QuickLens - Search Screen with Google Lens Malicious Extension
The browser extension QuickLens - Search Screen with Google Lens was originally promoted as a convenient tool for searching on-screen images, translating content, and retrieving product information through visual queries. Despite its legitimate appearance and functionality, the extension ultimately evolved into a serious cybersecurity threat. Investigations revealed that the software contained malicious scripts capable of harvesting sensitive information and launching ClickFix social engineering attacks on infected systems.
Initially, the extension had a large existing user base and was widely trusted. However, a critical change occurred in February 2026, when the extension was sold on a browser extension marketplace and taken over by a new owner operating under the email address 'support@doodlebuggle.top' and the company name LLC Quick Lens. Shortly after the acquisition, a suspicious privacy policy was introduced, followed by the release of a malicious update distributed to all users.
Malicious Update Delivered Through Official Channels
Because the extension was already installed by thousands of users, the malicious update spread quickly. The Chrome Web Store's automatic update mechanism delivered the compromised version directly to existing installations without requiring additional user interaction.
The updated version requested extensive browser permissions that allowed it to monitor browsing behavior and modify website activity. These permissions enabled the extension to remove critical security protections normally enforced by websites. Safeguards designed to block malicious scripts, prevent site framing, and mitigate certain attack techniques were disabled, making it significantly easier for injected malicious code to execute on any page visited by the victim.
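A static check a defender can run over an unpacked extension before trusting an update, added here as an example rather than anything from the QuickLens analysis: it flags the broad permissions described above and any declarativeNetRequest rule that strips the response headers behind "block malicious scripts" and "prevent site framing" (assumed here to be Content-Security-Policy and X-Frame-Options; the header-stripping mechanism, the sample manifest and the ruleset are all constructed assumptions).

```python
import json

# Permissions that let an extension observe and rewrite every page; the list is
# this example's own reviewer judgement, not taken from the QuickLens manifest.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess", "scripting", "cookies",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Response headers whose removal disables the site-side protections described above.
PROTECTIVE_HEADERS = {"content-security-policy", "x-frame-options",
                      "content-security-policy-report-only", "x-content-type-options"}

def audit_manifest(manifest):
    """Return findings for a Manifest V3 manifest (parsed JSON dict)."""
    findings = []
    for p in sorted(set(manifest.get("permissions", [])) & HIGH_RISK_PERMISSIONS):
        findings.append(f"high-risk permission: {p}")
    for h in sorted(set(manifest.get("host_permissions", [])) & BROAD_HOSTS):
        findings.append(f"broad host access: {h}")
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content script injected on every site")
    return findings

def audit_dnr_rules(rules):
    """Flag declarativeNetRequest rules that remove protective response headers."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if hdr.get("operation") == "remove" and name in PROTECTIVE_HEADERS:
                findings.append(f"rule {rule.get('id')} removes {name}")
    return findings

# Constructed sample files, shaped like a real unpacked extension but not QuickLens's.
SAMPLE_MANIFEST = json.loads('''{"manifest_version": 3, "name": "sample",
  "permissions": ["declarativeNetRequest", "scripting", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}''')
SAMPLE_RULES = json.loads('''[{"id": 1, "priority": 1,
  "action": {"type": "modifyHeaders", "responseHeaders": [
    {"header": "Content-Security-Policy", "operation": "remove"},
    {"header": "X-Frame-Options", "operation": "remove"}]},
  "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}}]''')
```

Run `audit_manifest` on the unpacked extension's `manifest.json` and `audit_dnr_rules` on each file listed under `declarative_net_request.rule_resources`; any finding on a screenshot-search tool is a reason to hold the update.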
Persistent Communication with Command-and-Control Infrastructure
After installation, the compromised extension established communication with a remote Command-and-Control (C2) server. The malware generated a unique identifier for each infected user and collected environmental information such as geographic location, browser type, and operating system.
The extension maintained persistent communication with the remote server by sending requests every five minutes. These regular check-ins allowed the attackers to deliver new instructions, update malicious payloads, or initiate additional attack actions on compromised systems.
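The fixed five-minute check-in is the kind of cadence proxy logs expose. The following is an added detection example, not code from the original analysis, and it generalizes beyond the five-minute case: it flags any client-to-host series whose request gaps are nearly constant. The log format, hosts and paths are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log sample ("timestamp client host path"); the hosts and
# paths are placeholders, not real QuickLens infrastructure.
SAMPLE_LOG = """\
2026-02-20T10:00:03 10.0.0.5 c2.example.invalid /api/ping?id=abc
2026-02-20T10:00:09 10.0.0.5 www.example.org /
2026-02-20T10:05:04 10.0.0.5 c2.example.invalid /api/ping?id=abc
2026-02-20T10:10:02 10.0.0.5 c2.example.invalid /api/ping?id=abc
2026-02-20T10:12:40 10.0.0.5 www.example.org /news
2026-02-20T10:15:05 10.0.0.5 c2.example.invalid /api/ping?id=abc
2026-02-20T10:20:03 10.0.0.5 c2.example.invalid /api/ping?id=abc
2026-02-20T10:25:04 10.0.0.5 c2.example.invalid /api/ping?id=abc
"""

def parse_log(log):
    """Group request timestamps by (client, destination host)."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, client, host, _path = line.split()
        series[(client, host)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(log, min_hits=5, max_jitter=0.1):
    """Return (client, host, median_gap_seconds) for destinations contacted at a
    regular cadence: at least min_hits requests whose inter-request gaps vary by
    no more than max_jitter (population std-dev divided by the median gap).
    A fixed five-minute check-in shows up as a ~300 s gap with near-zero jitter."""
    beacons = []
    for (client, host), times in parse_log(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and pstdev(gaps) / med <= max_jitter:
            beacons.append((client, host, med))
    return beacons
```

Ordinary browsing (the `www.example.org` lines) is too sparse and irregular to trigger; raise `min_hits` or lower `max_jitter` when tuning against a busy network.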
ClickFix Social Engineering and Fake Update Alerts
The malicious version of QuickLens also implemented aggressive social engineering techniques. It had the capability to inject scripts into any webpage visited by the victim, enabling it to display fraudulent Google Update notifications.
These deceptive alerts were designed to mimic legitimate software update prompts. In reality, they formed part of a ClickFix-style attack, a technique that manipulates users into executing harmful commands or downloading additional malware. By presenting the alerts across multiple websites, the attackers increased the likelihood that victims would trust the prompt and follow the malicious instructions.
Cryptocurrency Wallet and Data Theft Capabilities
One of the most dangerous functions of the compromised extension involved the targeting of cryptocurrency assets and sensitive user data. The embedded malicious scripts scanned browsers for installed cryptocurrency wallets and attempted to extract confidential information such as wallet seed phrases, authentication credentials, and sensitive form data.
The malware specifically targeted the following cryptocurrency wallet platforms:
- Argon
- Backpack
- Binance Chain Wallet
- Brave Wallet
- Coinbase Wallet
- Exodus
- MetaMask
- Phantom
- Solflare
- Trust Wallet
- WalletConnect
Beyond cryptocurrency theft, the extension was capable of harvesting a broad range of sensitive data entered into websites. This included login credentials, payment information, and other personal data transmitted through web forms.
Access to Online Accounts and Business Platforms
Further analysis revealed that the malicious extension could access and extract information from several widely used online platforms. These capabilities expanded the potential damage beyond individual users to businesses and content creators.
The data collection capabilities included:
- Reading email data within Gmail inboxes
- Gathering advertising account information from Facebook Business Manager
- Retrieving analytics and operational data from YouTube channels
This functionality created significant risks for organizations managing marketing campaigns, financial accounts, or online media platforms through affected browsers.
Extension Removal and Security Implications
Following the discovery of the malicious activity, Google removed and disabled the QuickLens - Search Screen with Google Lens extension from the Chrome Web Store. Despite this action, systems that previously installed the extension may remain at risk if the software is still present.
Affected users should immediately uninstall the extension and review their systems for potential compromise. Credential changes, wallet security checks, and system scans are strongly recommended.
The QuickLens incident highlights the growing security risks associated with browser extensions. Even software that begins as a legitimate tool can become a threat when ownership changes and malicious updates are distributed through official update channels. This case demonstrates how trusted applications can be weaponized to bypass security controls, steal sensitive data, and conduct large-scale social engineering attacks.