What Is SafeBrowse? Google Chrome Extension Secretly Mines For Monero

SafeBrowse, a Google Chrome extension that has more than 140,000 downloads, has been secretly using the processing power of its users’ computers to mine for the cryptocurrency Monero without the consent of its users.

The mining process began after the creators of the extension embedded a JavaScript library into SafeBrowse’s code to discretely carry out the mining process, though users quickly caught on when the extension began bogging down their machines.

SafeBrowse is ostensibly an extension designed to help users bypass advertising services that require users wait for a period of time before viewing content. It allows users to skip the wait imposed by ad networks like Adfly and Linkbucks—both of which are particularly invasive and often found on shady or malicious websites and services.

The browser extension was relatively popular, racking up more than 140,000 installations and achieving a 4.4 out of 5 star rating in the Google Chrome Web Store with more than 2,000 reviews prior to its foray into cryptocurrency mining.

A recent update to the extension published by SafeBrowse’s authors tanked that rating, as users began bombarding the extension’s page in the Chrome Web Store with negative reviews as it started to hijack their computer’s processing power. Some users noted the extension was using more than 60 percent of their CPU resources.

The cause of that resource drain is the inclusion of the Coinhive JavaScript Miner, an in-browser implementation of a popular cryptocurrency mining algorithm used to mine for Monero—an open source cryptocurrency created in 2014. One Monero is currently valued at about $95.

While the miner uses resources from the user’s machine, the profits go directly to the authors of SafeBrowse.

The Coinhive miner first appeared in version 3.2.25 of the Chrome extension. Because Chrome automatically updates extensions to ensure users are using the most recent version, many users with the SafeBrowse extension installed received the update.

Because the update was pushed to many users and the miner had such a drastic impact on their machines, it’s clear to see why the pushback against the change was so drastic and immediate. Reddit threads that noted the change in the extension began calling for users to report SafeBrowse as malware. At the time of publication, SafeBrowse is no longer available in the Google Chrome Web Store.

While SafeBrowse was generally well liked by users before the crypotcurrency miner fiasco, the extension has far from a stellar reputation. In 2015, researchers at Detectify Labs noted SafeBrowse was one of a number of extensions that secretly tracked user activity across the web without consent or indication of the behavior.

The discovery of the Monero miner in SafeBrowse comes just days after a similar cryptocurrency miner was discovered built into the website of popular torrent destination the Pirate Bay. The miner was supposedly an alternative for the site to generate revenue without needing to display advertisements.