152 Chrome Wallpaper Extensions Linked To Adware And Fake Traffic Installed Over 105,000 Times

Cybersecurity researchers have uncovered a large-scale network of 152 Google Chrome extensions disguised as live wallpaper and new tab customization tools that have reportedly been linked to adware activity and fraudulent traffic generation. The browser extensions, collectively installed more than 105,000 times, were found operating across 38 separate Chrome Web Store publisher accounts and connected through three backend brands identified as tabplugins.com, yowgames.com, and chromewallpaper.com. Security researchers stated that the campaign distributed a potentially unwanted program family through visually appealing themes featuring popular entertainment, gaming, anime, sports, and automotive content. Several of the extensions carried titles related to well-known figures and franchises including Neymar, Spider-Man, Hello Kitty, Minecraft, Demon Slayer, Death Note, Porsche, BMW, and anime-inspired wallpapers, increasing their visibility among Chrome users searching for personalization tools.

According to cybersecurity researchers, the extensions presented conflicting information regarding data collection and user privacy practices. Listings published on Chrome Web Store reportedly claimed that no user data was collected or processed, while linked privacy policies disclosed that user information including Internet Protocol addresses, internet service provider details, click counts, and referral information could be logged and shared with advertising networks such as Google AdSense, DoubleClick, and additional third-party advertising partners. Researchers noted that this discrepancy raised concerns regarding transparency and privacy compliance, particularly for users who may have installed the browser extensions believing their browsing activity and system information would remain private.

Further technical analysis revealed that a subset of the identified extensions included hard-coded Uniform Resource Locator values within JavaScript files that triggered during installation and removal processes. Researchers found that installation events quietly opened web pages carrying Urchin Tracking Module parameters that made traffic appear as if it originated from legitimate Google organic searches. Security experts stated that this activity effectively disguised extension-generated visits as unpaid search engine traffic, potentially manipulating web analytics and advertising attribution systems. During uninstall procedures, additional redirect techniques reportedly made browser activity resemble authentic user interactions through Google search result pages by using redirection structures similar to legitimate search clicks. Researchers explained that this method created the appearance of human browsing behavior while artificially generating traffic signals that could financially benefit operators through advertising and affiliate ecosystems.

Cybersecurity firm Socket assessed the operation as a financially motivated adware and traffic attribution fraud campaign, although the exact origin of the activity has not been confirmed. Available indicators suggested a possible connection to Turkey, though researchers emphasized that attribution remains uncertain. Technical investigations also discovered dormant capabilities embedded within JavaScript files that could potentially enumerate and delete IndexedDB databases after service worker activation, adding another layer of concern regarding browser-level activity and potential misuse. Researchers urged caution among Chrome users installing wallpaper and customization extensions, particularly those requesting permissions or operating through little-known publisher accounts. The findings also highlighted broader concerns around browser extension ecosystems, advertising abuse, and privacy risks associated with seemingly harmless customization tools distributed through trusted online marketplaces.
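
For defenders reviewing an unpacked extension, the install and uninstall behavior and the dormant IndexedDB routine described above can be checked for statically. The following is an added example, not code from the article or from Socket; the function names, the `utm_source=google` / `utm_medium=organic` values, the `/url?q=` redirect shape, and the `landing.example` sample are assumptions made for illustration.

```javascript
// Added example: static audit of extension JavaScript for the patterns described above.
// The UTM values, redirect shape and 200-character window are assumptions of this sketch.
const URL_LITERAL = /["'`](https?:\/\/[^"'`\s]+)["'`]/g;
const GOOGLE_HOST = /(^|\.)google\.(com|[a-z]{2,3}|com?\.[a-z]{2})$/i;

// UTM parameters that label the visit as Google organic search.
function claimsGoogleOrganic(u) {
  const p = u.searchParams;
  return (p.get("utm_source") || "").toLowerCase() === "google" &&
         (p.get("utm_medium") || "").toLowerCase() === "organic";
}

// URL shaped like the redirect a Google results page uses for a clicked link.
function isGoogleClickRedirect(u) {
  return GOOGLE_HOST.test(u.hostname) && u.pathname === "/url" &&
         (u.searchParams.has("q") || u.searchParams.has("url"));
}

// Which lifecycle API appears closest before the URL literal, if any.
function lifecycleHook(src, idx) {
  const before = src.slice(Math.max(0, idx - 200), idx);
  const i = before.lastIndexOf("onInstalled");
  const u = before.lastIndexOf("setUninstallURL");
  if (i < 0 && u < 0) return "none";
  return u > i ? "uninstall" : "install";
}

function auditExtensionSource(src) {
  const findings = [];
  for (const m of src.matchAll(URL_LITERAL)) {
    let u;
    try { u = new URL(m[1]); } catch { continue; } // skip malformed literals
    const rule = claimsGoogleOrganic(u) ? "utm-organic-spoof"
               : isGoogleClickRedirect(u) ? "google-redirect-lookalike" : null;
    if (rule) findings.push({ rule, hook: lifecycleHook(src, m.index), url: m[1] });
  }
  if (/indexedDB\.databases\s*\(/.test(src) && /indexedDB\.deleteDatabase\s*\(/.test(src))
    findings.push({ rule: "indexeddb-enumerate-and-delete", hook: "none", url: null });
  return findings;
}

// Constructed sample input, not taken from any real extension.
const SAMPLE = `
chrome.runtime.onInstalled.addListener(() => {
  chrome.tabs.create({ url: "https://landing.example/?utm_source=google&utm_medium=organic" });
});
chrome.runtime.setUninstallURL("https://www.google.com/url?q=https%3A%2F%2Flanding.example%2Fbye");
`;
console.log(auditExtensionSource(SAMPLE));
```

An uninstall URL on its own is common in legitimate extensions, so the audit reports only URLs that also carry the spoofed attribution or redirect shape.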
