"Securing the Browser: A Hybrid Static Analysis Framework for Detecting Malicious Chrome Extensions via Local Threat Intelligence"
Modern web browsers have evolved into sophisticated platforms where extensions play a crucial role in enhancing user productivity and customization. However, this extensibility significantly increases the attack surface, as malicious extensions often abuse excessive permissions to harvest cookies, manipulate the Document Object Model (DOM), and exfiltrate sensitive user data. Existing browser sandboxing mechanisms provide limited visibility into such threats, while cloud-based detection approaches raise privacy concerns.
This paper proposes a hybrid static analysis framework for detecting malicious Google Chrome extensions that preserves user privacy while enabling deep security inspection. The detection logic is decoupled from the browser environment and implemented as a Python-based local analysis service, which securely communicates with a lightweight Chrome extension frontend via RESTful APIs.
The framework employs a dual-layer detection strategy:
- a weighted permission risk scoring model to assess privilege abuse potential, and
- signature-based correlation against a local threat intelligence repository containing known malicious patterns and indicators of compromise.

Experimental results demonstrate that the proposed approach improves detection accuracy and significantly reduces false positives compared to standalone permission-based techniques, offering an effective and privacy-preserving defense for end-users.
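
The dual-layer strategy described above, as an added Python example that is not the paper's implementation: the permission weights, normalisation constant, threshold, verdict rule, signature names and sample extension are all assumptions constructed for illustration.

```python
import re

# Assumed permission weights for illustration; the paper's own values are not on this page.
WEIGHTS = {"<all_urls>": 10, "debugger": 9, "cookies": 8, "webRequest": 7,
           "scripting": 6, "history": 5, "tabs": 4, "activeTab": 2, "storage": 1}
MAX_RAW = 30  # assumed normalisation constant: raw scores at or above this map to 1.0

# Constructed local threat-intelligence repository (placeholder indicators, not real IoCs).
IOC_DOMAINS = {"collector.example.invalid"}
CODE_PATTERNS = {
    "cookie_bulk_read": re.compile(r"chrome\.cookies\.getAll\s*\("),
    "dynamic_code": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
}

def permission_score(manifest):
    """Layer 1: weighted sum over requested API and host permissions, scaled to 0..1."""
    requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    raw = 0
    for perm in requested:
        # Wildcard host patterns such as *://*/* grant the same reach as <all_urls>.
        raw += WEIGHTS["<all_urls>"] if perm.startswith("*://*/") else WEIGHTS.get(perm, 0)
    return min(raw / MAX_RAW, 1.0)

def signature_hits(sources):
    """Layer 2: correlate extension script text with the local repository."""
    hits = []
    for filename, text in sources.items():
        hits += [(filename, "ioc:" + d) for d in IOC_DOMAINS if d in text]
        hits += [(filename, "pattern:" + n) for n, p in CODE_PATTERNS.items() if p.search(text)]
    return sorted(hits)

def classify(manifest, sources, threshold=0.6):
    """Combine both layers; a high permission score alone is only 'suspicious'."""
    score, hits = permission_score(manifest), signature_hits(sources)
    if any(kind.startswith("ioc:") for _, kind in hits) or (hits and score >= threshold):
        return "malicious", score, hits
    if hits or score >= threshold:
        return "suspicious", score, hits
    return "benign", score, hits

# Constructed sample: broad permissions plus a script that matches two local signatures.
SAMPLE_MANIFEST = {"manifest_version": 3, "permissions": ["cookies", "tabs", "storage"],
                   "host_permissions": ["<all_urls>"]}
SAMPLE_SOURCES = {"background.js": "chrome.cookies.getAll({}, send); // send() posts to collector.example.invalid"}

if __name__ == "__main__":
    print(classify(SAMPLE_MANIFEST, SAMPLE_SOURCES))
    print(classify(SAMPLE_MANIFEST, {"background.js": "console.log('ready');"}))
```

The second call shows the case the abstract highlights: the same broad permission set with no signature match is held at "suspicious" rather than flagged as malicious, which is where a permission-only scorer would produce a false positive.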
This work is licensed under a Creative Commons Attribution 4.0 International License.
All articles published in our journal are licensed under CC-BY 4.0, which permits authors to retain copyright of their work. This license allows for unrestricted use, sharing, and reproduction of the articles, provided that proper credit is given to the original authors and the source.