector for supply-chain attacks. Whether you're using Chrome, Edge, or any other modern browser, staying informed—and skeptical—is your first line of defense.