A Chrome VPN extension with more than 100,000 users has been caught secretly capturing screenshots of browsing activity and sending them to a remote server. Despite evidence from researchers, Google has yet to remove the FreeVPN.One extension from the Chrome Web Store.
Chrome safeguards missed the extension’s shift
According to Koi Security, FreeVPN.One operated normally for years before quietly changing behavior in July. The developer rolled out updates requesting broader permissions, then activated a screenshot capture routine. Just over a second after each page load, the extension snaps an image and transmits it remotely. Early versions sent the images unencrypted, while later ones used obfuscation.
Koi’s Lotan Sery noted that the extension was even verified and featured in the Chrome Web Store, adding that Chrome’s automated scans and human reviews failed to catch the change. The discovery highlights gaps in Google’s marketplace security, where malicious features can slip through by waiting for trust to build before pivoting.
FreeVPN.One developer insists on compliance
The developer behind FreeVPN.One defended the extension, insisting its actions are compliant with Chrome Web Store policies and are disclosed in the privacy policy. They argued screenshots only occur if a site appears suspicious as part of a background threat scan, and that data is encrypted and analyzed briefly before being discarded.
Researchers disputed those claims, showing evidence that screenshots were triggered on mainstream, trusted domains including Google itself. The fact that images are sent off device with no opt out, they said, makes the feature invasive by definition.
Privacy wrapped in loopholes
Hidden deep in the extension’s Chrome listing is a vague reference to “advanced AI Threat Detection” that passively scans pages users visit. The description never makes clear that this scanning involves sending screenshots of private browsing to a server. Koi Security says this is a bait and switch tactic, turning a once normal VPN into spyware cloaked under the guise of security.
Google’s silence keeps the FreeVPN.One extension live
When asked whether it is investigating, Google did not respond by publication time. FreeVPN.One remains downloadable in the Chrome Web Store, raising questions about how quickly Google reacts to credible security reports.
For now, the extension is still live, a reminder that even browser stores with checks in place can leave users exposed when trusted apps turn rogue.
{{user}} {{datetime}}
{{text}}