Most rogue extensions bombard people with ads, but the most malicious steal login names and other valuable data.
Many of these extensions have hidden extras that cause trouble for people who install them, said UC Santa Barbara computer scientist Alexandros Kapravelos, who worked with Google on the rogue extensions project.
The research found that malicious extensions were available for every major browser.
Preliminary results revealed that 5% of people accessing Google every day have been caught out by at least one malicious extension.
Some bad extensions were easy to spot, he said, because they were so obviously written to steal saleable data such as bitcoins, bank logins or personal data.
Mr Kapravelos said Google had acted on the early findings of the research by removing 192 actively malicious extensions from its Chrome catalogue.