Chrome Draws Scrutiny for Quietly Downloading 4GB Gemini Nano Model
Google Chrome is reportedly downloading a roughly 4GB file, weights.bin, onto some users’ devices as part of its on-device Gemini Nano AI features, prompting complaints that the transfer can occur without clear notice. Reports said the file appears in Chrome user data directories on eligible systems and may be fetched in the background during normal browsing, with one researcher citing a controlled macOS test and filesystem logs that showed Chrome creating the model directory and downloading the payload automatically.
The file is described as part of Chrome’s local AI stack rather than malware, enabling faster processing, offline capabilities, and reduced reliance on cloud services, but critics said users may not realize it has been installed and that deleting it alone may not stop it from returning. Coverage said the download is tied to Chrome’s On-device AI setting, and users seeking to remove it more permanently must delete the file and disable that feature; the practice has also triggered claims that silent multi-gigabyte downloads could raise transparency, privacy, bandwidth, cost, and environmental concerns, including possible scrutiny under EU privacy rules.
How this story unfolded
5 events from the earliest known activity through the most recent confirmed update.
Google rolls out Chrome On-device AI disable toggle
Google began rolling out a Chrome Settings > System > On-device AI toggle in February 2026 that lets users disable and remove the Gemini Nano model. Google said that once the feature is disabled, the model will no longer download or update.
Google deploys Gemini Nano model download in Chrome
Google made a roughly 4GB on-device AI model file, weights.bin, part of Chrome's Gemini Nano feature set for some users. The file is associated with Chrome's On-device AI capability and may be stored in Chrome user data directories on eligible systems.
Researcher alleges Chrome silently downloads 4GB AI model
Security researcher Alexander Hanff reported that Chrome can create the model directory and download the weights.bin payload in the background without clear user notice or consent. He said a controlled macOS test with a fresh Chrome profile and filesystem event logs supported the claim.
Reports note deleted Gemini Nano file may be re-downloaded
Coverage on May 6, 2026 said users who remove the weights.bin file may see Chrome download it again unless they disable the relevant On-device AI setting or experimental flags. The reports also highlighted concerns about bandwidth use, transparency, and possible regulatory implications.
Google changes Chrome 148 On-device AI toggle wording
In Chrome 148, Google removed wording from the On-device AI settings toggle that had said the model would not send data to Google servers, triggering new privacy concerns. Google said the text change did not reflect any change in how Chrome's on-device AI works and maintained that model processing remains local to the device.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
Google Chrome silently downloads large AI model, raising privacy concerns | brief | SC Media
scworld.com
Open sourceChrome's 4GB AI model isn't new, but you're not wrong for being confused - Ars Technica
arstechnica.com
Open sourceGoogle Chrome Accused of Silently Installing 4GB AI Model on User Devices
hackread.com
Open sourceHow to Disable Google's Gemini in Chrome | WIRED
wired.com
Open sourceGoogle Chrome force-installs a 4-gigabyte AI model - how to get rid of it - Pivot to AI
pivot-to-ai.com
Open sourceGoogle using Chrome to install AI files without permission - Boing Boing
boingboing.net
Open sourceGoogle Chrome 'silently' downloads 4GB AI model to your device without permission, report claims - researcher says practice may violate EU law, waste thousands of kilowatts of energy | Tom's Hardware
tomshardware.com
Open sourceWhy Chrome may have quietly downloaded a 4GB file to your PC - and how to get rid of it | ZDNET
zdnet.com
Open sourceGoogle Chrome silently installs a 4 GB AI model on your device without consent. At a billion-device scale the climate costs are insane. - That Privacy Guy!
thatprivacyguy.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Chrome Expands Gemini and On-Device AI Features, Including New Controls for Scam Detection Models
Google is testing deeper **Gemini** integration in Chrome via a new internal feature called **“Skills,”** which appears to let users define named, instruction-based automations that Gemini can execute inside the browser. The feature is surfaced through a new `chrome://skills` page and aligns with Google’s stated direction of turning Gemini into a more agent-like assistant capable of acting across tabs and, over time, integrating more tightly with Google services. Separately, Google has added user controls to manage the **on-device GenAI model** used by Chrome’s *Enhanced Protection* (Safe Browsing) capabilities, which were previously upgraded with AI for “real-time” detection of dangerous sites, downloads, and potentially malicious extensions. In Chrome Canary, users can disable *On-device GenAI* under **Chrome → Settings → System**, which also enables deletion of the local model; Google indicated the local model may support additional security and browser features beyond scam detection as it rolls out more broadly.
May 6, 2026
Google Chrome Gemini AI Agent Enhanced to Counter Prompt Injection Attacks
Google has acknowledged the significant risk of prompt injection attacks targeting its Gemini-powered Chrome browsing agent, which can be manipulated to perform unauthorized actions such as initiating financial transactions or exfiltrating sensitive data. In response, Google has introduced a second AI model, termed the 'user alignment critic,' designed to independently vet the agent's proposed actions before execution. This model operates in isolation from untrusted web content, providing an additional layer of defense against both goal hijacking and data leakage. The move comes as prompt injection has been identified as a leading vulnerability in AI systems, with industry bodies like OWASP and the UK's National Cyber Security Centre highlighting its prevalence and difficulty to mitigate due to the structural limitations of large language models. The Gemini-powered browsing agent, currently in preview, is capable of navigating websites, clicking buttons, and filling forms while users are logged into sensitive accounts, increasing the potential impact of successful attacks. Security experts and analysts have emphasized the need for robust safeguards, as malicious instructions can be hidden in web pages, iframes, or user-generated content. Google's dual-model approach aims to address these concerns by ensuring that any action not aligned with the user's intent is blocked, thereby reducing the risk of exploitation through prompt injection. The development reflects a broader industry trend of reassessing the security of AI-driven browsers and the need for advanced countermeasures to protect users and organizations from emerging threats.
Mar 21, 2026
Chrome Gemini Live Panel Hijacking via Malicious Extensions (CVE-2026-0628)
Palo Alto Networks Unit 42 disclosed a **high-severity Google Chrome vulnerability** in the new **Gemini Live in Chrome** side panel, tracked as **CVE-2026-0628**, that could have allowed **malicious browser extensions with only basic permissions** to hijack the Gemini panel and effectively “tap into” the browser environment. The reported impact included **privilege escalation** enabling access to sensitive resources such as the victim’s **camera and microphone**, the ability to **take screenshots of any website**, and access to **local files and directories**. Unit 42 reported responsible disclosure to Google and stated that Google shipped a fix in **early January** ahead of public disclosure. Dark Reading coverage echoed Unit 42’s findings, emphasizing that the flaw highlights emerging risks in **agentic/AI-enabled browsers** where AI side panels run with elevated capabilities, and that enterprise environments face amplified exposure if users install untrusted extensions. Separate reporting described unrelated supply-chain activity affecting developer and browser extensions: Socket reported suspicious, non-repository code added to **Aqua Trivy’s VS Code extension** on **OpenVSX** (versions `1.8.12`/`1.8.13`) that attempted to invoke local AI coding assistants and exfiltrate/report data, while Rescana detailed a **QuickLens Chrome extension** takeover used for credential/crypto theft and a **ClickFix** social-engineering technique; these are distinct incidents from CVE-2026-0628 but reinforce the broader risk of extension ecosystems.
Mar 21, 2026