More crypto-stealing Chrome extensions swatted by Google


Malicious extensions for the Chrome browser continue to spring up just as quickly as the search giant cuts them down. This month, another batch appeared.

Google deleted 49 malicious Chrome extensions from the Chrome Web Store in mid-April after Harry Denley, director of security at MyCrypto, found them phishing cryptocurrency users. The extensions impersonate Chrome extensions for legitimate cryptocurrency wallets, but when installed they pilfer the users’ private keys and other secrets used to access digital wallets so that their authors can steal victims’ funds. Now Denley has found more.

Related articles

Talking to Naked Security, Denley explained that he finds new ones each day. He pointed us to this Pastebin entry showing the original 49 he reported in April, along with another 22. The new ones impersonated the Ledger, KeepKey, MetaMask, and Jaxx wallets. The IDs on the left are extension IDs, which show up at the end of an extension’s URL when viewed in the Chrome store.

Google had already taken down most of the offending wallets at the time of writing, and has been generally pretty responsive, according to Denley, who said:

Yeah, they have been, for the majority. Actioned my reports within 24 hours.

New rules

Google has acknowledged a general problem with malicious extensions and has announced new rules for the Chrome Web Store. It said:

We want to ensure that the path of a user discovering an extension from the Chrome Web Store is clear and informative and not muddled with copycats, misleading functionalities or fake reviews and ratings.

The rules forbid developers from publishing multiple extensions that do the same thing, and prohibits misleading metadata, including anonymous user testimonials in app descriptions. Developers can’t upload extensions that exist solely to launch another app or extension, and they shouldn’t send spam notifications, the company added.