Security analysts from Socket have uncovered a significant hacking campaign disguised as useful browser tools, affecting more than 20,000 users.
Many of the malicious applications have been downloaded over 1,000 times. Experts advise users to immediately remove the following extensions:
- Web Client for TikTok / Telegram / YouTube – social media side panels.
- Telegram Multi-account – a highly dangerous extension that steals sessions every 15 seconds.
- Formula Rush Racing Game and Black Beard Slot Machine – simple games.
- Speed Test for Chrome and Clear Cache Plus – utilities for network testing and cleaning.
- Text Translation and Page Auto Refresh – tools for text and page management.
A complete list includes 108 items from publishers such as GameGen, Yana Project, Rodeo Games, InterAlt, and SideGames.
How the Data Theft Scheme Works
The hackers have established a unified infrastructure to manage all the extensions, enabling them to:
- Steal a “digital fingerprint” – obtaining a unique Google account identifier that cannot be changed.
- Embed backdoors – malicious code that runs automatically when the browser starts.
- Steal Telegram sessions – gaining full access to the user’s messenger via the web version.
- Manipulate content – replacing ads on websites and inserting their own harmful scripts.
Researchers discovered comments in Russian within the code, suggesting a potential origin for the developers.
How to Protect Yourself
Experts recommend not only removing the extensions but also taking additional security measures:
- Check your list of extensions: Click on the three dots in Chrome -> More Tools -> Extensions. Remove anything suspicious.
- Reset Telegram sessions: In the messenger settings, go to “Devices” and end all active sessions except the current one.
- Review Google permissions: Visit myaccount.google.com/permissions and revoke access to any third-party applications you do not recognize.
Notably, despite warnings from experts, some of these extensions remain available in the Chrome store.
A recent investigation by Socket has revealed a hacking campaign that has compromised over 20,000 users through malicious browser extensions. Experts urge immediate removal of these extensions and recommend additional security measures to protect user data.