QuickLens Chrome Extension Steals Crypto – A ClickFix Attack Revealed
The Chrome extension “QuickLens – Search Screen with Google Lens” was removed from the Chrome Web Store after a malicious update (v5.8) pushed malware that stole cryptocurrency and user data, including wallet seed phrases, credentials, and sensitive form information. The update stripped security headers from visited pages, injected scripts fetched from a command‑and‑control server, and displayed fake “Google Update” prompts that led to ClickFix attacks downloading an executable named googleupdate.exe. Users who installed the extension should uninstall it, scan for malware, reset passwords, and move crypto funds to new wallets. Chrome now automatically disables the extension for affected users.

QuickLens – The Chrome Extension That Turned Into a Crypto‑Stealing Malware
A once‑popular Google Lens shortcut for Chrome, called QuickLens – Search Screen with Google Lens, was quietly pulled from the Chrome Web Store after it became a vector for widespread malware and cryptocurrency theft. The extension, which had gained a feature badge from Google and attracted roughly 7 000 users, released a malicious update on February 17, 2026 that introduced a series of sophisticated attacks.
How the Attack Was Uncovered
Security researchers at Annex Security discovered that QuickLens’s ownership changed to “LLC Quick Lens” with an obscure domain in early February. Two weeks later, version 5.8 was pushed to users and immediately began requesting new permissions such as declarativeNetRequestWithHostAccess and webRequest. A hidden rules.json file stripped essential browser security headers—Content‑Security‑Policy, X‑Frame‑Options, and X‑XSS‑Protection—from every page visited. This made it possible for malicious scripts to run inline without being blocked by the site’s own policies.
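The header-stripping mechanism described above is a standard Manifest V3 feature (a `declarativeNetRequest` ruleset with `modifyHeaders` actions), so it can be audited from an extension's unpacked files. The following is an added example, not code from the article or from the QuickLens extension; the manifest and rules.json contents are constructed samples shaped like the behaviour described, not the real files.

```python
# Added audit helper (not from the article or the QuickLens extension): flags
# declarativeNetRequest rulesets that strip security headers, the behaviour
# the article attributes to QuickLens v5.8. All inputs are constructed samples.
import json

SECURITY_HEADERS = {"content-security-policy", "x-frame-options",
                    "x-xss-protection", "strict-transport-security"}
RISKY_PERMISSIONS = {"declarativeNetRequestWithHostAccess", "webRequest"}

# Constructed manifest/ruleset shaped like the attack described, not the real files.
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Lens Helper", "manifest_version": 3, "version": "5.8",
    "permissions": ["declarativeNetRequestWithHostAccess", "webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "declarative_net_request": {"rule_resources": [
        {"id": "ruleset_1", "enabled": True, "path": "rules.json"}]},
})
SAMPLE_RULES = json.dumps([
    {"id": 1, "priority": 1,
     "action": {"type": "modifyHeaders", "responseHeaders": [
         {"header": "Content-Security-Policy", "operation": "remove"},
         {"header": "X-Frame-Options", "operation": "remove"}]},
     "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
    {"id": 2, "priority": 1, "action": {"type": "block"},   # benign ad-block rule
     "condition": {"urlFilter": "||ads.example/", "resourceTypes": ["script"]}},
])

def audit_extension(manifest_json, rulesets):
    """Return a list of findings; an empty list means nothing suspicious was seen.
    rulesets maps each rule_resources path to that file's JSON text."""
    manifest = json.loads(manifest_json)
    findings = []
    perms = RISKY_PERMISSIONS & set(manifest.get("permissions", []))
    if perms:
        findings.append(f"requests header-rewriting permissions: {sorted(perms)}")
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        if not res.get("enabled", False):
            continue  # disabled rulesets are not applied by the browser
        for rule in json.loads(rulesets.get(res["path"], "[]")):
            action = rule.get("action", {})
            if action.get("type") != "modifyHeaders":
                continue  # block/redirect/allow rules cannot strip headers
            stripped = {h.get("header", "").lower() for h in action.get("responseHeaders", [])
                        if h.get("operation") == "remove"}
            hit = stripped & SECURITY_HEADERS
            if hit:
                scope = rule.get("condition", {}).get("urlFilter", "(any)")
                findings.append(f"rule {rule['id']} removes {sorted(hit)} for urlFilter {scope!r}")
    return findings
```

Run `audit_extension(SAMPLE_MANIFEST, {"rules.json": SAMPLE_RULES})` to see the two findings; a `urlFilter` of `*` combined with `<all_urls>` host access is the combination that lets inline scripts run on every site the user visits.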
The Malicious Payloads
ClickFix Attack
The extension injected a “fake Google Update” prompt that led users to click an update button. On Windows, this downloaded a disguised executable named googleupdate.exe, signed with a certificate from a Chinese company. Once executed, the malware spawned hidden PowerShell commands that attempted to connect to remote servers and execute further payloads. While the second‑stage URL was no longer active when BleepingComputer analyzed it, the initial exploit was still potent.
Crypto Theft
QuickLens monitored for installed cryptocurrency wallets—MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Solflare, Brave Wallet, Exodus, Binance Chain Wallet, and more. When a wallet was detected, the extension attempted to harvest seed phrases, private keys, or transaction histories, enabling attackers to hijack accounts and siphon funds.
Data Stealer
Beyond crypto, the malware also captured login credentials, payment information, Gmail inbox contents, Facebook Business Manager data, YouTube channel details, and other sensitive form data. The attack leveraged a “1x1 GIF pixel onload trick” to inject JavaScript payloads that executed on every page load.
What Happens Now
Google has removed QuickLens from the Chrome Web Store and automatically disabled it for affected users. If you still have the extension installed:
- Remove it completely from your browser.
- Run a full malware scan on your device.
- Reset any passwords stored in the browser, especially those linked to crypto wallets or sensitive accounts.
If you used any of the mentioned cryptocurrency wallets, consider transferring funds to a new wallet immediately. The attack demonstrates that even seemingly harmless extensions can become powerful tools for data theft and ransomware, underscoring the importance of vigilant extension management and continuous security monitoring.
Stay alert, keep your browser extensions up‑to‑date, and never trust unsolicited “updates” from unfamiliar sources.