Apr 24, 2026
12 TikTok Downloader Extensions Secretly Profiled 130,000 Chrome Users—Some Are Still in the Web Store
Security researchers uncovered a campaign called StealTok in which fake TikTok video downloaders on Chrome and Edge stayed dormant for months, building trust and store badges, before silently activating device fingerprinting and behavioral profiling code.
The Campaign
Researchers at LayerX Security identified 13 browser extensions across Chrome and Microsoft Edge that advertised themselves as TikTok video downloaders. The extensions functioned exactly as promised: users could save TikTok videos without watermarks. What users did not know was that the extensions were also building detailed behavioral and device profiles of everyone who installed them.
The campaign, dubbed StealTok, affected more than 130,000 users across both browsers. At least 12,500 installations were still active at the time of the report. Some of the extensions remain available in official web stores.
How the Sleeper Activation Works
The most concerning aspect of StealTok is its patience. Each extension operated legitimately for six to twelve months after publication, doing nothing malicious while accumulating positive reviews, high install counts, and the "Featured" or "Established Publisher" badges that Chrome and Edge award to trusted extensions.
Only after building that trust did the extensions activate their hidden code, delivered through a remote configuration update rather than a store update. Because the extension's published source code never changed, Chrome Web Store's automated review process had nothing to flag. The malicious behavior was loaded at runtime from an external server, invisible to anyone reviewing the store listing.
This delayed activation strategy is becoming a pattern. Earlier in April 2026, researchers found that 108 Chrome extensions were stealing Google and Telegram logins using similar techniques. The store's vetting process is designed to catch malicious code at submission time, not months later when the developer pushes a remote configuration change.
What the Extensions Collected
Once activated, the StealTok extensions collected what researchers call "high entropy" device fingerprinting data, a combination of attributes specific enough to uniquely identify a device across sessions and websites:
- System configuration: timezone, language settings, screen resolution, installed fonts
- Hardware signals: battery status, device memory, CPU core count
- Behavioral patterns: usage frequency, downloaded content metadata, browsing session timing
- Credential access: login tokens and keystroke monitoring capability
- Financial data: saved payment information accessible through browser storage
This is the same class of fingerprinting data that advertising companies use to track you across the web, but collected directly from inside your browser with full access to everything an extension can see. A fingerprint built from battery status, timezone, fonts, and screen resolution can identify a specific device with over 99% accuracy, even when cookies are cleared or VPNs are used.
The Named Extensions
LayerX identified 13 extensions by name. Some of the most installed include:
- "TikTok Video Keeper" with 60,000 installs (since removed)
- "Mass Tiktok Video Downloader" with 30,000 to 60,000 installs on Edge
- "TikTok Downloader – Save Videos, No Watermark" with 3,000 to 10,000 installs on Chrome
- "TikTok Video Downloader – Bulk Save" with 1,000 installs on Chrome
Status varies: some have been removed from official stores, while others were still available at the time of the LayerX report. If you have any TikTok downloader extension installed, check it against the full list in LayerX's research.
Why Browser Extension Stores Cannot Catch This
Chrome Web Store and Microsoft Edge Add-ons review extensions when they are submitted or updated. The StealTok extensions passed every review because their submitted code was clean. The malicious behavior was loaded remotely, after installation, from a server the developer controlled.
This is a fundamental gap in how browser extension marketplaces work. Google's Manifest V3 migration was supposed to address some of these risks by limiting what extensions can do at runtime. But Manifest V3's restrictions primarily target content blocking and network request modification. They do not prevent an extension from reading the battery API, enumerating fonts, or sending collected data to an external server.
Until browser stores implement continuous runtime monitoring rather than submission-time code review, extensions that pass initial review will always be able to turn malicious later.
What to Do Now
If you use Chrome or Edge and have installed any TikTok-related extensions:
- Open your extensions page (chrome://extensions or edge://extensions) and remove any TikTok video downloader you do not fully trust.
- Review all your extensions while you are there. Remove anything you no longer use. Every extension is an attack surface.
- Check extension permissions. A video downloader should not need access to "all sites" or your browsing history. If it requests broad permissions, it is probably doing more than downloading videos.
- Change saved passwords in your browser if you had a StealTok extension installed, since the extensions had keystroke monitoring capability.
- Use official tools whenever possible. TikTok's own app lets you save videos. Third-party downloaders exist because they remove watermarks, but that convenience comes with risk.
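The permission check in the list above can be scripted across every installed extension. This is an added example, not code from LayerX or from the original article: it reads each `manifest.json` under a profile's `Extensions` directory and flags "all sites" host access and API permissions such as `history`. The sensitive-permission list, the function names and the sample manifests are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that grant access to every site ("all sites" in the UI).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions a video downloader has no obvious need for (assumed list).
SENSITIVE_APIS = {"history", "tabs", "cookies", "webRequest", "management"}

def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json (Manifest V2 or V3)."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", []))  # MV3 key
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 style
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    findings = [f"broad host access: {h}" for h in sorted(hosts & BROAD_HOSTS)]
    findings += [f"sensitive API: {p}" for p in sorted(perms & SENSITIVE_APIS)]
    return findings

def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    report = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        findings = audit_manifest(manifest)
        if findings:
            report[f"{path.parts[-3]} ({manifest.get('name', '?')})"] = findings
    return report

def demo() -> dict[str, list[str]]:
    """Audit two constructed manifests written to a temporary directory."""
    samples = {
        "constructed-id-1": {"manifest_version": 3, "name": "Constructed Downloader",
                             "permissions": ["downloads", "history"],
                             "host_permissions": ["<all_urls>"]},
        "constructed-id-2": {"manifest_version": 3, "name": "Constructed Narrow",
                             "permissions": ["downloads"],
                             "host_permissions": ["https://video.example/*"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples.items():
            folder = Path(tmp) / ext_id / "1.0.0_0"
            folder.mkdir(parents=True)
            (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_profile(Path(tmp))

if __name__ == "__main__":
    for extension, findings in demo().items():
        print(extension, findings)
```

Point `audit_profile` at the `Extensions` folder of a Chrome or Edge profile to audit real installs. The result shows what an extension is able to reach, not what it currently does, so an extension whose behavior is switched on by remote configuration still has to be judged on whether its permissions fit its stated purpose.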
Extensions You Trust Today Can Betray You Tomorrow
StealTok worked because users did what they were supposed to do. They installed extensions from official stores. They checked reviews and install counts. They looked for trust badges. Every signal said these extensions were safe.
But those signals only reflected the past. A clean extension today can become a surveillance tool tomorrow with a single remote configuration change. The same browser that hosts your email also hosts every extension you have installed, and each one has a window into your browsing, your logins, and your identity. The fewer extensions you run, the smaller that window is.