These 108 Malicious Chrome Extensions Are Stealing Data From Google and Telegram.

If you use Google Chrome, be aware: you may be running malicious extensions without even realizing it. As reported by The Hacker News, cybersecurity researchers from the threat research group Socket have identified 108 extensions available in Google Chrome that steal login credentials, user IDs, and web browsing data. All 108 extensions transmit this information to servers controlled by a single operator, despite being published by five different developers (GameGen, InterAlt, Rodeo Games, SideGames, and Yana Project). Collectively, these extensions have approximately 20,000 installations, not a huge number of targets given Chrome’s 3.62 billion users, but still concerning given the number of extensions involved in this coordinated scheme.
The Socket team identified several key categories of these extensions: Telegram sidebar clients that display a working Telegram chat interface in the browser; slot machines and keno apps that offer gambling; YouTube and TikTok enhancers; webpage extensions; and a text translation tool. All of the extensions appear to offer services advertised in the Chrome Web Store but also launch malware.
Users who install the Telegram client may have a working chat, but in reality, an extension hijacks Telegram Web sessions every 15 seconds, leaking all messages, contacts, and linked accounts. 54 extensions steal your Google account credentials when you click “sign in,” leaking your email address, name, and profile photo to the operator. (Notably, this scheme does not grant the operator access to your Google account.) 45 extensions have a backdoor that can open any URL the operator wants in your browser. 78 extensions can inject HTML code into your browser. Five extensions can bypass YouTube and TikTok security measures to inject gambling ads and pop-ups on those sites. And when you register for a text translation tool, your email address and full name, along with anything you translate using the extension, are sent to the server.
How to protect yourself from these malicious extensions
The first thing you should do is check if you have any of these extensions installed in your browser. Some of the more popular extensions listed here include “Telegram Multi-account,” “Black Beard Slot Machine,” “Page Locker,” and “InterAlt,” but a full list of extensions, including their Chrome IDs, can be found in Socket’s report here.
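One way to run that check across every Chrome profile on a machine, as an added example that is not from Socket or the original article: it assumes the extension IDs from Socket’s report have been saved one per line to a local file (the file name ids.txt is hypothetical) and that Chrome uses its default profile locations.

```python
import json
import os
import re
import sys
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
ID_RE = re.compile(r"^[a-p]{32}$")

def default_user_data_dirs():
    """Standard Chrome 'User Data' locations on Linux, macOS and Windows."""
    home = Path.home()
    dirs = [home / ".config/google-chrome",
            home / "Library/Application Support/Google/Chrome"]
    if os.environ.get("LOCALAPPDATA"):
        dirs.append(Path(os.environ["LOCALAPPDATA"]) / "Google/Chrome/User Data")
    return [d for d in dirs if d.is_dir()]

def load_blocklist(path):
    """Read one extension ID per line; skip blanks, comments and malformed lines."""
    ids = set()
    for line in Path(path).read_text().splitlines():
        token = line.split("#", 1)[0].strip().lower()
        if ID_RE.match(token):
            ids.add(token)
    return ids

def manifest_name(ext_dir):
    """Best-effort name from the first readable manifest (may be a __MSG_ placeholder)."""
    for manifest in sorted(ext_dir.glob("*/manifest.json")):
        try:
            return json.loads(manifest.read_text(encoding="utf-8-sig")).get("name", "?")
        except (OSError, ValueError):
            continue
    return "?"

def find_flagged(user_data_dir, blocklist):
    """Return sorted (profile, extension_id, name) for installed IDs on the blocklist."""
    hits = []
    for ext_dir in Path(user_data_dir).glob("*/Extensions/*"):
        if ext_dir.is_dir() and ext_dir.name in blocklist:
            hits.append((ext_dir.parent.parent.name, ext_dir.name, manifest_name(ext_dir)))
    return sorted(hits)

if __name__ == "__main__":
    # Assumed usage: python check_extensions.py ids.txt  (ids.txt copied from the report)
    wanted = load_blocklist(sys.argv[1])
    for data_dir in default_user_data_dirs():
        for profile, ext_id, name in find_flagged(data_dir, wanted):
            print(f"FLAGGED {ext_id} in profile '{profile}' under {data_dir}: {name}")
```

Matching on the ID rather than the display name matters here because the extension’s listed name can differ from what the manifest stores, while the ID directory is fixed per extension.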
If you used Telegram Multi-account, Socket recommends logging out of all Telegram Web sessions using the Telegram app. This option can be found in Settings > Devices > Log Out All Other Sessions. If you signed in to any of these extensions with your Google account, assume your identity has been compromised and check the third-party app permissions here. Unfortunately, if you used Text Translation with email, your name and email address were compromised.
In the future, exercise extreme caution before installing new extensions to your browser. Although the Chrome Web Store is supposed to contain only “safe” extensions, malware still finds its way into the market. Always carefully check each extension description before installing: if an extension requires sensitive information, has few reviews, or is poorly written, it’s best to avoid installing it altogether.