A set of fraudulent browser extensions masquerading as Proton VPN — the privacy-focused service operated by Swiss-based Proton AG — recently appeared on the Chrome Web Store, raising fresh concerns about Google’s ability to police its own extension marketplace. The incident underscores a recurring vulnerability in the browser extension supply chain, one that has plagued users and security researchers for years despite repeated assurances from platform operators that safeguards are in place.
The fake extensions were flagged by security researchers and reported on by TechRadar, which noted that the impostors closely mimicked the branding, iconography, and description language of the legitimate Proton VPN extension. Some of the counterfeit listings had already accumulated hundreds of downloads before they were identified and reported. The fraudulent extensions were not developed or endorsed by Proton AG, and the company has warned users to verify the publisher identity before installing any extension claiming to offer its services.
Google operates a review system for Chrome Web Store submissions that is supposed to catch malicious or deceptive extensions before they reach end users. The process involves both automated scanning and, in some cases, manual review. Yet the appearance of these fake Proton VPN extensions demonstrates that determined bad actors can still circumvent these controls with relative ease. The counterfeit listings used names like “Proton VPN” and “ProtonVPN – Free VPN,” paired with logos and screenshots nearly identical to the real product, according to TechRadar.
The extensions’ actual functionality remains under scrutiny. A browser "VPN" extension is in practice a proxy configured through the browser’s proxy API, so it carries only the browser’s own traffic, and whoever controls the proxy endpoint sees the destination of every request and the full content of any request that is not protected by HTTPS. In past incidents involving fake VPN extensions, researchers have found that the software either did nothing at all, providing no proxy or tunnel, or, more dangerously, routed browser traffic through attacker-controlled servers, enabling surveillance of browsing activity. Some fake VPN tools have also been found to inject advertisements, harvest credentials through content scripts injected into web pages, or install additional malware components. While the specific payloads of the latest Proton VPN impostors have not been fully disclosed publicly, the risk profile is consistent with these established patterns.
Proton AG has long maintained an official Chrome extension for its VPN service, and the company has been vocal about the threat posed by impersonators. The legitimate Proton VPN extension is published under the verified “Proton AG” developer account on the Chrome Web Store. Proton has advised users to check the publisher name carefully and to access extension downloads only through links on the official Proton VPN website rather than searching the Chrome Web Store directly, where fake results can appear prominently.
The problem is not unique to Proton. Popular VPN providers, password managers, and cryptocurrency wallets are among the most frequently impersonated categories on browser extension marketplaces. A 2024 study by researchers at Stanford University and the CISPA Helmholtz Center for Information Security (Hsu, Tran and Fass, "What is in the Chrome Web Store?") found that roughly 280 million users had installed extensions that were later found to contain malware over a two-year window, and that such extensions stayed available in the store for 380 days on average before removal, a timeline that gives attackers ample opportunity to exploit victims.
The Chrome Web Store has faced criticism for years over its handling of malicious extensions. Google’s Manifest V3 extension platform, introduced with Chrome 88 in 2021 and enforced by the phase-out of Manifest V2 extensions that began in 2024, was designed in part to narrow what an extension can do: it bans remotely hosted code, replaces blocking webRequest interception with declarative rules, and lets users restrict host permissions site by site. However, security experts have noted that Manifest V3 addresses technical capabilities and does not solve the social engineering problem, that is, the ability of attackers to trick users into installing software that looks legitimate but is not. A counterfeit that needs only the proxy permission to redirect traffic stays well within what Manifest V3 allows.
The core challenge is one of trust signals. When a user searches for “Proton VPN” in the Chrome Web Store, they may encounter multiple results. The legitimate extension may not always appear first, and the visual differences between a real and a fake listing can be negligible. Star ratings and review counts can be manipulated through bot networks, and even the “Featured” badge that Google assigns to some extensions is not universally applied to all legitimate products. This creates an environment where even technically savvy users can be deceived.
Security professionals recommend several steps to reduce the risk of installing a fraudulent browser extension. First, users should always access extension download pages through the official website of the software provider rather than searching the Chrome Web Store directly. For Proton VPN, this means visiting protonvpn.com and following the link to the Chrome extension from there. Second, users should verify the developer name listed on the extension’s Chrome Web Store page. The legitimate Proton VPN extension is published by “Proton AG” — any variation on this name is a red flag.
Third, users should review the permissions requested by an extension before installation; Chrome lists them in the install prompt and, under each extension’s Details on chrome://extensions, alongside the extension’s ID once Developer mode is enabled. A VPN extension legitimately needs the proxy permission (and typically storage plus a way to answer proxy authentication requests), but requests to read browsing history, to read and change data on all websites, or other permissions unrelated to VPN functionality should be treated with suspicion. Fourth, keeping the number of installed extensions to a minimum reduces overall exposure. Each extension represents a potential attack vector, and unused extensions should be removed promptly. As TechRadar noted, users should also report suspicious extensions to Google to help accelerate their removal from the store.
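The permission and publisher checks above can be automated against the manifests Chrome keeps on disk for every installed extension. The script below is an added example, not code from the article or from Proton AG: it walks a profile’s Extensions folder, splits API permissions from host patterns (including content-script match patterns, which is where page-scraping code is declared), and flags a brand name carried by an unexpected extension ID, permissions a VPN has no use for, all-sites host access, and extensions not updated from the Web Store. The "known" Proton VPN ID, the list of suspicious permissions and the two sample manifests are assumptions constructed for the example; take the real ID from the listing URL reached via protonvpn.com.

```python
"""Audit installed Chrome extension manifests for impersonation and over-broad permissions.

Added example, not code from the article or from Proton AG. The "known" Proton VPN
id is a PLACEHOLDER: take the real id from the listing URL reached via protonvpn.com.
"""
import json
import re
from pathlib import Path

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension ids: 32 letters from a-p

# Brand keyword -> the single extension id allowed to carry it (placeholder id).
KNOWN_BRAND_IDS = {"proton": "abcdefghijklmnopabcdefghijklmnop"}

# API permissions with no plausible purpose in a VPN/proxy extension (assumption).
SUSPICIOUS_PERMISSIONS = {
    "history", "tabs", "cookies", "clipboardRead", "downloads", "scripting",
    "management", "nativeMessaging", "debugger", "webNavigation", "bookmarks",
}
# Host patterns that let an extension read and modify every page the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def split_permissions(manifest):
    """Return (api_permissions, host_patterns).

    MV2 manifests mix host patterns into "permissions"; MV3 uses "host_permissions".
    Content-script match patterns count as host access too, since that is where
    credential-harvesting scripts are declared.
    """
    raw = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    hosts = {p for p in raw if p == "<all_urls>" or "://" in p}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return raw - hosts, hosts


def audit_manifest(ext_id, manifest):
    """Return human-readable findings for one extension; an empty list means nothing flagged."""
    findings = []
    if not EXT_ID_RE.match(ext_id):
        findings.append(f"malformed extension id {ext_id!r}")
    # Localized names appear as "__MSG_key__" and would need _locales/*/messages.json;
    # this example checks the raw manifest string only.
    name = str(manifest.get("name", ""))
    for brand, legit_id in KNOWN_BRAND_IDS.items():
        if brand in name.lower() and ext_id != legit_id:
            findings.append(f"name {name!r} uses brand {brand!r} but id {ext_id} is not the known id")
    api_perms, hosts = split_permissions(manifest)
    unrelated = api_perms & SUSPICIOUS_PERMISSIONS
    if unrelated:
        findings.append(f"permissions unrelated to VPN use: {sorted(unrelated)}")
    if hosts & BROAD_HOSTS:
        findings.append(f"can read data on all websites: {sorted(hosts & BROAD_HOSTS)}")
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        findings.append("not updated from the Chrome Web Store (sideloaded or unpacked)")
    return findings


def scan_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a Chrome profile's Extensions folder.

    Typical locations: ~/.config/google-chrome/Default/Extensions (Linux),
    ~/Library/Application Support/Google/Chrome/Default/Extensions (macOS),
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions (Windows).
    """
    report = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        with open(manifest_path, encoding="utf-8") as fh:
            report[ext_id] = audit_manifest(ext_id, json.load(fh))
    return report


# Constructed sample manifests (not real store data): the first has only what an
# MV3 proxy-based VPN extension needs, the second follows the counterfeit pattern.
SAMPLE_LEGIT = {
    "manifest_version": 3, "name": "Proton VPN",
    "permissions": ["proxy", "storage", "alarms", "webRequest", "webRequestAuthProvider"],
    "host_permissions": [], "update_url": WEBSTORE_UPDATE_URL,
}
SAMPLE_FAKE = {
    "manifest_version": 2, "name": "ProtonVPN - Free VPN",
    "permissions": ["proxy", "tabs", "history", "cookies", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    "update_url": WEBSTORE_UPDATE_URL,
}


def demo():
    """Audit both samples; the fake one produces three findings, the legitimate one none."""
    return {
        "legit": audit_manifest("abcdefghijklmnopabcdefghijklmnop", SAMPLE_LEGIT),
        "fake": audit_manifest("bcdefghijklmnopabcdefghijklmnopa", SAMPLE_FAKE),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "clean")
```

Run `scan_profile()` against a real profile directory to audit what is actually installed; the ID check only works once the placeholder ID is replaced with the one from the legitimate listing, which is exactly the value a user is expected to verify by hand.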
Google has repeatedly stated that it removes extensions that violate its policies and that it invests heavily in automated detection systems. The company reported removing hundreds of thousands of extensions and developer accounts in recent years. Yet the persistence of fake extensions mimicking high-profile brands suggests that the current enforcement model remains reactive rather than preventive. Extensions are typically removed after they are reported by users or flagged by external researchers — by which point they may have already been installed by thousands of people.
Some industry observers have called for Google to implement a verified publisher program similar to the blue-check verification systems used on social media platforms, where well-known software companies could receive a visible trust indicator that would be difficult for impostors to replicate. Google does offer a "Featured" badge and an "Established Publisher" badge for developers with a verified identity and a track record on the store, but these mechanisms are not consistently applied, and their criteria are not fully transparent. A more aggressive approach to identity verification at the point of submission, requiring, for instance, proof of trademark ownership for extensions using established brand names, could significantly reduce the volume of impersonation attacks.
For enterprise IT departments, the incident is a reminder that browser extensions represent a significant and often undermonitored attack surface. Many organizations allow employees to install extensions freely, and few have policies or tools in place to audit the extensions running across their fleet of managed browsers. Chrome’s enterprise policies (ExtensionInstallAllowlist, ExtensionInstallBlocklist, ExtensionInstallForcelist and the more granular ExtensionSettings) let administrators block every extension except an allowlist of approved IDs and push those approved extensions to managed browsers, but adoption of these controls varies widely across industries.
The fake Proton VPN extensions also highlight the risks associated with remote work, where employees may rely on personal devices or install VPN tools independently to access corporate resources. An employee who installs a fake VPN extension believing it to be legitimate could inadvertently expose corporate credentials, session tokens, or sensitive communications to an attacker. Organizations that depend on VPN tools for secure access should consider distributing approved extensions through managed deployment rather than relying on employees to find and install them on their own.
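The managed-deployment approach described above comes down to one policy object. The code below is an added example, not the article’s or Google’s: it generates an ExtensionSettings policy that blocks every extension by default and force-installs an approved set from the Web Store, then models how Chrome resolves a given ID against that policy. ExtensionSettings, installation_mode, update_url and blocked_install_message are the real Chrome enterprise policy keys; the approved extension ID is a placeholder to be replaced with the ID from the listing linked at protonvpn.com, and install_decision() is a simplified model of Chrome’s lookup written for illustration.

```python
"""Generate and evaluate a Chrome ExtensionSettings policy that allows only approved extensions.

Added example, not from the article or from Google. ExtensionSettings, installation_mode,
update_url and blocked_install_message are the real Chrome enterprise policy keys; the
approved extension id is a PLACEHOLDER to be replaced with the id from the listing
linked at protonvpn.com. install_decision() is a simplified model of Chrome's lookup.
"""
import json
import re

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension ids: 32 letters from a-p

# id -> label for the policy generator. Placeholder id, not the real extension.
APPROVED = {"abcdefghijklmnopabcdefghijklmnop": "Proton VPN (placeholder id)"}


def is_valid_id(ext_id):
    """True for a syntactically valid Chrome extension id."""
    return bool(EXT_ID_RE.match(ext_id))


def build_policy(approved):
    """Block every extension by default and force-install each approved id from the store."""
    settings = {
        "*": {
            "installation_mode": "blocked",
            "blocked_install_message": "Only IT-approved extensions may be installed.",
        }
    }
    for ext_id in approved:
        if not is_valid_id(ext_id):
            raise ValueError(f"not a valid Chrome extension id: {ext_id!r}")
        settings[ext_id] = {
            "installation_mode": "force_installed",
            "update_url": WEBSTORE_UPDATE_URL,  # only the store may supply updates
        }
    return {"ExtensionSettings": settings}


def install_decision(policy, ext_id):
    """Model of Chrome's lookup: a per-id entry overrides the "*" default."""
    settings = policy["ExtensionSettings"]
    entry = settings.get(ext_id) or settings.get("*", {})
    return entry.get("installation_mode", "allowed")


def to_managed_policy_json(policy):
    """Serialize as the JSON file placed under /etc/opt/chrome/policies/managed/ on Linux."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    policy = build_policy(APPROVED)
    print(to_managed_policy_json(policy))
    # A look-alike with a different id is blocked even if the user finds it in the store.
    print(install_decision(policy, "bcdefghijklmnopabcdefghijklmnopa"))
```

On Linux the generated JSON is dropped into /etc/opt/chrome/policies/managed/; on Windows the same object is supplied as the ExtensionSettings registry value or Group Policy setting, and on macOS through a configuration profile. The key property is that a counterfeit with the same name but a different ID resolves to the "*" entry and is blocked, while the approved ID is installed without the user ever searching the store.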
The appearance of fake Proton VPN extensions on the Chrome Web Store is not an isolated event but rather the latest chapter in an ongoing struggle between platform operators, security researchers, and malicious actors. As long as browser extension marketplaces rely on a model where anyone can submit software under any name with minimal upfront verification, impersonation attacks will continue. The burden of verification falls disproportionately on end users, who are expected to distinguish real from fake in an environment where the visual cues are nearly identical.
Proton AG, for its part, has been proactive in alerting its user base and working with Google to remove the fraudulent listings. But the company’s efforts, like those of other frequently impersonated brands, amount to a game of whack-a-mole. New fake extensions can appear as quickly as old ones are taken down. Until platform operators invest in more rigorous identity verification and real-time monitoring at the point of submission, the Chrome Web Store — and extension marketplaces more broadly — will remain fertile ground for impersonation and fraud.
Counterfeit Proton VPN Extensions Infiltrate the Chrome Web Store, Exposing a Persistent Blind Spot in Browser Security first appeared on Web and IT News.