Technology

Chinese Hackers Used Legit Browser Extensions to Spy on 4.3 Million Users for 7 Years

A browser extension attack that went undetected for years has affected millions of Google Chrome and Microsoft Edge users. Chinese actors proceeded with long-term planning in order to generate many victims.

Addons have been positioned for years

Like the security company Koi reported a suspected Chinese hacker group called ShadyPanda infiltrated a total of around 4.3 million computers over the course of seven years using initially inconspicuous add-ons. The attackers used a particularly perfidious approach: First they published seemingly harmless productivity tools, collected high popularity, positive reviews and millions of installations over the years – and only later installed malicious updates. Since the major platforms mainly check extensions when they are first submitted, the manipulated versions were able to be distributed largely unnoticed. Even add-ons with “Featured” or “Verified” status were transformed from practical helpers into spy tools. According to Koi, no phishing or deception was necessary – just trusting established extensions was enough to install comprehensive monitoring systems on millions of browsers.

At least five extensions to the network are said to still be available in the Edge Store and together have more than four million installations. According to the researchers, two of them already contain active spying functions. One of the problematic extensions, WeTab, is said to have over three million users alone and transmits extensive data in real time to several servers in China and to Google Analytics.

Several addons still active

Another example is the Chrome and Edge extension “Clean Master” from the provider Starlab Technology. Released between 2018 and 2019, it received official seals of approval and collected over 200,000 installs. In the summer of 2024, ShadyPanda then distributed an update that retrofitted a remote access interface. Although the affected extensions have now been removed from stores, Koi warns that the infrastructure for further attacks remains active.

The malware allows you to reload any JavaScript files, manipulate website content and log your entire surfing behavior. It also has mechanisms designed to trick researchers by simulating harmless behavior when developer tools are opened. Koi sees the incidents as a structural problem in the large marketplaces: Once extensions have been released, they are hardly monitored. This would allow attackers to roll out updates unnoticed at any time – with potentially serious consequences for millions of users.

Recent Posts

Google Health: A bug is currently really annoying Pixel Watch users

An annoying software error is currently plaguing many owners of the Google Pixel Watch. The…

1 hour ago

Pixel Watch 5: Leak shows the design of the new Google smartwatch in advance

After the new Google smartphones in the Pixel 11 series, official marketing images of the…

1 hour ago

Epson is in court: first lawsuit over planned obsolescence

A French consumer protection association is taking Epson to court. The accusation is of planned…

1 hour ago

EU brings Meta to its knees: ChatGPT is running again in WhatsApp chat

After a months-long exclusion by the Facebook group Meta, the well-known AI chatbot ChatGPT has…

1 hour ago

Good news for Windows 11: Microsoft is banning advertising from search

Microsoft is fundamentally redesigning the search in Windows 11. The operating system loses advertising, forced…

2 hours ago

iOS 27 public beta is here: Apple starts the test phase for all iPhone users

Interested users can now install the first public beta version of iOS 27 on their…

2 hours ago