Seven-Year Chrome and Edge Spyware Campaign Exposed

Malicious Chrome and Edge extensions uploaded since 2018 secretly tracked users for seven years. Koi Security found over 4.3M installs collecting URLs, search history and mouse activity. Learn removal and protection steps.

Emma Collins Emma Collins . Comments
Seven-Year Chrome and Edge Spyware Campaign Exposed

3 Minutes

For seven years, seemingly helpful browser add-ons quietly tracked millions of users across Chrome and Edge. Security researchers say a developer turned trusted extensions into data-harvesting tools, collecting browsing histories, clicked links, and more.

How useful tools became spying tools

According to a new Koi Security report, a user known as ShadyPanda uploaded several benign-looking extensions starting in 2018. At first they behaved like normal utility plugins, some even receiving special verification that reassured users. But as installs grew, later updates introduced malicious code that turned these tools into spyware.

The affected extensions posed as browser-management utilities and together reached more than 4.3 million installs across Chrome and Edge. Notable examples include Clean Master, which alone logged over 200,000 installs, and WeTab, which contributed to millions of installations between the two stores.

What data was being taken

Researchers found the extensions continuously collected a wide range of signals: URLs visited, search history, and granular interaction data such as mouse clicks and how users moved through pages, inferred from HTTP referrer information. The harvested data was repeatedly sent to unknown remote servers, enabling ongoing tracking without users realizing.

What you should do now

Both Google and Microsoft confirmed the malicious extensions have been removed from their web stores, but removal from the store does not uninstall extensions from users devices. That means you should take action yourself. Start by auditing installed extensions and removing anything unfamiliar or outdated. Keep your browser updated; recent versions include protections that detect and disable malicious extensions.

After uninstalling suspect add-ons, clear any synced browser data to prevent continued tracking, and consider signing out and back in if you use account sync. If you notice suspicious behavior after removal, scan your system with reputable security software and change passwords for critical accounts as a precaution.

This incident is a reminder that even trusted-seeming extensions can become threats over time. Regularly review permissions, limit installs to well-known developers, and stay on top of browser updates to reduce exposure.

“I cover emerging technologies, digital innovation, and the intersection of tech and everyday life. My goal is to make complex trends accessible and inspiring.”

Leave a Comment

Comments

Related Posts