Legitimate Chrome VPN with 100K+ Installs Secretly Captures Screenshots and Exfiltrates Sensitive Data
gbhackers
A Chrome extension marketed as FreeVPN.One, boasting over 100,000 installations, a verified badge, and featured placement in the Chrome Web Store, has been exposed as spyware that silently captures screenshots of users’ browsing activities and exfiltrates them to remote servers.
Despite its privacy policy explicitly stating that the developer does not collect or use user data, forensic analysis reveals a stark contradiction: the extension engages in persistent surveillance, capturing sensitive information such as banking details, personal messages, and private documents without user consent or notification.
Sophisticated Exfiltration Techniques
The extension’s malicious behavior leverages a two-stage architecture for screenshot capture.
Upon installation, a content script is injected into every HTTP and HTTPS page via broad manifest matches, triggering an automatic 1.1-second delayed capture after page load to ensure full rendering of sensitive content.
This script communicates with the background service worker, which invokes the chrome.tabs.captureVisibleTab ...
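As an added example (not code from the article or from the extension), a static triage check for the pattern described above: a content script matched against every web page, combined with a background script that calls `chrome.tabs.captureVisibleTab`. The two manifests and background snippets are constructed samples, and `auditExtension` and its risk labels are hypothetical names.

```javascript
// Match patterns that inject a content script into every HTTP/HTTPS page.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// manifest: parsed manifest.json; backgroundSource: text of the background script.
function auditExtension(manifest, backgroundSource) {
  const findings = [];

  const broadInjection = (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some((m) => BROAD_PATTERNS.has(m)));
  if (broadInjection) findings.push("content script runs on every web page");

  // MV3 lists hosts under host_permissions; MV2 mixes them into permissions.
  const grants = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  // captureVisibleTab requires <all_urls> or activeTab; activeTab is only
  // granted after a user gesture, so <all_urls> is the grant that allows
  // capture with no interaction.
  const silentGrant = grants.includes("<all_urls>");
  const gestureGrant = grants.includes("activeTab");
  if (silentGrant) findings.push("<all_urls> grant: capture needs no user gesture");
  else if (gestureGrant) findings.push("activeTab grant: capture only after a user gesture");

  const callsCapture = /\btabs\s*\.\s*captureVisibleTab\b/.test(backgroundSource);
  if (callsCapture) findings.push("background code calls tabs.captureVisibleTab");

  let risk = "low";
  if (callsCapture && (silentGrant || gestureGrant)) risk = "review";
  if (callsCapture && silentGrant && broadInjection) risk = "high";
  return { risk, findings };
}

// Constructed sample: the combination the article describes.
const SUSPECT_MANIFEST = {
  manifest_version: 3,
  permissions: ["tabs", "storage"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["cs.js"] }],
};
const SUSPECT_BG = "chrome.runtime.onMessage.addListener(() => chrome.tabs.captureVisibleTab(cb));";

// Constructed sample: a screenshot tool that captures only when the user clicks.
const CLICK_MANIFEST = { manifest_version: 3, permissions: ["activeTab"], action: {} };
const CLICK_BG = "chrome.action.onClicked.addListener(() => chrome.tabs.captureVisibleTab(cb));";

console.log(auditExtension(SUSPECT_MANIFEST, SUSPECT_BG));
console.log(auditExtension(CLICK_MANIFEST, CLICK_BG));
```

A "high" result only says the manifest and code permit silent capture on every page; confirming exfiltration still needs a review of what the background script does with the image.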
Copyright of this story solely belongs to gbhackers.