TikTok downloader extensions reviewed: security scores, the StealTok campaign & safer alternatives
Most TikTok downloader extension clones are spyware — StealTok spied on 130K users for up to a year. Here's the security breakdown and safer ways to download.
TikTok video downloaders are one of the most searched extension categories on Chrome Web Store. They're also one of the most reliably dangerous.
On April 20, 2026, LayerX Security researcher Natalie Zargarov published findings on StealTok: a coordinated campaign involving at least 12 browser extensions disguised as TikTok video downloaders that compromised roughly 130,000 users across Chrome and Edge. The campaign had been running — silently, legitimately, with store badges — for more than a year before anyone caught it.
This isn't a fluke. TikTok downloader extensions are a consistent target for threat actors because the demand is massive, the legitimate options are surprisingly sparse, and users are conditioned to install whatever shows up first in search results. It's the same playbook I found in ad blockers that quietly sell your data — a high-demand category with too few honest options. StealTok's operators knew exactly what category to exploit.
TL;DR — what to know before scrolling further
- 12+ fake TikTok downloader extensions tracked 130,000 users across Chrome and Edge for 6–12 months before activating their spyware
- The extensions had "Featured" badges from both stores — that badge means nothing
- The data collected included device fingerprints, login tokens, browsing activity, and potentially saved financial data
- Legitimate TikTok downloaders exist but this category has a disproportionate number of malicious clones
- If you installed a TikTok video downloader before April 2026, remove it and verify before reinstalling
What a TikTok downloader extension should actually do
A legitimate TikTok downloader does one thing: adds a download button to TikTok.com so you can save videos without the watermark. That requires one permission — access to tiktok.com. Nothing else.
That's it. A real downloader doesn't need your battery status. It doesn't need to know your system timezone or browser language beyond what TikTok's own page already provides, and it doesn't need to phone home to a remote server to decide whether to activate.
Any extension that requests these things and presents itself as a simple downloader is lying about what it does.
Security analysis: what the StealTok extensions actually collected
The StealTok campaign operated via a remote configuration model. Extensions would install cleanly, behave normally, pass any post-install audit, earn positive ratings, and collect legitimate reviews for 6–12 months. Then the operators would push an updated JSON configuration from attacker-controlled domains — trafficreqort.com, browsercheckdata.com, qippin.com, virtualbrowserer.com — and the data collection would begin.
According to LayerX's analysis, three extensions illustrate the pattern:
"TikTok Video Keeper" — approximately 60,000 installs before removal. Operated dormant for roughly 8 months. Requested battery API access, which has no legitimate use case in a video downloader. Had a 4-star average review rating at the time of discovery.
"Mass TikTok Video Downloader" — ~4,000 installs on Chrome. Part of the same coordinated network, sharing C2 infrastructure with TikTok Video Keeper despite appearing to be an independent extension. The shared infrastructure only became visible after LayerX analyzed the remote configuration endpoints.
"TikTok Downloader – Save Videos, No Watermark" — ~3,000 installs. Carried a Featured badge on Chrome Web Store at the time of discovery, despite belonging to the StealTok network.
The data actually collected, per LayerX's findings, included device fingerprinting data (timezone, language, battery status, user agent strings), high-entropy browser characteristics used for cross-site tracking, login session tokens, browsing activity patterns, and potentially sensitive financial data saved in the browser's autofill storage.
That last one is the alarming detail. If you had browser-saved payment information and any of these extensions installed, your financial data may have been exposed. LayerX noted the collection was broad and not limited to TikTok-related browsing.
You can look up any extension's permission profile on Extenshi's catalog. Extensions with device API requests that don't match their stated purpose will show elevated risk indicators.
Privacy score breakdown: what to check before installing
When you're evaluating a TikTok downloader, here's what a legitimate permission profile looks like versus red flags:
| Permission | Legitimate | Suspicious |
|---|---|---|
| Access to tiktok.com | ✓ Required | — |
| Battery status API | ✗ Never needed | ✓ Fingerprinting signal |
| Remote configuration | Not needed | ✓ Post-install weaponization risk |
Access to all URLs (<all_urls>) |
✗ Never for a downloader | ✓ Massive overstep |
| Timezone/language API | ✗ Not needed | ✓ Device fingerprinting |
| Clipboard read/write | ✗ Not needed | ✓ Exfiltration risk |
storage permission |
✓ Sometimes (settings) | ✓ If combined with remote config |
When you open an extension's page in the Chrome Web Store or Edge Add-ons Store, click through to the "Privacy practices" tab. If a TikTok downloader claims to collect "browsing activity," "device information," or "financial information" — you're not looking at a downloader. You're looking at spyware with a video-download UI.
Also check the developer identity. StealTok extensions came from developer accounts with no website, no other published extensions, and no community presence. That's not automatically disqualifying — everyone starts somewhere — but combined with broad permissions and no verifiable identity, it's a pattern worth taking seriously.
Browse the TikTok-related extensions on Extenshi's catalog to see flagged behavior and permission breakdowns before you install.
What happened when users tried to remove the extensions
StealTok's operational model included a persistence layer that's worth understanding. When one clone got removed from the store, the operators uploaded a replacement under a new name and developer identity — often within days. If you searched for "TikTok downloader" after a removal, you'd often find the replacement before you found any news about the original being malicious.
This isn't unique to StealTok. I saw the same rebrand-and-reupload trick in fake Proton VPN extensions impersonating a trusted brand. As Zargarov noted in the LayerX report: "This is not just a malware campaign — it's an operational model, where persistence is achieved through duplication, rebranding, and rapid redeployment."
Chrome and Edge don't automatically disable extensions you've already installed when store listings are removed. Unlike Mozilla (which can auto-disable add-ons), Chrome and Edge leave already-installed copies running until you manually remove them. So even if you heard about StealTok after the removals, you may still have an active copy of a malicious extension running.
Safer alternatives: how to download TikTok videos without an extension
The safest TikTok downloader is one that doesn't need browser permissions at all.
Cobalt (cobalt.tools) — Open-source, actively maintained, no ads, no tracking, self-hostable. You paste a TikTok URL and get the video file. The source code is public and auditable. This is what I'd recommend for anyone who downloads TikTok content regularly.
TikTok's native save feature — When creators enable downloads, TikTok's own app includes a save button. It works without a watermark when the creator allows it. Zero third-party risk, zero permissions. The limitation is that not all creators enable it — but for those that do, it's the right choice.
SnapTik (snaptik.app) — Web-based, no extension required. Works fine on the official domain, but be aware that fake clones of snaptik.app exist with malicious redirects. Only use the direct URL, skip any ads, and don't install anything it prompts you to add.
If you specifically need browser-integrated functionality for workflow reasons, the only extension I'd trust in this category is one where the developer has a verifiable public identity, a clearly stated privacy policy, and open-source code you can read. In the current landscape, that's a short list.
Final recommendation
If you installed a TikTok downloader extension before April 2026, remove it now and verify the current status before reinstalling.
Open chrome://extensions/ or edge://extensions/, find anything related to TikTok video downloading, and uninstall it. Then — if you want to reinstall something — check its permission list, read the privacy practices disclosure, and look it up on Extenshi's catalog to see if it's been flagged.
The Featured badge on Chrome Web Store or Edge Add-ons means the extension has review momentum and install count. It is not a security certification. StealTok extensions carried that badge while actively collecting user data.
Checking permissions before you install takes 30 seconds and eliminates the risk entirely.
FAQ
What's the best TikTok downloader extension with no watermark?
Honestly? The safest "best" option isn't an extension at all. For no-watermark downloads I'd reach for the open-source web tool Cobalt (cobalt.tools) or TikTok's own save button when a creator enables it — neither needs browser permissions.
If you must use a browser extension, only trust one with a verifiable public developer, a real privacy policy, and open-source code. Most of the "no watermark" extensions topping search results are exactly the kind StealTok exploited.
Is it legal to download TikTok videos?
Downloading for personal, offline viewing is generally tolerated, especially when the creator enabled saving. Re-uploading someone else's video, stripping credit, or using it commercially is where you run into TikTok's terms of service and copyright law. This isn't legal advice — but the safe rule is: download what creators allow you to save, and don't repost other people's work as your own.
Why is a TikTok downloader asking for battery or all-sites access?
Because it isn't really a downloader. A genuine TikTok downloader only needs access to tiktok.com. Battery status, timezone, clipboard, or <all_urls> access are fingerprinting and exfiltration signals — the same ones the StealTok clones used. Treat any of them as a reason to walk away.
This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].
Sources: LayerX Security — StealTok: 130k Users Compromised by Data Stealing TikTok Video 'Downloaders' (Natalie Zargarov, April 20, 2026)
Related Articles
Proton VPN extension review: security score, privacy analysis & safer alternatives
Fake Proton VPN extensions hit Chrome Web Store in 2026. Here's how to verify you have the real Proton VPN, what permissions it needs, and safer alternatives.
Ad blocker extensions reviewed: Stands AdBlocker, Poper Blocker & safer alternatives
Some ad blockers that sell your data are among the most installed on Chrome. LayerX flagged 12 — here's the breakdown of the worst and safer 2026 alternatives.
Firefox's free built-in VPN reviewed: how it stacks up against VPN extensions
Firefox 149 ships a free built-in VPN with 50GB/month, no downloads needed. Here's how it compares to Proton VPN, Mullvad, and NordVPN extensions in 2026.