There’s Spyware in Your Chrome Browser. You Put It There.

In the summer of 2025, 2 million people got spyware pushed into their browser.

They installed it themselves.

It was called Volume Booster.

Add VolumeMax — It’s Free

The safer alternative — no signup, no data collection, no tracking.

  • 2,000,000+ users affected by malicious extensions
  • 3 malware updates pushed in 5 days
  • 100% safe by design · no data collection
  • #1 rated volume booster in the Chrome Web Store

What Happened

A popular Chrome extension called “Volume Booster” looked harmless. Over 2 million users installed it to get louder audio on YouTube.

Then the developer pushed three silent updates.

No warning. No permissions screen. Nothing you would have noticed.

The extension started doing things it was never supposed to do — tracking activity, injecting scripts, and opening backdoors.

The Spyware Playbook

Malicious extensions follow the same pattern:

  1. Ship a useful feature to earn trust.
  2. Request broad permissions (tabs, storage, web access).
  3. Push silent updates.
  4. Turn the extension into a surveillance tool.

By the time users realize something is wrong, the damage is already done.

The safe alternative that actually respects your privacy.

  • No data collection or tracking
  • Minimal permissions
  • Open source & transparent
  • Built for performance and safety

How Extensions Get Access

The extension had a clean record. It had been on Chrome for years. Over 20 million historical installs. It did one thing — pushed audio past Chrome’s 100% ceiling. No complaints. No red flags.

Then the developer pushed three updates over five days.

Here’s the part Chrome doesn’t explain when you install an extension.

When you approve an extension’s access, that access doesn’t expire. The developer can add entirely new code later — code that does something completely unrelated to the original tool — and if it doesn’t ask for permissions beyond what you already granted, Chrome stays silent. The update rolls out automatically. Nothing changes on your end.

You just get whatever the new code does.

Which raises the obvious question: what did those three updates actually do?

Version 1.0.2 requested broad access to all websites. Standard for an audio tool — you need volume control on YouTube, Twitch, everywhere. Millions approved it. Reasonable.

Version 1.0.3 added the ability to watch and intercept network requests. No warning triggered. The broad permission already covered it.

Version 1.0.4 activated a third-party tracking SDK called Give Freely. Still no warning. Silent rollout to 2 million devices.

This technique has a name. It’s called staged activation. You request the dangerous permission while you’re still behaving. Then you use it later when nobody’s watching.
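
A way to spot this pattern from the defender's side, as an added example that is not from the original article or the extension's code: diff the manifest of each version and flag API permissions that arrive after broad host access is already in place. The manifests, including the baseline before 1.0.2, are constructed to follow the sequence described above.

```javascript
// Added example. The manifests are constructed samples, not the real extension's files.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isHost = (p) => p === "<all_urls>" || p.includes("://");

// Every host pattern the extension holds permanently (MV2 and MV3 layouts).
function hostPatterns(m) {
  const scripts = (m.content_scripts || []).flatMap((cs) => cs.matches || []);
  const mv2Hosts = (m.permissions || []).filter(isHost); // MV2 mixes hosts into "permissions"
  return new Set([...(m.host_permissions || []), ...mv2Hosts, ...scripts]);
}

// Named API permissions such as "storage" or "webRequest".
function apiPermissions(m) {
  return new Set((m.permissions || []).filter((p) => !isHost(p)));
}

// Report what an update added, and whether it builds on broad access granted earlier.
function diffManifests(oldM, newM) {
  const oldHosts = hostPatterns(oldM), oldApis = apiPermissions(oldM);
  const addedHosts = [...hostPatterns(newM)].filter((h) => !oldHosts.has(h));
  const addedApis = [...apiPermissions(newM)].filter((a) => !oldApis.has(a));
  const hadBroad = [...oldHosts].some((h) => BROAD.has(h));
  const findings = addedHosts.filter((h) => BROAD.has(h)).map((h) => `broad host access added: ${h}`);
  for (const a of addedApis) {
    findings.push(`API permission added: ${a}` + (hadBroad ? " (builds on broad host access granted earlier)" : ""));
  }
  return { addedHosts, addedApis, hadBroad, findings };
}

// Constructed manifests following the update sequence described above.
const baseline = { manifest_version: 3, version: "earlier", permissions: ["activeTab", "storage"] }; // assumed starting point
const v102 = { ...baseline, version: "1.0.2", host_permissions: ["<all_urls>"] };
const v103 = { ...v102, version: "1.0.3", permissions: [...v102.permissions, "webRequest"] };
const v104 = { ...v103, version: "1.0.4" }; // new bundled code only, manifest unchanged

for (const [a, b] of [[baseline, v102], [v102, v103], [v103, v104]]) {
  const { findings } = diffManifests(a, b);
  console.log(`${a.version} -> ${b.version}:`, findings.length ? findings : "no manifest change; diff the packaged code");
}
```

The 1.0.3 to 1.0.4 step reports nothing because activating bundled code needs no manifest change, so a permission diff has to be paired with a diff of the packaged scripts.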

So what was Give Freely actually doing inside your browser?

It scanned every website you visited for shopping activity. When you landed on a checkout page, it injected a popup. Behind the scenes, it was intercepting your purchase and rerouting the affiliate commission to itself. It tracked your device. It sent your IP to a geolocation service using a hardcoded MaxMind API key. It profiled you by country to determine how profitable you were.

It did this on every tab. Constantly. In the background.

The charity angle is where the story gets genuinely strange.

Give Freely was founded by Steve Kaufer — the co-founder of TripAdvisor. The model was that 100% of the intercepted commissions went to nonprofits. Real charities. Real donations.

A Silicon Valley legend built the operation that turned your volume booster into a shopping surveillance tool — and called it philanthropy.

Meanwhile, the extension’s Chrome Web Store listing said — in all caps — “NO ADS. NO MALWARE.”

When users started noticing the popups on checkout pages, the reviews collapsed. Security researchers flagged the webRequest additions and the MaxMind pings. Reddit threads piled up. The rating dropped.

Google did nothing.

As of mid-2026, the extension was still live on the store.

What Safe Looks Like

You might be thinking: okay, one bad actor. One extension. Edge case.

Here’s what happened four months later with JSON Formatter.

Different category entirely. A developer tool for reading JSON data. Twelve years old. Open source for its entire existence. 2 million users who trusted it completely.

In early 2026, it went closed-source. Shortly after, it started injecting Give Freely popups on checkout pages.

Same SDK. Same mechanism. Same staged activation pattern.

Two completely different tools. Completely different user bases. Identical playbook.

And while those affiliate plays were operating in the gray zone, LayerX security researchers found something darker in the same volume booster category. A cluster of extensions with 1.5 million combined users was communicating with active malware command-and-control servers — domains like francjohn.com and jermikro.com. Extensions called “Volume Max – Ultimate Sound Booster” and “Sound Booster” were receiving remote instructions and opening hidden background tabs.

Not affiliate tracking. Actual malware infrastructure.

The volume booster category is the most targeted segment in the Chrome extension ecosystem. Because the core function legitimately requires broad permissions. And broad permissions are the only thing you need to turn any tool into something else.

So the question that actually matters: what does an extension have to do to be trustworthy in this environment?

Not claim it. “NO MALWARE” costs nothing to write. Google doesn’t enforce it.

The answer is architecture.

An extension that processes everything locally, sends zero data to outside servers, and doesn’t hold permanent broad host permissions cannot do what Volume Booster did — not because the developer decided not to, but because the technical structure doesn’t allow it. No outbound calls means no data to intercept. No persistent broad access means no blank check to activate later.

That’s the gap between an extension that hasn’t betrayed you yet and one that structurally can’t.

The extensions you have installed right now are either one or the other.

The ones you added years ago and stopped thinking about — do you know which they are?

The safer alternative

VolumeMax was built so none of this is technically possible.

Local-only audio processing. No outbound connections. No persistent broad permissions. No path from “useful tool” to “silent tracking.” That’s not a promise — it’s architecture. Free on YouTube. One-time $5.99 everywhere else.

