The additional code drives CPU usage through the roof, making users computers sluggish and hard to use.
SafeBrowse uses same technology tested by The Pirate Bay
The intrusive and highly damaging behavior was noticed almost immediately, as the extension’s Web Store page has filled up in the past few hours with negative reviews decrying the surge in CPU resource usage.
The above code starts a process that runs at all times in the browser’s background and mines for Moner using the user’s resources, but for the profits of the SafeBrowse authors.
Affected users include anyone who installed the SafeBrowse extension. The version featuring the Coinhive miner is 3.2.25. Chrome extensions use an auto-update system, so most SafeBrowse users will be updated to this version in the coming hours and days.
SafeBrowse extension ruins your PC’s performance
Bleeping Computer tested the extension, and the Monero mining operation is clearly visible in the Windows Task Manager and Resource Monitor applications, immediately driving up CPU resource usage shortly after installation.
The same spike in CPU usage can be seen in Chrome’s built-in Task Manager, showing the extension’s process taking up over 60% of CPU resources.
The impact on our test computer was felt immediately. Task Manager itself froze and entered a Not Responding state seconds after installing the extension. The computer became sluggish, and the SafeBrowse Chrome extension continued to mine Monero at all times when the Chrome browser was up and running.
It is no wonder that users reacted with vitriol on the extension’s review section. A Reddit user is currently trying to convince other users to report SafeBrowse as malware to the Chrome Web Store admins [1, 2].
Not the first time doing something shady
This is not the first time the extension was caught doing something shady. Back in November 2015, researchers from Detectify Labs found that SafeBrowse, along with many popular Chrome extensions, where loading analytics code without consent in order to track users across the web.
Bleeping Computer has reached out for comment to SafeBrowse. We will update the article with any statement the authors wish to make.
UPDATE [September 19, 15:30 ET]: The SafeBrowse team has provided Bleeping Computer the following statement regarding the extension’s recent Monero mining capabilities.
Unfortunately we have no knowledge, apparently has been a hack. I’m currently researching, I have already contacted the Google team. The extension has not received an update for months, so I do not know what it’s all about.
While most users know how to remove a Chrome extensions, users who lack the technical skills and need help with removing the SafeBrowse extension can consult a guide we put together here.