Finding dangerous browser extensions from fake reviews

Fake positive reviews have flooded every corner of today’s digital world, misleading consumers into giving an undeserved advantage to scammers and mediocre products. Fortunately, finding and tracking the accounts that generate such fake reviews is often the easiest way to detect fraud. In this article, we will share how false reviews of a fake Microsoft Authenticator browser extension allowed us to identify dozens of other extensions pulling personal and financial data from users.

Comments under the fake Microsoft Authenticator browser extension: the reviews for these apps are either positive or highly negative, which in itself makes it clear that the extension is fraudulent.

After hearing from one of our readers about the fake Microsoft Authenticator extension that had appeared in the Google Chrome Store, we started to investigate the account that created it. Before the extension was removed, it had five reviews under it: three Google users gave it one star, warning people not to use it, but two commenters gave it three and four stars.

“Great extension!” writes the Google account Theresa Duncan with delight. “There were almost no problems with it.”

“Very convenient and pleasant,” is the puzzling assessment of the extension from Anna Jones.

The Google Chrome Store reported that the email address associated with the account that published the fake Microsoft extension had also released another extension called iArtbook Digital Painting. Before it was removed from the Chrome Store, the iArtbook extension had 22 users and three reviews. As with the fake Microsoft extension, all three reviews were positive, and all were created by accounts with a first and last name, like Megan Vance, Olivia Knox, and Alison Graham.

It’s not easy to search the Google Chrome Store by reviewer. To do this, I used a service by developer Hao Nguyen. The service indexes an array of attributes associated with Google extensions, allowing them to be searched.

While studying the Google accounts that left positive reviews of the already blocked Microsoft Authenticator and iArtbook extensions, we noticed that each of them had left reviews for several more extensions, which were also removed.

Feedback for the iArtbook extension came from apparently fake Google accounts, each of which provided feedback on two other extensions, one published by the same developer. The same pattern is observed for 45 more blocked extensions.

Like an ever-expanding Venn diagram, the reviews of extensions left by each new fake account led to the discovery of more fake accounts and extensions. In approximately 24 hours of research using, more than a hundred positive reviews of clearly fraudulent extensions were found.

These reviews, in turn, made it fairly simple to identify:

  • 39 commenters who were happy with extensions that imitated big brands or requested financial data
  • 45 malicious extensions with a total of almost 100 thousand downloads
  • 25 developer accounts associated with multiple banned apps.

The extensions imitated many consumer brands, including Adobe, Amazon, Facebook, HBO, Microsoft, Roku and Verizon. After examining each of these extensions, we in turn found that many of their developers were associated with multiple apps promoted through the same fake Google accounts.

Some of the fake extensions had only a dozen downloads, but most had hundreds or thousands. The fake Microsoft Teams extension received 16,200 downloads in about two months in the Google store. A fake version of CapCut, a professional video editing package, received about 24,000 downloads over almost the same period.

More than 16 thousand people have downloaded the fake Microsoft Teams browser extension in the two months it was in the Google Chrome store.

Unlike malicious browser extensions that can turn your PC into a botnet or collect cookies, none of the extensions examined ask users for special permissions. Once installed, however, they invariably ask users for personal and financial information, pretending to be associated with major brands.

In some cases, fake accounts and fake extension developers in this scheme have the same name, for example, in the case of brook ice, a Google account that praised the malicious Adobe and Microsoft Teams extensions. E-mail address was used to register an account for the developer who created two more fake extensions studied in our review (PhotoMath and Dollify).

Some of the data that served as the basis for our report. A link to the full table is provided at the end of the article.

As we can see from the above snippet of the spreadsheet, many Google accounts that left feedback on apparently fake extensions left comments on multiple apps over the course of one day.

In addition, Google Account recovery tools show that many developer email addresses associated with the extensions described in this article share the same recovery email address. This makes it clear that the entire scheme is controlled by a limited number of anonymous users. If you sort the data from the above spreadsheet by the email address of the extension developer, the grouping of reviews by date becomes even more obvious.
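The pivot described in this article, from one known-fake extension to the accounts that praised it and on to the other extensions and developers those accounts touch, can be sketched as follows, together with the same-day grouping of reviews. This is an added example, not code from the original research; the rows, account names, e-mail addresses and the `min_shared` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample rows: (reviewer, extension, developer e-mail, stars, date).
REVIEWS = [
    ("reviewer_a", "fake-authenticator", "dev1@example.test", 4, "2021-05-01"),
    ("reviewer_b", "fake-authenticator", "dev1@example.test", 3, "2021-05-01"),
    ("user_1",     "fake-authenticator", "dev1@example.test", 1, "2021-05-03"),
    ("reviewer_a", "paint-clone",        "dev1@example.test", 5, "2021-05-01"),
    ("reviewer_b", "paint-clone",        "dev1@example.test", 5, "2021-05-02"),
    ("reviewer_c", "paint-clone",        "dev1@example.test", 5, "2021-05-02"),
    ("reviewer_b", "video-clone",        "dev2@example.test", 5, "2021-05-02"),
    ("reviewer_c", "video-clone",        "dev2@example.test", 4, "2021-05-02"),
    ("reviewer_a", "notes-app",          "dev3@example.test", 5, "2021-05-04"),
    ("user_1",     "notes-app",          "dev3@example.test", 4, "2021-04-12"),
]

def expand(reviews, seed, min_shared=2, positive=3):
    """Pivot from one confirmed-fake extension to others praised by the same accounts."""
    praised_by = defaultdict(set)            # extension -> accounts rating it >= positive
    for reviewer, ext, _dev, stars, _day in reviews:
        if stars >= positive:
            praised_by[ext].add(reviewer)
    flagged, suspects = {seed}, set(praised_by[seed])
    changed = True
    while changed:                           # repeat until no new extension is pulled in
        changed = False
        for ext, fans in praised_by.items():
            # Require several already-suspect fans so one stray review is not enough.
            if ext not in flagged and len(fans & suspects) >= min_shared:
                flagged.add(ext)
                suspects |= fans
                changed = True
    return flagged, suspects

def same_day_bursts(reviews, suspects, min_reviews=2):
    """Suspect accounts that reviewed several extensions on one day."""
    per_day = defaultdict(set)
    for reviewer, ext, _dev, _stars, day in reviews:
        if reviewer in suspects:
            per_day[(reviewer, day)].add(ext)
    return {k: sorted(v) for k, v in per_day.items() if len(v) >= min_reviews}

def developers_of(reviews, flagged):
    """Group flagged extensions by the developer e-mail that published them."""
    by_dev = defaultdict(set)
    for _reviewer, ext, dev, _stars, _day in reviews:
        if ext in flagged:
            by_dev[dev].add(ext)
    return {dev: sorted(exts) for dev, exts in by_dev.items()}
```

Extensions pulled in this way are leads for manual examination, as was done for each extension in this article, not a verdict: with `min_shared=1` the sample data would also pull in `notes-app`, which only one suspect account praised.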

We shared our findings with Google and will update the article if the company responds to us. Be that as it may, Google has already identified all of these extensions as fraudulent and removed them from the store.

However, we will probably write a post about how long it takes to find and remove bad extensions. In general, most of these extensions were available in the store for two to three months.

I have done this research mainly out of interest. It seemed to me that it would be interesting to share with others. In addition, I was fascinated by the idea that all you need to do to find fake apps is to detect and track fake commentators. I’m sure the network of rogue extensions is wider than the one described in this article.

As we can see from this story, it pays to exercise some common sense when installing extensions. Even aside from the apparently rogue extensions, many useful extensions are abandoned by their developers or sold to questionable marketers, so it makes sense to trust only actively supported extensions (those that have a critical mass of users who can make noise when something undesirable happens to the program).

According to, most of the extensions (over 100,000) are, in fact, abandoned by their authors or have not been updated for over two years. In other words, there are many developers who are willing to sell their creation along with their user base.

Information from this report can be found in this Google spreadsheet.

