Cybersecurity researchers have uncovered a large network of 152 Google Chrome extensions posing as live wallpaper and new tab customization tools that are allegedly being used to distribute a potentially unwanted program (PUP) and engage in traffic attribution fraud.
The extensive campaign spans 38 different Chrome Web Store publisher accounts and operates through three backend domains: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. Collectively, the extensions have been downloaded more than 105,000 times, raising concerns about user privacy and browser security.
Popular Extensions Identified
Many of the discovered extensions feature themes based on popular anime characters, sports personalities, video games, luxury cars, and cartoons. Some of the identified extensions include:
- Neymar – Football Live Wallpaper
- Satoru Gojo Manga Live Wallpaper
- Porsche 911 Sports Car Live Wallpaper
- Hello Kitty Wallpapers HD New Tab
- Spider-Man Miles Morales Swing Live Wallpaper
- BMW Wallpapers
- Death Note Anime Wallpapers HD New Tab
- Sonic Frontiers Starfall Live Wallpaper
- Tanjiro – Demon Slayer Live Wallpaper
- Minecraft Sakura Pond Live Wallpaper
- Zenitsu Agatsuma Live Wallpaper
Researchers believe these visually appealing themes were designed to attract a wide audience while masking the extensions’ underlying behavior.
Privacy Claims Contradict Actual Data Collection
According to security researchers, the extensions claim on the Chrome Web Store that they do not collect or use user data. However, the privacy policies linked to these extensions reportedly reveal a different story.
The policies indicate that the extensions may collect information such as:
- IP addresses
- Internet Service Provider (ISP) details
- Click activity
- Referrer information
The collected data is then allegedly shared with advertising and tracking platforms, including Google AdSense, DoubleClick, and other third-party advertising partners.
This discrepancy between public declarations and actual data practices raises significant privacy concerns for affected users.
Hidden Traffic Manipulation Mechanism Discovered
Researchers also identified a subset of these extensions containing hard-coded URLs embedded within a JavaScript file named js/bg.js.
These URLs are triggered during installation and removal events, creating the appearance of legitimate search engine traffic.
Installation Activity Masquerading as Organic Search
When installed, some extensions automatically open a browser tab to a URL carrying specially crafted UTM parameters. These parameters label the visit as originating from an organic Google search, even though no actual search was performed by the user.
This tactic can artificially inflate website traffic metrics and create misleading attribution data.
Uninstall Events Disguised as Google Clicks
Even more concerning, uninstall actions trigger a URL wrapped in Google’s redirection format. The generated traffic closely resembles legitimate clicks from Google Search results, making it difficult for analytics systems to distinguish between genuine user activity and automated extension-generated visits.
Researchers describe this behavior as a deliberate attempt to fabricate traffic sources and manipulate marketing attribution systems.
Dormant Database Deletion Capability Found
Beyond traffic manipulation, analysts discovered dormant functionality within the extensions capable of identifying and deleting IndexedDB databases accessible to the extension.
Although this feature was not actively observed being used, its presence suggests the extensions possess capabilities beyond their advertised wallpaper functionality, increasing the overall security risk.
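For defenders reviewing an unpacked extension, the following added example (not code from the researchers or from the extensions) statically triages a background script such as js/bg.js for the behaviours described above: install and uninstall hooks, hard-coded URLs that claim an organic or Google-click origin, and IndexedDB enumeration and deletion. The rule names, the extension API patterns, the utm_medium value and the sample script are assumptions made for illustration; only the three backend domains come from the report.

```javascript
// Added example: static triage of an extension background script such as js/bg.js.
// Domains are the article's (kept defanged); API names, parameter values and
// regexes are assumptions about typical extension code, not recovered samples.
const BACKEND_DOMAINS = ["tabplugins[.]com", "yowgames[.]com", "chromewallpaper[.]com"]
  .map(d => d.replace("[.]", "."));

const API_RULES = [
  ["install-hook", /chrome\.runtime\.onInstalled\.addListener/],
  ["uninstall-url", /chrome\.runtime\.setUninstallURL/],
  ["idb-enumerate", /indexedDB\.databases\s*\(/],
  ["idb-delete", /indexedDB\.deleteDatabase\s*\(/],
];
// Heuristic for google.com and country variants; rejects hosts like google.evil.example.
const GOOGLE_HOST = /(^|\.)google\.(com|[a-z]{2,3}|com?\.[a-z]{2})$/;

// Tag one hard-coded URL found in the script.
function classifyUrl(raw) {
  const tags = [];
  let url;
  try { url = new URL(raw); } catch { return tags; }
  const host = url.hostname.toLowerCase();
  if (BACKEND_DOMAINS.some(d => host === d || host.endsWith("." + d))) tags.push("campaign-domain");
  const p = url.searchParams;
  // UTM values claiming a search origin for a tab the extension itself opens.
  if ((p.get("utm_medium") || "").toLowerCase() === "organic") tags.push("forged-organic-utm");
  // Redirect wrapper: google.<tld>/url?...&url=<target> (or q=<target>).
  if (GOOGLE_HOST.test(host) && url.pathname === "/url" && (p.get("url") || p.get("q")))
    tags.push("google-redirect-wrapper");
  return tags;
}

// Return the de-duplicated list of rule ids and URL tags that fire on the source.
function scanBackgroundScript(source) {
  const findings = API_RULES.filter(([, re]) => re.test(source)).map(([id]) => id);
  for (const u of source.match(/https?:\/\/[^\s"'`)]+/g) || [])
    for (const t of classifyUrl(u)) if (!findings.includes(t)) findings.push(t);
  return findings;
}

// Constructed sample, not taken from any real extension.
const SAMPLE_BG = `
chrome.runtime.onInstalled.addListener(() => {
  chrome.tabs.create({ url: "https://landing.example/?utm_source=google&utm_medium=organic" });
});
chrome.runtime.setUninstallURL("https://www.google.com/url?sa=t&url=https%3A%2F%2Flanding.example%2Fbye");
async function wipe() { for (const d of await indexedDB.databases()) indexedDB.deleteDatabase(d.name); }
`;
console.log(scanBackgroundScript(SAMPLE_BG));
```

Any single hit is a prompt for manual review rather than a verdict; legitimate extensions also register install handlers and uninstall survey URLs.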
Financially Motivated Adware Operation
Security experts believe the campaign is primarily a financially motivated adware and affiliate fraud operation designed to generate advertising revenue and manipulate web traffic statistics.
While the exact operators behind the campaign remain unidentified, available indicators suggest the operation may have links to Turkey.
What Chrome Users Should Do
Users who have installed any live wallpaper or new tab extension from unknown publishers should:
- Review installed Chrome extensions immediately.
- Remove any suspicious or unnecessary wallpaper extensions.
- Check browser permissions granted to extensions.
- Clear browser data after uninstalling questionable add-ons.
- Install extensions only from trusted developers with verified reputations.
As browser extensions continue to be a common attack vector, users should remain cautious when installing customization tools that request extensive permissions or make unclear privacy claims.
Final Thoughts
The discovery of more than 150 Chrome extensions linked to adware distribution and traffic attribution fraud highlights the growing abuse of browser extension ecosystems. While these extensions appear harmless on the surface, researchers warn that hidden tracking mechanisms, deceptive analytics practices, and undisclosed data collection can expose users to significant privacy and security risks.
Organizations and individual users alike should regularly audit installed browser extensions and remove any add-ons that are no longer needed or come from untrusted sources.
