cloudThing logo in white
Menu open icon
tel: +44 (0) 121 393 4700
Menu closed icon


Generally useful pages


We know loads about this stuff

What we do

The Building Blocks for cloudThing Magic

Scrap robot, very rusty

Google Shuts Down Over 500 Spammy Chrome Extensions

Google recently removed over 500 Chrome extensions that had been found to be stealing private data in response to a report from a researcher who had found the different browser pug-ins had aided both fraud and data theft.

The researcher, a private cyber security expert called Jamila Kaya used a free extension called CRXcavator which had been released last year.

They discovered a set of Chrome extensions that…

open quote mark

infected users and exfiltrated data through malvertising while attempting to evade fraud detection on the Google Chrome Web Store. The Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms

Jamila Kaya

close quote mark

It’s fairly common knowledge that Google have been on the back foot for the last year or two as they’ve tried to change the way Chrome extensions work due to the API’s currently available being so open to abuse.

Their next update, known as Manifest v3, will be much more security focussed but the problem is, whilst it’s still in development Chrome extensions are still being written and released under the much less secure Manifest v2, with the Chrome Web Store being understaffed and struggling to deal with the issues v2 cause.


Jamila Kaya found several extensions last year that were offering Advertising as a Service such as MapsTrek Promotions, FreeWeatherApp Promos and Coupon Rockstar Offers, that were part of a much larger network of browser plugins sharing similar code.  

In total she found about seventy of these similar extensions before turning her findings over to Google to remove them.

Using that data Google then created a ‘code fingerprint’ and found over 500 more spammy/dangerous extensions which were also removed,


It’s thought about 1.7m Chrome users had these extensions installed before they were removed.


Kaya stated these extensions seem to have been created to operate ‘under the radar’ by generating ad revenue through the technique of redirecting the probably unaware victims browser to a series of malicious host sites (almost all of which were hosted on Amazon Web Service or AWS)that would then serve a variety of ads both legitimate and malicious.

open quote mark

We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses. We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.

Google spokesperson

close quote mark

You may also be interested in...

Understanding The Benefits Of Predictive Science For The Nonprofit Sector

Business Architecture

Top 6 Digital Impacts On Membership Organisations

Contact us

Worried about your cyber security? Speak to cloudThing's digital security experts to see how we can help secure your business



Company name


Email address


Telephone number

Is there anything else you'd like us to know?

© cloudThing 2021

© 2020 Copyright cloudThing ltd. All rights reserved. Company registered in England & Wales no. 7510381, VAT no. 152340739