Legitimate Chrome VPN Extension Turns to Browser Spyware
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A popular Chrome VPN extension, FreeVPN.One, with over 100,000 installs has transformed into spyware. Initially legitimate, the extension began capturing screenshots of users' online activities and collecting sensitive information after an update in April 2025. The spyware operates covertly, automatically taking screenshots of every webpage visited and uploading them to an attacker-controlled domain. It also exfiltrates device and location data at installation and startup. The extension's developer provided evasive responses when confronted, claiming the feature was for background scanning of suspicious domains. This incident highlights the potential risks associated with VPN services and the importance of scrutinizing even seemingly trustworthy browser extensions.
OPENCTI LABELS :
vpn,data exfiltration,spyware,chrome extension,browser security,google web store,screenshot capture,freevpn.one,user privacy
AI COMMENTARY :
1. Introduction: A popular Chrome VPN extension, FreeVPN.One, once regarded as a reliable tool for protecting online privacy, has revealed a covert spyware component that underscores the risks of trusting browser-based VPN services without thorough vetting.
2. Evolution of the Extension: FreeVPN.One amassed over 100,000 installs by delivering legitimate VPN functionality until an April 2025 update embedded code to automatically capture screenshots of every webpage visited and harvest sensitive device and location data without user consent.
3. Spyware Functionality and Data Exfiltration: Upon installation and each startup, the extension silently collects device identifiers and geographic information before covertly taking screenshots of user activity, transmitting all captured content to an attacker-controlled domain under the guise of normal background operations.
4. Developer Evasion and Justifications: When confronted about the intrusive behavior, the developer provided evasive explanations claiming the screenshot feature served to scan suspicious domains in the background, a rationale that fails to justify the broad data collection and covert transmission of personal information.
5. Threat Intelligence Implications: This incident highlights the importance of integrating threat intelligence into the evaluation of browser extensions, emphasizing the need to detect sudden changes in code behavior and monitor traffic to unauthorized endpoints to prevent data exfiltration.
6. Protecting User Privacy and Security: Users should closely inspect extension permissions, read reviews for reports of unexpected functionality, and consider network monitoring tools to identify anomalous uploads, while security teams must maintain updated blocklists and use behavior analysis to flag potential spyware within seemingly legitimate VPN services.
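As an added defender-side example (not part of this report or the extension's code), the following Python script compares two Chrome extension manifests and flags the kind of permission escalation that silent screenshot capture and location harvesting would require after an update; the manifests, version numbers and host names are constructed placeholders.

```python
import json

# Host patterns that let an extension read or screenshot every site; the
# chrome.tabs.captureVisibleTab API needs such access to capture arbitrary tabs.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look when they first appear in an update.
SENSITIVE = {"tabs", "activeTab", "scripting", "webRequest", "cookies",
             "history", "geolocation", "webNavigation"}

def capabilities(manifest: dict) -> dict:
    """Return the permission sets declared by a (MV2 or MV3) manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # MV2 manifests mix host patterns into "permissions"; split them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    return {"version": manifest.get("version", "?"),
            "perms": perms - hosts, "hosts": hosts}

def audit_update(old_manifest: dict, new_manifest: dict) -> list:
    """Flag permission escalation between two versions of one extension."""
    old, new = capabilities(old_manifest), capabilities(new_manifest)
    findings = []
    for host in sorted(new["hosts"] - old["hosts"]):
        if host in BROAD_HOSTS:
            findings.append(f"BROAD access added: {host} "
                            "(tabs.captureVisibleTab can screenshot any page)")
        else:
            findings.append(f"host access added: {host}")
    for perm in sorted(new["perms"] - old["perms"]):
        tag = "SENSITIVE" if perm in SENSITIVE else "perm"
        findings.append(f"{tag} permission added: {perm}")
    return findings

# Constructed manifests (not the real extension's): a baseline that only
# needs the proxy API and its own backend, and an update that widens access.
BASELINE = json.loads('''{"manifest_version": 3, "version": "1.0.0",
  "permissions": ["proxy", "storage"],
  "host_permissions": ["https://api.example-vpn.invalid/*"]}''')
UPDATED = json.loads('''{"manifest_version": 3, "version": "1.1.0",
  "permissions": ["proxy", "storage", "tabs", "scripting", "geolocation"],
  "host_permissions": ["https://api.example-vpn.invalid/*", "<all_urls>"]}''')

if __name__ == "__main__":
    for line in audit_update(BASELINE, UPDATED):
        print(line)
```

Run against manifests saved from the extension store or the local profile before and after an update; an empty result means no new permissions were introduced.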