108 malicious Chrome extensions caught stealing Google and Telegram data from 20,000 users

Graham CLULEY

April 15, 2026

Cybersecurity researchers have revealed that 108 malicious Google Chrome extensions have been quietly stealing user credentials, hijacking Telegram sessions, and injecting unwanted ads and scripts into browsers - all reporting back to the same central point.

Researchers at Socket found that all 108 extensions were communicating with a single command-and-control server, strongly suggesting they are the work of one group of hackers.

Between them, before being identified, the extensions had racked up approximately 20,000 installs from the Chrome Web Store.

The malicious add-ons were published under five different publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt) in an apparent attempt to avoid detection.

And to further hide the reality of what was going on, the malicious Google Chrome extensions adopted differing disguises - including posing as a Telegram sidebar client, slot machine games, tools to enhance YouTube and TikTok, or translation tools.

Behind the scenes, according to researchers, all 108 extensions were transferring stolen credentials, user identities, and browsing data to remote servers under the control of the hackers.

Specific malicious behaviours included:

  • 54 extensions that stole Google account details - including email addresses, full names, profile pictures, and Google account IDs
  • 45 extensions that contained a backdoor which could open arbitrary URLs upon browser startup
  • Privacy-busting extensions that exfiltrated Telegram Web sessions every 15 seconds, and in some cases even replaced the victim's active session with one of the hackers' choosing
  • Extensions that stripped security headers from YouTube and TikTok, and injected gambling ads.

Although the identity of those behind the campaign remains unknown, it is perhaps telling that Russian-language comments were found in the source code of several of the add-ons.

If you're a regular reader of Hot for Security then you will know that browser extension security has been a significant problem over the years.

Back in 2018, for instance, the Mega.nz Chrome extension was compromised via a malicious update, leading to the silent harvesting of login credentials and cryptocurrency private keys from web surfers.

In 2020, researchers found 49 browser extensions targeting cryptocurrency wallets, which had been promoted via Google Ads and lauded with fake five-star reviews to appear trustworthy.

More recently, in 2023, a rogue "ChatGPT for Google" extension stole Facebook session cookies from over 9,000 users, and used them to spread malvertising.

And just this January, 16 more fake ChatGPT-themed extensions were found to be stealing authentication tokens.

Arguably the most alarming incident of all though occurred at Christmas in 2024, when a phishing email tricked a worker into granting a malicious app access to Cyberhaven's Chrome Web Store account. That allowed attackers to push a poisoned update to hundreds of thousands of users. That attack was believed to be part of a broader campaign that compromised over 35 extensions and affected an estimated 2.6 million people.

If you have installed any of the 108 extensions identified in this latest malicious campaign, your best course of action is to remove them immediately.

Furthermore, anyone who installed a dodgy Telegram-related extension should also log out of all Telegram Web sessions via the Telegram mobile app, as attackers may have already hijacked them.

More generally, don't you think it's high time you did a spring clean of your Chrome extensions? Do you actually use each one? Do the permissions they request seem proportionate for what they do? If in doubt, remove it.

After all, a lean browser with fewer extensions is inevitably a safer browser.
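Whether an extension's permissions are proportionate can be checked against its manifest.json. The Python sketch below is an added example, not code from Socket or from this article; the mapping from permissions to the behaviours listed above, the function names and the sample manifest are assumptions made for illustration.

```python
import json

# Hosts named in the article; the permission-to-behaviour mapping is this example's assumption.
WATCHED = {"web.telegram.org": "has access to Telegram Web pages and session data",
           "www.youtube.com": "has access to YouTube pages",
           "www.tiktok.com": "has access to TikTok pages"}
HEADER_APIS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
               "webRequestBlocking"}

def covers(pattern, host):
    """True if a Chrome match pattern such as *://*.youtube.com/* includes host."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    pat_host = pattern.split("://", 1)[1].split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return host == pat_host

def audit_manifest(manifest):
    """Return sorted findings for one parsed manifest.json (MV2 or MV3)."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
    patterns = {p for p in perms if "://" in p or p == "<all_urls>"}
    patterns |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns |= set(script.get("matches", []))
    findings = set()
    if perms & {"identity", "identity.email"}:
        findings.add("can query the signed-in Google account")
    for host, note in WATCHED.items():
        if any(covers(p, host) for p in patterns):
            findings.add(note)
    if perms & HEADER_APIS and any(covers(p, h) for p in patterns for h in WATCHED):
        findings.add("can modify or block traffic on a watched site")
    return sorted(findings)

# Constructed sample: a "slot machine game" asking for far more than a game needs.
SAMPLE = json.loads("""{
  "name": "Lucky Slots (constructed example)", "manifest_version": 3,
  "permissions": ["identity", "identity.email", "declarativeNetRequest", "storage"],
  "host_permissions": ["*://*.youtube.com/*", "https://web.telegram.org/*"]
}""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE):
        print("-", finding)
```

A finding here is a prompt to ask why the extension needs that access, not proof of malice; opening URLs at browser startup needs no special permission, so that behaviour will not show up in a manifest check.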

Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
