Malware in app stores (and the lawyers who try to protect it)
Google slapped a “featured” badge on Chrome browser extensions that hoover up your AI conversations. But don't call them malware!
I’ve talked about how dangerous browser extensions are before — they can be as dangerous as apps you install. But this week, something new happened: Not only were malicious browser extensions discovered on the Chrome Web Store, but these ones had a “featured” badge — Google’s mark of trust.
🚨 But maybe I shouldn’t call them malware! The lawyers might be along to send a legal threat soon. After all, millions of people agreed to this in the fine print, right? More on the absurdity of what we call “malware” in a moment.
The extensions in question were “privacy” extensions like Urban VPN Proxy. They were apparently capturing users’ conversations in AI tools like ChatGPT, Claude, Gemini, Perplexity, and Copilot and uploading them.
Google isn’t the only company distributing sketchy software on a supposedly trustworthy store. Even Valve’s Steam PC game store has dealt with malware in PC games recently. When it’s discovered, it’s removed from the store. But there’s really no way to fully verify apps on an app store are safe. Even Apple’s vaunted App Store has hosted malicious apps.
Maybe it’s better we stop pretending that applications hosted on an app store are always safe.
But is this malware? Here come the lawyers!
I’m sick of dancing around whether badly behaved software is “technically malware” or not!
There’s a term that goes around: “Potentially unwanted programs.” These are basically malware with a legal team. There’s a user agreement someone can point to to defend the behavior of their software. How can this software spying on your private chats be malware? You consented — right there in 4-point font on page 425b!
That’s why people frequently avoid calling things like this malware. Lawyers may be along to send a cease and desist! But, as far as I’m concerned, a browser extension that captures users’ AI conversations and sells them to advertisers without clear disclosure is malware.
If a plumber visited you and installed a device in your bathroom that spied on you and sold your data to advertisers, we’d call that malicious. We wouldn’t let the plumber argue that you technically gave them permission to install a camera and spy on you somewhere in a long contract.
Similarly, browser extensions like this are malware. Full stop.
(Hopefully I won’t be sued for saying this.)
“Featured” malware, really?
“App stores” like the Chrome Web Store — which is an app store for browser extensions, basically — are supposed to be safer than just downloading random apps from the web. That’s the whole pitch. But there’s no guarantee.
To help identify trustworthy Chrome extensions, Google has a “Featured” badge. As Google puts it:
“The Featured badge is assigned to extensions that follow our technical best practices and meet a high standard of user experience and design. Chrome team members manually evaluate each extension before it receives the badge, paying special attention to the following:
Adherence to Chrome Web Store’s best practices guidelines, including… respecting the privacy of end-users.”
Ouch. This means that Google’s human review process either isn’t good enough to spot malware or it doesn’t really exist in the way we’d like to believe it does.
This reminds me of Microsoft’s Store app back in the Windows 8 days. In 2014, I wrote up how it was full of scams. For example, Microsoft was hosting numerous apps like “VLC downloader” that charged you money to link you to a download for a free app. Per Microsoft’s documentation at the time, a human reviewed each and every app that went on Windows 8’s Store. Either Microsoft wasn’t actually having humans review the apps, or its process was so sloppy that the review process was worthless.
Were humans actually reviewing apps before they went on the Windows 8 Store? I never got an answer to that question! We’ll never know.
Either way, Google has gone out of its way to create a badge that promises security, but doesn’t offer it. It would be better if Google shrugged.
For example, Valve’s Steam store has an automated review process to catch malware. Valve doesn’t promise certain games are human reviewed or that they should be more secure. Google does.
Staying safe with Chrome extensions
Most browser extensions need a lot of permissions — they often need full access to the pages you visit and your browser history. This gives them access to everything you do in your browser. Assuming a browser extension asks for this many permissions when you install it from the Chrome Web Store, Edge Add-ons Gallery, or Mozilla Add-ons site, you’re placing an incredible amount of trust in the developer.
Chrome and other Chromium-based browsers — Brave, Edge, Vivaldi, Opera, and the rest of the usual suspects — let you take control over extension permissions. You can head into your web browser’s Extensions page and, under a particular extension, force it to run only on certain websites instead of all websites. That can be an okay way to boost security. But honestly? If you don’t trust an extension, you probably shouldn’t have it installed at all.
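What an extension asks for is declared in its manifest.json. The script below is an added example, not code from Google or from any extension named in this article: it flags all-sites host access and browsing-related API permissions in both Manifest V2 and Manifest V3 layouts. The sample manifests and their names are constructed.

```javascript
// Added example. The manifests below are constructed, not real extensions.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Chrome API permissions that expose what you browse.
const BROWSING_APIS = new Set(["history", "tabs", "webNavigation", "webRequest"]);

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const declared = manifest.permissions || [];
  // Manifest V2 mixes host patterns into "permissions";
  // Manifest V3 moves them to "host_permissions".
  // Content scripts carry their own "matches" list, which also grants page access.
  const hosts = [
    ...declared.filter(isHostPattern),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const unique = [...new Set(hosts)];
  const broadHosts = unique.filter((h) => BROAD_HOSTS.has(h));
  return {
    name: manifest.name,
    allSites: broadHosts.length > 0,
    broadHosts,
    scopedHosts: unique.filter((h) => !BROAD_HOSTS.has(h)),
    browsingApis: declared.filter((p) => BROWSING_APIS.has(p)),
  };
}

const SAMPLE_MANIFESTS = [
  { manifest_version: 3, name: "Sample VPN (constructed)",
    permissions: ["proxy", "storage", "tabs"],
    host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }] },
  { manifest_version: 3, name: "Sample Notes (constructed)",
    permissions: ["storage"],
    host_permissions: ["https://notes.example/*"] },
  { manifest_version: 2, name: "Sample Legacy (constructed)",
    permissions: ["history", "*://*/*"] },
];

for (const m of SAMPLE_MANIFESTS) {
  const r = auditManifest(m);
  console.log(`${r.name}: all sites=${r.allSites}, ` +
    `hosts=[${[...r.broadHosts, ...r.scopedHosts].join(", ")}], ` +
    `browsing APIs=[${r.browsingApis.join(", ")}]`);
}
```

An extension that reports all sites=true is one where the "run only on certain websites" setting described above makes the biggest difference.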
Personally: I use Brave as my main browser, and I have 1Password installed as my password manager. That’s it. If I were using Chrome, I’d install the uBlock Origin Lite adblocker. That’s how paranoid I am about browser extensions.
That’s my advice! But the most important thing is that you should think carefully about each extension you install. Don’t trust something just because it’s “featured” by Google or is popular.
The latest from Thurrott.com
As always, I’m happy to turn my eye to Paul Thurrott’s work and recommend some reading material from Thurrott.com.
Speaking of app stores: ChatGPT is getting an app store! Also, Mozilla has a new CEO.
More importantly, Half-Life 3 may finally arrive soon. And, for Thurrott Premium subscribers, Paul has a great deep-dive into the gaming experience with Arm-based Snapdragon PCs running Windows 11.
🎄 And one last thing: The holidays are upon us! They really snuck up on me this year. I hope you and yours have an awesome holiday season.



The "potentially unwanted programs" euphemism is corporate speak for admitting the behavior is malicious but hiding behind legalese. What's worse is the Featured badge issue because it shows Google's review process is either nonexistent or so bureaucratic it's useless. I remember the Windows 8 Store scams you wrote about back then, and it's depressing how little has changed in the fundamental problem. Platforms want the control that comes with gatekeeping but don't want the liability that comes with actually vetting what goes through. The permission system for extensions is theoretically good but realistically most people just click through because they want the functionality and don't understand the risk surface area they're accepting.
Very interesting article.