Why your free online tool is a malware campaign

The security angle on free online tools is worse than you think. Trojanised PDF editors, crypto-mining extensions, and fake download buttons.

We wrote about how free online tools really work, covering the funding models and privacy trade-offs. This post goes deeper into the security side, because it is worse than most people realise.

The free tool ecosystem is not just ad-supported software with dodgy privacy policies. Parts of it are active malware distribution networks. Real documented incidents, real victims, real damage.

The incidents

PDF Toolbox: 2 million users, every page compromised

PDF Toolbox was a Chrome extension that did what it said on the tin. Merge PDFs, split pages, convert formats. It had over 2 million users and a 4-star rating.

In 2023, security researchers discovered it was injecting arbitrary JavaScript into every web page the user visited. Not just on the PDF sites. Every page. The injected code could read page content, intercept form submissions, and exfiltrate data to external servers.

Google removed it along with over 30 other extensions in the same purge. The extensions had been live for months, some for years, accumulating millions of users before anyone noticed.

AppSuite PDF Editor and TamperedChef

A fake "AppSuite PDF Editor" appeared in Google Ads search results. Users searching for PDF tools clicked through to what looked like a legitimate software page, downloaded the installer, and got the TamperedChef malware instead.

TamperedChef is a credential stealer. It sits dormant for weeks after installation, then begins harvesting passwords, browser tokens, and authentication cookies. The delay is deliberate. By the time the malware activates, the user has forgotten where they downloaded it from.

The 2023 Chrome Web Store purge

Google's 2023 cleanup removed more than 30 extensions with a combined user base in the millions. The affected extensions fell into a few categories:

  • PDF tools that injected tracking scripts
  • Image editors that ran crypto miners in the background
  • Format converters that exfiltrated clipboard data
  • "Utility" extensions that requested permissions far beyond their stated function

These were not obscure extensions from unknown developers. They had reviews, ratings, and professional-looking listing pages. Some had been in the store for over a year.

The fake download button economy

Visit any free tool site with aggressive monetisation and count the buttons that say "Download." On some pages there are three or four, and only one does what you expect. The others are ads styled to look like the tool's own interface.

This is not an accident. It is a deliberate dark pattern. The site operator sells ad placements that mimic their download buttons. The advertiser gets clicks from confused users. The user gets an installer for software they never wanted.

What happens when you click a fake download button varies:

  • Best case: You install a toolbar or browser extension you did not want. It takes five minutes to remove.
  • Middling case: You install an ad-injecting program that modifies your browser behaviour and is surprisingly hard to uninstall.
  • Worst case: You install a trojan that steals credentials, installs a crypto miner, or opens a backdoor for later exploitation.

The fake download button ecosystem is massive. It funds entire ad networks. The sites that run these ads know exactly what they are doing.

Extension permissions are the real danger

When you install a browser extension, it asks for permissions. Most people click "Allow" without reading. For a malicious extension, those permissions are the keys to the kingdom.

A PDF tool extension does not need permission to "read and change all your data on all websites." But many request it. That permission lets the extension:

  • Read every page you visit, including banking sites and email
  • Modify page content in real time, including injecting ads or scripts
  • Intercept form submissions, including login forms
  • Access cookies and session tokens
  • Redirect requests to attacker-controlled servers

A legitimate PDF tool should need access to the active tab at most. If it asks for more, it is not a PDF tool. It is surveillance software that happens to also edit PDFs.
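As an added example (not code from the original post or from any of the extensions it names), here is a small Node.js check that reads a Chrome extension's manifest.json and flags the two things the section above warns about: host access amounting to "all your data on all websites" (including content scripts injected into every page) and API permissions well beyond what a PDF tool needs. The sample manifests are constructed, and the list of high-risk APIs is an assumed starting point, not an official classification.

```javascript
// Added example: rate an extension manifest (MV2 or MV3 layout) against the
// rule of thumb that a PDF tool should need the active tab at most.

// Host patterns that equal "read and change all your data on all websites".
const ALL_SITES_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// API permissions that reach far beyond editing a PDF (assumed list).
const HIGH_RISK_APIS = new Set([
  "webRequest", "webRequestBlocking", "cookies", "history",
  "scripting", "nativeMessaging", "proxy", "debugger",
]);

// A permission string is a host pattern if it is <all_urls> or a URL match pattern.
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

// Returns { hosts, apis, allSites, highRisk, verdict } for one manifest object.
function assessManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),            // MV2 mixes hosts and APIs here
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),       // MV3 splits hosts out
    ...(manifest.optional_host_permissions || []),
  ];
  // Content scripts inject code into every page matching their patterns,
  // which is exactly the PDF Toolbox behaviour, so count them as host access.
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const hosts = [...declared.filter(isHostPattern), ...injected];
  const apis = declared.filter((p) => !isHostPattern(p));
  const allSites = hosts.some((h) => ALL_SITES_PATTERNS.includes(h));
  const highRisk = apis.filter((a) => HIGH_RISK_APIS.has(a));
  const verdict = allSites || highRisk.length > 0 ? "over-broad" : "proportional";
  return { hosts, apis, allSites, highRisk, verdict };
}

// Constructed sample manifests, not taken from any real extension.
const honestPdfTool = { manifest_version: 3, permissions: ["activeTab", "storage"] };
const greedyPdfTool = {
  manifest_version: 3,
  permissions: ["activeTab", "cookies", "scripting"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};
```

Run it against a real manifest with `assessManifest(JSON.parse(fs.readFileSync("manifest.json", "utf8")))`; anything other than "proportional" deserves the scrutiny the checklist below asks for.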

Where uploaded files go

Server-side tools that process your files have to store them somewhere, at least temporarily. The question is what happens after processing.

Good tools delete files immediately after processing and document their retention policy. Bad tools keep files indefinitely or have no policy at all.

The worst case is a tool that claims to delete files but actually retains them. There is no way for you to verify server-side deletion. You are trusting a promise from a site that may be funded primarily by data extraction.

If a tool does not have a clearly stated retention policy, assume it keeps everything. If it does have a policy, you still cannot verify it. The only truly safe option is a tool that never uploads your files in the first place.

How to spot safe tools

Here is a checklist. Apply it every time you use a free online tool.

Architecture:

  • Does it process files in your browser or upload them to a server?
  • Can you use it offline after the initial page load?
  • Does the Network tab in DevTools stay quiet while you work?

Permissions:

  • If it is an extension, what permissions does it request?
  • Does it need access to "all websites" or just the active tab?
  • Are the requested permissions proportional to what the tool does?

Transparency:

  • Is there a privacy policy?
  • Does it explain where files go and how long they are kept?
  • Does the site disclose its funding model?

Trust signals:

  • Does the download button look like an ad, or is it clearly part of the interface?
  • Are there multiple "download" buttons on the page?
  • Does the site have intrusive pop-ups, overlays, or redirect behaviour?

If a tool fails more than one of these checks, find a different tool.

The browser-based alternative

Tools that run entirely in your browser eliminate most of these risks by architecture. There is no upload, so there is no server-side retention. There is no extension, so there are no over-broad permissions. There is no installer, so there is no trojanised binary.

Our PDF tools compress, merge, split, and reorder pages using WebAssembly. Your files never leave your device. Our image tools do the same for image compression and format conversion. Unwrite GPT cleans AI text in your browser. The HTML tools tidy and convert markup locally.

This is not a sales pitch. It is a statement about architecture. Browser-based processing removes entire categories of attack vector. No uploads. No extensions. No installers. No servers that might be compromised, might retain your data, or might be running code that differs from what was promised.

The pattern

The pattern in the free tool space is consistent. Useful functionality attracts users. Users grant permissions or upload files without scrutiny. The trust is exploited.

It happens with extensions that inject scripts. It happens with installers that bundle malware. It happens with server-side tools that retain files. It happens with fake download buttons that fund malware distribution.

The fix is not "stop using free tools." The fix is using free tools that are built so they cannot betray your trust, because the architecture does not allow it.

Check our privacy policy to see how we approach this. Every tool listed on the site runs in your browser. Nothing phones home. That is the point.