152 Chrome wallpaper extensions linked to ad tracking and traffic fraud

Cybersecurity researchers have identified 152 Google Chrome extensions tied to live wallpaper and new tab add-ons that were used to distribute a potentially unwanted program family, according to a technical analysis from Socket. The cluster spanned 38 publisher accounts and three backend domains and reached 105,000 installs.

KEY FACTS

  • Scope: The extensions were spread across 38 Chrome Web Store publisher accounts.
  • Install base: The group had been installed about 105,000 times.
  • Brands: The cluster used three backends, tabplugins.com, yowgames.com and chromewallpaper.com.
  • Tracking claim: Store listings said they did not collect user data, while the privacy policy said they logged IP addresses, ISP, click counts and referrers.
  • Behavior: Some extensions opened install and uninstall URLs that were designed to resemble organic Google traffic.

The report said several listings used live wallpaper themes tied to anime, sports cars and popular characters. Examples included extensions such as Neymar, Satoru Gojo, Hello Kitty, Pusheen Cat and Spider-Man Miles Morales.

A subcluster also embedded hard-coded URLs in a JavaScript file that ran on install and uninstall. On install, the code added UTM parameters that made the tab open appear to come from organic search. On uninstall, the URL was wrapped in a google.com/url redirect format that was meant to resemble a normal click from search results.

The same scripts also contained dormant code that could enumerate and delete IndexedDB databases when a service worker started. Socket said the activity looked like a financially motivated commercial adware and traffic-attribution-fraud affiliate operation, although the exact origin remains unknown. The available indicators suggested the campaign may have started in Turkey.
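The install and uninstall URL patterns and the dormant IndexedDB code described in the two paragraphs above can be triaged statically. The following is an added example, not code from Socket's report or from the extensions themselves; the UTM values, the `q`/`url` redirect parameter names and the `backend.example` host are assumptions, and the sample script is constructed.

```javascript
// Assumption: UTM values that would label a visit as organic search traffic.
const ORGANIC_MEDIUMS = new Set(["organic", "search"]);
const SEARCH_SOURCES = new Set(["google", "bing", "yahoo", "duckduckgo"]);

function auditExtensionSource(src) {
  const findings = [];
  // Pull hard-coded http(s) URLs out of string literals.
  const urls = src.match(/https?:\/\/[^\s"'`\\)]+/g) || [];
  for (const raw of urls) {
    let u;
    try { u = new URL(raw); } catch { continue; } // skip malformed literals
    const medium = (u.searchParams.get("utm_medium") || "").toLowerCase();
    const source = (u.searchParams.get("utm_source") || "").toLowerCase();
    if (ORGANIC_MEDIUMS.has(medium) || SEARCH_SOURCES.has(source)) {
      findings.push({ rule: "organic-utm", url: raw });
    }
    // google.com/url?...q=<target> mimics a click from a results page.
    const host = u.hostname.replace(/^www\./, "");
    const target = u.searchParams.get("q") || u.searchParams.get("url");
    if (host === "google.com" && u.pathname === "/url" && target) {
      findings.push({ rule: "google-redirect-wrapper", url: raw, target });
    }
  }
  // Enumerating then deleting IndexedDB databases needs both calls present.
  if (/indexedDB\s*\.\s*databases\s*\(/.test(src) &&
      /\.deleteDatabase\s*\(/.test(src)) {
    findings.push({ rule: "indexeddb-wipe" });
  }
  return findings;
}

// Constructed sample (not taken from any real extension); hosts are placeholders.
const SAMPLE_BACKGROUND_JS = `
chrome.runtime.onInstalled.addListener(() => {
  chrome.tabs.create({ url: "https://backend.example/welcome?utm_source=google&utm_medium=organic" });
  chrome.runtime.setUninstallURL("https://www.google.com/url?sa=t&q=https%3A%2F%2Fbackend.example%2Fbye");
});
async function cleanup() {
  for (const db of await indexedDB.databases()) indexedDB.deleteDatabase(db.name);
}
`;

const BENIGN_JS = `chrome.tabs.create({ url: "https://backend.example/help" });`;

console.log(auditExtensionSource(SAMPLE_BACKGROUND_JS));
```

These are string-level heuristics: they miss URLs assembled at runtime, and legitimate extensions that tag their own welcome pages with UTM parameters will need manual review.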

WHY IT MATTERS

The findings show how browser extensions can be used not only for advertising but also to manufacture traffic signals that make automated visits look like real search activity. That can distort analytics, undermine trust in extension listings and expose users to tracking that was not clearly disclosed.