Main points
- 30 malicious extensions posing as AI tools were discovered in the Chrome Web Store.
- Extensions steal user data, including from Gmail, and transfer it to attackers' servers.

Over 300,000 users installed malicious AI-apps for Chrome / Collage 24 Channel
A massive campaign of malicious apps disguised as AI tools has been discovered in the Chrome extension store. Some of them are still available for installation, despite hundreds of thousands of installs and serious risks to user data.
How did the AiFrame scheme work?
Specialists at the security platform LayerX have uncovered a campaign called AiFrame. It involves 30 extensions for the Google Chrome browser that pretended, or still pretend, to be artificial intelligence assistants, translators, and panels integrating popular models. In total, they were installed by more than 300,000 users, writes Bleeping Computer.
The most popular of these, Gemini AI Sidebar, had about 80,000 installations, but by the time of publication it had already been removed from the Chrome Web Store. However, other malicious extensions with thousands of users remain available. These include:
- AI Sidebar – 70,000 users. After the research was published, the scammers renamed it “Gemini AI”.
- AI Assistant – 60,000 users. After the research was published, it was renamed “Claude AI”.
- ChatGPT Translate – 30,000 users. After the research was published, it was renamed “AI Translator”.
- AI GPT – 20,000 users. Still published under the same name.
- ChatGPT – 20,000 users. After the research was published, it was renamed “ChatGPT Ukraine”.
- Another AI Sidebar extension – 10,000 users. After the research was published, the scammers renamed it “DeepSeek”.
- Google Gemini – 10,000 users. Still published under the same name.
Despite the different names, all 30 applications had a common code structure, the same JavaScript logic, similar permissions, and operated through the same infrastructure – the tapnetic[.]pro domain.
Remote control without updates
Instead of implementing AI functions locally, the extensions simply opened a full-screen iframe and loaded content from a remote server. This meant that operators could change the logic at any time without publishing an update to the extension in the store, and therefore without re-verification by Google.
In fact, the user saw the “AI tool”, but all the functionality and data collection were controlled from the outside.
What do these extensions actually do?
In the background, the extensions extract content from pages the user visits. This is done using Mozilla's Readability library. The researchers paid particular attention to 15 extensions that specifically targeted Gmail.
They ran a separate script on mail.google.com at the document_start stage and embedded their own interface elements. The script read the visible text of the emails directly from the page's DOM structure via the .textContent property. This way, not only received emails but also drafts were intercepted.
When a user activated features like AI replies or email summaries, the extracted text was sent to a third-party server infrastructure controlled by the extension operators, resulting in the email content and associated metadata being exposed outside of Gmail's secure environment.
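The manifest traits described above (a content script injected into mail.google.com at document_start, plus references to the campaign's domain) can be checked on installed extensions. This is an added example, not code from LayerX or the original article; the function names, finding labels and sample inputs are constructed, and match patterns are compared on the host part only.

```javascript
// Added example: audit extension manifests for the traits described in the article.
// Simplification (assumption): match patterns are compared on the host part only.
const CAMPAIGN_DOMAIN = "tapnetic" + ".pro"; // domain named in the article

// True if a Chrome match pattern such as "*://*.google.com/*" covers `host`.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(?:\*|https?|file|ftp):\/\/([^\/]*)\//.exec(pattern);
  if (!m) return false;
  const h = m[1];
  if (h === "*") return true;
  if (h.startsWith("*.")) return host === h.slice(2) || host.endsWith(h.slice(1));
  return h === host;
}

// Returns a list of finding labels (labels are made up for this example).
function auditExtension(manifest, sourceText = "") {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    const gmail = (cs.matches || []).some(p => patternCoversHost(p, "mail.google.com"));
    if (!gmail) continue;
    // run_at defaults to document_idle; document_start injects before the page DOM is built
    findings.push(cs.run_at === "document_start"
      ? "gmail-content-script-at-document_start"
      : "gmail-content-script");
  }
  // Look for the campaign domain in the manifest and in any bundled script text.
  const haystack = (JSON.stringify(manifest) + sourceText).toLowerCase();
  if (haystack.includes(CAMPAIGN_DOMAIN)) findings.push("references-campaign-domain");
  return findings;
}

// Constructed sample inputs, not taken from any real extension.
const suspectManifest = {
  manifest_version: 3,
  name: "Sample AI panel",
  content_scripts: [
    { matches: ["*://mail.google.com/*"], js: ["gmail.js"], run_at: "document_start" },
  ],
};
const suspectSource = 'frame.src = "https://' + CAMPAIGN_DOMAIN + '/";';
const benignManifest = {
  manifest_version: 3,
  name: "Sample notes tool",
  content_scripts: [{ matches: ["https://example.com/*"], js: ["notes.js"] }],
};

console.log(auditExtension(suspectManifest, suspectSource));
console.log(auditExtension(benignManifest));
```

A finding is a prompt for manual review of the extension, since legitimate mail add-ons also inject content scripts into Gmail.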
Audio and speech recognition
Separately, the researchers observed a mechanism for remotely triggering voice recognition via the Web Speech API. The transcription results were also transmitted to the attackers' server. Depending on the permissions granted, this could mean intercepting conversations in the user's physical environment.
What to do?
LayerX has published indicators of compromise for the full list of extensions. If you find one of them installed, it is recommended to:
- remove the extension immediately;
- change passwords for all accounts;
- check active sessions and security settings;
- enable two-factor authentication.
At the time of publication, Google had not officially commented on the study results.
This incident demonstrates how the “AI” brand is increasingly being used as bait. While the extensions promised convenient features, they actually turned the browser into a tool for collecting sensitive data.
Download extensions only from trusted developers, either from official sites or via links provided on the official website of the service. Not every service has its own extension. For example, Google did not create an extension for Gemini, and the extension for ChatGPT only works as a tool to replace the default search engine.