In brief: 152 Chrome extensions claim in the Web Store to collect no data, but actually track IP addresses, ISP data, and clicks while spoofing organic search engine traffic.
Security researchers at Socket have uncovered 152 Google Chrome extensions disguised as live wallpapers that harvest user data and generate artificial website traffic. The add-ons, distributed across over 38 developer accounts in the Chrome Web Store, reached approximately 105,000 installations.
The extensions identified by Socket are configured as background wallpapers (including Hello Kitty Wallpapers HD New Tab, Sonic Frontiers Starfall Live Wallpaper, and BMW Wallpapers). The infrastructure is linked to three central backend domains: tabplugins.com, yowgames.com, and chromewallpaper.com. Despite privacy claims in the Web Store, the linked privacy policies reveal the opposite: the extensions log IP addresses, ISP information, click counts, and referrers and share this data with Google AdSense, DoubleClick, and third-party advertising partners.
The technical mechanism was revealed through analysis of JavaScript files, specifically bg.js. Upon installation, automated web calls with tracking parameters are triggered that simulate organic search engine access. Upon uninstallation, a redirect through google.com is triggered that mimics the structure of a human click on a Google search result. Additionally, the extensions can list and delete all local IndexedDB databases in the browser each time the background process starts.
Security researchers assess the campaign as a commercial adware operation and affiliate fraud scheme for traffic spoofing. Indicators point to origins in Turkey. The approach enables operators to artificially generate organic traffic and thereby falsify advertising revenue or misrepresent the source of website visits.
Source: www.it-daily.net · Published 16 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification through Lumi News Pipeline v1.7.1.