A new investigation by security researcher Wladimir Palant reveals that malicious VPN extensions on the Chrome Web Store are using obfuscation techniques to bypass Google's restrictions on remotely hosted code. These extensions secretly collect browsing data, manipulate user traffic, and employ anti-debugging measures to evade detection.
Intrusive VPN extensions
Palant found that 32 VPN extensions rely on obfuscated JavaScript code to mask their true behavior. While they appear to function as legitimate VPN services, these extensions download configurations from external servers, a method commonly used for data harvesting and potential traffic manipulation.
One of the key mechanisms employed by these extensions is anti-debugging protection—a feature designed to detect if the extension is being examined by security researchers. If an attempt is made to analyze its behavior, the extension wipes its storage and halts further activity. This technique allows malicious code to remain undetected during Google's review process.
The extensions also request broad permissions, such as:
- “tabs” – granting access to track user activity across different sites.
- “proxy” – allowing manipulation of network traffic.
- “storage” – enabling the extension to save and retrieve user data.
Palant found that the extensions maintain an event queue that logs browsing history. Once at least ten events are recorded, this data is sent to an external server controlled by the extension's operators. Additionally, certain extensions in this group appear to modify page navigation, potentially redirecting users to ad networks or affiliate links for monetization through fraudulent means.
VPN extensions identified
Among the 32 extensions in question, Sweet VPN is the most prominent, with over 100,000 active users. Other high-profile extensions include:
- Sweet VPN – 100,000 weekly active users
- VPN Surf – Fast VPN by unblock (800,000 weekly users)
- VPN Ultimate – Best VPN by unblock (400,000 weekly users)
- Free privacy connection – VPN guru (500,000 weekly users)
- VK UnBlock. Works fast. (40,000 weekly users)
These extensions, along with others, use domains such as sweet-vpn[.]com, proxy-config[.]com, and browserdatahub[.]com to retrieve instructions from their servers, raising concerns about user tracking and data exfiltration.
A pattern of abuse in the Chrome Web Store
This latest discovery follows another report from January 10, 2025, where Palant uncovered how Chrome extensions manipulate search rankings to push dubious extensions to the top of search results. That investigation exposed developers exploiting multilingual descriptions to spam keywords and bury legitimate extensions under misleading search results.
The presence of both search manipulation and malicious VPNs suggests a deeper issue with Google's enforcement of Chrome Web Store policies.
If you're using any of the identified VPN extensions, it's best to uninstall them immediately and stick to well-known, paid VPN providers that undergo independent security audits. If an extension requests access to all sites or proxy settings, be cautious.
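The permission audit that the advice above implies can be automated. The following Python script is an added example, not code from Palant's report: it parses extension manifests (both Manifest V2, where host patterns sit inside `permissions`, and V3, where they sit in `host_permissions`), flags the broad permissions named in the article, and applies the rule of thumb that proxy or all-site access warrants caution. The `audit_profile` helper and the Chrome profile path it expects are assumptions; the two sample manifests are constructed.

```python
import json
from pathlib import Path
from typing import Dict, List

# Permissions the report singles out, with why each is a concern.
RISKY_PERMISSIONS = {
    "tabs": "can observe navigation in every open tab",
    "proxy": "can route all browser traffic through operator-chosen servers",
    "storage": "can persist harvested data locally (and wipe it when probed)",
}
# Host patterns that amount to "access to all sites".
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(value: str) -> bool:
    """Manifest V2 lists host patterns inside `permissions`; separate them from API names."""
    return value == "<all_urls>" or "://" in value


def audit_manifest(manifest_json: str) -> Dict:
    """Classify one manifest (MV2 or MV3) using the article's rule of thumb."""
    m = json.loads(manifest_json)
    declared = list(m.get("permissions", [])) + list(m.get("optional_permissions", []))
    api_perms = [p for p in declared if not is_host_pattern(p)]
    hosts = [p for p in declared if is_host_pattern(p)] + list(m.get("host_permissions", []))
    broad = [p for p in api_perms if p in RISKY_PERMISSIONS]
    all_sites = any(h in ALL_SITES for h in hosts)
    return {
        "name": m.get("name", "<unnamed>"),
        "broad_permissions": broad,
        "all_sites": all_sites,
        "caution": "proxy" in api_perms or all_sites,  # proxy or all-site access
        "reasons": [RISKY_PERMISSIONS[p] for p in broad],
    }


def audit_profile(extensions_dir: str) -> List[Dict]:
    """Walk a Chrome profile's Extensions folder (assumed path, OS-specific)."""
    return [audit_manifest(p.read_text(encoding="utf-8"))
            for p in Path(extensions_dir).rglob("manifest.json")]


# Constructed sample manifests: one shaped like the VPN extensions described, one benign.
SAMPLE_VPN = json.dumps({"manifest_version": 3, "name": "Example VPN (constructed)",
                         "permissions": ["tabs", "proxy", "storage"],
                         "host_permissions": ["<all_urls>"]})
SAMPLE_BENIGN = json.dumps({"manifest_version": 2, "name": "Example Notes (constructed)",
                            "permissions": ["storage", "https://example.com/*"]})

if __name__ == "__main__":
    for sample in (SAMPLE_VPN, SAMPLE_BENIGN):
        print(audit_manifest(sample))
```

Note that `storage` alone is common in benign extensions; the signal in the report is the combination of proxy control, tab visibility and all-site access, which is what the `caution` flag captures.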