A malicious Google Chrome extension forces users to install it via irritating installation popups and then spies on browser histories and sends them to a remote server.

Researchers at Malwarebytes discovered the extension, called iCalc, while investigating a malvertising campaign where a website was created to consistently push unlucky users to reach a particular page in order to install the malicious extension through a deluge of popups.

Malwarebytes says there was no simple way to close the window and refuse to install iCalc. When one popup closed, another one opened. If the user attempted to place their mouse near the browser URL bar or the close button, an annoying dialogue would appear and the website would play an annoying audio message. The extension also required invasive permissions.

The extension had nothing to do with a calculator, but instead a set of scripts to create a proxy and perform web request interceptions. Malwarebytes reported the extension and it was pulled from the Chrome web store but not before it reached over 1000 installations. Shortly after being removed, the same malvertising campaign pushed a different Chrome extension, specifically aimed at Russian users.

Malwarebytes advises users to check what extensions are installed on their Chrome browsers on a regular basis by typing chrome//extensions/ in the address bar. Users can remove any that have no use anymore or look unfamiliar.