Chrome and Edge Extensions Hijack 4M+ Devices

The Hidden Threat of Malicious Browser Extensions

Malicious Chrome and Edge extensions have evolved from simple tools like emoji keyboards or productivity add-ons into a sophisticated spyware operation that has compromised over 4 million devices. What started as seemingly harmless utilities has transformed into a long-running campaign that exploits user trust in browser marketplaces. This shift has turned everyday browsing into a data-harvesting pipeline, and it serves as a wake-up call for users who may have considered extensions low-risk tools.

Researchers have uncovered a layered operation where "sleeper" extensions remained dormant for months before activating tracking code through updates or remote commands. This campaign has affected users on both Chrome and Edge, often through what appeared to be legitimate listings. It highlights the vulnerabilities within the browser extension ecosystem when attackers are willing to play the long game.

How a Seven-Year Campaign Hijacked Everyday Browsing

The scale of this operation is staggering, as it did not rely on a single rogue add-on but rather a coordinated set of extensions that evolved over time. Security researchers have linked the activity to a seven-year malicious browser extension campaign that infected 4.3 million users of Google Chrome and Microsoft Edge. These extensions turned routine web sessions into opportunities for surveillance and fraud, without the need to break into operating systems or exploit complex vulnerabilities.

Instead, the attackers relied on the permissions users granted to extensions that appeared useful or fun. One early stage involved a tool called Clean Master, which later paved the way for a phase in which spyware reached 4 million users. Over time, the attackers refined their approach, shifting from obvious adware to stealthier data collection that blended into normal browsing behavior.

“Sleeper” Extensions That Turned Into Live Spyware

One of the most unsettling aspects of this story is that many of the extensions were not initially malicious. Researchers documented "sleeper" browser extensions that behaved normally at first, then received updates that activated spyware functions on 4 million devices. These add-ons had already earned user ratings and a sense of legitimacy, so the switch to spying code happened after people had stopped paying close attention.

This pattern aligns with a broader trend identified by Koi Security, where legitimate extensions turned malicious in later updates. In practice, an extension that once simply changed your new tab page could suddenly start logging search queries, capturing browsing histories, or exfiltrating other data in real time. The trust users place in updates becomes a weapon when the update channel itself is compromised.

From Emoji Keyboards to “Unlock TikTok”: The Lure of Fake Utility

The campaign’s effectiveness stems from its use of familiar, low-friction use cases that appeal to a broad audience. Security guidance now explicitly warns users to check their browsers for names like "Emoji keyboard online" on Chrome or "Free Wea themed tools" that promise quick weather updates, along with "Unlock Discord" on Edge. These labels are designed to sound like lightweight add-ons people install without a second thought.

Earlier this summer, Koi described how the extensions masquerade as popular productivity and entertainment tools across diverse categories, from emoji packs to video helpers, spread across both major browser marketplaces. On Microsoft Edge, specific entries such as "Unlock TikTok" and "Volume Boost" appear in lists of extensions that users are being urged to remove, with identifiers tied to these threats.

4.3 Million Victims on Chrome and Edge

What turns this from a niche security story into a mainstream privacy crisis is the sheer number of people affected. Reporting indicates that 4.3 million users have installed at least one of the malicious browser extensions on Chrome and Edge, often thinking they were getting simple wallpapers or productivity improvements. A parallel account notes that the same 4.3 million figure applies across both Chrome and Edge, underscoring that this is not a single platform's problem but a shared ecosystem failure.

These numbers sit alongside the 4 million devices tied to the "Sleeper" spyware phase, suggesting that the campaign has reached deep into the everyday browsing habits of people who may never have installed traditional malware. Because the extensions often marketed themselves as tools for Chrome and Edge users who wanted small conveniences, the victims include office workers, students, and families who simply clicked "Add to browser" on a trusted marketplace page.

How the Extensions Actually Spy on You

Behind the friendly icons and upbeat descriptions, the malicious extensions behave like classic spyware once activated. Researchers have documented how the "Sleeper" browser extensions, after lying dormant, woke up as spyware on 4 million devices, capturing browsing activity and other data in real time. Because extensions sit inside the browser, they can see search terms, URLs, and sometimes the content of pages, especially when users grant permissions like "read and change all your data on the websites you visit."

Koi Security researchers have also explained how hackers are hiding malware in popular Chrome extensions, often by embedding dormant code that only activates after a delay or in response to remote configuration changes. That approach helps the extensions pass initial reviews and avoid raising immediate red flags with users or automated scanners.

Why Chrome and Edge Stores Did Not Catch It Sooner

The fact that these extensions were available through official marketplaces for Chrome and Edge raises hard questions about vetting and oversight. Earlier security analysis noted that removing the malware is complicated by the reality that, at the time of writing, most AV engines do not detect the installers, and the extensions have not yet been removed by Google or Microsoft from their respective stores. That gap between discovery and removal gives attackers a window to rack up more installs and pivot to new identities when old ones are finally taken down.

Part of the problem is structural. Browser stores are designed to scale to millions of listings, which means automated checks and limited manual review. When attackers use tactics like later updates to flip legitimate extensions into malicious ones, the initial approval process is no longer enough.

The Social Engineering Layer: Fake Sites and "Search" Bars

Technical tricks are only half the story. The attackers also invested in social engineering that steers users toward the malicious extensions in the first place. Reporting details how attackers are using fake websites disguised as portals to download popular software like Roblox FPS Unlocker, YouTube tools, or VLC, then pushing rogue Google Chrome and Microsoft Edge extensions as part of the process.

Once inside the browser, the malicious Chrome extensions often lean on generic branding that blends into the background. Security researchers have pointed out that the malicious Chrome extensions usually have "Search" in their name, with examples like "Custom Search Bar" and "Your Search Bar" that sound like harmless tweaks to the default search experience.

Why This Campaign Is Different From Past Adware Waves

Browser-based threats are not new, but several aspects of this campaign set it apart from the noisy adware waves of the past. The long timeline, stretching across seven years, and the use of "Sleeper" behavior show a level of patience that is more typical of advanced espionage operations than of quick-hit malware.

Another difference is the way the campaign spans both consumer and quasi-enterprise contexts. Because Chrome and Edge are standard in workplaces and schools, an extension installed at home can follow a user onto corporate networks or shared devices.

What I Would Do Now If I Used Chrome or Edge

Faced with this kind of campaign, the most practical response is to treat every extension as a potential risk until proven otherwise. If I were using Chrome or Edge today, I would start by opening the extensions page and manually reviewing each entry, looking for anything that mentions Emoji, Free Wea style weather tools, Unlock TikTok, Volume Boost, or Unlock Discord, as well as generic Search bars like Custom Search Bar and Your Search Bar.

Any extension whose purpose I could not clearly explain, or that I did not remember installing, would be removed on the spot. From there, I would cross-check my list against the guidance that urges users to delete specific Chrome and Edge extensions, including the Microsoft Edge entries like Unlock TikTok and Volume Boost that have been tied to the same threat cluster.

I would also follow the removal steps that explain how to remove the malware and malicious extensions, including resetting browser settings and scanning for leftover components, even if most AV engines are still catching up. Finally, I would make a habit of limiting new installs to extensions that are absolutely necessary, checking their permissions carefully, and revisiting the list every few months so that no Sleeper has a chance to wake up unnoticed.
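The manual review described above, and the permissions discussion earlier ("read and change all your data on the websites you visit"), can be turned into a repeatable check. The script below is an added example written for this page; it is not code from the article or from Koi Security. It reads the manifest.json that Chrome and Edge store under each profile's Extensions/<id>/<version>/ folder and flags three things: names matching the lures the reporting lists (the list of strings is taken from the text above and is a heuristic, not a signature), host patterns and API permissions that expose every site a user visits, and an update_url that does not point at an official store endpoint, since the update channel is how the "sleeper" extensions were flipped. The store update URLs, the default profile paths in the comments, and the sample manifests are my own assumptions and constructed data, not values from the article.

```python
"""Audit installed Chrome/Edge extensions for the warning signs described in the article.

Added example (not the article's or Koi Security's code). Chrome and Edge keep each
extension's manifest at <profile>/Extensions/<id>/<version>/manifest.json; this script
reads those files and reports lure-like names, page-reading permissions, and update
channels outside the store. Store URLs below are assumed from general knowledge.
"""
import json
import os
import re
import tempfile

# Names the article tells readers to look for (strings taken from the text above).
SUSPICIOUS_NAMES = ("Emoji keyboard online", "Free Wea", "Unlock TikTok", "Volume Boost",
                    "Unlock Discord", "Custom Search Bar", "Your Search Bar")
# Host patterns behind the "read and change all your data on the websites you visit" prompt.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that expose browsing activity, history or page content.
SENSITIVE_PERMISSIONS = {"tabs", "history", "cookies", "webRequest",
                         "webRequestBlocking", "scripting", "webNavigation"}
# Official store update endpoints (assumed); anything else is a self-hosted channel.
STORE_UPDATE_URLS = {"https://clients2.google.com/service/update2/crx",
                     "https://edge.microsoft.com/extensionwebstorebase/v1/crx"}


def resolve_name(manifest, ext_dir=None):
    """Turn a localized "__MSG_key__" name into the string the user actually sees."""
    name = manifest.get("name", "")
    match = re.fullmatch(r"__MSG_(\w+)__", name)
    if not match or ext_dir is None:
        return name
    path = os.path.join(ext_dir, "_locales", manifest.get("default_locale", "en"), "messages.json")
    try:
        with open(path, encoding="utf-8-sig") as fh:
            return json.load(fh).get(match.group(1), {}).get("message", name)
    except (OSError, ValueError):
        return name


def audit_manifest(manifest, name=None):
    """Return the reasons this extension deserves a look; an empty list means nothing flagged."""
    name = manifest.get("name", "") if name is None else name
    reasons = []
    lowered = name.lower()
    if any(lure.lower() in lowered for lure in SUSPICIOUS_NAMES):
        reasons.append(f"name matches a lure from the reporting: {name!r}")
    elif "search" in lowered:  # the generic "Search" branding the researchers pointed out
        reasons.append(f"generic 'Search' branding: {name!r}")
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = perms | set(manifest.get("host_permissions", []))  # MV2 mixes hosts in; MV3 separates
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))  # injected scripts read page content too
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        reasons.append(f"can read/change every site visited: {broad}")
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        reasons.append(f"sensitive browser APIs: {sensitive}")
    update_url = manifest.get("update_url")
    if update_url and update_url not in STORE_UPDATE_URLS:
        reasons.append(f"updates fetched outside the store: {update_url}")
    return reasons


def scan_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json below a profile's Extensions folder."""
    findings = {}
    if not os.path.isdir(extensions_dir):
        return findings
    for ext_id in sorted(os.listdir(extensions_dir)):
        id_dir = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            ext_dir = os.path.join(id_dir, version)
            path = os.path.join(ext_dir, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8-sig") as fh:
                manifest = json.load(fh)
            name = resolve_name(manifest, ext_dir)
            reasons = audit_manifest(manifest, name)
            if reasons:
                findings[ext_id] = (name, version, reasons)
    return findings


# Constructed sample manifests (not real extension data) so the audit can run offline.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {  # lure name, broad hosts, self-hosted updates
        "manifest_version": 3, "name": "Your Search Bar", "version": "2.1",
        "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"],
        "update_url": "https://updates.example.invalid/crx"},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {  # narrow permissions, store updates, localized name
        "manifest_version": 3, "name": "__MSG_appName__", "default_locale": "en",
        "version": "1.0", "permissions": ["storage"], "host_permissions": [],
        "update_url": "https://clients2.google.com/service/update2/crx"},
    "cccccccccccccccccccccccccccccccc": {  # MV2 lure with a page-reading content script
        "manifest_version": 2, "name": "Unlock TikTok", "version": "0.9",
        "permissions": ["webRequest", "webRequestBlocking", "*://*/*"],
        "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}]},
}


def demo():
    """Write the samples into a temporary profile layout, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        ext_root = os.path.join(root, "Extensions")
        for ext_id, manifest in SAMPLE_MANIFESTS.items():
            ext_dir = os.path.join(ext_root, ext_id, manifest["version"] + "_0")
            os.makedirs(os.path.join(ext_dir, "_locales", "en"))
            with open(os.path.join(ext_dir, "manifest.json"), "w") as fh:
                json.dump(manifest, fh)
            with open(os.path.join(ext_dir, "_locales", "en", "messages.json"), "w") as fh:
                json.dump({"appName": {"message": "Constructed Notes Widget"}}, fh)
        return scan_profile(ext_root)


if __name__ == "__main__":
    # For a live profile, pass e.g. %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
    # or %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions (Windows; assumed defaults).
    for ext_id, (name, version, reasons) in demo().items():
        print(f"{ext_id} {name!r} {version}: " + "; ".join(reasons))
```

Running the script against the constructed samples flags the two lure-named entries and leaves the localized "Constructed Notes Widget" alone, because its only permission is storage and its updates come from the store. On a real profile the name check will also flag legitimate search extensions, which is intentional: the point is to produce a short list that a person then reviews, mirroring the manual pass described above rather than replacing it.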
