Modern browsers (Chrome, Edge, etc.) dropped support for Java applets, which were previously required to run electronic signature and cryptographic operations for Kazakhstani banking and government e-security services. This extension replaces the Java applet mechanism by using Chrome's native messaging to relay commands to a locally installed native client.

1. User visits a supported Kazakhstani banking or e-security website. 2. The website's JavaScript sends an external message to the extension to check if the extension is installed (checkExt). 3. The extension checks if the native host application is available (checkHost). 4. If available, the extension connects to the native messaging host and relays commands (e.g., for electronic signing). 5. For some operations, the extension proxies HTTP requests to localhost where a local service runs. 6. The native host handles cryptographic operations and returns results back through the extension to the web page.

Target users: Users of Kazakhstani banking services (BCC, Halyk Bank, CenterCredit, etc.) / Users of Kazakhstani government e-security and digital signature services / Users who need to sign documents electronically in Kazakhstani systems without Java-capable browsers

Cannot verify the native host application (kz.akkamal.clientloader) behavior or its licensing model
Cannot determine if any destination banking services offer unauthenticated access
The verified_contents.json contained a false-positive 'pro' keyword match in base64-encoded content which was excluded from analysis

Monetization

No paid features detected

No payment-related code, billing APIs, subscription logic, premium feature gates, or upgrade UI found in the extension source. The extension is a simple native messaging bridge with no monetization mechanism. The deterministic paid keyword 'pro' in verified_contents.json is a false positive (appears in base64-encoded 'payload' content).

Confidence: 90
Payment platform: --
Source: AI / High
Login required: Yes
Reason: The extension itself has no login UI, but it is a bridge/loader that connects to Kazakhstani banking and e-security websites (ib.bcc.kz, myhalyk.kz, halykbank.kz, e-security.kz, service.mysign.kz, etc.). The core workflow — using electronic signatures and banking services through these sites — requires authentication on the destination services. The extension cannot function without being triggered by these authenticated web applications.

Permission risk

High-risk permissions

This estimate uses declared permissions and host permissions to assess access scope and sensitivity.

敏感权限：nativeMessaging

Publisher

Ak Kamal Security LLP

Independent publisher

Email: [email protected]
Phone: --
Address: ул. Кекилбаева, 257 Алматы 050000 KZ

Public contact fields are shown above. Developer portfolio pages are available on paid accounts.

View developer portfolio

Permissions

Host access