Legitimate Chrome VPN Extension Turns to Browser Spyware
Essential information
- Published: 19/08/2025 17:08
- Modified: 19/08/2025 21:22
- Tags: 2025-08-19 browser security chrome extension data exfiltration freevpn.one google web store screenshot capture spyware user privacy vpn
- Related entities: 3 observables, 8 techniques (MITRE), 1 malware
Description
FreeVPN.One, a popular Chrome VPN extension with over 100,000 installs, has turned into spyware. Initially legitimate, the extension began capturing screenshots of users' online activity and collecting sensitive information after an update in April 2025. The spyware operates covertly, automatically taking a screenshot of every webpage visited and uploading it to an attacker-controlled domain. It also exfiltrates device and location data at installation and at startup. When confronted, the extension's developer gave evasive responses, claiming the feature was for background scanning of suspicious domains. The incident highlights the risks associated with VPN services and the importance of scrutinizing even seemingly trustworthy browser extensions.