VYPR
Research · Published Jun 14, 2026 · 1 source

152 Chrome 'Live Wallpaper' Extensions Caught Faking Google Search Traffic and Harvesting User Data

Socket's Threat Research Team uncovered 152 Chrome extensions that secretly log user data and forge Google organic-search attribution to inflate ad revenue.

Socket's Threat Research Team has identified 152 Chrome 'live wallpaper' extensions that secretly log user data and forge Google organic-search attribution to inflate ad revenue. The extensions, spread across 38 publisher accounts and three brands, use a single codebase and claim in the Chrome Web Store that they collect no data, while their privacy policy admits sharing data with Google AdSense, DoubleClick, and third-party ad partners.

The three brands are tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com (which redirects to owhit[.]com). The extensions use popular themes such as anime, games, football, and car wallpapers to attract installs, and together they report around 105,000 users. However, because Chrome reports installs in rounded buckets, this figure is only a lower-bound estimate.

On their Chrome Web Store 'Privacy practices' tab, the listings state that the extensions do not collect or use user data, do not sell data, and do not transfer data for unrelated purposes. However, the linked privacy policy clearly states that it logs IP addresses, browser type, ISP, timestamps, referring pages, click counts, and details about the user's device and installed software, which are shared with Google AdSense, DoubleClick, Google Analytics, and unnamed third-party ad partners.

A 54-extension subset built on the newer tabplugins template takes this further by forging Google organic-search attribution. On install, the background service worker automatically opens a tab to tabplugins[.]com with utm_source=google&utm_medium=organic, causing analytics to record the visit as if the user discovered the site via a normal Google search result instead of an extension-forced navigation. On uninstall, the extension fires a crafted https://www.google.com/url?…url=https://tabplugins.com/…ved=…usg=… redirect, mimicking the exact format and signed tokens Google uses for real search-result clicks, so the uninstall ping is indistinguishable from a human clicking a Google result.

Every analyzed family member also exhibits undisclosed anti-forensic behavior. On each service-worker start, the background script enumerates and deletes every IndexedDB database accessible to the extension's own origin. In this build, the extension stores its settings in localStorage and does not use IndexedDB, so the wipe currently destroys nothing. However, it remains a strong fingerprint and demonstrates a built-in capability to silently reset any future IndexedDB-based telemetry within the extension.

The extensions do not inject ads into arbitrary websites. Instead, they redirect users to operator-controlled domains that are heavily monetized through programmatic advertising. One such domain, tabplugins[.]com, operates a WordPress-based extension catalog integrated with a Prebid header-bidding stack from Advergic (avads[.]live), feeding ad exchanges including Google Ad Manager, Xandr/AppNexus, PixFuture, and SmileWanted, while using Google Analytics 4 and FOU Analytics for user tracking.

For users, the main risk is enrollment in deceptive traffic measurement and undisclosed telemetry, not device-level compromise. Security teams should hunt for a shared fingerprint: an MV3 extension whose background worker logs 'deleted IndexedDB database', runs an indexedDB.databases().then(... deleteDatabase ...) loop, and opens utm_source=google&utm_medium=organic tabs on install. Additional indicators include an uninstall URL pointing to a google.com/url wrapper that redirects to tabplugins[.]com, yowgames[.]com, chromewallpaper[.]com, or owhit[.]com.
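The hunt described above, as an added example (not code from Socket's report): it checks one unpacked extension's manifest.json and background worker source for the four indicators. The function names, the sample inputs and the rule in `is_suspect` are assumptions made for illustration.

```python
import json
import re
from urllib.parse import unquote

# Operator domains named in the article (defanged there, plain here for matching).
DOMAINS = r"(?:tabplugins|yowgames|chromewallpaper|owhit)\.com"
INDICATORS = {
    "idb_wipe_loop": re.compile(r"indexedDB\s*\.\s*databases\s*\(\s*\)[\s\S]{0,400}?deleteDatabase"),
    "idb_wipe_log": re.compile(r"deleted IndexedDB database", re.I),
    "forged_organic_utm": re.compile(r"utm_source=google&utm_medium=organic"),
    "google_url_wrapper": re.compile(r"google\.com/url\?[^\s'\"]*?url=https?://(?:www\.)?" + DOMAINS),
}

def fingerprint(manifest_text, worker_src):
    """Return sorted names of the indicators matched by one unpacked extension."""
    manifest = json.loads(manifest_text)
    background = manifest.get("background") or {}
    # The fingerprint is scoped to MV3 extensions with a background service worker.
    if manifest.get("manifest_version") != 3 or "service_worker" not in background:
        return []
    # Percent-decode so url=https%3A%2F%2F... inside the wrapper still matches.
    src = unquote(worker_src)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))

def is_suspect(hits):
    """Assumed rule: wipe loop plus at least one attribution-forging indicator."""
    return "idb_wipe_loop" in hits and bool({"forged_organic_utm", "google_url_wrapper"} & set(hits))

# Constructed samples (not taken from any real extension).
SAMPLE_MANIFEST = '{"manifest_version": 3, "background": {"service_worker": "bg.js"}}'
SAMPLE_WORKER = """
indexedDB.databases().then(dbs => dbs.forEach(db => {
  indexedDB.deleteDatabase(db.name);
  console.log('deleted IndexedDB database', db.name);
}));
chrome.runtime.onInstalled.addListener(() => chrome.tabs.create(
  {url: 'https://tabplugins.com/?utm_source=google&utm_medium=organic'}));
chrome.runtime.setUninstallURL(
  'https://www.google.com/url?url=https%3A%2F%2Ftabplugins.com%2F&ved=PLACEHOLDER&usg=PLACEHOLDER');
"""
BENIGN_WORKER = "indexedDB.deleteDatabase('cache-v1'); // app clearing its own named cache"

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_WORKER), ("benign", BENIGN_WORKER)):
        hits = fingerprint(SAMPLE_MANIFEST, src)
        print(label, is_suspect(hits), hits)
```

To use it on a fleet, feed it the manifest.json and the file named by background.service_worker from each installed extension's directory in the browser profile.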

Synthesized by Vypr AI