2 Remove Virus

Malicious TikTok extensions on Chrome and Edge tracked over 130,000 users

A group of browser extensions posing as TikTok video download tools has been found to covertly monitor users and collect data, affecting more than 130,000 individuals across Google Chrome and Microsoft Edge.

Security researchers at LayerX identified at least 12 extensions involved in the campaign, which they named “StealkTok.” The extensions were presented as tools for downloading TikTok videos, but operated with hidden surveillance capabilities.

According to the researchers, the extensions gathered detailed information about users, including browsing activity, downloaded content, device data, and environmental details. The collected data allowed operators to build user profiles and monitor behaviour across websites.

The extensions also included remote control functionality. This allowed operators to update behaviour dynamically by fetching configurations from external servers. Researchers stated that this capability could enable additional actions such as data exfiltration or integration into larger malicious infrastructure.

Most of the identified extensions shared similar code and were described as modified versions of the same base software. This pattern indicated that a single threat actor was responsible for maintaining and distributing multiple variants.

The campaign used a delayed activation method to avoid detection. The extensions initially functioned as advertised for periods ranging from six to twelve months before introducing malicious features through updates. This approach allowed them to pass platform review processes and accumulate user installations before being flagged.

Several of the extensions reached significant download counts. Reported figures include 60,000 installs for one extension, 30,000 for another, and multiple others with tens of thousands of users.

Some of the identified extensions have been removed from official browser stores, including Google Chrome’s Web Store. However, researchers reported that several remained available at the time of disclosure.

Browser extensions typically require permissions that allow access to browsing data and interaction with web pages. Security research has previously shown that such permissions, when abused, can be used to collect sensitive information or modify browser behaviour.
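Because the campaign introduced its malicious features through updates, one defensive check is to compare the access an extension requests before and after an update. The following is an added example, not code from LayerX or from the extensions: both manifests are constructed, the extension name and the `config.example.invalid` host are hypothetical, and the set of permissions treated as sensitive is an assumption of the example.

```python
import json

# Real manifest permission names; treating these as "sensitive" is this example's choice.
SENSITIVE = {"tabs", "history", "cookies", "webRequest", "webNavigation", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed manifests for a hypothetical downloader, before and after an update.
OLD = json.loads("""{
  "manifest_version": 3, "name": "Example Video Saver", "version": "1.4.0",
  "permissions": ["downloads", "storage"],
  "host_permissions": ["https://*.tiktok.com/*"]
}""")
NEW = json.loads("""{
  "manifest_version": 3, "name": "Example Video Saver", "version": "2.0.0",
  "permissions": ["downloads", "storage", "tabs", "webRequest"],
  "host_permissions": ["https://*.tiktok.com/*", "https://config.example.invalid/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}""")

def granted(manifest):
    """Return (api_permissions, host_patterns) the manifest requests at install time."""
    perms, hosts = set(), set(manifest.get("host_permissions", []))
    for p in manifest.get("permissions", []):
        # Manifest V2 mixes host patterns into "permissions"; split them out.
        (hosts if "://" in p or p == "<all_urls>" else perms).add(p)
    # Content scripts run inside every page their match patterns cover.
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return perms, hosts

def diff_update(old, new):
    """List the access an update adds, most concerning categories first."""
    old_perms, old_hosts = granted(old)
    new_perms, new_hosts = granted(new)
    added_perms, added_hosts = new_perms - old_perms, new_hosts - old_hosts
    findings = [f"new sensitive permission: {p}" for p in sorted(added_perms & SENSITIVE)]
    findings += [f"new broad host access: {h}" for h in sorted(added_hosts & BROAD_HOSTS)]
    findings += [f"new host access: {h}" for h in sorted(added_hosts - BROAD_HOSTS)]
    return findings

if __name__ == "__main__":
    for finding in diff_update(OLD, NEW):
        print(finding)
```

A diff of this kind only covers access declared in the manifest; behaviour changed through remotely fetched configuration within already granted permissions would not appear in it.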

The findings add to a series of incidents involving malicious browser extensions distributed through official marketplaces. Researchers noted that the ability to introduce harmful functionality through updates remains a key challenge for platform enforcement systems.