The big picture: Malicious browser extensions remain a problem on the Chrome Web Store, but Google has been proactive in recent years in its attempts to make life safer for Chrome users. The company routinely deletes malicious extensions from its store, and has now removed three dangerous add-ons that were posing as VPNs.
The fake VPN extensions were discovered by cybersecurity researchers at ReasonLabs, who say the malicious software was distributed through torrents of popular video games, such as Grand Theft Auto, The Sims 4, Heroes 3 and Assassin's Creed. The trojan installers, which were Electron apps between 60MB and 100MB in size, were reportedly found in more than 1,000 different torrent files, and worked like legitimate VPNs at first to avoid detection.
Once the files were downloaded on a computer, the VPN extensions automatically installed on the system without any interaction on the part of the user. The installer also reportedly checked for anti-malware software on the infected device before forcibly installing one of at least three fake VPN extensions. The most popular of the three was netPlus, which had over 1 million users, while the other two were netSave and netWin, which accounted for a further 500,000 installs.
The developers of the malicious extensions tried their best to portray them as authentic by offering some actual VPN functionality, as well as paid subscription tiers that made them look genuine at first glance. However, all three abused the 'offscreen' permission, which let them run scripts through the Offscreen API and gain comprehensive access to the current web page's DOM (Document Object Model), allowing them to steal sensitive user data.
The extensions were also able to hijack browsers, manipulate web requests, and even disable other extensions automatically. As per the report, the malware disabled cashback extensions on the infected computer and redirected profits to the criminals. The malware reportedly targeted over 100 legitimate cashback extensions, including Avast SafePrice, AVG SafePrice, Honey: Automatic Coupons & Rewards, LetyShops, Megabonus, AliRadar Shopping Assistant, Yandex.Market Adviser, ChinaHelper, and Backlit.
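For defenders triaging a machine, the following added example (not code from the article or from ReasonLabs) audits the manifests under a Chrome profile's `Extensions` directory for the permissions behind the behaviours described above. The permission-to-behaviour mapping, the function names and the sample manifest are assumptions made for this example.

```python
import json
import sys
from pathlib import Path

# Names from the article. A manifest may hold a localized "__MSG_...__"
# placeholder instead of the display name, so a match is only a hint.
REPORTED_NAMES = {"netplus", "netsave", "netwin"}
# Assumed mapping from the behaviours described above to the manifest
# permissions that make them possible (a triage heuristic, not a verdict).
RISKY = {
    "offscreen": "can run scripts in an offscreen document",
    "management": "can enable or disable other extensions",
    "webRequest": "can observe or alter web requests",
    "declarativeNetRequest": "can redirect or block web requests",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Constructed sample manifest, not taken from a real extension.
SAMPLE = {"name": "netPlus", "permissions": ["offscreen", "management"],
          "host_permissions": ["<all_urls>"]}


def audit_manifest(manifest: dict) -> list:
    """Return findings for one parsed manifest.json (empty list if none)."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(p for p in (manifest.get(key) or []) if isinstance(p, str))
    findings = [f"{p}: {why}" for p, why in RISKY.items() if p in perms]
    if perms & BROAD_HOSTS:
        findings.append("broad host access: applies to every site visited")
    if str(manifest.get("name", "")).strip().lower() in REPORTED_NAMES:
        findings.append("name matches an extension named in the report")
    return findings


def scan_extensions(root: Path) -> dict:
    """Audit <root>/<extension id>/<version>/manifest.json for each extension."""
    report = {}
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        try:
            text = path.read_text(encoding="utf-8-sig")
            findings = audit_manifest(json.loads(text))
        except (OSError, ValueError, AttributeError, TypeError):
            findings = ["manifest unreadable or malformed"]
        if findings:
            report[path.parent.parent.name] = findings
    return report


if __name__ == "__main__":
    # Pass a Chrome profile's Extensions directory, or audit the sample.
    print(scan_extensions(sys.argv[1]) if sys.argv[1:] else audit_manifest(SAMPLE))
```

A finding is a prompt to review the extension, since legitimate add-ons also request these permissions.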
Google has removed all three extensions from the Chrome Web Store after being contacted by ReasonLabs, but not before they infected around 1.5 million devices. While these extensions are now history, they are unlikely to be the last pieces of malware on the Chrome Web Store, so it's imperative that people stay vigilant about what they install on their devices.