
Chrome Extensions Exploit User Data for Adware, Fake Traffic


152 Chrome extensions that present themselves as live wallpaper or new-tab add-ons have been installed about 105,000 times and are being used to distribute a potentially unwanted program (PUP) family, researchers say.

Scope: 152 extensions, 38 publisher accounts, three brand backends

Cybersecurity researchers identified a cluster of 152 Google Chrome extensions that collectively report roughly 105,000 installs. The extensions are distributed across 38 separate Chrome Web Store publisher accounts and use three brand backends — tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. Many of the extensions are themed around sports, anime, cars, and pop-culture characters; examples flagged by the researchers include Neymar - Football Live Wallpaper, Satoru Gojo Manga Live Wallpaper, Porsche 911 - Sports Car Live Wallpaper (dead service worker), Hello Kitty Wallpapers HD New Tab, Pusheen Cat Wallpapers HD New Tab, and Tanjiro - Demon Slayer Live Wallpaper.

Privacy statements versus actual data collection

"Every listing declares on the Chrome Web Store that it will not collect or use user data, while the linked privacy policy admits the opposite: that the extensions log IP addresses, ISP, click counts, and referrers and share that data with Google AdSense, DoubleClick, and third-party ad partners," Socket security researcher Kush Pandya said. The store declaration and the linked policy therefore contradict each other: the policy explicitly describes logging IP addresses, ISP information, click counts, and referrer headers, and says those signals are shared with Google AdSense, DoubleClick, and unspecified third-party ad partners.

Technical deception: fabricated "organic" search traffic and disguised uninstalls

A sub-cluster of these extensions contains a JavaScript file named js/bg.js that defines two hard-coded URLs triggered during install and uninstall. The install URL contains Urchin Tracking Module parameters — for example, utm_source=google&utm_medium=organic&utm_campaign=tanjiro-demon-slayer-live-wallpaper — a design that the researchers say disguises a tab the extension opens on installation as an "organic" search arrival. The uninstall URL uses a google.com/url redirect wrapper and includes the same click-format tokens Google uses, making the uninstall appear to be genuine Google Search activity.

"The visit is not a person who searched Google; it is the extension opening a tab on its own and stamping it 'arrived from Google organic search,'" Socket explained. "The uninstall ping goes a step further, wrapping the destination in the exact google.com/url format Google uses for real search-result clicks, including the signed ved and usg tokens, so the hit looks like a human clicking a Google result."

Dormant capability to enumerate and delete IndexedDB databases

Beyond data collection and traffic fabrication, the JavaScript service-worker files in the campaign include a dormant capability to enumerate and delete every IndexedDB database available to the extension when a service worker starts. The code is not merely oriented to telemetry or ad-reporting — it contains the means to locate and remove client-side browser storage, a behavior researchers flagged as an additional risk independent of the adware and fraud behaviors.

Assessment, possible origin, and what this means for technologists, end users, and advertisers

The campaign is assessed by the researchers as a "financially motivated commercial adware and traffic-attribution-fraud affiliate operation," though its exact provenance remains unknown. Available circumstantial indicators suggest it could have originated from Turkey.

  • Technologists and security teams: Watch for extensions that open tabs automatically at install or uninstall and for service-worker scripts (js/bg.js) that include hard-coded UTM parameters or google.com/url redirect wrappers. The presence of code to enumerate and delete IndexedDB should be treated as a high-risk indicator warranting remediation.
  • End users and the general public: The Chrome Web Store listings for these add-ons declare no data collection even as linked privacy policies admit logging IPs, ISP, click counts, and referrers. Users who install aesthetic add-ons should be aware that a "no data collection" claim on the store page may contradict the extension's privacy policy.
  • Advertisers and ad networks: The extensions report and share telemetry with Google AdSense, DoubleClick, and third-party ad partners; artificially constructed "organic" signals and masked uninstall pings threaten the integrity of referral and click metrics that ad platforms and buyers rely upon.
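
A static triage pass over an unpacked extension's scripts for the three indicators named in the first bullet, as an added example that is not code from Socket or the original report. The rule names, the sample script and its example.invalid destinations are constructed, and matching on the `ved`/`usg` parameter names and on `indexedDB.databases()` plus `deleteDatabase()` calls is an assumption about how these behaviors appear in source.

```javascript
// Static triage for unpacked extension scripts (added example, not Socket's tooling).
// Rule names and the samples below are constructed for illustration.
const URL_RE = /https?:\/\/[^\s"'`<>)]+/g;

function scanSource(fileName, source) {
  const findings = [];
  for (const raw of source.match(URL_RE) || []) {
    let u;
    try { u = new URL(raw); } catch { continue; }
    const q = u.searchParams;
    // Hard-coded attribution claiming the visit arrived from Google organic search.
    if (q.get("utm_source") === "google" && q.get("utm_medium") === "organic") {
      findings.push({ fileName, rule: "hardcoded-organic-utm", evidence: raw });
    }
    // google.com/url click wrapper carrying the ved and usg click tokens.
    const isGoogle = /(^|\.)google\.com$/.test(u.hostname);
    if (isGoogle && u.pathname === "/url" && q.has("ved") && q.has("usg")) {
      findings.push({ fileName, rule: "google-url-click-wrapper", evidence: raw });
    }
  }
  // Enumeration of IndexedDB databases together with deletion in the same script.
  if (/indexedDB\s*\.\s*databases\s*\(/.test(source) &&
      /indexedDB\s*\.\s*deleteDatabase\s*\(/.test(source)) {
    findings.push({ fileName, rule: "indexeddb-enumerate-and-delete",
                    evidence: "indexedDB.databases + deleteDatabase" });
  }
  return findings;
}

// Constructed sample input; destinations and token values are placeholders.
const SAMPLE_BG = `
const INSTALL = "https://example.invalid/welcome?utm_source=google&utm_medium=organic&utm_campaign=sample-live-wallpaper";
const UNINSTALL = "https://www.google.com/url?sa=t&url=https%3A%2F%2Fexample.invalid%2Fbye&ved=PLACEHOLDER&usg=PLACEHOLDER";
async function wipe() {
  for (const db of await indexedDB.databases()) indexedDB.deleteDatabase(db.name);
}
`;
// Constructed benign sample: a UTM tag alone should not trigger any rule.
const SAMPLE_CLEAN = `const HELP = "https://example.invalid/help?utm_source=newsletter";`;

function ruleNames(findings) {
  return findings.map((f) => f.rule).sort();
}

console.log(scanSource("js/bg.js", SAMPLE_BG));
```

A hit is a reason to read the script, not a verdict: string matching misses obfuscated or runtime-assembled URLs, and legitimate code can use either IndexedDB call on its own.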

The cluster combines three distinct abusive elements — data harvesting contrary to storefront claims, engineered traffic-attribution fraud that impersonates Google search clicks, and a dormant destructive routine targeting client-side IndexedDB storage — all under the cover of benign, cosmetic new-tab functionality. With roughly 105,000 installs across dozens of publisher accounts, the case illustrates how seemingly innocuous browser extensions can be repurposed into multi-faceted adware and fraud operations. The researchers' assessment of financial motivation and the circumstantial suggestion of a Turkish origin are the lead conclusions provided; the exact operator remains unconfirmed.

Original reporting: https://thehackernews.com/2026/06/152-chrome-wallpaper-extensions-with.html