Security researchers just exposed a coordinated Chrome extension campaign that's been quietly operating across 20,000 devices. One hundred and eight malicious extensions. Five fake publisher identities. One shared backend server. And a very long list of things they were doing without users knowing.
5 Key Takeaways:
- 108 Chrome extensions published under five fake identities were discovered routing stolen credentials, session data, and browsing activity to a single command-and-control server
- 54 extensions steal Google account identity via OAuth2 — capturing email, full name, profile picture, and account ID the moment a user clicks sign-in
- 45 extensions contain a universal backdoor that silently opens arbitrary URLs every time the browser launches
- Several extensions exfiltrate Telegram Web session tokens every 15 seconds and can forcibly replace a victim's active Telegram session with the attacker's own
- Users with any of these extensions installed should remove them immediately and log out of all Telegram Web sessions from the Telegram mobile app
What These Extensions Were Actually Doing
The extensions disguised themselves as useful tools — Telegram sidebar clients, slot machine games, YouTube enhancers, translation utilities. Broad enough to catch a wide audience. All sharing the same malicious backend hosted at a single IP address.
Behind the legitimate-looking front, the code was busy. Some extensions were stripping security headers from YouTube and TikTok responses — Content-Security-Policy, X-Frame-Options, and the CORS headers — and injecting gambling overlays and ads into those pages. Others were proxying all translation requests through the attacker's server, capturing everything that passed through them.
The Telegram-targeting functionality is particularly aggressive. Certain extensions were polling Telegram Web sessions every 15 seconds and sending that data to remote servers. One extension — Telegram Multi-account — could overwrite localStorage with attacker-supplied session data and force-load Telegram, effectively hijacking the victim's active session entirely and replacing it with the threat actor's own.
The Google Account Theft Mechanism
The Google OAuth2 theft is surgical. Extensions like Formula Rush Racing Game sat dormant until the user clicked a sign-in button — then captured email address, full name, profile picture URL, and Google account identifier in a single grab. No obvious signs. No prompts. Just silent data exfiltration.
Five of the extensions used Chrome's own declarativeNetRequest API to strip security headers before pages even loaded. Legitimate API. Malicious application.
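A defender-side audit of a declarativeNetRequest ruleset, added here as an example (it is not Socket's code and nothing in it is recovered from the extensions discussed): it flags rules that remove Content-Security-Policy or X-Frame-Options, or set a CORS header to a permissive value, which is the header-stripping technique described above. The rule shape is Chrome's documented static-ruleset JSON; the sample rules and hostnames are constructed.

```python
import json

# Response headers whose removal disables a page's own defences; the campaign
# above stripped these from YouTube and TikTok via declarativeNetRequest.
SECURITY_HEADERS = {"content-security-policy", "x-frame-options",
                    "cross-origin-opener-policy", "cross-origin-resource-policy"}
# CORS headers that weaken the origin boundary when set to a permissive value.
CORS_HEADERS = {"access-control-allow-origin", "access-control-allow-credentials"}


def find_header_stripping_rules(rules):
    """Return (rule_id, header, operation, url_filter) for each rule that removes a
    security header or sets a CORS header to a wildcard/true value."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue  # block/redirect/allow rules do not touch headers
        url_filter = rule.get("condition", {}).get("urlFilter", "<all urls>")
        for mod in action.get("responseHeaders", []):
            header = mod.get("header", "").lower()  # header names are case-insensitive
            op = mod.get("operation")
            if header in SECURITY_HEADERS and op == "remove":
                findings.append((rule["id"], header, op, url_filter))
            elif header in CORS_HEADERS and op == "set" and mod.get("value") in ("*", "true"):
                findings.append((rule["id"], header, op, url_filter))
    return findings


# Constructed sample ruleset in the declarativeNetRequest static-rules format;
# it is NOT recovered from any of the extensions discussed in the article.
SAMPLE_RULES = json.loads("""[
  {"id": 1, "priority": 1,
   "action": {"type": "modifyHeaders", "responseHeaders": [
     {"header": "Content-Security-Policy", "operation": "remove"},
     {"header": "X-Frame-Options", "operation": "remove"},
     {"header": "Access-Control-Allow-Origin", "operation": "set", "value": "*"}]},
   "condition": {"urlFilter": "||youtube.com", "resourceTypes": ["main_frame", "sub_frame"]}},
  {"id": 2, "priority": 1, "action": {"type": "block"},
   "condition": {"urlFilter": "||tracker.example", "resourceTypes": ["script"]}},
  {"id": 3, "priority": 1,
   "action": {"type": "modifyHeaders", "responseHeaders": [
     {"header": "Cache-Control", "operation": "set", "value": "no-store"}]},
   "condition": {"urlFilter": "||example.com"}}
]""")

if __name__ == "__main__":
    for rule_id, header, op, url in find_header_stripping_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: {op} {header} for {url}")
```

To audit an installed extension, feed it each ruleset file listed under `declarative_net_request.rule_resources` in the extension's manifest.json; only rule 1 of the constructed sample is flagged, since rule 3 modifies a non-security header.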
Who's Behind It?
Currently unknown. Source code analysis by Socket revealed Russian-language comments scattered across several add-ons. That's a breadcrumb, not a conclusion.
The five publisher identities — Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt — have collectively accumulated around 20,000 Chrome Web Store installs.
If any of those names appear in your extensions list, remove them immediately. Then open Telegram on mobile and log out of all active Web sessions from the devices section.