Security researchers have uncovered a network of 152 Google Chrome extensions posing as live wallpaper and new-tab customization tools that secretly collected user information and generated fake web traffic to make money through advertising.
The extensions, which featured popular themes ranging from anime characters and football stars to sports cars and video games, were spread across 38 different Chrome Web Store publisher accounts. Together, they amassed more than 105,000 installations, according to research from Socket’s Threat Research Team.
The operation was linked to three backend brands: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. Researchers said the extensions were built from a shared codebase, suggesting they were part of a coordinated campaign rather than isolated projects.
Privacy claims didn’t match reality
One of the most troubling findings was the gap between what the extensions promised and what they actually did.
On their Chrome Web Store pages, the extensions claimed not to collect or use user data. But Socket found that the privacy policies linked by the extensions told a different story.
“Every listing declares on the Chrome Web Store that it will not collect or use user data, while the linked privacy policy admits the opposite: that the extensions log IP addresses, ISP, click counts, and referrers and share that data with Google AdSense, DoubleClick, and third-party ad partners,” Socket security researcher Kush Pandya said.
According to the researchers, the extensions logged details such as IP addresses, browser types, internet service providers, timestamps, click activity, and information about users’ devices.
Faking Google search traffic
The campaign went beyond merely collecting hidden data. Researchers found that a subset of the extensions automatically opened web pages after installation, using tracking tags that made visits appear to come from Google’s unpaid search results.
The uninstall process used a similar trick. Extensions sent users through a specially crafted Google redirect link designed to imitate a real click from Google Search. Socket said the goal was to manufacture the appearance of valuable organic traffic.
“The visit is not a person who searched Google; it is the extension opening a tab on its own and stamping it ‘arrived from Google organic search,'” the company explained. “The uninstall ping goes a step further, wrapping the destination in the exact google.com/url format Google uses for real search-result clicks, including the signed ved and usg tokens, so the hit looks like a human clicking a Google result.”
Researchers said this allowed the operators to disguise extension-generated traffic as genuine search traffic, potentially making their websites appear more popular and attractive to advertisers and affiliate programs.
Must-read security coverage
- UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
- Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
- How GitHub Is Securing the Software Supply Chain
- 8 Best Enterprise Password Managers
Hidden features raised more questions
The investigation also uncovered a dormant capability that could delete IndexedDB databases accessible to the extension whenever its service worker started.
In the current versions, researchers said the feature did not appear to erase anything important because the extensions stored their settings elsewhere. Even so, the capability was present across many of the extensions.
Socket also found signs that some versions had been rushed into production. A few contained broken JavaScript files that prevented parts of their background logic from running, yet they still passed Chrome’s review process.
A financially motivated operation
The extensions did not inject advertisements into every website users visited, researchers said. Instead, they redirected users to websites controlled by the operators, where traffic could be monetized through advertising technologies and analytics tools.
Socket described the campaign as a “financially motivated commercial adware and traffic-attribution-fraud affiliate operation.” The researchers added that the exact people behind the network remain unknown, although available indicators suggest the campaign may have originated in Turkey.
What users should do
Security researchers recommend that users immediately review their installed Chrome extensions and remove any unfamiliar wallpaper or new-tab tools.
Users are also advised to:
- Check Chrome’s extension manager for unknown add-ons.
- Remove unused or suspicious extensions.
- Review privacy policies of installed extensions.
- Monitor browser behavior for unexpected new tabs or redirects.
Also read: Google’s June Android system updates add new controls for WhatsApp backups, Play Protect checks, and password transfers.