Skip to content
logo The magazine for digital lifestyle and entertainment
A brand of Bild
Browser CoBi Google Internet News All topics
Millions Affected

Google Extension Hijacked by Scammers

Google Logo
A seemingly harmless Chrome extension was deliberately embedded with malicious code and misused. Photo: Getty Images
Share article

March 19, 2026, 7:31 am | Read time: 2 minutes

In the Chrome Web Store, you typically find extensions that usefully enhance your browser. Google highlights selected tools as editorial recommendations. This designation acts like a seal of quality and is meant to build trust. However, a case shows that even recommended extensions can be misused.

Specifically, it’s about the extension “Save Image as Type,” reported by the online magazine “XDA-Developer.” The tool performs a simple task: It helps you convert images from the internet into common formats such as JPG or PNG. The WebP format, in particular, is often difficult to process further, which is why many users rely on such solutions. With more than a million users and a recommendation by Google, the extension was long considered reliable. The company has since responded by removing the add-on from the store and deleting it from browsers.

Unnoticed Ownership Change as Trigger

Behind the incident is a well-known method in cybercrime. Fraudsters buy popular extensions and manipulate them. This is exactly what happened with “Save Image as Type” at the end of 2025. The change went largely unnoticed. According to security expert Adam Conway, the extension behaved inconspicuously until then. Only after the takeover was the code significantly altered and new functions added.

Also of interest: Deceptively Real Banking App Spies on Smartphones in Real-Time

From version 1.7.2, the extension contains a script that activates only under certain conditions. The developers deliberately built in hurdles so that security checks do not immediately trigger. Only when users have used the function ten times to save images does the malware become active. Additionally, certain websites are specifically avoided. The system recognizes these based on special fonts frequently used by developers. This is intended to prevent technically savvy users from discovering the manipulation.

How the Perpetrators Make Money

At its core, it’s about so-called cookie-stuffing. The extension opens invisible windows in the background and accesses numerous online shops. The goal is to place cookies in the browser. These are then provided with affiliate links or existing entries are overwritten.

If you later make a purchase in one of these shops, the operators of the extension receive a commission. For buyers, this goes unnoticed, as prices or processes in the shop do not change. According to Conway, large retailers like Amazon or brands like Adidas are among the affected targets, as well as many smaller shops worldwide.

This article is a machine translation of the original German version of TECHBOOK and has been reviewed for accuracy and quality by a native speaker. For feedback, please contact us at info@techbook.de.

You have successfully withdrawn your consent to the processing of personal data through tracking and advertising when using this website. You can now consent to data processing again or object to legitimate interests.