Assessments of how serious the problem of malicious extensions in the Chrome Web Store is differ sharply. On one side, Google claims that less than 1% of all installations contain malware. On the other, university researchers warn that 280 million people installed malware-tainted extensions over a three-year period.
Google announced last week that in 2024 less than 1% of all installations from the Chrome Web Store, which currently houses more than 250,000 extensions, contained malware. The company said it is proud of its security record, but acknowledged that some malicious extensions still slip through review, which is why its security team continuously monitors extensions after they are published. “Like any software, extensions can also pose risks,” the security team noted.
Researchers Sheryl Hsu, Manda Tran and Aurore Fass from Stanford University and the CISPA Helmholtz Center for Information Security provided more specific numbers. In a detailed study, the trio analyzed Security Notable Extensions (ENS) in the Chrome store. ENS are defined as extensions that contain malware, violate Chrome Web Store policy, or contain vulnerable code.
Between July 2020 and February 2023, 346 million users were found to have installed ENSs. Of these, 63 million installed extensions that violated store policy and three million installed extensions containing vulnerable code, while a staggering 280 million installed extensions containing malware. At the time, nearly 125,000 extensions were available in the Chrome Web Store.

The study also revealed that safe extensions generally do not remain available in the store for long, with only 51.8 – 62.9% still accessible after one year. In contrast, ENSs tend to remain in the store for an average of 380 days if they contain malware and 1,248 days if they contain vulnerable code.
The longest-lived ENS, called TeleApp, was available for 8.5 years: it was last updated on December 13, 2013, and was identified as containing malware on June 14, 2022, when it was removed.
We often advise checking user reviews to determine whether an app or extension is malicious. However, the researchers found that this does not help in the case of ENSs. “In general, users do not give lower ratings to ENSs, indicating that many may not be aware of the danger of these extensions”, the authors point out.
Google says a dedicated security team provides users with a personalized summary of their installed extensions, reviews extensions before they are published to the store, and continues to monitor them after publication. The researchers suggest that Google should also monitor extensions for code similarity.
“For example, around 1,000 extensions use the open-source Extensionizr project; 65 – 80% of them still use the initial, vulnerable versions of the library shipped with the tool six years ago”, says the report. The authors also highlight the lack of maintenance that allows extensions to remain in the store long after vulnerabilities in their bundled code are disclosed.
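The two checks the researchers describe, flagging extensions that share most of their code and flagging extensions that still bundle a known-stale library version, can be approximated with file-content hashing. The script below is an added illustration, not code from the Stanford/CISPA study or from Google; the extension bundles, the "vendor lib" stub and its "stale" fingerprint are all constructed here for the example, and the Jaccard threshold of 0.5 is an arbitrary assumption.

```python
import hashlib
from itertools import combinations

# Constructed sample extension bundles: name -> {relative path: file content}.
# Made-up inputs for this example, not real Chrome Web Store extensions.
EXTENSIONS = {
    "ext_a": {
        "manifest.json": '{"name": "A", "version": "1.0", "manifest_version": 3}',
        "background.js": "console.log('a');",
        "lib/helper.js": "function h(){return 1}",    # shared boilerplate
        "lib/vendor.js": "/* vendor lib v1.0.0 */",   # old shared library build
    },
    "ext_b": {
        "manifest.json": '{"name": "B", "version": "2.3", "manifest_version": 3}',
        "background.js": "console.log('b');",
        "lib/helper.js": "function h(){return 1}",
        "lib/vendor.js": "/* vendor lib v1.0.0 */",
    },
    "ext_c": {
        "manifest.json": '{"name": "C", "version": "0.1", "manifest_version": 3}',
        "content.js": "document.title = 'c';",
        "lib/vendor.js": "/* vendor lib v2.0.0 */",   # newer library build
    },
}


def file_digests(bundle):
    """Map each file path to the SHA-256 of its content. The manifest is
    excluded because it legitimately differs between every extension."""
    return {
        path: hashlib.sha256(content.encode()).hexdigest()
        for path, content in bundle.items()
        if path != "manifest.json"
    }


def jaccard_similarity(digests_a, digests_b):
    """Jaccard index over the sets of content hashes (independent of file paths,
    so renamed copies of the same file still count as shared)."""
    a, b = set(digests_a.values()), set(digests_b.values())
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def find_similar_pairs(extensions, threshold=0.5):
    """Return (name1, name2, similarity) for every pair at or above threshold,
    i.e. candidate clusters of near-identical extensions worth a closer look."""
    digests = {name: file_digests(bundle) for name, bundle in extensions.items()}
    pairs = []
    for n1, n2 in combinations(sorted(digests), 2):
        sim = jaccard_similarity(digests[n1], digests[n2])
        if sim >= threshold:
            pairs.append((n1, n2, round(sim, 3)))
    return pairs


def find_stale_library(extensions, stale_digest):
    """Return the extensions bundling a file whose hash matches a known-stale
    library build. In practice the digest list is maintained by the reviewer."""
    return sorted(
        name for name, bundle in extensions.items()
        if stale_digest in file_digests(bundle).values()
    )


# Hypothetical stale fingerprint, computed from the constructed v1.0.0 stub above.
STALE_VENDOR_V1 = hashlib.sha256(b"/* vendor lib v1.0.0 */").hexdigest()

if __name__ == "__main__":
    for n1, n2, sim in find_similar_pairs(EXTENSIONS):
        print(f"{n1} ~ {n2}: similarity {sim}")
    print("bundling stale vendor lib v1.0.0:",
          find_stale_library(EXTENSIONS, STALE_VENDOR_V1))
```

Hashing whole files only catches exact copies; a store-scale version of this check would normalize or minify sources first and use a fuzzier measure, but the structure (content fingerprints, pairwise similarity, a list of known-bad library builds) is the same.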
This complex picture of malicious extensions in the Chrome Web Store raises important questions about digital security and reinforces the need for continued vigilance on the part of developers and end users alike.