Source: thenextweb.com

Chrome is putting things on your computer you never agreed to

Google has been silently downloading its 4GB Gemini Nano AI model onto Chrome users' devices without consent since at least April, while a malicious Chrome extension disguised as Perplexity AI logged users' search queries and sent them to attackers. Both incidents highlight how the browser has become a trust surface exploited by both vendors and criminals, often without user awareness or agreement.

4 min read · 1 view · published Jun 30, 2026

Your browser has been busy on your behalf. This week brought two reminders that Chrome can put things on your machine you never agreed to. One came from Google. One came from an impostor. Both used the same quiet machinery.

Chrome runs on billions of devices, which makes it one of the most powerful pieces of software on Earth. It also makes it a tempting place to slip something in. Two stories from the past few days show the consent problem from both ends.

Google’s 4GB houseguest

Since at least April, Chrome has been quietly downloading Gemini Nano, Google’s on-device AI model, onto eligible laptops and desktops. The file is about 4GB. It arrives with no prompt, no notification, and no obvious off switch, CNET reported. Delete it, and Chrome fetches it again.

The model powers on-device features such as scam detection and writing help. The catch is that most people never asked for it and never knew it landed.

The clearest account comes from Alexander Hanff, a privacy researcher who writes as “That Privacy Guy”. He caught the install on a fresh Mac profile that had received zero human input, using the system’s own file-event log. The 4GB model unpacked itself in about 14 minutes while a tab sat idle, he wrote. He argues the silent push breaches Europe’s ePrivacy and data-protection rules, and that the bandwidth alone carries a heavy climate cost at billion-device scale.

Google says the model removes itself if a device runs short on space or power. The company also points out that, since February, users can turn it off in Chrome settings, after which it stops downloading.

There is a twist that muddies the trust further. The visible “AI Mode” pill in the address bar does not use the on-device model at all. Those queries go to Google’s servers. So the user pays the storage cost of a local model, while the headline AI feature still sends typing to the cloud.

The impostor in the address bar

The second story is darker, because the actor was not Google. Microsoft’s threat researchers found a malicious Chrome extension dressed up as the AI search engine Perplexity. It quietly logged what people searched for, then sent them on to real results so nothing looked wrong.

The extension, called “Search for perplexity ai”, used a look-alike domain to pass for the real thing, The Hacker News reported. Once installed, it made itself the default search engine. Every query, and every character typed into the address bar, went first to an attacker-controlled server, which logged it with your IP address and browser details.

The theft happened on that first hop, before the redirect. The extension abused Chrome’s network-rule permissions to pull it off, and shipped server code that logged every request, Microsoft said. Google removed it after the disclosure.

This was not a one-off. Microsoft earlier tied a wave of AI-branded extensions to roughly 900,000 installs across more than 20,000 company networks, harvesting ChatGPT and DeepSeek chat histories. The AI label gets the install. The permissions do the damage.

Same surface, different intruder

Put the two together and a pattern appears. The browser, and the address bar in particular, has become a trust surface that both vendors and attackers want to occupy. Google treats your disk as a delivery target for its own AI. A criminal treats your omnibox as a wiretap. The user sits in the middle, rarely asked.

That is the real story here, and it should worry anyone who cares about trust in everyday software. When a legitimate company normalises silent installs, it gets harder for users to spot the malware doing something similar. Consent stops being a habit. The line between a feature and an intrusion blurs.

It also lands at a moment when AI branding is a magnet. People associate AI tools with usefulness, so they click. Attackers know it, and the same instinct that makes us try a shiny new assistant makes us wave through malicious apps wearing the same costume.

What you can do

A few minutes of housekeeping helps. On Chrome, open Settings, then System, and turn off on-device AI if you do not want the Gemini Nano model. You can also check for a folder named OptGuideOnDeviceModel in your Chrome profile to see whether the 4GB file is already there.

Then audit your extensions. Remove anything you do not recognise, check the publisher and the exact domain before installing AI-branded tools, and watch for a search engine that has quietly changed. None of this is hard. It is just the price of using a browser that, increasingly, acts on its own.
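
Both checks can be scripted. The following is an added example, not code from the article, Google or Microsoft: given a Chrome user-data directory, it reports any OptGuideOnDeviceModel folder with its size and lists installed extensions whose manifest overrides the search engine or requests network-rule permissions. The mapping of "network-rule permissions" to the `declarativeNetRequest` permission names and the `Extensions/<id>/<version>/manifest.json` layout are assumptions.

```python
import json
import sys
from pathlib import Path

MODEL_DIR = "OptGuideOnDeviceModel"  # folder name given in the article
# Assumption: the article's "network-rule permissions" are these manifest permissions.
NET_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}

def find_model(root):
    """Return (path, size_in_bytes) for each on-device model folder under root."""
    hits = []
    for d in Path(root).rglob(MODEL_DIR):
        if d.is_dir():
            size = sum(f.stat().st_size for f in d.rglob("*") if f.is_file())
            hits.append((str(d), size))
    return hits

def audit_extensions(root):
    """Flag extensions that override the search engine or hold network-rule permissions."""
    findings = []
    for manifest in sorted(Path(root).rglob("Extensions/*/*/manifest.json")):
        try:
            m = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        if not isinstance(m, dict):
            continue
        overrides = m.get("chrome_settings_overrides") or {}
        search = (overrides.get("search_provider") or {}).get("search_url")
        perms = {p for p in m.get("permissions", []) if isinstance(p, str)}
        net = sorted(perms & NET_PERMS)
        if search or net:
            findings.append({
                "id": manifest.parent.parent.name,  # extension ID directory
                "name": m.get("name", "?"),
                "search_url": search,       # compare this domain with the real service
                "net_permissions": net,
            })
    return findings

if __name__ == "__main__":
    # Pass Chrome's user-data directory, e.g. ~/.config/google-chrome on Linux.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, size in find_model(root):
        print(f"model folder: {path} ({size / 1e9:.2f} GB)")
    for f in audit_extensions(root):
        print(f"review: {f['name']} [{f['id']}] "
              f"search={f['search_url']} perms={f['net_permissions']}")
```

A flagged extension is not necessarily malicious; the output is a shortlist for the manual publisher and domain check described above.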

The deeper fix is not yours to make. It belongs to the company that decides whether the default browser asks before it acts. Until it does, the safest assumption is simple. Your privacy is your job, and the browser is not always on your side.
