Extension Details
Context-Aware Verdict
The extension has a relatively small user base of 3,000 users with a decent rating of 4.4 stars, though based on only 13 reviews which is quite limited. The developer is associated with pgyer.com, which appears to be a legitimate app distribution platform. However, the extension name contains a typo ("Downloder" instead of "Downloader"), which raises questions about quality control and attention to detail.
The most significant concern is the broad content script injection capability that allows the extension to run scripts on all websites you visit. This creates substantial privacy and security risks as it can potentially access sensitive information like passwords, personal data, or financial information on any site. The combination of activeTab permission with all_urls content scripts is particularly concerning, as it provides extensive access to web content. While the individual permissions (contextMenus, activeTab, storage) are reasonable for an app downloader, the broad injection capability seems excessive for the stated purpose.
Given the high-risk content script injection, consider running this extension in a separate Chrome profile to isolate it from your primary browsing activities. Monitor the extension's behavior closely and be cautious when visiting sensitive websites while it's active. Consider whether the functionality truly requires such broad access, and look for alternative extensions with more limited permissions if available.
Findings
Security Analysis Details
Required Permissions:
- contextMenus
- activeTab
- storage
Host Permissions:
- https://www.pgyer.com/
Embedded URLs (26 total):
| https://clients2.google.com/service/update2/crx | https://www.pgyer.com/ | |
| https://tailwindcss.com | https://github.com/mozdevs/cssremedy/issues/4 | |
| https://github.com/tailwindcss/tailwindcss/pull/116 | https://bugzilla.mozilla.org/show_bug.cgi?id=190655 | |
| https://bugs.chromium.org/p/chromium/issues/detail?id=999088 | https://bugs.webkit.org/show_bug.cgi?id=201297 | |
| https://bugs.chromium.org/p/chromium/issues/detail?id=935729 | https://bugs.webkit.org/show_bug.cgi?id=195016 | |
| https://github.com/mozilla/gecko-dev/blob/2f9eacd9d3d995c937b4251a5557d95d494c9be1/layout/style/res/forms.css#L728-L737 | https://github.com/tailwindlabs/tailwindcss/issues/3300 | |
| https://github.com/mozdevs/cssremedy/issues/14 | https://github.com/jensimmons/cssremedy/issues/14#issuecomment-634934210 | |
| https://reactjs.org/docs/error-decoder.html?invariant= | http://www.w3.org/1999/xlink | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/2000/svg | |
| http://www.w3.org/1998/Math/MathML | http://www.w3.org/1999/xhtml | |
| https://www.pgyer.com/apk/ | https://www.pgyer.com/apk/search/ | |
| https://www.pgyer.com/apk/api/ext? | https://www.pgyer.com/apk | |
| https://github.com/facebook/regenerator/blob/main/LICENSE | https://assets.apk.live/ |
Raw Manifest
{ "name": "APKHUB App Downloder", "icons": { "16": "assets/icon_16.png", "32": "assets/icon_32.png", "48": "assets/icon_48.png", "128": "assets/icon_128.png" }, "action": { "default_icon": "assets/icon_48.png", "default_popup": "action/main.htm" }, "version": "1.0.1", "background": { "service_worker": "worker/main.js" }, "options_ui": { "page": "option/main.htm", "open_in_tab": false }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Download App File Directly without any account or device limit.", "permissions": [ "contextMenus", "activeTab", "storage" ], "content_scripts": [ { "js": [ "worker/content.js" ], "run_at": "document_start", "matches": [ "<all_urls>" ] } ], "host_permissions": [ "https://www.pgyer.com/" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "/assets/*" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.