Home Technology A fake extension of Chrome plays videos in the background

A fake extension of Chrome plays videos in the background

A fake extension of Chrome plays videos in the background
A fake extension of Chrome plays videos in the background

The rise of cryptocurrencies also brings problems in the form of malware. The hidden miners are very present in the different platforms. This can have a very negative effect on the proper functioning of the equipment. Consume resources and make the pieces suffer a great wear. That is why miners’ blockers also emerge. In this article we talk about a false extension to block miners that plays videos in the background.

False extension MinerBlock

Security researcher Bryan Campbell has just discovered a malicious extension of Chrome that passes itself off as the legitimate MinerBlock extension. The legitimate MinerBlock extension is used to block pages that use cryptocurrency mining in the browser. For its part, the newly discovered false extension causes Chrome to play back-stream videos repeatedly without users’ knowledge.

Original Miner Block for Chrome

Pages with this Chrome extension have some differences. In the fake it contains Russian text. We can also see that the developer is different. In the case of the legitimate extension it is CryptoMineDev, while the false one is egopastor2016.

Fake MinerBlock

Regarding appearance, the two are similar. They have the same options interface, for example. Of course, the icon and the version number are different.


In the functionality is where things change. While the original MinerBlock is designed to block access to known mining sites, the malicious version is used to play videos constantly in the background.

It is not known with certainty why the extension plays videos constantly in the background, but could be to make fraudulent clicks or to artificially increase visits.

When it starts, the malicious extension connects to the egopastor.biz site and retrieves a set of “tasks”. These tasks will determine which options the extension will use and the URLs to which it should connect.

The extension begins to connect to the specified URL, which at this time causes the videos to be played from several Russian sites . When a video is played, it will cause the CPU utilization to fire up to 100% and then fall back to 0 when the video has finished playing.

Basically, it does not act very different from what a cryptocurrency miner does on the web. Also consume resources from our team. Something that can certainly affect the pieces noticeably.

Remove it

For those who have this version installed, they can (and should) remove it easily by right clicking on its icon and selecting delete.

Because it is increasingly common for malicious extensions to become legitimate known, it is important that all users be careful when installing extensions. Before installing anything, make sure you read the reviews carefully and that the extension you are installing is correct.

We must always download the applications from official pages. This way we make sure that we are truly installing something legitimate.

As we always say, security is a key aspect in our teams. We must have it updated. This way we will be able to face possible recent threats that put at risk the good functioning.


Please enter your comment!
Please enter your name here