280 million people have installed malware-infected Chrome extensions

Last week, Google announced that less than 1% of all installs from the Chrome Store, contained malware. The Chrome Store currently contains more than 250,000 extensions.

Google added that some bad extensions still get past the company's security. So they also monitor published extensions.

However, a group of researchers from Stanford University and the CISPA Helmholtz Center for Information Security confirmed that is not true. They said 280 million people installed a Chrome extension infected with malware over a three-year period.

Researchers examined Security Notable Extensions (SNE) - extensions that contain malware, violate Chrome Web Store policies, or contain vulnerable code.

The results show that from July 2020 to February 2023, 346 million users installed SNE. Of these, 280 million Chrome extensions contained malware, 63 million extensions violated policies, and 3 million were vulnerable. At that time, there were almost 125,000 extensions available in the Chrome Store.

The researchers found that SNEs remained on the store for an average of 380 days (malware) and 1,248 days if they contained vulnerable code. Meanwhile, safe Chrome extensions often don't stay on the store for too long, with only 51.8 - 62.9% still available after a year.

The longest-running SNE at 8.5 years, called TeleApp, was last updated on December 13, 2013 and was not found to contain malware and malware until June 14, 2022. deleted.