
How to Tell Legit Chrome Extensions From Malware


We all fall victim to the dangerous belief that if an app or extension is listed in an official repository—be it the App Store, Google Play, the Microsoft Store, Mozilla’s Add-Ons directory, et cetera—it must be legitimate. After all, the big tech companies surely use lots of automated systems (and real human beings) to ensure that their customers aren’t downloading harmful things. Right?

Unfortunately, as a recent AdGuard report reminded us, you can’t trust big tech to keep your devices safe. Malware slips through the cracks, and you need to do a little policing of your own to ensure that what you’re about to download to your device or computer is legitimate. While you won’t be able to catch sophisticated pieces of malware disguised as real apps, it’s not hard to filter out more obvious crap.

Make sure you’re downloading the right extension

I’m going to focus on Chrome extensions for this how-to guide, but the same advice generally holds true for any apps you’re downloading: from the web, from an app store, from wherever. You always want to make sure you’re downloading the right extension or application, especially if you vaguely remember the name of something you read somewhere that’s great for your PC, or some extension that a friend mentioned in a conversation that you now sort-of think you found. Nuh-huh. Do not download the extension unless you know exactly what you’re getting.

If you need any additional proof, here’s a quick list of the five big malware extensions AdGuard named in its research—all of which have since been pulled by Google, and all of which had anywhere from 30,000 to more than 10 million users. I’ve also thrown in the names of legitimate extensions. Can you tell which is which?

  • Adblock

  • AdRemover for Google Chrome

  • uBlock Plus

  • uBlock Origin

  • AdBlocker Ultimate

  • Adblock Pro

  • HD for YouTube

  • Auto HD For YouTube

  • Webutation

Tricky, isn’t it? And while a quick web search can usually help you tell if an extension is legitimate or not—as solid extensions are more likely to have strong recommendations from a number of legitimate technology and news sites—it’s not a perfect method.

You might still be fooled if someone in a forum somewhere recommends a scammy extension like uBlock Plus and you take that as truth. When in doubt, consider the authenticity of what you’ve searched for. For example, if Gizmodo suggests downloading uBlock Origin, but then Reddit user “poopchute88” says uBlock Plus is the best browser extension ever—well, we hope you’ll trust our friends around the corner.
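For anyone vetting extension requests in bulk, the name check above can be automated. This is an added example, not part of the original article: it compares a listing name against an allowlist of exact names and flags near-matches. The allowlist contents, the threshold and the function names are assumptions made for the illustration.

```python
import re
from difflib import SequenceMatcher

# Assumed allowlist for this example: the two names the article calls legitimate.
KNOWN_GOOD = ["uBlock Origin", "Adblock Plus"]

def normalize(name):
    """Lowercase and keep only letters/digits so spacing and punctuation tricks collapse."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def words(name):
    """Lowercased word tokens of a listing name."""
    return set(re.findall(r"[a-z0-9]+", name.lower()))

def check_name(candidate, known_good=KNOWN_GOOD, threshold=0.7):
    """Classify a listing name as 'exact', 'lookalike' or 'unrelated'.

    Also reports the closest allowlisted name, the similarity score, and
    which of the candidate's words come from which allowlisted name.
    """
    if candidate in known_good:
        return {"verdict": "exact", "closest": candidate, "score": 1.0, "borrowed": {}}
    cand = normalize(candidate)
    closest, best, borrowed = None, 0.0, {}
    for good in known_good:
        score = SequenceMatcher(None, cand, normalize(good)).ratio()
        if score > best:
            closest, best = good, score
        for w in words(candidate) & words(good):
            borrowed[w] = good
    # A name built entirely from words of trusted names is suspicious even
    # when no single trusted name is a close string match.
    cand_words = words(candidate)
    all_borrowed = bool(cand_words) and cand_words <= set(borrowed)
    verdict = "lookalike" if best >= threshold or all_borrowed else "unrelated"
    return {"verdict": verdict, "closest": closest,
            "score": round(best, 2), "borrowed": borrowed}

if __name__ == "__main__":
    # "Tab Sorter" is a constructed name used only as a negative case.
    for name in ["uBlock Origin", "uBlock Plus", "ublock-origin", "Tab Sorter"]:
        print(name, "->", check_name(name))
```

An "unrelated" verdict only means the name does not imitate anything on the allowlist; it says nothing about whether the extension itself is safe.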

Give the extension’s description a once-over

Even the best extension creators might not be master wordsmiths, so you have to be a little thoughtful about this tip. If you read through an extension’s description and it just doesn’t feel right—maybe there are some strange phrasings, horrible misspellings, or the whole thing just feels a little off—you might want to do some extra research into the legitimacy of the extension.

Also, just because an extension uses open-source terminology doesn’t mean that it’s legitimate. Consider the language found in the description of AdRemover for Google Chrome, one of the malware extensions named in AdGuard’s report:

“Disclaimer: This extension is not affiliated or related in any way with other software or adblocker. GPLv3 Code from Adblock is used and stated in the source code. Enhanced adblock, tracking protection and bitcoin mining protection.”

Sounds slightly more like a real extension, right? Well, no. But the fake extension sure tries to make it seem like it’s the natural evolution of a number of legitimate-sounding extensions:

“Open Source: Code used in this adblocker extension: Base Template of Adblock for Chrome, Banner Implementation of Adblock Pro, User Statistics of the original Adblock for Chrome before switch to Adblock Plus code, Google Analytics of Superblock - Adblock, filterlist-extension of uBlock Adblocker, Popup Code by Adguard Adblock, statistics from Fair Adblock, options page of Adblock Super, Popup Blocker inspired by Pop up blocker for Chrome™ - Poper Blocker.”

In actuality, the extension’s creator is probably just trying to keyword stuff as much as possible, to ensure a greater likelihood of this malware appearing when users search for the legitimate extensions it references. Compare this description against part of the description for, say, the much-loved (and legitimate) Adblock Plus:

“An easy-to-use, customizable ad-blocking browser extension, Adblock Plus gives you control over your Google Chrome browsing experience. Block annoying and intrusive ads for a cleaner, better web experience. Blocking ads also reduces the risk of infection from malvertising campaigns. Users also have the option to add personal filters and whitelist websites.

Used by millions worldwide, Adblock Plus is a community-driven open source project. Hundreds of volunteers contribute daily to ensure that all intrusive ads are blocked.”

Could a malware creator write a description as smooth as that? Sure. Again, we’re not trying to point to a single definitive example that separates a legitimate extension from malware. However, you can probably start to see how the malware’s description doesn’t quite pass the smell test—and even if it does, there’s more to investigate.
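The keyword-stuffing contrast between those two descriptions can be measured by counting how many other products a description names. This is an added example, not part of the original article: the product list is assembled from the names in the quoted AdRemover text, and the function names and the limit of three are assumptions.

```python
import re

# Product names taken from the description quoted above; in practice this
# would be a maintained list of popular extension names (assumption).
KNOWN_PRODUCTS = [
    "Adblock for Chrome", "Adblock Pro", "Adblock Plus", "Superblock",
    "uBlock Adblocker", "Adguard", "Fair Adblock", "Adblock Super",
    "Poper Blocker",
]

# The two descriptions as quoted in the article.
ADREMOVER_DESC = (
    "Open Source: Code used in this adblocker extension: Base Template of "
    "Adblock for Chrome, Banner Implementation of Adblock Pro, User Statistics "
    "of the original Adblock for Chrome before switch to Adblock Plus code, "
    "Google Analytics of Superblock - Adblock, filterlist-extension of uBlock "
    "Adblocker, Popup Code by Adguard Adblock, statistics from Fair Adblock, "
    "options page of Adblock Super, Popup Blocker inspired by Pop up blocker "
    "for Chrome\u2122 - Poper Blocker."
)
ADBLOCK_PLUS_DESC = (
    "An easy-to-use, customizable ad-blocking browser extension, Adblock Plus "
    "gives you control over your Google Chrome browsing experience. Used by "
    "millions worldwide, Adblock Plus is a community-driven open source project."
)

def other_products_named(description, own_name, products=KNOWN_PRODUCTS):
    """Return the sorted distinct product names a description mentions, minus its own."""
    # Longest names first so a full name wins over any shorter overlapping one.
    ordered = sorted(products, key=len, reverse=True)
    pattern = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, ordered)),
                         re.IGNORECASE)
    canonical = {p.lower(): p for p in products}
    found = {canonical[m.group(0).lower()] for m in pattern.finditer(description)}
    found.discard(own_name)
    return sorted(found)

def looks_keyword_stuffed(description, own_name, limit=3):
    """Flag a description that names more than `limit` other products."""
    return len(other_products_named(description, own_name)) > limit

if __name__ == "__main__":
    print(other_products_named(ADREMOVER_DESC, "AdRemover for Google Chrome"))
    print(other_products_named(ADBLOCK_PLUS_DESC, "Adblock Plus"))
```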

Check for bogus reviews

Some malware writers are crafty and try to legitimize their extensions by suggesting that they’ve been reviewed by authentic news sources. While anyone can lie, it’s easy to catch those who put absolutely no effort into creating a fake breadcrumb trail for their malware. Once again, we turn to an example from the bogus AdRemover for Google Chrome extension. In its description, you would have found the following:

“On par with other adblock software” - MediumTech

“Default filterlists work fine on this adblock” - FrugalLiving

“Some missing features, but easy to use adblock” - FrugalLiving

“Slower than uBlock but more intuitive interface” - Zing

This one’s almost too simple. First off, there is no tech review site called “MediumTech,” nor is there a FrugalLiving or a Zing. But even if any of these sites existed, you can also just copy and paste the quotes directly into your favorite search engine. In this case, they don’t map to any of the tech review sites listed—and, in fact, only seem to surface the malware extension in search results. Hmmmm.

The same holds true for the “benchmarks” AdRemover for Google Chrome listed in its description:

Tested by Raymonds Tech Ressources

[yes, the malware’s developer even spelled this fake website’s name wrong]

- Performance Test - Tracker Protection

5% faster average loadtimes against Adguard

- Performance Test - Adblock

90% faster average loadtimes in comparison to no Adblock software at all

2% faster average loadtimes in comparison to Superblock - Adblocker

5% faster average loadtimes in comparison to Adguard - Adblocker

62% less peak cpu usage in in comparison to Adblock Pro

12% less peak cpu usage in in comparison to Superblock - Adblocker and Adguard - Adblocker

As fast as Adblock Pro, Simply Block Ads! and Adblock Super, but with additional blocked trackers.

Again, there’s no site called “Raymonds Tech Ressources,” nor even one called “Raymonds Tech Resources.” Even if there was, a quick web search could easily confirm two things: whether this site is legitimate and whether the site has actually posted the benchmarks the extension references in its description.

While we suppose a super-savvy malware creator could create a few fake review websites to make an extension look legit, most don’t like to put in the effort. Heck, most don’t even make a website for their own extensions, as Make Tech Easier notes:

“Most malicious ad removal extension creators are too lazy to make entirely new websites. They will instead usurp the identities of other developers (e.g. ‘AdRemover’ vs. ‘Ad Remover’ and ‘uBlock Adblocker’ vs. ‘uBlock Plus Adblocker’). Others will not even make a website for their extensions (Superblock being a great example of this).

Do not trust, do not verify; just go and find the legitimate website and activate the extension from there. Or if you’re anywhere near as lazy as I am, search for what’s popular, find the legit source for it, then slap it on.”

Consider the commenters

Just because someone has a good experience with an extension doesn’t mean that it’s legitimate. However, if the extension seems rather new-ish, and it doesn’t have a lot of reviews, but every single review gives it a five-star rating with a bit of text that seems a little stilted, you should eye the extension with suspicion. Here are a few examples that you would have seen on AdRemover for Google Chrome’s page:

Jowanna S. - ★★★★★

“Nice adblocker! Highly recommended for chrome users!”

Ruand S. - ★★★★★

“My favorite ad blocker.”

Lewis A. - ★★★★★

“I hated theese facebook ads so much, so installed ad blocker. Thank you”

Cecilia - ★★★★★

“Excellent Adblocker !! Blocked all the unwanted & irritating pop ups! Never without Adblock.”

Patricia D. - ★★★★★

“Not pestered by anymore unwanted ads. Great app. The best adblock.”

Alden D. - ★★★★★

“I love AdRemover Adblocker. It’s brilliant! It’s also the best. No more ads. User other adblocker but this is good.”

It’s possible that a new extension’s users think it’s the greatest thing since Netscape. But these reviews just seem a little off to us: spelling errors like, “I hated theese facebook ads;” odd comments like “I love AdRemover Adblocker,” which isn’t even the name of the extension; and the bluntness of most of the five-star reviews that don’t really mention any features or use cases, just their love for the extension. If your spider-sense isn’t tingling by now, it should be.