Beware of fake TikTok extensions on Chrome and Edge that spy on users

Last update: 21 April 2026
  • At least 12 fake TikTok extensions for Chrome and Edge have compromised more than 130,000 users.
  • They pose as TikTok video downloaders, but activate spying features after months of use.
  • They use Manifest V3 and remote configuration to change their behavior without the user noticing.
  • Spain and Europe are affected, and it is recommended to review extensions, delete suspicious ones, and strengthen security.


TikTok's enormous popularity has become a magnet for cybercriminals, who are taking advantage of the platform's appeal to push fake extensions onto users of browsers like Google Chrome and Microsoft Edge. Under the guise of simple video downloaders, these add-ons have managed to infiltrate official stores and reach more than 130,000 users worldwide, including thousands in Europe and Spain.

Far from being an isolated anecdote, researchers speak of a well-organized, large-scale campaign in which attackers reuse the same code to create multiple, nearly identical variants. The strategy is clear: gain the user's trust with legitimate functionality, accumulate positive reviews, and then, after a while, silently activate a highly accurate spying system.

How detected fake TikTok extensions work


The alert was issued by LayerX Security, a cybersecurity firm that has documented at least 12 malicious extensions related to TikTok published in the official Chrome and Edge stores. They all share the same codebase, with slight variations in name, icon, or description, but the internal behavior is virtually identical.

These add-ons are presented as tools for downloading TikTok videos, often without a watermark. Names like “TikTok Downloader – Save Videos, No Watermark”, “Mass TikTok Video Downloader” or “TikTok Video Downloader – Bulk Save” are very attractive to anyone who uses the web version of TikTok and wants to save content quickly.

At first, the extension does exactly what it promises: it allows you to download videos from TikTok in a seemingly normal way. This legitimate functionality serves as a perfect facade to avoid suspicion and, incidentally, to obtain positive reviews and a solid user base.

However, the true objective is hidden behind that first layer. All these extensions have been developed on top of Manifest V3 (MV3), the current extension architecture for Chrome and its derivatives. Through it, they can connect to external servers controlled by the attackers, from which they receive configuration files and real-time instructions.

A spying system that is activated months later

One of the key aspects of this campaign is that the extensions don't start acting strangely from day one. According to LayerX Security's analysis, these tools operate for between six and twelve months with completely legitimate behavior. During that period, the user sees that the extension downloads videos without problems, builds confidence, and forgets that they installed it.

Once the extensions have accumulated a good number of installations, comments, and positive ratings, the attackers remotely activate the malicious payload. There are no notifications, no new windows, no requests for additional permissions: the change in behavior occurs in the background and, to the user, everything appears to remain the same.

From that moment on, the add-on begins to modify its settings and enable hidden features. Among other things, it can redirect traffic to malicious endpoints, expand the domains it monitors, or activate advanced tracking mechanisms without user intervention.

This “two-phase” model (first gaining trust, then attacking) represents a qualitative leap compared to more basic campaigns, where malicious behavior was immediate and therefore easier to detect and block. Here, patience and reputation building are paramount. This greatly complicates the work of both users and the extension stores themselves.

Data they collect and why they are so dangerous

Once activated, the extensions begin collecting a large amount of browser data. They don't just record visited pages; they also generate highly detailed fingerprints of each user. The goal is to be able to uniquely identify the person, even if they change sessions or connect at different times.

Information collected includes browser usage patterns, browsing frequency, type of content consumed, time zone, system settings and other technical parameters. The use of unusual indicators, such as the device's battery level, is particularly noteworthy, as they help to further refine the generated profile.

All this data is sent to command and control servers hosted on carefully disguised domains. Attackers use typosquatting techniques, meaning they use addresses almost identical to those of legitimate websites, with slight variations that are difficult to detect at first glance. This allows them to avoid being quickly blocked by automated security systems.

The result is a digital surveillance system that is very precise and difficult to trace, capable of tracking user activity over time and potentially cross-referencing that information with other data stolen in different campaigns. Although no specific group has been identified yet, the infrastructure and coordination point to a well-organized actor.

Specific extensions involved in the campaign

The researchers have published a detailed list of extensions related to this campaign, along with their internal identifiers (IDs) in Chrome and Edge. Among those detected are:

  • TikTok Downloader – Save Videos, No Watermark (several variants with different IDs).
  • TikTok Video Downloader – Bulk Save.
  • TikTok Downloader (generic version).
  • TikTok Video Downloader – Save Without Watermark (two different variants).
  • Mass TikTok Video Downloader (multiple editions).
  • TikTok Video Keeper.
  • Video Downloader for TikTok.

In total, these extensions add up to more than 130,000 installations globally, and it is estimated that at the time of the last analysis around 12,500 were still active. Some of them were even marked as “Featured” in the official stores, a designation that normally serves to highlight quality tools and which, in this case, further increased the feeling of confidence among users.

Although a breakdown by country has not been published, it is reasonable to assume that users in Spain and the rest of Europe have also been affected, given the massive use of TikTok and Chromium-based browsers in the region. Anyone who has recently installed an extension to download TikTok videos from Chrome or Edge should carefully review their list of add-ons.

How to tell if you have these fake extensions installed

The tricky part about these kinds of campaigns is that many victims don't notice anything strange in their day-to-day use. The browser works normally, TikTok loads fine, and videos download as usual. To find out if you're affected, you need to go directly to your browser's extension settings.

In Google Chrome, you can access it by typing chrome://extensions in the address bar. In Microsoft Edge, the equivalent path is edge://extensions. From there you will see a complete list of installed add-ons, both active and deactivated.

The next step is to search by name for any reference to TikTok, “Downloader”, “Video Downloader”, “Mass Downloader” or similar variants. If you find any extension that fits the described family (by title, icon, or function), it's best not to give it the benefit of the doubt.

If your browser displays the internal ID of each extension, you can compare it with the identifiers published by LayerX Security. Even so, there's no need to overcomplicate things: if you don't remember consciously installing the extension, or you're unsure of its origin, the most prudent thing to do is to uninstall it.

What to do if you've used a fake TikTok extension

If you discover that you had any of these extensions installed, even if you no longer use them, it is important to act quickly to minimize risks. The steps recommended by security experts are relatively simple, but it's best to do them calmly.

The first is to remove the extension from the browser's add-ons management panel. Temporarily disabling it is not enough; it must be completely uninstalled to cut off all communication with the attackers' servers.

Then, it is advisable to change the passwords for your most sensitive accounts, especially those you accessed from that browser while the extension was active: email, social media, online banking, online shopping accounts, etc. This is a good time to also activate two-step verification (2FA).

It is highly recommended to review recent activity on your profiles and main services, in case there are any strange movements: logins from unknown locations, messages sent without your consent, unexpected purchases, or changes in security settings.

Finally, it's a good idea to run a full scan with an updated antivirus or security suite, in case the extension downloaded additional components or opened the door to other threats while it was installed.

Why official stores haven't stopped this campaign

The fact that extensions of this type have been published—and even featured—in the Chrome and Edge stores raises questions about the effectiveness of review and validation systems from Google and Microsoft. However, the campaign's structure itself explains part of the problem.

To begin with, the attackers don't create each extension from scratch. Instead, they reuse the same codebase over and over, changing only minor details like the name or description text. If a version is detected and taken down, they immediately upload a virtually identical variant, even keeping the same promotional images.

This is in addition to the delayed activation approach: during the first few months, the add-on performs flawlessly, passing all automated tests and initial audits. Only when it has accumulated a sufficient critical mass of users are the remotely controlled spying functions activated.

Furthermore, the Manifest V3 architecture, theoretically designed to strengthen security and limit the scope of extensions, also introduces communication mechanisms with external servers that, in malicious hands, allow changing the behavior without needing to publish new versions visible to the user.

All of this paints a picture in which, even with controls in place, well-planned campaigns can go under the radar for several months. Hence the insistence that the user adopt a more critical stance and not blindly trust that, just because it is in the official store, an extension is safe.

Tips for safer browsing if you use TikTok in your browser

Beyond this specific case, specialists emphasize that every extension installed in the browser increases the attack surface. The more add-ons you have, the more potential entry points there are for a malicious campaign. Reducing the number of add-ons is actually a very effective security measure.

The first recommendation is to install only the extensions you really need, avoiding those "one-size-fits-all" downloaders that promise to do everything, and thus help protect yourself from adware.

It is also advisable to review in detail the permissions requested by each add-on. Before accepting the installation, check whether an extension intended to download videos requests full access to all websites or your browsing data. This is a clear sign that something is wrong.
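
As an added example (not from the article or from LayerX), the manual checks described above, searching installed extensions by name, comparing IDs and reviewing requested permissions, can be scripted. It assumes the usual on-disk layout `Extensions/<id>/<version>/manifest.json` inside a Chrome or Edge profile; `WATCHLIST_IDS` is an empty placeholder and the sample IDs and names in `demo()` are constructed.

```python
import json, re, tempfile
from pathlib import Path
NAME_RE = re.compile(r"tiktok|downloader", re.I)  # keywords named in the article
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WATCHLIST_IDS = set()  # placeholder: add the IDs published by the researchers

def _load(path):
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}  # unreadable or invalid JSON
    return data if isinstance(data, dict) else {}

def display_name(manifest, data):
    """Resolve a localized "__MSG_key__" name via _locales/<default_locale>."""
    name = str(data.get("name", ""))
    m = re.fullmatch(r"__MSG_(.+)__", name)
    if m:
        loc = manifest.parent / "_locales" / str(data.get("default_locale", "en"))
        for key, val in _load(loc / "messages.json").items():
            if key.lower() == m.group(1).lower() and isinstance(val, dict):
                return str(val.get("message", name))
    return name

def audit_extensions(ext_root):
    """Map extension ID -> reasons, scanning <id>/<version>/manifest.json."""
    findings = {}
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        data, ext_id = _load(manifest), manifest.parts[-3]
        # MV3 lists hosts in host_permissions; MV2 mixed them into permissions.
        hosts = {str(h) for k in ("host_permissions", "permissions") for h in data.get(k) or []}
        checks = [(ext_id in WATCHLIST_IDS, "id on watchlist"),
                  (NAME_RE.search(display_name(manifest, data)), "name matches keyword"),
                  (hosts & BROAD_HOSTS, "access to all sites")]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            findings[ext_id] = reasons
    return findings

def demo():
    msgs = {"title": {"message": "TikTok Video Downloader"}}  # constructed sample data
    samples = {"a" * 32: {"name": "__MSG_title__", "default_locale": "en", "host_permissions": ["<all_urls>"]},
               "b" * 32: {"name": "Dark Theme", "permissions": ["storage"]}}
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples.items():
            loc = Path(tmp, ext_id, "1.0_0", "_locales", "en")
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text(json.dumps(msgs))
            (loc.parents[1] / "manifest.json").write_text(json.dumps(manifest))
        return audit_extensions(tmp)
```

To check a real installation, call `audit_extensions()` with the `Extensions` folder of your own browser profile; a hit is a prompt to review the add-on, not proof that it is malicious.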

Another good practice is to perform regular browser cleaning. Uninstall anything you no longer use, remove duplicate functions (multiple blockers, multiple downloaders, etc.), and occasionally check what's still active. This quick review can prevent an extension from being forgotten for years.

Lastly, it is essential to keep your browser and operating system up to date, as well as to use security solutions that monitor not only the moment of download, but also the behavior of the extensions over time.

In light of what happened with the fake TikTok extensions, it's clear that the combination of a social network's popularity, technical ease, and user overconfidence is the perfect breeding ground for silent espionage campaigns. Keeping the number of add-ons to a minimum, being suspicious of "miracle" downloaders, and occasionally checking what's installed in your browser has become almost as important as using strong passwords or enabling two-step verification.
