You already know to be wary of third-party Android apps, and even to watch your back in the Google Play Store. A flashlight app with only 12 reviews might be hiding some malware as well. But your hyper-vigilant download habits should extend beyond your smartphone. You need to keep an eye on your desktop Chrome extensions as well.

These handy little applets give you seamless access to services like Evernote or password managers, or put your Bitmoji just a click away. As with Android apps, though, Chrome extensions can sometimes hide malware or other scourges, even when you install them from the official Chrome Web Store. Google says that malicious extension installs have decreased by roughly 70 percent over the last two and a half years, but a steady stream of recent research findings shows that the problem, and the risk to users, is far from resolved.

“What we’re seeing is an increase in criminal use of extensions,” says William Peteroy, CEO of the security firm Icebrg. “And when we start to see criminal pickup on things it absolutely meets our bar that this is something we need to pay attention to, and something users need to start paying a lot more attention to than they are right now.”

Sneak Attacks

Other browsers suffer a similar onslaught, but with Chrome holding almost 60 percent of the browser market, attacks on its users will generally affect the largest number of people, making it a prime target for criminal hackers. Icebrg recently highlighted four malicious extensions in the Chrome Web Store that had more than 500,000 downloads combined. The extensions masqueraded as standard utilities, with names like “Stickies” and “Lite Bookmarks.” The researchers saw indications, though, that they were actually part of click-fraud scams to boost revenue for attackers. And the extensions requested enough privileges that they could have snooped even more, accessing user data and tracking browsing behavior. Google removed the four extensions after Icebrg disclosed them privately.

“Since the creation of the extensions platform, we’ve worked hard to keep the extensions ecosystem free from malware and abuse,” says James Wagner, a Chrome product manager at Google. “We're using machine learning to detect malicious behavior in extensions, and … we’ve been particularly focused on cracking down on abusive distribution methods.” In particular, the Chrome team has been working to detect and block situations where websites push users to get an extension, sometimes trapping them in layers of installation pop-ups that try to trick people into installing.

In spite of these efforts, though, malicious extension campaigns pop up regularly. Part of the problem: Chrome is already a trusted application. An extension's code runs inside the browser's own processes, so once a user has granted it the permissions it asks for, the operating system and most antivirus products see only a trusted browser making web requests and usually give it a free pass. And the more systems and services move into the browser—like Microsoft 365 and Google's G Suite—the more valuable data and network access a malicious Chrome extension could potentially reach.

In addition to distributing malicious extensions through mechanisms like phishing and compromised sites, attackers have also refined techniques to smuggle their extensions into the Chrome Web Store, and then modify them remotely once installed, adding or activating nasty features that were not present when the extension was reviewed.
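Both levers described above, the privileges an extension requests and its ability to change behavior after installation, are visible in the extension's manifest. The following Node.js script is an added example, not code from this article or from Icebrg, Google, or any other party it quotes. It audits a Manifest V2 manifest (the format in use when this was written) for host permissions that cover every site, sensitive API permissions, content scripts injected into every page, and a content security policy that lets script be fetched from a remote origin or run through eval. The two manifests it checks are constructed for illustration and describe no real extension, and the list of permissions treated as sensitive is an assumption of this example, not a Google classification.

```javascript
// Added example: audit a Chrome extension manifest (Manifest V2) for the
// privileges that let an extension watch or alter everything the user does,
// and for settings that let its code be changed after installation.
// Not code from the article or from any vendor it quotes.  The sample
// manifests below are constructed for illustration and describe no real extension.

// API permissions that expose user data or browser state beyond the
// extension's own pages (this selection is an assumption of the example,
// not a list published by Google).
const SENSITIVE_API_PERMISSIONS = new Set([
  'tabs', 'cookies', 'history', 'webRequest', 'webRequestBlocking',
  'management', 'nativeMessaging', 'debugger', 'proxy', 'clipboardRead',
]);

// Host patterns that match every site the user visits.
const ALL_HOST_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function isAllHosts(pattern) {
  return ALL_HOST_PATTERNS.has(pattern);
}

// Inspect the MV2 content_security_policy string.  The default is
// "script-src 'self'; object-src 'self'"; any https origin added to script-src,
// or 'unsafe-eval', lets the extension load or evaluate code that was never
// part of the package the store reviewed.
function cspFindings(csp) {
  const findings = [];
  const match = /script-src([^;]*)/.exec(csp || '');
  if (!match) return findings;
  const sources = match[1].trim().split(/\s+/).filter(Boolean);
  const remote = sources.filter((s) => /^https?:/i.test(s));
  if (remote.length > 0) {
    findings.push({ severity: 'high', what: `script-src allows remote code from ${remote.join(' ')}` });
  }
  if (sources.includes("'unsafe-eval'")) {
    findings.push({ severity: 'high', what: "script-src allows 'unsafe-eval'" });
  }
  return findings;
}

// Returns a list of {severity, what} findings for one parsed manifest object.
function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (isAllHosts(p)) {
      findings.push({ severity: 'high', what: `host permission ${p} covers every site` });
    } else if (SENSITIVE_API_PERMISSIONS.has(p)) {
      findings.push({ severity: 'medium', what: `API permission ${p}` });
    }
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isAllHosts)) {
      const files = (cs.js || []).join(', ');
      findings.push({ severity: 'high', what: `content script [${files}] injected into every page` });
    }
  }
  findings.push(...cspFindings(manifest.content_security_policy));
  return findings;
}

// Overall rating: the worst severity present, or 'low' if nothing was flagged.
function riskLevel(findings) {
  if (findings.some((f) => f.severity === 'high')) return 'high';
  if (findings.some((f) => f.severity === 'medium')) return 'medium';
  return 'low';
}

// Constructed sample: a "utility" extension asking for far more than it needs.
const OVERPRIVILEGED_MANIFEST = {
  manifest_version: 2,
  name: 'Sample Utility',
  version: '1.0',
  permissions: ['storage', 'tabs', 'cookies', '<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }],
  content_security_policy: "script-src 'self' https://cdn.example 'unsafe-eval'; object-src 'self'",
};

// Constructed sample: the same feature scoped to one site, with no remote code.
const SCOPED_MANIFEST = {
  manifest_version: 2,
  name: 'Sample Utility (scoped)',
  version: '1.0',
  permissions: ['storage', 'activeTab'],
  content_scripts: [{ matches: ['https://notes.example/*'], js: ['content.js'] }],
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of [OVERPRIVILEGED_MANIFEST, SCOPED_MANIFEST]) {
    const findings = auditManifest(m);
    console.log(`${m.name}: risk ${riskLevel(findings)}`);
    for (const f of findings) console.log(`  [${f.severity}] ${f.what}`);
  }
}
```

To run it against an installed extension, load its `manifest.json` from the browser profile's extension directory with `JSON.parse(fs.readFileSync(path, 'utf8'))` and pass the object to `auditManifest`. The script only reads the manifest: an extension can still misbehave inside narrow permissions, so a clean result is a reason for less scrutiny, not a clean bill of health.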

In October, Google removed three extensions impersonating AdBlock Plus, one of which had almost 40,000 downloads. That same month, researchers at Morphus Labs discovered an extension, dubbed “Catch-All,” that launched from a phishing attempt targeting WhatsApp users, mimicked an Adobe Acrobat installer, and then captured all the data users entered while browsing in Chrome once installed, including usernames and passwords.

In December, researchers at the internet security firm Zscaler found an extension that lifted login credentials, cookies, and financial data from users who visited and logged into Banco do Brasil websites and accounts. And this month, the software security company Malwarebytes published findings about an extension (built for both Chrome and Firefox) called “Tiempo en colombia en vivo” that forced itself to install when users visited compromised web pages and then was deviously difficult to uninstall. Malwarebytes researcher Pieter Arntz said that he couldn’t even completely analyze what the extension’s operations and goals were, because it was coded with extensive obfuscation.

Arms Race

When hackers put effort into masking the true intent of software, it generally indicates that an arms race is ramping up. Obfuscation and runtime changes are the same techniques attackers use to sneak malicious mobile apps into the Google Play Store and Apple’s App Store.