A widely used screenshot extension for Chrome, called Screenshot & Screen Capture Elite, is reportedly behaving more like ad-serving malware. That’s based on comments in the extension’s reviews, spotted by TechDows. The Chrome extension, available for all desktop versions of the browser, has over a million downloads. And it’s still available, as of this writing.
In short, the extension appears, on the surface, to be inserting ads directly into Google Search results. The bad behavior appears to go much deeper than that, too, in direct violation of Chrome’s increasingly strict security policies. But the primary purpose of the extension seems to be ad delivery.
Ad blockers, even an ad-blocking extension such as uBlock Origin, don’t seem to stop this Chrome extension from working.
How malicious is the popular Chrome screenshot extension, beyond ads?
Now, it isn’t just ads that this apparent Chrome extension malware is serving up for end users. It allows users not only to save screen captures but also to upload them to the web. And, when users do that, it appears to upload with an unidentified IP address attached. Specifically, it utilizes “Fly analytics” and gains permission to connect to the external IP address 67.205.139.234.
Users report that it is using the built-in analytics to track activity across the web when the extension is installed. In particular, it seems to be tracking users’ search histories.
Adding insult to injury, at least some users also report that the Google Search results themselves are impacted. Users aren’t providing exact details. But, according to reviews, the extension fundamentally alters the quality, accuracy, and even order of appearance for those results.
The extension doesn’t start off malicious
The final point to note about Screenshot & Screen Capture Elite is that the malicious activity doesn’t seem to start immediately. Instead, users describe the behavior as ‘sneaky’. That’s because the Chrome extension appears to slowly ramp up the ads and malware-like activity after the initial install. So users won’t necessarily notice it immediately or be able to clearly link the change in behavior back to the extension.
Those who have the extension installed will likely want to remove it from their browser. It’s also advisable that they report the behavior in the Chrome Web Store in order to bring it to Google’s attention.
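A defender’s check for the behaviors described above (permission to reach a bare external IP address, and scripts running on Google Search pages), as an added example that is not from the original article or from the extension itself. The manifest shown is a constructed sample, the finding labels are illustrative, and matching "google" in the host name is a simplifying assumption.

```python
import ipaddress

# Constructed sample for illustration; NOT the real extension's manifest.
SAMPLE_MANIFEST = {
    "name": "Example Screenshot Tool",
    "manifest_version": 2,
    "permissions": ["tabs", "storage", "http://67.205.139.234/*"],
    "content_scripts": [
        {"matches": ["*://www.google.com/search*"], "js": ["inject.js"]}
    ],
}

def pattern_host(pattern):
    """Host part of a match pattern; None for API permissions like "tabs"."""
    if pattern == "<all_urls>":
        return "*"
    if not isinstance(pattern, str) or "://" not in pattern:
        return None
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    # Drop a port if present, but leave bracketed IPv6 literals intact.
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def audit_manifest(manifest):
    """Return (finding, pattern) pairs worth a manual look."""
    findings = []
    declared = []
    # MV2 lists hosts under "permissions"; MV3 uses "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared += manifest.get(key, [])
    for perm in declared:
        host = pattern_host(perm)
        if host is None:
            continue
        if is_ip_literal(host):
            findings.append(("ip-literal-host", perm))
        elif host == "*":
            findings.append(("all-hosts", perm))
    for script in manifest.get("content_scripts", []):
        for match in script.get("matches", []):
            host = pattern_host(match) or ""
            if host == "*" or "google" in host.split("."):
                findings.append(("content-script-on-search", match))
    return findings
```

Chrome keeps each installed extension’s manifest.json inside the profile’s Extensions directory, so each one can be loaded with json.load and passed to audit_manifest. A finding is a reason to look closer rather than proof of malice, since many legitimate extensions request broad host access.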