In brief: It's not just the Play Store where Google has to deal with malicious software sneaking past its safeguards. The company has just removed 32 malicious extensions from the Chrome Web Store that appear to have been installed a combined 75 million times.

As is often the way in these cases, the extensions were able to hide their hidden code from users by performing their intended functions, reports BleepingComputer.

Cybersecurity researcher Wladimir Palant previously wrote that he had discovered obfuscated code in the PDF Toolbox extension for Google Chrome, which had a Chrome Web Store rating of 4.2 and more than 2 million users.

Palant wrote that the code allows the "serasearchtop[.]com" website to inject arbitrary JavaScript code into all websites that users of the extension visit. He explained the code was designed to activate 24 hours after the extension was installed, with its likely intention being the injection of ads.

A couple of weeks after discovering the code in the PDF Toolbox extension, Palant wrote in a follow-up article that he had found 18 malicious browser extensions using similar code. They had a combined user count of 55 million and included Autoskip for YouTube (9 million active users), Soundboost (6.9 million), and Crystal Ad block (6.8 million).


Avast reported the extensions to Google after it confirmed they contained malicious code. The cybersecurity giant discovered other similar extensions, taking the total to 32 and the number of installs to 75 million.

Avast did add the caveat that while that number is alarmingly high, the install counts may have been artificially inflated. It basis this theory on the suspiciously low number of reviews on the Chrome Web Store and the fact that the number of people who encountered the malicious activity didn't align with the number of installs.

Avast confirmed that the extensions' final payload appears to be adware that spams people with unwanted ads, along with a search results hijacker that displays sponsored links, paid search results, and potentially malicious links. Google said that the reported extensions have now been removed from the Chrome Store. Anyone who still has the extensions installed should deactivate or uninstall them.