I made a free translation:
Millions of users downloaded fake ad blockers at Chrome Web Store adding malicious extensions to Chrome browser.
According a report by Adguard 20 million users downloaded illegitimate ad blockers that were listed in the Chrome Web Store, the official repository of Google Chrome browser extensions. All extensions have been removed by Google after the report has been published.
The 2 extensions with the most downloads were AdRemover for Google Chrome installed 10 million times, and uBlock Plus, which had 8 million downloads. AdBlock Pro, HD for YouTube and Webtutation were added another 2.5 million downloads. The extensions spied on the victims browsing, checking if the visited site was part of a list pre-configured by the extension. If so certain browsing info was sent to the scam server. One of the sites monitored was Google.com itself.
The spy process occurred in an additional code obfuscated/shuffled, to purposely make it difficult to analyze the extension behavior. This prevented Google from detecting the malicious intent of the code.
Google Store which has the job to filter Chrome extensions, has been struggling to accomplish the task, in Jan18 the virus analyst Pieter Arntz reported that Google took 19 days to remove fraudulent extensions from the Web Store with more than 500,000 downloads he had reported.
The situation in the Web Store contrasts with the current scenario in the Play Store, the Android application repository, where very few fake apps get more than hundreds of downloads.
One hit identified by Iceberg used similar code on four sheltered extensions in the Chrome Web Store, the official repository for Google Chrome extensions. The most popular of them called Nyoogle:Custom Logo for Google promised change the Google logo and had 509.000 downloads. The extension was able to inject code set by the extension creator to alter web pages.
According to Iceberg scammers used this ability to tamper with advertising campaigns and redirect traffic to advertisements defined by extension owners. With this they transferred to themselves the advertising billing of the websites visited by the Chrome user damaging these pages.
Another blow that involved an extension over weather conditions in Colombia, prevented the user from opening the Chrome extension settings. In order for the user not to notice what happened, the window opened was that of "application" settings, which is different from the window that configures the extensions.
