Check Now – 18 Trusted Web Browser Extensions Discovered Stealing Your Data

Researchers from Kai Security have identified eighteen extensions (add-ons) for Google’s Chrome and Microsoft’s Edge website browsers, some of which are both well rated and widely installed, that have been stealthily used to hide a Trojan infection that can hijack your browser and steal personal data. Worse is that 2.3 million users have installed one of them.

The extensions themselves are often quite clever in the sense that they actually deliver on the features they claim in public and often only add the Trojan much later (sometimes years later). As a result, many of them have been around for years, earning good reviews and a degree of trust. Not to mention that Microsoft and Google clearly have not previously discovered any problems via their limited checks and balances.

“This isn’t some obvious scam extension thrown together in a weekend. This is a carefully crafted Trojan horse that delivers exactly what it promises while simultaneously hijacking your browser, tracking every website you visit, and maintaining a persistent command and control backdoor. Not only that, but it remained legitimate for years before becoming malicious through a version update,” said Idan Dardikman of Kai Security about one of the identified extensions.

Due to how Google and Microsoft handle browser extension updates, these malicious versions auto-installed themselves silently, often without end-users needing to click anything. “No phishing. No social engineering. Just trusted extensions with quiet version bumps that turned productivity tools into surveillance malware,” added Idan. “Every click, every website visit, every online transaction becomes a potential attack vector.”

Kai Security first discovered this while investigating the ‘Color Picker, Eyedropper — Geco colorpick‘ extension, before later identifying it as being just the tip of a “sophisticated cross-platform network” of eighteen malicious extensions spanning both Chrome and Edge stores, all sharing the same hijacking functionality. The team have dubbed this as the RedDirection campaign.

The extensions span across a diverse set of categories including emoji keyboards, weather forecasters, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters, and YouTube unblockers. But if you’ve read this far, then you’d probably rather we just skipped ahead to list the ones you need to check and remove.

Extension IDs

Chrome:

• kgmeffmlnkfnjpgmdndccklfigfhajen — [Emoji keyboard online — copy&past your emoji.]
• dpdibkjjgbaadnnjhkmmnenkmbnhpobj — [Free Weather Forecast]
• gaiceihehajjahakcglkhmdbbdclbnlf — [Video Speed Controller — Video manager]
• mlgbkfnjdmaoldgagamcnommbbnhfnhf — [Unlock Discord — VPN Proxy to Unblock Discord Anywhere]
• eckokfcjbjbgjifpcbdmengnabecdakp — [Dark Theme — Dark Reader for Chrome]
• mgbhdehiapbjamfgekfpebmhmnmcmemg — [Volume Max — Ultimate Sound Booster]
• cbajickflblmpjodnjoldpiicfmecmif — [Unblock TikTok — Seamless Access with One-Click Proxy]
• pdbfcnhlobhoahcamoefbfodpmklgmjm — [Unlock YouTube VPN]
• eokjikchkppnkdipbiggnmlkahcdkikp — [Color Picker, Eyedropper — Geco colorpick]
• ihbiedpeaicgipncdnnkikeehnjiddck — [Weather]

Edge:

• jjdajogomggcjifnjgkpghcijgkbcjdi — [Unlock TikTok]
• mmcnmppeeghenglmidpmjkaiamcacmgm — [Volume Booster — Increase your sound]
• ojdkklpgpacpicaobnhankbalkkgaafp — [Web Sound Equalizer]
• lodeighbngipjjedfelnboplhgediclp — [Header Value]
• hkjagicdaogfgdifaklcgajmgefjllmd — [Flash Player — games emulator]
• gflkbgebojohihfnnplhbdakoipdbpdm — [Youtube Unblocked]
• kpilmncnoafddjpnbhepaiilgkdcieaf — [SearchGPT — ChatGPT for Search Engine]
• caibdnkmpnjhjdfnomfhijhmebigcelo — [Unlock Discord]

Kai Security recommends that anybody who has installed one of these browser extensions should, obviously, remove them, then clear your browser data/cache, run a full system malware scan, monitor your online accounts and also conduct a review of all your other extensions.

“The attackers didn’t just evade Google and Microsoft’s review process; they systematically exploited it at scale, turning the marketplace into a distribution platform for sophisticated surveillance malware,” concluded Idan. Clearly, Microsoft and Google need to re-think their current approach to extension security and updates, particularly as some of these add-ons are still available for download from some of the official stores (e.g. here).