A popular “Featured” extension called FreeVPN.One was exposed as Chrome extension spyware, secretly taking screenshots of users’ browsing activity and sending the data to its developer’s servers after amassing over 100,000 installs.
Surveillance Disguised as Security
The extension captured images of every website a user visited, including sensitive information such as bank logins, private photos, and confidential documents. This surveillance activity was deceptively named “AI Threat Detection” within the extension’s code.
To operate, the FreeVPN.One spyware utilized broad scripting permissions and access to all URLs.
Developer Claims Contradicted by Evidence
The developer claimed the function was for “background scanning” of suspicious domains and that the images were not stored, but they offered no proof to support this. Security researchers from Koi Security observed the chrome extension taking screenshots of trusted sites, including Google Photos and Google Sheets, directly contradicting the developer’s explanation.
The developer stopped responding to inquiries when asked for proof of legitimacy, such as a company profile.
Concerns over Chrome Web Store Review Process
Following the discovery, Google removed the extension, and its store page now displays the message, “This item is not available.” The incident raises serious questions about the Chrome web store review process, as the spyware operated for months while carrying a verified “Featured” badge, undermining browser extension security.
How to Protect Your Data
Users who installed FreeVPN.One are strongly advised to remove it immediately. It is also recommended to run a trusted antivirus tool to scan for any hidden malware.
Since anything typed or viewed could have been logged, users should change passwords, particularly for sensitive accounts, and consider using a password manager.
