Retroactive removals are finally on the way for malicious Chrome browser extensions. Beginning with Chrome 117, Chrome will “proactively highlight to users when an extension they have installed is no longer in the Chrome web store”.
Previously, if you installed an extension which was subsequently unpublished by the developer or removed by Google, the extension you installed would remain in place, even if it was malicious. If, for example, the extension was some sort of data stealer, it would simply continue to steal your data (assuming the infrastructure it sent the data to had not been shut down).
Now, when an extension is pulled from the web store in one of the following three situations, Chrome users will be notified:
The extension has been unpublished by the developer.
The extension has been taken down for violating Chrome Web Store policy.
The item was marked as malware.
If we’re talking about an “under review” situation, no notification will take place. For example, if a developer is notified that they may have potentially violated one of Google’s policies and has been given time to address or appeal the issue, then a notification will not be triggered.
Violations themselves can result in a wide range of possible outcomes, from immediate suspensions and permanent disabling of extensions to warnings and re-enablement if a violation is addressed to Google’s satisfaction. If the violation involves malware, there’s a good chance there is no way back into Google’s good books. From the violations information page:
The Chrome Web Store Review team has special procedures for egregious policy violations. In cases such as malware distribution, deceptive behavior designed to evade review, repeated severe violations indicative of malicious intent, and other egregious policy violations, more drastic measures are necessary.
To limit the potential for these developers to further harm users, the Chrome Web Store team intentionally does not provide details regarding these violations. Additionally, in more severe cases the developer’s Chrome Web Store account will be permanently suspended.
In the Privacy and Security settings of Chrome, users will find a “Review” option under the Safety Check setting. It will read as follows:
Review [x amount of] extensions that were taken down from the Chrome web store
Clicking the Review button will take users to their extensions page where they will be given the option to remove all listed extensions. They can also choose to hide the warning and keep the extension if they really want to.
Malware is the exception here though. Extensions flagged as malware are automatically disabled, as they have been in previous versions of Chrome. For everything else, Chrome will state the following:
Review these extensions that were taken down from the Chrome web store. These extensions might be unsafe. Chrome recommends that you remove them.
Users can select each flagged extension individually, or just hit a “Remove all” button and wipe the lot in one go. If you don’t want to wait for the new feature to roll out in Chrome 117, Bleeping Computer notes that you can give it a try right now by switching on Chrome 116’s experimental “Extensions Module in Safety Check” feature.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
