Fast Facts
- A network of 152 Chrome extensions, posing as live wallpaper add-ons, delivers adware and potentially unwanted programs while logging user data such as IP addresses and click counts, contradicting their own privacy claims.
- The extensions manipulate traffic attribution by embedding URLs that mimic organic Google search traffic during installation and uninstallation, fabricating search origin signals.
- The campaign employs JavaScript techniques to simulate human search activity and can delete IndexedDB data, indicating sophisticated traffic fraud and potential privacy breaches.
Threat, Attack Techniques, and Targets
Cybersecurity researchers found a network of 152 Chrome extensions that act as live wallpaper add-ons. These extensions are spread across 38 publisher accounts and three brand websites: tabplugins.com, yowgames.com, and chromewallpaper.com. In total, they have been installed about 105,000 times. The extensions include popular themes like manga, sports cars, anime, and music.
The attackers use these extensions to push unwanted software known as potentially unwanted programs (PUPs). During installation or removal, the extensions run JavaScript that connects to two hard-coded URLs. One URL imitates an “organic” Google search, making it look as if the user reached the extension through a natural search result. The other URL makes the uninstallation look like genuine user activity to Google.
Additionally, the extensions log user data, like IP addresses and click counts, even though they claim not to. They share this information with ad companies like Google AdSense and DoubleClick. When installed, they can open browser tabs and simulate organic search traffic. This technique creates fake signals to make the traffic look legitimate, even though it is artificially generated.
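A defender-side way to hunt for the behaviour described above is to scan a Chrome profile's unpacked extensions for JavaScript that hard-codes a fake google.com search URL or one of the three brand domains named in the report. The script below is an added example, not code from the report or from the extensions; the profile layout and the two sample extensions it builds are constructed for illustration.

```python
"""Added example (not from the report): hunt a Chrome profile's Extensions folder for
extensions whose JavaScript hard-codes fake "organic search" URLs or the report's brand domains."""
import json
import re
import tempfile
from pathlib import Path

# Brand domains named in the report; FAKE_SEARCH_RE models a URL imitating a google.com search result.
SUSPECT_DOMAINS = ("tabplugins.com", "yowgames.com", "chromewallpaper.com")
FAKE_SEARCH_RE = re.compile(r"https?://(?:www\.)?google\.[a-z.]+/search\?[^\"'\s]*", re.I)
DOMAIN_RE = re.compile("|".join(re.escape(d) for d in SUSPECT_DOMAINS), re.I)

def scan_extension(ext_dir: Path) -> "dict | None":
    """Inspect one unpacked extension directory (the one holding manifest.json)."""
    manifest_file = ext_dir / "manifest.json"
    if not manifest_file.is_file():
        return None
    manifest = json.loads(manifest_file.read_text(encoding="utf-8"))
    result = {"name": manifest.get("name", ext_dir.name), "fake_search_urls": [], "brand_domains": set()}
    for js in ext_dir.rglob("*.js"):  # service workers, content scripts, bundled libraries
        code = js.read_text(encoding="utf-8", errors="ignore")
        result["fake_search_urls"] += FAKE_SEARCH_RE.findall(code)
        result["brand_domains"].update(m.lower() for m in DOMAIN_RE.findall(code))
    result["suspicious"] = bool(result["fake_search_urls"] or result["brand_domains"])
    return result

def scan_profile(extensions_root: Path) -> list:
    """Chrome lays extensions out as Extensions/<id>/<version>/manifest.json."""
    hits = (scan_extension(m.parent) for m in extensions_root.glob("*/*/manifest.json"))
    return [h for h in hits if h and h["suspicious"]]

def build_sample_profile(root: "Path | None" = None) -> Path:
    root = root or Path(tempfile.mkdtemp())  # throwaway profile for the demo
    samples = {  # constructed: <id>/<version> -> (name, permissions, background.js contents)
        "aaaaclock/1.0": ("Clock", [], "console.log('tick');"),
        "bbbbwallp/2.3": ("Anime Wallpapers HD", ["tabs"],
            "const onInstall = 'https://www.google.com/search?q=anime+wallpaper&source=hp';\n"
            "const onRemove = 'https://tabplugins.com/bye';"),
    }
    for rel, (name, perms, js) in samples.items():
        d = root / "Extensions" / rel
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"manifest_version": 3, "name": name,
            "version": rel.split("/")[1], "permissions": perms}))
        (d / "background.js").write_text(js)
    return root / "Extensions"

if __name__ == "__main__":
    for hit in scan_profile(build_sample_profile()):
        print(hit["name"], hit["fake_search_urls"], sorted(hit["brand_domains"]))
```

Point `scan_profile` at a real profile's Extensions directory to hunt on a live machine; only the wallpaper sample trips the scanner in the demo.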
The targets are mainly Chrome users looking for wallpapers and themes; the extensions expose those users to adware and traffic manipulation.
Impact, Security Implications, and Remediation Guidance
The extensions can cause negative effects such as delivering unwanted ads and manipulating web traffic data. They may also collect personal information despite claiming not to. The activity is designed to generate fake traffic, which can affect advertising metrics and undermine trust in web analytics.
Security teams should be aware of these extensions’ capabilities. They pose a threat of adware infection and traffic fraud. The tactics used include hijacking user activity and disguising fabricated signals as real Google search traffic, which can distort analytics and ad revenue figures.
If you suspect your system is affected, remove these extensions immediately. For proper removal steps and further guidance, consult the vendor or the relevant cybersecurity authority, which can provide specific tools and instructions to fully eliminate the threat and prevent future infections.