Original reports on the Monero miner being added to the SafeBrowse extension focused only on the version of the extension for Google Chrome, however, the extension is also available for Firefox, Safari, and Internet Explorer. The extension has been classified as a browser hijacker. It is said to change a user’s default search engine and homepage on their web browsers. Removing SafeBrowse from a computer running Microsoft Windows is not as simple as uninstalling the extension. BleepingComputer has a guide on removing SafeBrowse for Microsoft Windows users.
SafeBrowse’s Google Chrome extension is set to automatically update, and so most users who had installed the SafeBrowse extension received the updated extension which contained the hidden Coinhive Monero miner. The version of SafeBrowse which implemented the Coinhive Monero miner is version 3.2.25. When the system’s task manager is brought up, the increase in CPU usage was made easily apparent. Users are also able to detect the increase in CPU usage by looking at the Google Chrome browser’s internal task manager. Both the system task manager and the browser task manager show that the SafeBrowse extension was using around 60% of CPU resources.
The makers of SafeBrowse deny that they are responsible for the update which included the Coinhive Monero miner. They claim that they have not updated the SafeBrowse extension for months, and that the last version they released is version 3.2.1. The SafeBrowse creators are claiming that hackers were responsible for version 3.2.25, the update which includes the Coinhive Monero miner. If it is true that hackers are the ones responsible for the update, that could mean many other extensions for Google Chrome are “infected” with cryptocurrency miners, or worse, backdoors.