Free Chrome VPN extension turns malicious, silently recording user activity

Alfonso Maruccia

WTF?! Using free software and services, especially when no open source project is involved, usually requires a significant degree of trust from the end user. FreeVPN.One earned that trust over the years, only to eventually weaponize it against its own users.

A recent report by Koi Security unveiled the massive threat hidden within FreeVPN.One. The supposedly free and fast VPN extension was downloaded by more than 100,000 Chrome users, boasting its ability to mask internet traffic while protecting against web snooping. The developers even claimed it avoided the security risks typically associated with installing additional software on Windows or Mac computers.

According to Koi's research, FreeVPN.One was far more than just a simple security risk. While the developer stated that it would not collect or use any personal data, the extension was doing exactly the opposite. FreeVPN.One was, and still is, essentially a surveillance tool designed to track everything users were doing and every site they were visiting.

In recent months, the malicious extension began to silently capture screenshots of every web page visited. A background script would load a few seconds after each page appeared, requiring no user action or confirmation. Even worse, the screenshots were transmitted along with the page's URL, the tab ID, and a unique user identifier.

"FreeVPN.One shows how a privacy branding can be flipped into a trap. You reach for protection, instead, the tool watches back. What's sold as safety becomes a quiet pipeline for collecting what you do and where you are," said Koi researcher Lotan Sery.

FreeVPN.One also included a so-called AI Threat Detection feature, which captured a page screenshot and uploaded it to a remote server for analysis. While the tool's privacy policy admitted that the feature would upload screenshots of a user's web activity, it failed to disclose that additional screenshots were already being taken in the background by the hidden script.

The extension further demanded an excessive set of permissions to access Chrome's data and settings, including open tabs, browsing activity, and URLs.
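A defender can check an unpacked extension's `manifest.json` for the capability combination described above before allowing it in a fleet. The following is an added example, not code from Koi's report or from the extension; the permission names are Chrome's own manifest values, the function name is hypothetical, and both sample manifests are constructed for illustration and are not FreeVPN.One's actual manifest.

```python
# Chrome match patterns that cover every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome permissions exposing open tabs, browsing activity and URLs.
SENSITIVE = {"tabs", "history", "webNavigation", "webRequest", "scripting"}


def audit_manifest(manifest: dict) -> dict:
    """Summarise what a manifest lets an extension do without user action."""
    perms = set(manifest.get("permissions", []))
    # Manifest V3 lists hosts separately; V2 mixes them into "permissions".
    granted_hosts = (perms | set(manifest.get("host_permissions", []))) & BROAD_HOSTS
    injected_everywhere = any(
        BROAD_HOSTS & set(cs.get("matches", []))
        for cs in manifest.get("content_scripts", [])
    )
    bg = manifest.get("background", {})
    has_background = any(bg.get(k) for k in ("service_worker", "scripts", "page"))
    return {
        "sensitive_permissions": sorted(perms & SENSITIVE),
        "broad_hosts": sorted(granted_hosts),
        "content_script_on_every_page": injected_everywhere,
        # chrome.tabs.captureVisibleTab needs <all_urls> or activeTab; only
        # <all_urls> works from a background script with no user gesture.
        "silent_capture_possible": has_background and "<all_urls>" in granted_hosts,
    }


# Constructed sample: a "VPN" that can see and capture every page.
BROAD_SAMPLE = {
    "manifest_version": 3,
    "permissions": ["proxy", "storage", "tabs", "scripting"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}],
}
# Constructed sample: proxy control only, capture gated on a user click.
NARROW_SAMPLE = {
    "manifest_version": 3,
    "permissions": ["proxy", "storage", "activeTab"],
    "background": {"service_worker": "bg.js"},
}

if __name__ == "__main__":
    for name, m in (("broad", BROAD_SAMPLE), ("narrow", NARROW_SAMPLE)):
        print(name, audit_manifest(m))
```

A positive result only shows that the capability is granted, not that it is being abused; the extension's background script still has to be reviewed.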

According to Koi, FreeVPN.One was designed to gain extensive access to and control over user data. The security company asked the developer to properly identify themselves and share their work portfolio, but the unknown vendor ultimately stopped responding to inquiries.

The report offers a fascinating yet damning look into FreeVPN.One's descent into the cybercrime business. For years the extension provided basic but legitimate VPN functionality, before gradually layering on increasingly malicious, privacy-negating features in recent months.
