Key Takeaways
- 152 “live wallpaper” Chrome extensions were found to secretly collect user data and forge Google organic‑search traffic to boost ad revenue.
- Despite Chrome Web Store listings claiming no data collection, the extensions’ privacy policies admit logging IP addresses, ISP, browser type, timestamps, referring pages, click counts, and device details, which are shared with Google AdSense, DoubleClick, Google Analytics, and unnamed third‑party partners.
- A subset of 54 extensions automatically opens a tab with utm_source=google&utm_medium=organic on install, making extension‑generated visits appear as legitimate Google search results in analytics.
- On uninstall, the extensions craft a Google‑style redirect URL that mimics a real search‑result click, further disguising traffic as high‑value organic clicks.
- All extensions employ an anti‑forensic routine that enumerates and deletes every IndexedDB database belonging to the extension’s origin each time the service worker starts, demonstrating a built‑in capability to erase telemetry.
- The extensions are built from a single codebase, spread across 38 publisher accounts and three brand domains (tabplugins[.]com, yowgames[.]com, chromewallpaper[.]com → owhit[.]com), and are monetized through programmatic ad exchanges including Google Ad Manager, Xandr/AppNexus, PixFuture, and SmileWanted.
- Users face privacy leakage and distorted measurement data rather than direct device compromise, but the operation undermines advertiser trust and skews web‑analytics metrics.
- Detection hinges on spotting MV3 extensions with a background service worker that logs deleted IndexedDB databases, forces utm_source=google&utm_medium=organic navigations on install, and uses a Google‑wrapper uninstall URL pointing to the operator‑controlled domains.
Introduction
Socket’s Threat Research Team recently exposed a large‑scale ad‑fraud campaign hidden inside seemingly innocuous Chrome “live wallpaper” extensions. These add‑ons promise decorative new‑tab backgrounds but secretly harvest user data and manipulate traffic metrics to inflate ad revenue. The operation spans 152 extension IDs, tied to 38 publisher accounts and three brand domains, revealing a coordinated effort to abuse Chrome’s extension ecosystem for financial gain.
Discovery and Scope
The researchers identified the family by analyzing new‑tab extensions that shared identical code patterns across multiple store listings. Although the Chrome Web Store shows install numbers in rounded buckets—making the exact count uncertain—the extensions collectively claim around 105,000 users. The extensions are grouped under three brands: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com (which redirects to owhit[.]com). Each brand uses a variety of popular themes—anime, games, football, cars—to attract installs while concealing the malicious behavior behind a uniform codebase.
Deceptive Privacy Claims
On the Chrome Web Store, every extension’s “Privacy practices” tab asserts that it does not collect or use user data, does not sell data, and does not transfer data for unrelated purposes. This claim is directly contradicted by the linked privacy policy, which explicitly states that the extension logs IP addresses, ISP, browser type, timestamps, referring pages, click counts, and details about the user’s device and installed software. This information is then shared with Google AdSense, DoubleClick, Google Analytics, and unnamed third‑party ad partners, revealing a clear case of false disclosure.
Data Collection Practices
The harvested data includes traditional web‑analytics elements (IP, user‑agent, referrer) plus more granular details such as ISP and installed software. By transmitting this data to advertising networks, the operators can build detailed profiles for programmatic bidding, even though the extensions never inject ads into arbitrary websites. Instead, they redirect users to operator‑controlled domains that serve as hubs for serving and measuring ads.
Fake Traffic Mechanism
A critical component of the fraud is the artificial inflation of “organic search” traffic. In 54 extensions built on the newer tabplugins template, the background service worker automatically opens a new tab to tabplugins[.]com with the query parameters utm_source=google&utm_medium=organic upon installation. Analytics platforms interpret these parameters as evidence that the user arrived at the site via a standard Google search result, not via an extension‑forced navigation. This misattribution makes the traffic appear higher‑value to advertisers and affiliate programs, which often pay a premium for genuine organic clicks.
Uninstall Trick
To further disguise the origin of traffic, the extensions employ a sophisticated uninstall routine. When a user removes the extension, a background script fires a request to a URL patterned after Google’s own click‑tracking links:
https://www.google.com/url?…&url=https://tabplugins.com/…&ved=…&usg=…
The URL includes the same signed tokens and structure Google uses for real search‑result clicks, causing analytics systems to log the uninstall ping as if a human had clicked a legitimate Google result. Consequently, even the act of removing the extension contributes to the fraudulent traffic count.
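The two traffic‑forging tricks above leave a structural trace in proxy or web‑server logs. The following is an added triage example, not code from Socket's research or from the extensions: it parses each requested URL, flags google.com/url wrappers whose url= target is one of the operator domains named above, and flags operator‑domain landings carrying utm_source=google&utm_medium=organic. The log format and the referrer heuristic (a genuine search click arrives with a google.com Referer, while a tab opened by an extension carries none) are assumptions of this example, and the domains are written undefanged so they match.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Operator-controlled domains named in the report (defanged in the text, plain here for matching).
OPERATOR_DOMAINS = {"tabplugins.com", "yowgames.com", "chromewallpaper.com", "owhit.com"}

def _is_operator_host(host: str) -> bool:
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OPERATOR_DOMAINS)

def _is_google_host(host: str) -> bool:
    host = (host or "").lower()
    return host == "google.com" or host.endswith(".google.com")

def classify_request(url: str, referer: str = "") -> Optional[str]:
    """Label one requested URL (plus its Referer header), or return None when unremarkable."""
    p = urlparse(url)
    q = parse_qs(p.query)
    host = p.hostname or ""
    # 1) Uninstall ping shaped like a Google click-tracking link:
    #    google.com/url?...&url=<operator domain>&...&ved=...&usg=...
    if _is_google_host(host) and p.path == "/url":
        target = urlparse(q.get("url", [""])[0])
        if _is_operator_host(target.hostname) and {"ved", "usg"} <= set(q):
            return "forged-google-redirect"
    # 2) Install-time tab to an operator domain carrying utm_source=google&utm_medium=organic.
    #    Assumption (not from the report): a real search click arrives with a google.com Referer,
    #    while a tab opened by an extension carries none, so a non-Google referrer is the tell.
    if _is_operator_host(host) and q.get("utm_source") == ["google"] and q.get("utm_medium") == ["organic"]:
        if not _is_google_host(urlparse(referer).hostname):
            return "forced-organic-utm"
    return None

def triage(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Run the classifier over '<url> <referer-or-dash>' log lines and collect the findings."""
    findings = []
    for line in log_lines:
        url, _, ref = line.strip().partition(" ")
        label = classify_request(url, "" if ref == "-" else ref)
        if label:
            findings.append((label, url))
    return findings

# Constructed sample proxy log (not captured traffic; ved/usg values are placeholders).
SAMPLE_LOG = [
    "https://www.google.com/url?sa=t&url=https://tabplugins.com/anime&ved=VED&usg=USG -",
    "https://tabplugins.com/?utm_source=google&utm_medium=organic -",
    "https://tabplugins.com/?utm_source=google&utm_medium=organic https://www.google.com/",
    "https://www.google.com/url?sa=t&url=https://example.org/&ved=VED&usg=USG -",
    "https://example.org/?utm_source=google&utm_medium=organic -",
]
```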
Anti‑forensic Measures
Every analyzed extension contains a background script that, on each service‑worker start, enumerates all IndexedDB databases accessible to the extension’s origin and deletes them via indexedDB.databases().then(... deleteDatabase ...). Although the current build stores its settings in localStorage—so the wipe presently affects nothing—the code demonstrates a ready capability to erase any future IndexedDB‑based telemetry. This behavior appears across 141 retrievable service‑worker scripts (out of 152 total IDs), with 11 extensions already delisted from the Store. Some variants even contain a syntactically broken bg.js file, indicating rushed mass production that nevertheless passed Google’s review process.
Infrastructure and Monetization
The malicious extensions rely on a network of 38 publisher accounts spread across two hosting clusters, each linked to separate Google Ad Manager or AdSense accounts. Domains such as tabplugins[.]com host a WordPress‑based extension catalog integrated with a Prebid header‑bidding stack from Advergic (avads[.]live). This setup feeds ad exchanges including Google Ad Manager, Xandr/AppNexus, PixFuture, and SmileWanted, while employing Google Analytics 4 and FOU Analytics for user tracking. Archived snapshots of yowgames[.]com and owhit[.]com show direct Google AdSense and Analytics integrations, reusing boilerplate privacy language about DoubleClick and third‑party advertisers. The overall scheme converts silent new‑tab installs into what appear to be high‑value Google search visits, thereby inflating perceived popularity and trustworthiness.
Risks to Users
For end‑users, the primary risk lies in undisclosed telemetry and participation in deceptive traffic measurement rather than direct malware or device compromise. Their browsing habits, IP addresses, and device details are harvested and sold to advertising networks, eroding privacy. Moreover, the falsified organic‑search traffic distorts analytics data used by publishers, advertisers, and even Google itself, potentially leading to misguided business decisions and degraded trust in web‑metrics.
Recommendations for Security Teams
Defenders should hunt for the following indicators of compromise (IOCs) within their environments:
- Manifest Version 3 (MV3) extensions that contain a background service worker.
- Code that logs the string “Deleted IndexedDB database” and executes indexedDB.databases().then(dbs => dbs.forEach(db => indexedDB.deleteDatabase(db.name))).
- On install, automatic navigation to any of the operator‑controlled domains (tabplugins[.]com, yowgames[.]com, chromewallpaper[.]com, owhit[.]com) with UTM parameters utm_source=google&utm_medium=organic.
- An uninstall URL that follows the pattern https://www.google.com/url?…&url=<operator‑domain>&…&ved=…&usg=…, mimicking Google’s click‑tracking format.
- Presence of pre‑bid or header‑bidding scripts linked to known ad‑tech vendors (Advergic, Xandr/AppNexus, PixFuture, SmileWanted).
- Repeated use of identical privacy‑policy language across multiple extensions that contradicts the Chrome Web Store “No data collection” claim.
Blocking these extensions at the network or endpoint level, and monitoring for the described beacon patterns, will help mitigate the fraud and protect user privacy.
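The code‑level indicators in the list above can be checked statically against an unpacked extension. The following scanner is an added example, not tooling from Socket's research: it reads manifest.json for an MV3 service worker and searches every script for the IndexedDB wipe, its log string, the forced‑organic UTM navigation and the Google‑wrapper uninstall URL. The in‑memory path‑to‑text layout, the verdict rule in matches_family, and the use of chrome.runtime.setUninstallURL in the constructed sample (the report only says a script fires the URL on uninstall) are assumptions of this example.

```python
import json
import re
from typing import Dict, List

# Operator-controlled domains named in the report, written plainly for matching.
OPERATOR_RE = r"(?:[\w-]+\.)*(?:tabplugins|yowgames|chromewallpaper|owhit)\.com"

# Behavioural fingerprints from the report, as regexes over script source.
PATTERNS = {
    "indexeddb-wipe": re.compile(r"indexedDB\.databases\(\)\s*\.then\([^;]*deleteDatabase", re.S),
    "indexeddb-wipe-log": re.compile(r"Deleted IndexedDB database"),
    "forced-organic-utm": re.compile(r"https?://" + OPERATOR_RE + r"[^'\"\s]*utm_source=google&utm_medium=organic"),
    "forged-uninstall-url": re.compile(r"https://www\.google\.com/url\?[^'\"\s]*url=https?://" + OPERATOR_RE),
}

def scan_extension(files: Dict[str, str]) -> List[str]:
    """Return the sorted fingerprints found in an unpacked extension given as path -> file text."""
    found = set()
    manifest = json.loads(files.get("manifest.json", "{}"))
    if manifest.get("manifest_version") == 3 and manifest.get("background", {}).get("service_worker"):
        found.add("mv3-service-worker")
    for path, text in files.items():
        if path.endswith(".js"):
            for name, rx in PATTERNS.items():
                if rx.search(text):
                    found.add(name)
    return sorted(found)

def matches_family(fingerprints: List[str]) -> bool:
    """Verdict rule (assumption): MV3 worker + IndexedDB wipe + at least one traffic-forging indicator."""
    f = set(fingerprints)
    return ("mv3-service-worker" in f and "indexeddb-wipe" in f
            and bool(f & {"forced-organic-utm", "forged-uninstall-url"}))

# Constructed sample reproducing only the indicator strings the report lists (ved/usg are placeholders).
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({"manifest_version": 3, "name": "Sample Wallpaper",
                                 "background": {"service_worker": "bg.js"}}),
    "bg.js": "\n".join([
        "indexedDB.databases().then(dbs => dbs.forEach(db => indexedDB.deleteDatabase(db.name)));",
        "console.log('Deleted IndexedDB database');",
        "chrome.runtime.setUninstallURL('https://www.google.com/url?sa=t&url=https://tabplugins.com/&ved=X&usg=Y');",
        "chrome.tabs.create({url: 'https://tabplugins.com/?utm_source=google&utm_medium=organic'});",
    ]),
}
BENIGN_EXTENSION = {
    "manifest.json": json.dumps({"manifest_version": 3, "name": "Plain Theme",
                                 "background": {"service_worker": "sw.js"}}),
    "sw.js": "chrome.runtime.onInstalled.addListener(() => console.log('installed'));",
}
```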
Conclusion
The uncovering of 152 deceptive Chrome “live wallpaper” extensions illustrates how attackers can leverage seemingly benign browser add‑ons to conduct large‑scale ad fraud and privacy violations. By falsifying privacy statements, harvesting detailed user data, and crafting traffic that masquerades as valuable Google organic search, the operators have managed to monetize silent installs while evading casual detection. Continued vigilance, based on the shared behavioral fingerprints outlined above, is essential for security teams, advertisers, and platform providers to preserve the integrity of web analytics and safeguard user information.