In 2024, Google reported that less than 1% of all Chrome extension installs from its Web Store—now housing over 250,000 extensions—contained malware. Despite efforts to maintain a secure environment, some malicious extensions slip through, prompting ongoing monitoring by Google’s security team.
Researchers from Stanford University and CISPA Helmholtz Center analyzed “Security-Noteworthy Extensions” (SNEs) on the Chrome store: extensions that contain malware, violate store policies, or carry vulnerable code. Between July 2020 and February 2023, 346 million users installed SNEs; 280 million of those installs involved malware-laden extensions, 63 million policy-violating ones, and three million vulnerable ones. At the time, the store hosted nearly 125,000 extensions.
The study found that benign extensions don’t last long, with only 51.8% to 62.9% still available after a year. In contrast, SNEs, particularly those with malware, persisted for an average of 380 days, and up to 1,248 days if vulnerable.
The longest-surviving SNE, TeleApp, lasted 8.5 years until its malware was discovered in June 2022. User ratings often fail to flag SNEs as dangerous, suggesting that many users are unaware of the risk or that fake reviews are misleading them.
Google Chrome employs a dedicated security team to vet extensions and monitor them for malware, reviewing them before publication and continuously afterward. The researchers propose strengthening this monitoring by detecting code similarities among extensions, noting that many still bundle outdated, vulnerable libraries.
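As an added illustration of the similarity-based monitoring the researchers propose (example code written for this page, not the study's or Google's tooling), the following scans a set of extension bundles, groups extensions that ship byte-identical files, and flags bundled libraries whose version falls below a minimum. The bundles, the `/*! name vX.Y.Z */` banner format and the minimum-version table are constructed assumptions for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: three extension bundles, each a mapping of path -> source text.
# "lib/vendor.js" stands in for a third-party library copied into several extensions.
EXTENSIONS = {
    "ext-alpha": {
        "background.js": "chrome.runtime.onInstalled.addListener(() => {});",
        "lib/vendor.js": "/*! examplelib v1.2.0 */ function x(){}",
    },
    "ext-beta": {
        "popup.js": "document.body.textContent = 'hi';",
        "lib/vendor.js": "/*! examplelib v1.2.0 */ function x(){}",
    },
    "ext-gamma": {
        "content.js": "console.log('content');",
        "lib/vendor.js": "/*! examplelib v2.0.0 */ function x(){}",
    },
}

# Assumed minimum acceptable version per library (constructed for this example, not a
# real advisory list); a real deployment would consult an advisory database instead.
MIN_VERSIONS = {"examplelib": (2, 0, 0)}

# Assumed banner format: "/*! <name> v<major>.<minor>.<patch>" at the top of a library.
BANNER = re.compile(r"/\*!\s*(?P<name>[A-Za-z][\w-]*)\s+v(?P<ver>\d+(?:\.\d+)*)")


def file_digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def shared_files(extensions):
    """Map content hash -> sorted extension ids, keeping only files found in more than one extension."""
    by_hash = defaultdict(set)
    for ext_id, files in extensions.items():
        for text in files.values():
            by_hash[file_digest(text)].add(ext_id)
    return {h: sorted(ids) for h, ids in by_hash.items() if len(ids) > 1}


def outdated_libraries(extensions, min_versions=MIN_VERSIONS):
    """Return sorted (ext_id, path, library, version) tuples for bundled libraries below the minimum."""
    findings = []
    for ext_id, files in extensions.items():
        for path, text in files.items():
            m = BANNER.search(text)
            if not m:
                continue
            ver = tuple(int(p) for p in m.group("ver").split("."))
            if m.group("name") in min_versions and ver < min_versions[m.group("name")]:
                findings.append((ext_id, path, m.group("name"), m.group("ver")))
    return sorted(findings)
```

Hash-level matching only catches byte-identical copies; a production scanner would add fuzzy or AST-based similarity to catch minified or lightly modified copies of the same library.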
Despite these efforts, the study highlights challenges in maintaining extension security. Users are encouraged to remain vigilant, as even seemingly popular extensions can pose risks.