Researchers at Socket identified a cluster of 152 Google Chrome extensions that were presented as live wallpapers and new tab themes but in reality functioned as adware with traffic falsification capabilities. According to the researchers, the extensions were spread across 38 publisher accounts in the Chrome Web Store and were installed roughly 105,000 times in total. Users who have installed any of these extensions are advised to remove them immediately and review their browser privacy settings.
Scale and infrastructure of the campaign
According to the report, the entire extension network relies on three backend domains: tabplugins[.]com, yowgames[.]com and chromewallpaper[.]com. The extensions exploit popular themes — anime characters (Satoru Gojo, Tanjiro, Zenitsu Agatsuma), video games (Minecraft, Sonic Frontiers, Ghost of Tsushima), sports cars (Porsche 911, BMW M3), football players (Neymar) and popular cartoon characters (Hello Kitty, Pusheen Cat). This broad thematic coverage is aimed at attracting the widest possible and most diverse audience.
The use of 38 separate publisher accounts is a typical tactic for evading Chrome Web Store moderation: removing one account does not affect the others, which increases the overall resilience of the operation.
Technical analysis of malicious behavior
False privacy statements
According to Socket researcher Kush Pandya, each extension’s Chrome Web Store listing claimed that it does not collect or use user data. However, the associated privacy policies reportedly contained directly opposite statements: the extensions log IP addresses, ISP information, click counts and referrers, and then pass this information to Google AdSense, DoubleClick and third-party advertising partners.
Falsification of organic traffic
The most technically notable aspect of the campaign is the mechanism for faking traffic attribution. In a subcluster of extensions, researchers found a JavaScript file js/bg.js containing two hard-coded URLs that are triggered when the extension is installed and removed:
- Installation URL includes UTM parameters such as utm_source=google&utm_medium=organic&utm_campaign=tanjiro-demon-slayer-live-wallpaper. When installed, the extension opens a tab that is tagged as a visit from Google organic search — even though the user has not performed any search.
- Removal URL uses the google.com/url redirect wrapper with signed ved and usg tokens — exactly in the format Google uses for real clicks from search results. This disguises the removal event as an ordinary user click on a search result.
The core of the scheme is the artificial generation of organic traffic signals. Advertising systems and analytics platforms register these visits as legitimate search referrals, allowing the campaign operators to monetize falsified traffic through affiliate advertising programs.
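As an added illustration of how a site owner or analytics team could spot the attribution pattern described above (this is example code written for this article, not the extensions' js/bg.js and not code from the Socket report), the following JavaScript classifies landing-page hits. It assumes that parsed web-server log records expose the landing URL and the HTTP Referer; the hostnames and the sample records are constructed for the example. The key tell is that genuine organic attribution is derived from the Referer of a real search-result click, whereas a tab opened programmatically on install arrives with no Referer but declares itself organic through UTM tags.

```javascript
// Added example (not from the Socket report or the extensions it describes):
// server-side detection of hits that claim Google organic attribution through
// UTM tags, the pattern of the install-time URL quoted above. Assumes hits are
// parsed web-server log records with the landing URL and the HTTP Referer.

const SEARCH_REFERRER_HOSTS = new Set(["google.com", "www.google.com"]);

// Hostname of the Referer header, or "" when it is absent or unparsable.
function refererHost(referer) {
  if (!referer) return "";
  try {
    return new URL(referer).hostname.toLowerCase();
  } catch {
    return "";
  }
}

// Classify one hit. Analytics platforms derive "organic" from the Referer of a
// real search-result click; a URL that declares itself organic via UTM tags
// while arriving with no search-engine Referer matches a tab opened
// programmatically (for example by an extension on install), not a search.
function classifyHit(hit) {
  const params = new URL(hit.url).searchParams;
  const source = (params.get("utm_source") || "").toLowerCase();
  const medium = (params.get("utm_medium") || "").toLowerCase();
  const fromSearch = SEARCH_REFERRER_HOSTS.has(refererHost(hit.referer));
  const reasons = [];

  if (medium === "organic" && !fromSearch) {
    reasons.push(`utm_source=${source || "<none>"}&utm_medium=organic without a search-engine Referer`);
    const campaign = params.get("utm_campaign");
    if (campaign) reasons.push(`organic traffic does not carry campaign tags (utm_campaign=${campaign})`);
  }

  let verdict;
  if (reasons.length) verdict = "fabricated-organic";
  else if (fromSearch) verdict = "organic";
  else if (source || medium) verdict = "tagged-campaign";
  else verdict = "direct";
  return { verdict, reasons };
}

// Hits whose declared attribution contradicts how they actually arrived.
function findFabricatedOrganic(hits) {
  return hits
    .map((hit) => ({ ...hit, ...classifyHit(hit) }))
    .filter((hit) => hit.verdict === "fabricated-organic");
}

// Constructed sample records (not real traffic).
const SAMPLE_HITS = [
  // a genuine search-result click: Referer from Google, no UTM tags
  { url: "https://landing.example/welcome", referer: "https://www.google.com/" },
  // the install-time pattern described in the report: UTM-declared organic, no Referer
  { url: "https://landing.example/welcome?utm_source=google&utm_medium=organic&utm_campaign=tanjiro-demon-slayer-live-wallpaper", referer: "" },
  // an ordinary tagged e-mail campaign
  { url: "https://landing.example/promo?utm_source=newsletter&utm_medium=email", referer: "" },
  // a direct visit
  { url: "https://landing.example/", referer: "" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of findFabricatedOrganic(SAMPLE_HITS)) {
    console.log(hit.url, "->", hit.verdict, hit.reasons);
  }
}
```

Run against the constructed records, only the second hit is flagged, with two reasons: it claims to be organic without any search-engine Referer, and it carries a campaign tag that real organic traffic never has. The same check can be applied to the removal-time hits once the log also records the landing path, since search engines do not link to an extension's uninstall page.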
Hidden data deletion functionality
Researchers also found a dormant JavaScript function in the extensions that can enumerate and delete all IndexedDB databases when the service worker starts. At the time of analysis this capability had not been activated, but its presence indicates potential for more destructive actions — from wiping web application data to covering tracks of malicious activity.
Impact assessment
Socket classifies the operation as a financially motivated commercial campaign for distributing adware and committing traffic attribution fraud. The direct risks to users include:
- Leakage of web activity data — IP addresses, ISP information, click patterns and referrers are passed to third parties without informed consent.
- Distortion of advertising metrics — falsified organic traffic harms advertisers who pay for impressions and clicks.
- Potential escalation — the presence of a dormant IndexedDB deletion function means operators can switch to destructive behavior at any time via an extension update.
It should be noted that the information about the campaign comes from a single research source. As of publication, there has been no official confirmation from Google regarding the number of extensions, installation counts or any remediation steps taken.
Recommendations
For individual users:
- Check the list of installed Chrome extensions (chrome://extensions) for any live wallpaper–themed extensions, especially those linked to the domains tabplugins[.]com, yowgames[.]com or chromewallpaper[.]com.
- Remove suspicious extensions and clear your browser data, including cookies and cache.
- Before installing extensions, compare the claims in the Chrome Web Store listing with the actual privacy policy text — discrepancies are a clear indicator of bad faith.
For organizations:
- Use Chrome Enterprise group policies to restrict extension installation via allowlists or to block specific extensions by ID.
- Add the listed domains (tabplugins[.]com, yowgames[.]com, chromewallpaper[.]com) to blocklists at the DNS or proxy level.
- Audit extensions on employee workstations — extensions with permissions to manage tabs and access browsing data require particular scrutiny.
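The following JavaScript is an added example of the audit step for organizations (written for this article; it is not Socket's tooling or any Chrome Enterprise product). It assumes an extension inventory exported from managed workstations, where each record carries the extension id, name, manifest object and the text of its background scripts, and it flags the traits the report associates with this cluster: tab-management and browsing-data permissions, references to the three listed domains, UTM-tagged "organic" URLs fired from install or uninstall hooks, and the enumerate-and-delete IndexedDB pattern. The inventory records, ids and script fragments below are constructed; ExtensionInstallBlocklist is the Chrome policy name used to block extensions by id.

```javascript
// Added example (not the project's or Socket's code): a static audit of an
// extension inventory exported from managed workstations, flagging the traits
// the report associates with this cluster. Assumes each record carries the
// extension id, name, manifest object and the text of its background scripts;
// the inventory below is constructed for this example.

const IOC_DOMAINS = ["tabplugins.com", "yowgames.com", "chromewallpaper.com"];

// Permissions that let an extension manage tabs or read browsing activity.
const SCRUTINY_PERMISSIONS = new Set([
  "tabs", "history", "webNavigation", "webRequest", "cookies", "browsingData", "<all_urls>",
]);

// Both calls appearing in one script: enumerates, then deletes, IndexedDB databases.
const INDEXEDDB_WIPE = [/indexedDB\.databases\s*\(/, /\.deleteDatabase\s*\(/];

function auditExtension(ext) {
  const findings = [];
  const manifest = ext.manifest || {};
  const sources = ext.sources || {};

  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const risky = perms.filter((p) => SCRUTINY_PERMISSIONS.has(p));
  if (risky.length) findings.push(`permissions needing review: ${risky.join(", ")}`);

  const haystack = (JSON.stringify(manifest) + "\n" + Object.values(sources).join("\n")).toLowerCase();
  for (const domain of IOC_DOMAINS) {
    if (haystack.includes(domain)) findings.push(`references listed domain ${domain}`);
  }

  for (const [file, code] of Object.entries(sources)) {
    if (INDEXEDDB_WIPE.every((re) => re.test(code))) {
      findings.push(`${file}: enumerates and deletes IndexedDB databases`);
    }
    // UTM-declared "organic" attribution fired from install/uninstall hooks
    if (/utm_medium=organic/i.test(code) && /(tabs\.create|setUninstallURL)\s*\(/.test(code)) {
      findings.push(`${file}: opens UTM-tagged "organic" URLs on install or removal`);
    }
  }
  return { id: ext.id, name: ext.name, findings };
}

// Only extensions with at least one finding.
function auditInventory(inventory) {
  return inventory.map(auditExtension).filter((r) => r.findings.length > 0);
}

// Chrome Enterprise policy body blocking the flagged ids (ExtensionInstallBlocklist
// is the policy name Chrome documents; the ids here are constructed placeholders).
function toBlocklistPolicy(results) {
  return { ExtensionInstallBlocklist: results.map((r) => r.id) };
}

// Constructed inventory: one benign extension and one matching the report's traits.
const SAMPLE_INVENTORY = [
  {
    id: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // constructed placeholder id
    name: "Constructed Notes Extension",
    manifest: { manifest_version: 3, permissions: ["storage"] },
    sources: { "bg.js": "chrome.storage.local.get('notes');" },
  },
  {
    id: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", // constructed placeholder id
    name: "Constructed Live Wallpaper",
    manifest: { manifest_version: 3, permissions: ["tabs", "storage"], host_permissions: ["<all_urls>"] },
    sources: {
      "js/bg.js": [
        // constructed stand-in fragments showing the traits, not the real script
        "chrome.runtime.onInstalled.addListener(() => chrome.tabs.create({ url: 'https://tabplugins.com/w?utm_source=google&utm_medium=organic' }));",
        "chrome.runtime.setUninstallURL('https://www.google.com/url?q=https://tabplugins.com/bye');",
        "// wipeAll: indexedDB.databases( ... ) then indexedDB.deleteDatabase( name ) on service-worker start",
      ].join("\n"),
    },
  },
];

if (typeof require !== "undefined" && require.main === module) {
  const results = auditInventory(SAMPLE_INVENTORY);
  console.log(JSON.stringify({ results, policy: toBlocklistPolicy(results) }, null, 2));
}
```

On the constructed inventory the benign extension produces no findings, while the wallpaper look-alike is flagged four times (permissions, listed domain, IndexedDB wipe pattern, install-time organic tagging), and its id is emitted in a policy body that can be dropped into the managed-policy JSON for Chrome. The string and regex checks are deliberately coarse: they are a triage filter to decide which extensions deserve a manual look, not proof of malice.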
This case highlights a systemic problem in Chrome Web Store moderation: distributing malicious extensions across dozens of publisher accounts makes it easier to bypass automated checks. The only reliable protection on the user side is to minimize the number of installed extensions and regularly review their permissions, while organizations should enforce extension management through browser policies.