152 Malicious Chrome Wallpaper Extensions Used for Ad Fraud

CyberSecureFox Editorial Team

According to researchers at Socket, 152 malicious extensions were discovered in the Chrome Web Store, disguised as tools for installing live wallpapers on new browser tabs. The extensions were reportedly installed more than 105,000 times in total, collected user data contrary to the statements in their descriptions, and were apparently used for systematic falsification of advertising traffic. All Chrome users who have installed new-tab extensions themed around anime, game characters, cars, or celebrities for visual customization are advised to immediately review their installed extensions and remove anything suspicious.

Scale and infrastructure of the campaign

According to Socket’s report, the campaign involved 38 developer accounts in the Chrome Web Store—an unusually large number that indicates a deliberate distribution of the extensions to reduce the risk of mass blocking. All of the extensions offered visual customization for new browser tabs: live wallpapers featuring anime characters, video game heroes, cars, and celebrities—a theme designed to appeal to a broad audience.

Researchers linked the campaign’s infrastructure to three domains:

  • tabplugins[.]com
  • yowgames[.]com
  • chromewallpaper[.]com

The full list of malicious extensions is available in Socket’s report.

Technical scheme: from data collection to traffic falsification

Discrepancy between description and privacy policy

The key finding was the gap between public claims and the extensions’ actual behavior. The Chrome Web Store descriptions asserted that the extensions did not collect or use user data. However, according to the researchers, the privacy policy stated the opposite: the extensions logged IP addresses, information about internet service providers, click counts, and referral sources. The collected data was reportedly shared with advertising partners, including Google AdSense and DoubleClick.

Manipulation during installation and removal

The most sophisticated part of the scheme was tied to hidden mechanisms that were activated at two critical points in the extension lifecycle:

During installation, the extensions automatically opened a special page with UTM parameters. To analytics systems, such a visit appeared as an organic hit from Google search results. As the researchers explain: “This is not a person who simply found the site via Google search. The extension opens the tab on its own and tags the visit as organic.”

During removal, some extensions sent a request via google.com/url, a legitimate Google redirector. In analytics systems this was interpreted as a user navigating from search results, even though in reality the request was generated programmatically.

Both techniques pursued a single goal: to artificially generate signals that advertising and analytics platforms associate with real visitors. The operators of the campaign gained the ability to manipulate metrics for traffic volume and origin—a classic advertising fraud scheme.

Inactive mechanism for working with IndexedDB

Researchers also found an inactive IndexedDB-related function in the code: when the extension's service worker starts, it can enumerate and delete every IndexedDB database it finds in the browser. Although this mechanism was not in use at the time of analysis, its presence indicates built-in additional capabilities—potentially destructive ones, since IndexedDB is used by web applications to store significant amounts of structured data, including offline caches and user settings.

Impact assessment

Socket assesses this as a commercial operation aimed at advertising fraud and manipulation of traffic sources. With more than 105,000 installations, tens of thousands of users were potentially subjected to unauthorized data collection. At the same time, it is important to consider several aspects:

  • For end users: leakage of IP addresses, provider data, and behavioral metrics to unknown advertising partners. The presence of dormant code for working with IndexedDB creates a risk of web application data loss if it were ever activated.
  • For advertisers: falsified organic traffic distorts analytics and leads to inefficient spending of advertising budgets.
  • For the Chrome Web Store ecosystem: the use of 38 developer accounts demonstrates the limitations of current moderation mechanisms in detecting coordinated campaigns.

It should be noted that all conclusions are based on the report from a single research source. At the time of publication, there was no official confirmation from Google or the Chrome Web Store.

Recommendations

  1. Check your installed extensions: open chrome://extensions/ and compare the list with the list of malicious extensions in Socket’s report. Remove any matches.
  2. Review extension permissions: new-tab customization extensions should not request access to data on all sites or to network activity.
  3. Compare the description with the privacy policy: if an extension claims it does not collect data but its privacy policy describes sharing information with advertising partners, this is a clear sign of bad faith.
  4. Minimize the number of extensions: each Chrome extension runs with privileges that allow it to interact with page content and network requests. Install only extensions from vetted developers with a transparent track record.
  5. For corporate environment administrators: use Chrome group policies (ExtensionInstallBlocklist, ExtensionInstallAllowlist) to restrict extension installation to an approved list only.
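As an added illustration (not code from Socket's report or from the extensions themselves), the following script walks a Chrome profile's Extensions directory and flags the indicators described above: broad host or network permissions that a wallpaper extension has no need for, install-time tab opening with UTM parameters, an uninstall URL pointing at the google.com/url redirector, and IndexedDB enumerate-and-delete logic. The API names it looks for (onInstalled, tabs.create, setUninstallURL, indexedDB.databases) and the default profile path are assumptions about how such behaviour is typically implemented, not details taken from the report.

```python
import json
import re
from pathlib import Path

# Host patterns and permissions that a new-tab wallpaper extension has no reason to request.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
NETWORK_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest"}

# Source-level indicators of the behaviours described in the article. The API names used
# here are assumptions about a typical implementation, not quotes from Socket's report.
SOURCE_INDICATORS = {
    "utm_tagged_tab_on_install": re.compile(
        r"onInstalled[\s\S]{0,600}?tabs\.create[\s\S]{0,200}?utm_(?:source|medium|campaign)", re.I),
    "uninstall_ping_via_google_redirector": re.compile(
        r"setUninstallURL\s*\(\s*[\"'`]https?://(?:www\.)?google\.com/url", re.I),
    "indexeddb_wipe": re.compile(
        r"indexedDB\.databases\(\)[\s\S]{0,600}?deleteDatabase", re.I),
}

def manifest_findings(manifest: dict) -> list[str]:
    """Flag broad host access and network-level permissions in a parsed manifest.json."""
    requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    labels = (("broad_host_access", BROAD_HOSTS), ("network_request_access", NETWORK_PERMS))
    return [label for label, suspicious in labels if requested & suspicious]

def source_findings(js: str) -> list[str]:
    """Return the names of the source indicators present in one JavaScript file."""
    return [name for name, rx in SOURCE_INDICATORS.items() if rx.search(js)]

def scan_extension(ext_dir: Path) -> dict:
    """Scan one unpacked extension directory (the one that contains manifest.json)."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    findings = set(manifest_findings(manifest))
    for js_file in ext_dir.rglob("*.js"):
        findings.update(source_findings(js_file.read_text(encoding="utf-8", errors="ignore")))
    return {"name": manifest.get("name", ext_dir.name), "path": str(ext_dir), "findings": sorted(findings)}

def scan_profile(extensions_root: Path) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/ and report only extensions with findings."""
    reports = [scan_extension(m.parent) for m in extensions_root.glob("*/*/manifest.json")]
    return [r for r in reports if r["findings"]]

if __name__ == "__main__":
    # Assumed default: a Linux Chrome profile; point this at your own Extensions directory.
    for report in scan_profile(Path("~/.config/google-chrome/Default/Extensions").expanduser()):
        print(f"{report['name']}: {', '.join(report['findings'])}  [{report['path']}]")
```

A hit is a triage signal, not proof: legitimate extensions also use onInstalled and setUninstallURL, so review the flagged source by hand and compare the extension ID against Socket's list.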

This case clearly shows that extensions with seemingly harmless functionality—tab themes, wallpapers, visual themes—remain one of the most effective vectors for mass data collection and advertising fraud. Users who discover any of the 152 extensions listed in Socket’s report should immediately remove it and check what data may have been transmitted by reviewing the extension’s network request history through Chrome’s developer tools.
