In brief: Just how bad is the problem of malicious extensions on the Chrome Web Store? That depends on who you believe. Google, for its part, says less than 1% of all installs include malware. But a group of university researchers claims 280 million people installed a malware-infected Chrome extension during a three-year period.
Google said last week that in 2024, less than 1% of all installs from the Chrome Web Store, which now contains more than 250,000 extensions, were found to include malware. The company added that while it was proud of its security record, some bad extensions still get through, which is why it also monitors published extensions. "As with any software, extensions can also introduce risk," wrote the security team.
Putting their own figures on the problem were researchers Sheryl Hsu, Manda Tran, and Aurore Fass from Stanford University and the CISPA Helmholtz Center for Information Security.
As revealed in a research paper, the trio examined Security-Noteworthy Extensions (SNEs) on the Chrome store. An SNE is defined as an extension that contains malware, violates Chrome Web Store policy, or contains vulnerable code.
It was found that between July 2020 and February 2023, 346 million users installed SNEs. Of those installs, 63 million were of extensions that violated store policy and three million were of extensions with vulnerable code, while 280 million were of extensions containing malware. At the time, there were almost 125,000 extensions available in the Chrome Web Store.
The researchers found that safe Chrome extensions usually don't stay in the store for very long, with just 51.8 to 62.9% still available after one year. SNEs, on the other hand, remained on the store for an average of 380 days if they contained malware, and 1,248 days if they contained vulnerable code.
The longest surviving SNE, called TeleApp, was available for 8.5 years, having last been updated on December 13, 2013, and found to contain malware on June 14, 2022, when it was removed.
We're often advised to check user ratings to determine if an app or extension is malicious, but the researchers found that this doesn't help in the case of SNEs.
"Overall, users do not give SNE lower ratings, suggesting that users may not be aware that such extensions are dangerous," the authors wrote. "Of course, it is also possible that bots are giving fake reviews and high ratings to those extensions. However, considering that half of SNEs have no reviews, it seems that the use of fake reviews is not widespread in this case."
Google says a dedicated security team provides users with a personalized summary of the extensions they've installed, reviews extensions before they are published in the store, and continuously monitors them after they are published. The researchers suggest Google also monitor extensions for code similarities.
"For instance, roughly 1,000 extensions use the open-source Extensionizr project, 65 – 80 percent of which still use the default and vulnerable library versions initially packaged with the tool, six years ago," the report states. They also noted the lack of maintenance that sees extensions remain on the store long after vulnerabilities are disclosed.
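As an added illustration of the code-similarity monitoring the researchers propose (example code written for this article, not from the paper or from Google): it hashes the files bundled in a handful of hypothetical extensions, reports any file shared by several of them, and pulls the library name and version out of the file's banner comment, which is how a scaffold's default library copy would show up across many unrelated extensions. The extension ids, file contents and version strings are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: three hypothetical extensions ship the identical
# bundled library copy (a scaffold default); a fourth ships a different one.
# Ids, file contents and version strings are invented for this example.
LIB_OLD = "/*! jQuery v1.9.1 | (c) jQuery Foundation */ window.jQuery={};"
LIB_NEW = "/*! jQuery v3.7.1 | (c) OpenJS Foundation */ window.jQuery={};"
SAMPLE_EXTENSIONS = {
    "ext-aaaa": {"manifest.json": '{"name": "Tab Helper"}',
                 "js/lib/jquery.min.js": LIB_OLD,
                 "js/background.js": "console.log('tab helper');"},
    "ext-bbbb": {"manifest.json": '{"name": "Note Taker"}',
                 "js/lib/jquery.min.js": LIB_OLD,
                 "js/background.js": "console.log('notes');"},
    "ext-cccc": {"manifest.json": '{"name": "Color Picker"}',
                 "vendor/jquery.js": LIB_OLD},
    "ext-dddd": {"manifest.json": '{"name": "Fresh Ext"}',
                 "js/lib/jquery.min.js": LIB_NEW},
}

# Matches a banner such as "/*! jQuery v1.9.1" -> ("jQuery", "1.9.1")
VERSION_BANNER = re.compile(r"/\*!\s*([A-Za-z.\- ]+?)\s+v?(\d+(?:\.\d+)+)")


def shared_files(extensions, min_share=2):
    """Group bundled files by SHA-256 and return those present in at least
    `min_share` distinct extensions, most widely shared first. Manifests are
    skipped because they are expected to differ per extension."""
    by_hash = defaultdict(lambda: {"extensions": set(), "paths": set(), "content": ""})
    for ext_id, files in extensions.items():
        for path, content in files.items():
            if path.endswith("manifest.json"):
                continue
            entry = by_hash[hashlib.sha256(content.encode()).hexdigest()]
            entry["extensions"].add(ext_id)
            entry["paths"].add(path)
            entry["content"] = content
    results = []
    for digest, entry in by_hash.items():
        if len(entry["extensions"]) < min_share:
            continue
        m = VERSION_BANNER.search(entry["content"])
        results.append({"sha256": digest,
                        "library": m.group(1).strip() if m else None,
                        "version": m.group(2) if m else None,
                        "extensions": sorted(entry["extensions"]),
                        "paths": sorted(entry["paths"])})
    return sorted(results, key=lambda r: -len(r["extensions"]))


if __name__ == "__main__":
    for r in shared_files(SAMPLE_EXTENSIONS):
        print(f"{r['library']} {r['version']} shared by {len(r['extensions'])} extensions: {r['extensions']}")
```

In practice the input would be the unpacked contents of store packages, and the shared-file report is the starting point for checking whether the common library version has known vulnerabilities.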