Listing in the Chrome Web Store does not mean an extension is safe to use. There have been many cases of malicious add-ons being removed from the Store only after they had been installed, in some cases by millions of Chrome users.
We will focus on checks you can perform before you install an extension. It is often easier to tell whether an extension is shady or outright malicious after you have installed it, because it may then cause visible unwanted changes or activity, such as hijacking your search engine, displaying ads or pop-ups, or other behavior that was not mentioned in the extension's description.
Web Store Page
Read through the extension's listing and see whether anything sets off alarm bells. Grammar or other English mistakes in the title or description could be taken as warning signs, but developers from around the world publish extensions in the Store and some listings are written by non-native English speakers, so bad grammar or spelling on its own should not be used as an indicator. Irrelevant screenshots or very strange descriptions, on the other hand, are significant signs of a malicious extension, although they are quite rare.
Logos
Malware developers resort to all sorts of tricks to infect users; one of them is using the logo (icon) of a popular brand or application. People are sometimes fooled by this and assume the extension comes from the company that makes the actual software. Note the developer's name and click on it to see their other extensions.
Developer website and contact
Does the extension have its own web page? Visit it for more information, and perhaps something about the developer. We recommend using a content blocker when visiting such sites, to limit the damage should the site have been set up specifically to attack visitors.
Not all extensions have a web page, but most do, at least for support requests or frequently asked questions. Is there a contact option on the Chrome Web Store page that you can use to email the developer? If so, that is a good sign, but the lack of one does not mean the extension is fake.
Privacy Policy
This is perhaps the most overlooked check. Who reads the privacy policy? You should, because unlike website registrations or software license agreements, you are never shown an extension's privacy policy when you install it. It can still serve the developer as cover in a legal dispute, should one arise: you accept the policy as soon as you install the extension.
Use Ctrl + F to search the privacy policy for words such as data, collection, tracking and personal. Your browser will highlight the sentences containing the word; read what each one says.
If the policy is upfront about the data the extension collects, consider whether using the extension is worth the cost to your privacy. It never is.
Obviously, developers and companies with bad intentions can put whatever they like in a privacy policy.
Permissions
When you click the Install button, you are shown a pop-up listing the permissions the extension requires. Permissions are an important clue: an add-on for a visual enhancement (such as a theme) has no need for a permission like "Communicate with cooperating websites", which means it can send data, including your personal information, to a server.
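One way to apply this check before installing, as an added example that is not code from the original article: a small Python script that reads an extension's manifest.json and lists the permissions worth questioning. The sample manifest, the list of sensitive permissions and the "looks cosmetic" heuristic are constructed assumptions for the example.

```python
import json

# Sample manifest, constructed for this example; it is not a real extension.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Dark Theme Example",
  "description": "A visual theme that darkens pages.",
  "permissions": ["storage", "tabs", "cookies"],
  "host_permissions": ["<all_urls>"],
  "externally_connectable": {"matches": ["https://*.example-tracker.invalid/*"]}
}
""")

# API permissions whose install-time warning deserves a second look (assumed list; wording paraphrases Chrome's warnings).
SENSITIVE = {
    "tabs": "read the URL and title of every open tab",
    "cookies": "read and change cookies",
    "history": "read browsing history",
    "webRequest": "observe network requests",
    "nativeMessaging": "exchange messages with native programs",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def review_manifest(manifest: dict) -> dict:
    """Summarise what a manifest asks for. Handles Manifest V2, where host
    patterns sit inside "permissions", and V3, which uses "host_permissions"."""
    requested = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    sensitive = {p: SENSITIVE[p] for p in requested if p in SENSITIVE}
    broad = sorted(p for p in requested if p in BROAD_HOSTS)
    # externally_connectable lets the listed web pages message the extension directly,
    # which is what the "Communicate with cooperating websites" warning refers to.
    external = manifest.get("externally_connectable", {}).get("matches", [])
    return {"sensitive": sensitive, "broad_hosts": broad, "external_sites": external}

def looks_cosmetic(manifest: dict) -> bool:
    # Heuristic: the name or description suggests a purely visual extension.
    text = (manifest.get("name", "") + " " + manifest.get("description", "")).lower()
    return any(word in text for word in ("theme", "dark mode", "wallpaper", "font"))

def warnings_for(manifest: dict) -> list:
    """Plain-language warnings to weigh before clicking Install."""
    r = review_manifest(manifest)
    out = [f"can {why} ('{perm}')" for perm, why in r["sensitive"].items()]
    if r["broad_hosts"]:
        out.append("can read and change data on all websites: " + ", ".join(r["broad_hosts"]))
    if r["external_sites"]:
        out.append("accepts messages from web pages: " + ", ".join(r["external_sites"]))
    if looks_cosmetic(manifest) and (r["sensitive"] or r["broad_hosts"] or r["external_sites"]):
        out.append("described as cosmetic but requests data-access permissions")
    return out
```

Running `warnings_for(SAMPLE_MANIFEST)` on the sample produces five warnings, the last being the mismatch between a "theme" and its data-access permissions.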
Reviews
Reviews are a big red flag if you know how to tell real ones from fake ones. Does the extension have ratings? Are they all 5-star reviews? That is suspicious. Look at the date each review was posted. If they were all posted on the same day, something is fishy. Also look at the text: if the reviews read more or less the same, or if the usernames consist only of random characters, the alarm bells should ring and you need to dig deeper.
Could the reviewers have copied and pasted the comment? It is possible, but not in the case we looked at: the extension had multiple reviews that all used the same wording, and they came from the same user posting more than one review. Did the extension hijack the user's account to post these reviews, or were they paid for? Either way, avoid such extensions to be on the safe side.
It is also a good idea to check whether the developer has responded to any of the user reviews. Go through the next few pages of reviews as well.
Look for similar extensions and watch out for clones
Check for extensions with similar or identical names, and for clones. In the case we examined this was alarming: the original add-on was about 2.15 MB in size, while the clone was about 4.26 MB. If it is a clone, what is the extra size for? That is creepy. So search the Web Store for similar keywords (or the name of the extension) and look through the results. Compare the published dates of the add-ons; the older one is clearly the original.
If you know JavaScript, you can analyze the code to find out why the clone is nearly twice the size of the original. It can be something as innocent as an uncompressed image used as the logo, or it can be additional code that serves malicious or invasive purposes.
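To narrow down where the extra size comes from, as an added example that is not part of the original article: a Python helper that, given the original and the clone unpacked into directories, totals bytes per file type and flags JavaScript files containing constructs that merit a closer read. The directory layout and the pattern list are assumptions chosen for the example.

```python
import os
import re
from collections import Counter

# JavaScript constructs that are legitimate in places but deserve a closer look
# in a clone that is twice the size of the extension it imitates. Assumed for
# this example: they are review prompts, not proof of malice.
SUSPECT_JS = {
    "eval": re.compile(r"\beval\s*\("),
    "new Function": re.compile(r"\bnew\s+Function\s*\("),
    "atob/base64": re.compile(r"\batob\s*\("),
    "long literal": re.compile(r"[A-Za-z0-9+/=]{200,}"),  # packed payloads look like this
}


def size_by_type(root: str) -> dict:
    """Total bytes per file extension under an unpacked extension directory."""
    totals = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower() or "(none)"
            totals[ext] += os.path.getsize(os.path.join(dirpath, name))
    return dict(totals)


def suspect_scripts(root: str) -> dict:
    """Map each .js file (relative path) to the suspect patterns it contains."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = [label for label, rx in SUSPECT_JS.items() if rx.search(text)]
            if hits:
                found[os.path.relpath(path, root)] = hits
    return found


def explain_size_gap(original: str, clone: str) -> list:
    """File types that account for the clone being larger, biggest gap first."""
    a, b = size_by_type(original), size_by_type(clone)
    gaps = {ext: b.get(ext, 0) - a.get(ext, 0) for ext in set(a) | set(b)}
    return sorted(((ext, d) for ext, d in gaps.items() if d > 0), key=lambda x: -x[1])
```

If the gap is all in `.png` or `.jpg`, the page's uncompressed-logo explanation is likely; if it sits in `.js` and `suspect_scripts` lights up, read that file before installing.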
Open source
If the extension is open source, it is probably safe, but don't take that for granted. Go to the page where the source code is published to check that it actually exists. Also check when the last commit was made. If the extension has been updated recently but the source code has not, the extension may no longer be open source in practice and may have picked up privacy and security problems.
Search in social networks
You could also try googling the name of the extension to see whether users have posted problems, recommendations or reviews on social networks. This gives you an idea of how the extension behaves in real-world use.