Fake AI Extensions for Chrome Endanger 260,000 Users
IT researchers have traced numerous Chrome extensions back to a campaign that jeopardizes the information of 260,000 users.
Numerous Chrome extensions, installed by over 260,000 users, are part of a campaign that targets victims' data. The operators behind it also circumvent the security measures of the Chrome Web Store.
IT security researchers from LayerX have analyzed the extension campaign, dubbed "AiFrame," and published their findings in a recent blog post. The perpetrators offer supposed AI assistants for summarizing, chatting, writing, or as a Gmail assistant, packaged as extensions for the Chrome web browser. The extensions appear legitimate on the surface but rest on a dangerous architecture: much of their functionality is not implemented locally in the extension code; instead, the extensions embed server-side interfaces loaded from the internet and act as privileged proxies that grant the operators' infrastructure access to sensitive browser capabilities.
30 Extensions with 260,000 Installations
The analysts discovered over 30 different Chrome extensions published under varying IDs and names but sharing the same underlying codebase, permissions, and backend infrastructure. Collectively, they have been installed more than 260,000 times – some were temporarily marked as featured in the Chrome Web Store, which increased their perceived legitimacy. Well-known names like Claude, ChatGPT, Gemini, and Grok serve as bait, but the malicious extensions are also advertised and distributed as generic "AI Gmail" tools.
The analysis delves deeper into the extensions. Despite their different names and IDs, they share the same internal structure, JavaScript logic, permissions, and backend infrastructure, which points to a coordinated operation rather than a set of independent tools. The IT researchers call this "Extension Spraying": attackers neutralize the effect of takedowns and reputation-based defenses simply by submitting more copies of the extension to the store under new names.
Critically, a significant portion of the extensions' functionality is delivered by components hosted online. Their runtime behavior is therefore determined by server-side changes, not by the code examined in the Chrome Web Store at the time of publication, which lets the operators sidestep some of Google's review mechanisms. The core component is embedded as an iframe loaded from the server and displayed at full-screen size; it overlays the current webpage and visually serves as the extension's user interface.
Espionage Functions
At the behest of the server-side iframe, the extension analyzes the active browser tab, extracts its content, and sends it to the server. This can include sensitive information from pages where victims are currently logged in. The iframe can also instruct the extension to start voice recognition via the Web Speech API, after which the extension sends a transcript to the remote page, making an easily analyzable record of spoken communication possible; in some cases, however, browser permission prompts limit the potential for misuse, the IT researchers explain.
The command-and-control server is located on the main domain tapnetic[.]pro, with individual extensions calling different subdomains of it. The site appears legitimate at first glance, but it offers no functions, downloads, or user interactions. There is also no clearly named product or service, suggesting it is a deceptive front. The campaign has been ongoing for a considerable time: about a year ago, the analysts investigated an extension from this campaign, which was removed from the Chrome Web Store on February 6, 2025. Two weeks later, it was re-submitted and published under a new extension ID.
At the end of the analysis, the IT researchers provide a list of Indicators of Compromise (IOCs). They name IDs, names, and the number of active installations of the malicious "AiFrame" extensions discovered so far.
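The two patterns described above, identical code republished under new IDs and names ("Extension Spraying") and a remote iframe pointing at subdomains of the C2 domain, can both be checked for on an endpoint's unpacked extensions. The following is an added example written for this article, not LayerX's tooling or any code from the report. It assumes each extension is available as its manifest plus its JavaScript sources (the sample extensions, their IDs, names and scripts are constructed; only the defanged domain tapnetic[.]pro comes from the report), clusters extensions whose code and permission set match after URLs are normalised away, and flags any extension that references a known-bad domain or one of its subdomains.

```python
"""Triage unpacked Chrome extensions for extension spraying and remote-iframe IoCs.

Added example for this article, not LayerX's tooling. Sample extensions below
are constructed; only the defanged C2 domain comes from the report.
"""
import hashlib
import json
import re

# Defanged IoC from the report; refanged only for matching.
IOC_DOMAINS = {"tapnetic[.]pro"}

URL_RE = re.compile(r"https?://([a-z0-9.-]+)")


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


def code_fingerprint(js_sources, permissions) -> str:
    """Hash the JS with URLs and whitespace normalised away, together with the
    sorted permission set. Copies that differ only in name, ID or the C2
    subdomain they call end up with the same fingerprint."""
    h = hashlib.sha256()
    for src in sorted(js_sources):
        normalised = URL_RE.sub("URL", src)
        h.update(re.sub(r"\s+", "", normalised).encode())
    h.update(json.dumps(sorted(permissions)).encode())
    return h.hexdigest()[:16]


def remote_hosts(js_sources, manifest) -> set:
    """Hostnames referenced in the code or in host_permissions."""
    hosts = set()
    for src in js_sources:
        hosts.update(URL_RE.findall(src))
    for pattern in manifest.get("host_permissions", []):
        m = re.match(r"https?://(?:\*\.)?([a-z0-9.-]+)/", pattern)
        if m:
            hosts.add(m.group(1))
    return hosts


def matches_ioc(host: str) -> bool:
    bad = {refang(d) for d in IOC_DOMAINS}
    return any(host == d or host.endswith("." + d) for d in bad)


def triage(extensions):
    """extensions: list of {id, manifest, js} dicts (unpacked-extension view).
    Returns (clusters, ioc_hits): clusters maps fingerprint -> IDs sharing it
    (only groups of two or more); ioc_hits maps ID -> matching hosts."""
    groups, ioc_hits = {}, {}
    for ext in extensions:
        fp = code_fingerprint(ext["js"], ext["manifest"].get("permissions", []))
        groups.setdefault(fp, []).append(ext["id"])
        hits = sorted(h for h in remote_hosts(ext["js"], ext["manifest"]) if matches_ioc(h))
        if hits:
            ioc_hits[ext["id"]] = hits
    clusters = {fp: ids for fp, ids in groups.items() if len(ids) > 1}
    return clusters, ioc_hits


# Constructed sample (IDs are placeholders, not real Chrome extension IDs):
# three "AI assistant" extensions with different names and IDs, each loading
# a full-screen iframe from a different C2 subdomain, plus one unrelated one.
def _sprayed(name, sub):
    js = ('const f=document.createElement("iframe");\n'
          f'f.src="https://{sub}.tapnetic.pro/app";\n'
          'f.style.cssText="position:fixed;inset:0;width:100%;height:100%";\n'
          'document.body.appendChild(f);')
    manifest = {"name": name, "permissions": ["tabs", "activeTab", "scripting"],
                "host_permissions": ["<all_urls>"]}
    return {"manifest": manifest, "js": [js]}


SAMPLE = [
    {"id": "constructed-id-1", **_sprayed("AI Summarizer", "summarize")},
    {"id": "constructed-id-2", **_sprayed("AI Chat Helper", "chat")},
    {"id": "constructed-id-3", **_sprayed("AI Gmail Assistant", "gmail")},
    {"id": "constructed-id-4",
     "manifest": {"name": "Dark Theme", "permissions": ["storage"]},
     "js": ['chrome.storage.local.get("theme",t=>document.body.className=t.theme);']},
]

if __name__ == "__main__":
    clusters, hits = triage(SAMPLE)
    for fp, ids in clusters.items():
        print(f"shared codebase {fp}: {ids}")
    for ext_id, hosts in hits.items():
        print(f"IoC hit in {ext_id}: {hosts}")
```

On a real endpoint the same functions would be fed from the unpacked extension directories under the browser profile; the cluster report is the useful part, since a new ID with an already-seen fingerprint is exactly the re-submission pattern the report describes.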
Browser extensions are a popular entry point for cybercriminals and have repeatedly drawn negative attention across web browsers. Early last year, for example, perpetrators gained access to the developer accounts of various Chrome extensions and replaced their code with malicious versions.
(dmk)