New research from LayerX Security reveals a new malicious campaign called “StealTok” involving more than a dozen browser extensions that target TikTok users across major browser marketplaces. These extensions, which promise to download videos without watermarks, collect user data and perform device fingerprinting, a technique used to identify and track unique devices.
According to researchers, scammers behind this campaign have kept their operation active for over a year by tweaking the names and looks of their extensions, all while recycling the same shared code on the Microsoft Edge and Chrome stores.
A Long-Term Scam
Worse, the campaign has so far successfully targeted over 130,000 users worldwide and has gone undetected by building a reputation through legitimate services before activating its hidden functions.
Researchers also found that many of these extensions operated without any malicious activity for six to twelve months, a tactic that allowed them to gain thousands of users and even earn “Featured” badges from store moderators.
Once a large-scale and reliable user base was established, the extensions began communicating with remote servers to receive new instructions, bypassing the initial security reviews performed at the time of publication.
Invasive Data Collection
One of the more invasive aspects of this campaign is the depth of information gathered from unsuspecting browsers. According to LayerX’s blog post shared with Hackread.com, besides tracking video interests and usage patterns, these extensions “pull high-entropy data” such as timezone, language settings, and even the device’s battery status.
For your information, this specific combination of data points allows cyber criminals to create a unique fingerprint for each user, facilitating long-term tracking across different web sessions.
130,000 Victims and Counting
So far, researchers have found that more than 130,000 people fell for the scam, which points to a coordinated, large-scale campaign targeting everyday users around the world. The situation could get worse: at the time of writing, some extensions have finally been kicked off the stores, but the majority are still available for anyone to download, with about 12,500 people actively using them right now.

| ID | Name | Installs | Browser | Status |
| --- | --- | --- | --- | --- |
| injnjbcogjhcjhnhcbmlahgikemedbko | TikTok Downloader – Save Videos, No Watermark | 3,000 | Google Chrome | Active |
| ehdkeonoccndeaggbnolijnmmeohkbpf | TikTok Video Downloader – Bulk Save | 1,000 | Google Chrome | Active |
| pfpijacnpangmkfdpgodlbokpkhpkeka | Tiktok Downloader | 353 | Google Chrome | Active |
| cfbgdmiobbicgjnaegnenlcgbdabkcli | TikTok Video Downloader – Save Without Watermark | 4,000 | Google Chrome | Active |
| mpalaahimeigibehbocnjipjfakekfia | Mass Tiktok Video Downloader | 77 | Microsoft Edge | Active |
| kkhjihaeddnhknninbekkhaklnailngh | TikTok Video Downloader – Save Without Watermark | 9 | Microsoft Edge | Active |
| kbifpojhlkdoidmndacedmkbjopeekgl | TikTok Downloader – Save Videos, No Watermark | 47 | Microsoft Edge | Active |
| jacilgchggenbmgbfnehcegalhlgpnhf | Mass Tiktok VideoDownloader | 4,000 | Google Chrome | Active |
| oaceepljpkcbcgccnmlepeofkhplkbih | Mass Tiktok Video Downloader | 30,000 | Google Chrome | Removed |
| ilcjgmjecbhpgpipmkfkibjopafpbcag | TikTok Downloader – Save Videos, No Watermark | 10,000 | Google Chrome | Removed |
| kmobjdioiclamniofdnngmafbhgcniok | TikTok Video Keeper | 60,000 | Google Chrome | Removed |
| cgnbfcoeopaehocfdnkkjecibafichje | Video Downloader for Tiktok | 20,000 | Google Chrome | Removed |
If you’ve recently added any extensions from the Chrome Web Store or Microsoft Edge Add-ons, now is a good time to double-check your list. If you find any of the tools mentioned in the report, you should remove them immediately rather than just disabling them.
Since these extensions have the ability to track what you type and capture login tokens, it is a good idea to change your passwords for important accounts like your email or bank. It’s also wise to check your browser settings to ensure you haven’t saved sensitive financial info or personal details that these tools could have accessed while they were active.
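To check the installed-extension list against the table above, the following added example (not from LayerX or Hackread) looks for the twelve listed IDs in each Chrome and Edge profile on disk. The directory locations are assumed to be the browsers' standard install defaults, and the function names are illustrative.

```python
import os
import sys
from pathlib import Path

# Extension IDs copied from the table in the article above.
STEALTOK_IDS = {
    "injnjbcogjhcjhnhcbmlahgikemedbko", "ehdkeonoccndeaggbnolijnmmeohkbpf",
    "pfpijacnpangmkfdpgodlbokpkhpkeka", "cfbgdmiobbicgjnaegnenlcgbdabkcli",
    "mpalaahimeigibehbocnjipjfakekfia", "kkhjihaeddnhknninbekkhaklnailngh",
    "kbifpojhlkdoidmndacedmkbjopeekgl", "jacilgchggenbmgbfnehcegalhlgpnhf",
    "oaceepljpkcbcgccnmlepeofkhplkbih", "ilcjgmjecbhpgpipmkfkibjopafpbcag",
    "kmobjdioiclamniofdnngmafbhgcniok", "cgnbfcoeopaehocfdnkkjecibafichje",
}


def browser_roots(home=None, platform=sys.platform, env=os.environ):
    """Chrome/Edge user-data directories (assumed default install paths)."""
    home = Path(home or Path.home())
    if platform.startswith("win"):
        base = Path(env.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [base / "Google/Chrome/User Data", base / "Microsoft/Edge/User Data"]
    if platform == "darwin":
        base = home / "Library/Application Support"
        return [base / "Google/Chrome", base / "Microsoft Edge"]
    return [home / ".config/google-chrome", home / ".config/microsoft-edge"]


def find_listed_extensions(roots, ids=STEALTOK_IDS):
    """Return sorted (profile_dir, extension_id) pairs for listed IDs on disk."""
    hits = []
    for root in roots:
        if not Path(root).is_dir():
            continue  # browser not installed for this user
        # Each profile (Default, Profile 1, ...) has one folder per extension ID.
        for ext_dir in Path(root).glob("*/Extensions/*"):
            if ext_dir.is_dir() and ext_dir.name in ids:
                hits.append((str(ext_dir.parent.parent), ext_dir.name))
    return sorted(hits)


if __name__ == "__main__":
    found = find_listed_extensions(browser_roots())
    for profile, ext_id in found:
        print(f"FOUND {ext_id} in {profile}")
    print(f"{len(found)} listed extension(s) found")
    sys.exit(1 if found else 0)
```

Portable or non-default installs keep their profiles elsewhere; pass those directories to `find_listed_extensions` directly.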

