152 Chrome Extensions Caught Hiding Ad Tracking, Faking Google Search Traffic, Researchers Reveal

CyberDefender 20 mins0

The modern web browser ecosystem remains a premier target for sophisticated traffic-manipulation campaigns that exploit the implicit trust users place in official software marketplaces. A comprehensive threat analysis recently exposed a highly coordinated, horizontally scaled network consisting of 152 Chrome Web Store extensions masquerading as “live wallpaper” customization utilities. Operating collectively across 38 distinct publisher accounts and anchoring to three main brand infrastructure backends (tabplugins.com, yowgames.com, and chromewallpaper.com), this campaign has successfully accrued over 105,000 installations. The core mechanism relies on an extreme disconnect between the extension’s regulatory disclosures and its actual run-time capabilities. While every single listing explicitly states on the Chrome Web Store dashboard that it does not collect or use consumer data, the operators’ linked legal privacy policies completely contradict this assertion, acknowledging the active logging of user IP addresses, Internet Service Providers (ISPs), interaction click counts, and referral structures to fuel programmatic revenue streams via platforms like Google AdSense, DoubleClick, and third-party advertising exchanges.

Horizontal Scaling and Mass-Production Infrastructure

To survive the automated compliance filters and manual curation checks deployed by extension marketplaces, the threat actors behind this operation abandoned traditional monolithic malware architectures in favor of a decentralized distribution strategy. By packaging an identical, highly standardized codebase into distinct programmatic variants and dispersing them across dozens of seemingly independent publisher handles—including accounts like ZainAhamed1994, gamingify009, deckapp.dev, wallpaperbg, and ExtNext—the campaign achieves substantial operational resilience. This defensive fracturing means that a single automated compliance take-down by security teams fails to paralyze the broader infrastructure, allowing parallel extensions to continue generating traffic unchecked. The underlying web backends further mirror this segmented architecture; while tabplugins.com serves as the primary nexus for a 54-listing subset using a modernized template, sister domains like yowgames.com and owhit.com (the target destination for chromewallpaper.com) act as independent monetized islands, isolating telemetry collection and ensuring that a domain block on one brand leaves the remaining digital real estate untouched.

Deceptive Attribution and Organic Traffic Forgery Mechanisms

The technical core of the newer 54-listing subset lies in its ability to manipulate digital marketing attribution metrics through systematic referral forgery. Within the background service worker architecture (js/bg.js), the extensions maintain hardcoded URLs designed to simulate legitimate human web navigation. Upon a fresh installation, the chrome.runtime.onInstalled listener initiates a new tab event pointing toward the operator’s brand page, embedded with tracking metrics explicitly declaring utm_source=google&utm_medium=organic. Far more manipulative, however, is the mechanism triggered during an uninstallation event. By utilizing the chrome.runtime.setUninstallURL API, the extension registers an outbound ping wrapped in an authentic google.com/url redirect path. This generated string contains pre-fabricated, signed ved and usg tokens—cryptographic identifiers typically generated exclusively by Google’s live search engine to track actual user interaction. When the browser hits this endpoint upon removal, it effectively launders the forced extension traffic, making the programmatic redirection appear to analytics platforms, ad exchanges, and downstream affiliate frameworks as a high-value, earned organic click originating straight from a human Google Search result.

Code-Level Behavior and Anti-Forensic Executions

A detailed static and dynamic binary analysis of the extension packages uncovers a curious and universal forensic footprint embedded into 100 percent of the discovered codebase. On every initial service-worker start-up, the file js/bg.js executes an automated routine utilizing the indexedDB.databases() promise chain to enumerate all client-side databases visible to the executing environment, subsequently executing an aggressive indexedDB.deleteDatabase() loop. Within the framework of Manifest V3 (MV3), an extension background service worker is sandboxed entirely to its own isolated origin (chrome-extension://<id>). Consequently, this anti-forensic purge remains inert regarding external website states, failing to modify target session cookies or third-party storage nodes; however, its universal implementation across the entire fleet serves as an unmistakable operational fingerprint. Additional indicators of rushed, automated assembly include broken image modes due to absent local assets, alongside a minor telemetry leak where the local DOM dynamically requests favicon elements from Google’s public s2/favicons API for every single custom user-saved shortcut, inadvertently exposing user browsing patterns to external logging servers.

Programmatic Ad Tech Integration and the Monetization Funnel

The ultimate objective of this sprawling horizontal architecture is the monetization of synthetic, falsely attributed traffic streams through advanced programmatic ad-tech stacks. The tabplugins.com infrastructure funnel redirects arriving victims to landing spaces that invoke a specific Prebid header-bidding wrapper (av-tabplugins.js) operated via the ad-tech vendor Advergic. This script actively hooks into major programmatic syndications—including Google Ad Manager networks 23301900962 and 23324153939, AppNexus/Xandr, PixFuture, and SmileWanted—triggering high-yield full-screen interstitial ad auctions alongside Google Analytics 4 tracking scripts. In parallel, the yowgames.com and owhit.com nodes bypass header-bidding intermediaries to serve direct Google AdSense programmatic banners via individual publisher profiles ca-pub-2685573472598175 and ca-pub-6596604135510481. By combining falsified search metrics with legitimate programmatic ad auctions, the operators extract top-tier advertising payouts from ad networks that believe they are serving impressions to deeply engaged, organically sourced human audiences.

Threat Mapping via the MITRE ATT&CK Framework

To systematically contextualize the operational behavior of this adware network, security teams can map its actions directly onto standard threat frameworks. The primary access and execution vector relies heavily on T1176.001 (Browser Extensions), establishing a persistent, silent foothold within the user’s everyday workspace. The masquerading of the uninstall redirects as official search paths leverages T1036 (Masquerading), effectively hiding malicious activity behind trusted Google domain headers. The persistent execution of the IndexedDB clearing routine highlights an explicit attempt at T1070 (Indicator Removal), seeking to reset the extension environment to dodge baseline local detection tools. Communication with the multi-brand command infrastructure relies on standard web architectures categorized under T1071.001 (Application Layer Protocol: Web Protocols). Finally, the orchestration of 38 distinct publisher profiles and multiple secondary domains demonstrates advanced execution of T1583.001 (Acquire Infrastructure: Domains), showing a highly calculated approach to programmatic infrastructure acquisition designed for maximum lifetime resilience.

Our Opinion on This Case

From a cybersecurity engineering and platform architecture standpoint, this 152-extension live wallpaper campaign exposes a massive structural blind spot within modern web browser extension marketplaces. Threat actors are clearly shifting away from overtly destructive malware payloads—such as keyloggers or banking trojans—and are instead mastering the art of “compliance evasion” through horizontal, multi-account mass production. By fracturing their deployment across 38 separate developer handles, the operators successfully exploit the latency inherent in manual review cycles and the isolation of automated sandbox detection.

What makes this case profoundly alarming is the sophisticated weaponization of the browser’s native developer features—like setUninstallURL—coupled with the precise spoofing of Google’s internal ved and usg cryptographic tracking signatures. This represents a dangerous transition into highly technical data-laundering fraud that severely pollutes the integrity of the global digital advertising economy. To combat this effectively, Google must evolve the Chrome Web Store security framework past primitive static code analysis and simple permission matching. There must be strict cross-verification algorithms that instantly flag absolute contradictions between dashboard data-privacy declarations, real-time client-side network telemetry, and linked privacy policy strings, alongside cryptographic integrity checks on out-of-ecosystem redirects to permanently mitigate attribution forgery.

Chrome Extension IDs

  1. laafpeklcnlfmjaofbndehkjpnccbhek Neymar – Football Live Wallpaper
  2. mnpacdigbockiilmilhbedciadenfdnb Satoru Gojo Manga Live Wallpaper
  3. iedplnnolciaofkakkjmcojnmklpfikg Porsche 911 – Sports Car Live Wallpaper (dead service worker)
  4. ipiabbhciknabpoihaakdahgghllelpj Satoru Gojo Live Wallpaper
  5. hijpkhinofkdobfagfbobnnoihmopgkk Hello Kitty Wallpapers HD New Tab
  6. famchdjojcnakamhkddkpaglnkonkfnl Pusheen Cat Wallpapers HD New Tab
  7. nomekamioepglinefhenifnbegjhfiai Peach & Goma Wallpapers HD New Tab
  8. jjngbcodoldjmpjpfbhfelaljbdlkekh Spider-Man Miles Morales Swing Live Wallpaper
  9. gfikbhpfjldbbikolkcimfgmejhdkjbe BMW M3 Neon Night Drive Live Wallpaper
  10. dbiamdajndfmpmmeklcbbnekhkdcakhf BMW Wallpapers
  11. pkdloppfapenphihgbldhjjlfhgnkmcg Death Note Anime Wallpapers HD New Tab
  12. imkepemaflommlonnppjobgdpokbfmoj Sonic Frontiers Starfall Live Wallpaper
  13. ibglidkppckhminbhbgcajomjplomcka Tanjiro – Demon Slayer Live Wallpaper
  14. gkbfokaephnaajnmpgiieidpfieamggb Neymar New Tab Wallpaper
  15. bcafgkhoifffmnoajkgmbhcojpabjffm Anime Car Drift Live Wallpaper
  16. ojeaociifmdciibodcifjjocdlbjjeep Choso Wallpapers New Tab
  17. npcghghfkbpgiamoifabankdnmopenni Anime Rain Live Wallpaper
  18. mjdhgndjbajnanfimjipafechjbakdhh Minecraft Sakura Pond Live Wallpaper
  19. lblgjffllphdepifdkfhlihddckhlkll Straw Hat Live Wallpaper Ghost of Tsushima
  20. laeciedchhnmnfhllplcgkfcdbdfgdhn Zenitsu Agatsuma Live Wallpaper
  21. jhnpoiikhnkjlfcffohfbkejnoojcopc Lamine Yamal Wallpapers HD Football
  22. ijbpegpcaiencppbgaldjflmllhhdfog FNAF Live Wallpaper
  23. icajjcahmgdpeilkbjbelkoinhonbaeb Ryomen Sukuna Sorcerer Live Wallpaper
  24. hichkepmmfdhhnagoejglmkdebinkcca Pochacco Live Wallpaper
  25. hfignegjmgkcmeipgbdpaihpbnjdkgbm Messi Wallpapers HD Football
  26. gfmgoodobmpmhoilhblgkocaehlkopod Kuromi Love Live Wallpaper
  27. geceobkknhgcbgnegnagckpnmfdfcppk Eren Yeager Live Wallpaper
  28. dnehmmlaljfhkdfekfbpljalkljgpmkj Black Clover New Tab Wallpaper
  29. dncncgaaalajgbijnalajojmmdmbdeci Jon Snow Wolf Live Wallpaper
  30. dmjbglakodlaodocplnbmhpdhngllhoe Kuromi Wallpapers HD New Tab
  31. djfpdmpoladfinglebbgkpcbiifhpmed Cinnamoroll Wallpapers HD New Tab
  32. decnpcihddaibncfimicaidmhmhfgpjb Hello Kitty Friends Live Wallpaper
  33. ahfhmnlfmhmnifjeejhcbaffgemmkoib Sung Jinwoo – Solo Leveling Live Wallpaper
  34. iccpkfpgkhinigpcaldpldkjpihcngin Corocoro Coronya Live Wallpaper
  35. cckipipbgopgoljcdhlfgcfcdkkonfbh Hollow Knight Silksong Live Wallpaper
  36. ocdgeajebolgofbpnlahdipclagnibpm Call of Duty Ghost Live Wallpaper
  37. gecgngeaifpeokmajbhcmdahkkfhpgic Itachi Uchiha Live Wallpaper
  38. jobeagkmmpfpepbabognchgecbehljag Hello Kitty Live Wallpaper Sanrio
  39. kfnbcjbhjiopgnlmigcigiooenpkkaib Minions Wallpapers New Tab
  40. nhdniddeikmpbapjcmcoaglhgepfmopb Nissan Skyline R34 Live Wallpaper
  41. ahheiepjhohjjdmbafjjhckninnlehlf Ferrari F1 Car Live Wallpaper
  42. adjkkoailfaklaipddajkpncbocgammd Real Madrid Emblem Live Wallpaper
  43. iingfcnnoibkdojcnfahhflafimjikce Dante Devil May Cry Live Wallpaper
  44. gelkonncfnniglodoncdmgcijikjdflg Labubi Live Wallpaper
  45. glmagbbbkofdibipgefimkdfbppgodee Chiikawa Wallpapers New Tab
  46. aeaaddfnednkbjbijieienagdilibjmo Ghost Modern Warfare Live Wallpaper
  47. jlnmbimmmnmejkjgaedggiignfciekim Kimetsu no Yaiba Wallpapers New Tab
  48. dbkhkbbjngadephedgpahlhomddaecef Miyamoto Musashi Live Wallpaper
  49. nmhgpefjpocdfcjenmecbnngbjbbcelp Kuromi Live Wallpaper
  50. bhefdfhbjonfechcjphjekhkdpaoddlo Ken Kaneki Tokyo Ghoul Live Wallpaper
  51. afblbdldehhbfnkjaekojkkinfcdkjgn Naruto – Kakashi Hatake Live Wallpaper
  52. mhekafflbaidbfikbjhdfioajiahflpg Astronaut Grok Black Hole Live Wallpaper
  53. nhjhcfdgfphedllolofcipdnjkjdihdj Hornet Hollow Knight Live Wallpaper
  54. phbankjceijddhfhcobljkjlcgmbfpoa Invincible Sky Flight Live Wallpaper
  55. npdbhfkphakcnjingllikjfclgabjipd Powerpuff Girls Live Wallpaper
  56. jbkmnkhkobkaegbhbeimoclnljmpknng Goku & Shenron Live Wallpaper
  57. afcjbeaomliemmngehinaekimohojokc Malenia – Elden Ring Live Wallpaper
  58. kbbpcmlmpdbipcmkhmbnipjkpnfijnda Hashibira Inosuke and Zenitsu Live Wallpaper
  59. begnlejfcmkjblajjeafpebgcbcojhin Kratos Live Wallpaper
  60. iipphhlmjmblpialebokpdpbnadodkbi Goku Rain Flame Live Wallpaper
  61. bilaomondbfgpbokppljiindmfnackcj Black Nissan GTR Rainy Night Live Wallpaper
  62. nppgecbeafccpgnhjjdlhpojicfjjblo My Hero Academia Wallpapers New Tab
  63. agfppecmpkdhfbilkkhonedjnjfnmimg Dipper & Mabel’s Adventures Live Wallpaper
  64. iincgojokhoknbhgjaljpihfegfpbjih Haikyuu Kenma Kozume Live Wallpaper
  65. hdhcdlpopaiajpcmpnednmohdnfdmclp My Melody Wallpapers New Tab
  66. ajmhcjfgeahcaccefbkmacaljjangjmc Gojo Blue Eyes Live Wallpaper
  67. pcokalkebdbbfpkcgejbpkjhliahlppa Berserker Armor Live Wallpaper
  68. eiencjmoddignmjiapafelkfgfmedppl Bumblebee Live Wallpaper
  69. agplicjllogkjijnddgfjincdaagkbno Lamine Yamal Galaxy Live Wallpaper
  70. hpgfgaaaageiokfojfajdgjkkbadofjo Arsenal FC Flag Live Wallpaper
  71. hneachchlcnnfkhdiepdpoojodpjlanp Rengoku Wallpapers New Tab
  72. pblgphhmhlnhfkeldhflcefpckgnalmf Kaonashi Live Wallpaper
  73. ggpncchenfmambejcehgjadnedckijaf Berserker Dark Armor Live Wallpaper
  74. lmaaoejgcoaieeddmdpjpmhmbpepnckf Haikyuu Wallpapers New Tab
  75. kmeneimgonibpggfkjihdghpaioikppd Gojo Reversal Red Live Wallpaper
  76. alhilbblgdfkklanmfkbjmhapagpneng Gachiakuta Wallpapers New Tab
  77. gjaahnaaehopcpdhgpjddonmkgffpmji Tiger Live Wallpaper
  78. dmeipihagdngmblfpfinkagindgfbmpo Purple Sakura Live Wallpaper
  79. bfdcbjeogfmagcoeihgbggacohalmffm Guts Beast of Darkness Live Wallpaper
  80. calbnkamaibciogbicgbgpocigocaofh Berserk Wallpapers New Tab
  81. ccbmjnepfjepehocnhdnddmaljhecjid Dr. Stone Wallpapers New Tab
  82. bdopholihfepohbcaifahepojljpihfb Anime Boy Wallpapers New Tab
  83. onfjapdgahmnajmbkacmifpciokicbkd Manchester United Flag Live Wallpaper
  84. iggbnejemgjglnmkfjipacpfnbblkhgc BMW M4 Wallpapers New Tab
  85. iagkmpcgnlcdabaheobkeffadmffoolm Ace Smile One Piece Live Wallpaper
  86. gjlebhdhmjiahfcefjanmjcipihapcob Lone Samurai Live Wallpaper
  87. cdokinnfpnmkkieepnnncahhgjkbnfip Porsche 911 Wallpapers New Tab
  88. bbggeccdbfplmmpdbjgmkkaofbjncnkc Minecraft Creeper Live Wallpaper
  89. pcadkpnfmffnldeidifelohmkebdddjn Autumn Lamborghini Live Wallpaper
  90. bifidmiaihofppodiocakodjjniiodcc Minato & Naruto Live Wallpaper
  91. dlfjpodlhgogdiokffnejehokghbdgca Hitsugaya Toshiro Live Wallpaper
  92. efdcnjhnhbnbcclppmfdgppjndkjince Nissan GTR Wallpapers New Tab
  93. pfoehpcdijnjnlbeekjpndlfengadhba Boruto Uzumaki Live Wallpaper
  94. loonegbofnbcimpgbhnhlmhgfaidodbf Bart Simpson Live Wallpaper
  95. gmcfalbhfnhpgffchgogpnlmdgalbeml Audi RS Wallpapers New Tab
  96. jlkogclddcocddkbgleneedobmfcflji Keroppi Wallpapers New Tab
  97. nlllgkfjdekpcibpgakffbdlgbbbfnkl GTA 6 Wallpapers New Tab
  98. feamnjpoiogkfkiihejgjlofhblfbebf Deadpool Live Wallpaper
  99. obpcedpondgemjpohgikkooejmnbkpnd Minecraft Sword Live Wallpaper
  100. aadfnjeeifjafcgmfdjacmllmokcalcc Chelsea FC Live Wallpaper
  101. lbjopcoldneclmibpaomiencfonnlghk Rengoku Live Wallpaper Demon Slayer
  102. pcolhdbpdenlnpdhbcodnfebjkbgidaf Sasuke Uchiha Wallpapers New Tab
  103. ccbogfjhjlbclkgglnmdjommgndhaack Pokemon Wallpapers New Tab
  104. ajhpfcgpnkmokhpkchoonflmbemhcece Mercedes-AMG Wallpapers New Tab
  105. dcfplngdkjdeadfbnnklpnfpannnbjpk Puss in Boots Live Wallpaper
  106. nplcbealebpofbdcgajeddfidbgbogao Honda CBR1000RR-R Live Wallpaper
  107. nolehnmgjhncihbcganldhggmlbjplin Saitama Live Wallpaper – One Punch Man
  108. ilicobgjklfepgokldofhpdolhkminom Lamborghini Autumn Live Wallpaper
  109. ocieoagpcmmebfhhgakmlijmdnifbcag Angry Birds Wallpapers New Tab
  110. dhlkhbfacnmldfohkfchjgkhkfolgapg Ducati Wallpapers New Tab
  111. iglemaflhcmkkepecnoibopljmocgmld Attack on Titan Wallpapers New Tab
  112. eibdnpjboejipjmbkodlbcjlmdjikpjf Porsche 911 Turbo Live Wallpaper
  113. noabkafiljbjmpbfafppbfclccikkafl Pink Hello Kitty Live Wallpaper
  114. inkcephcpbbfnikbgdklmnpjgbanginn Chibi Anime Wallpapers New Tab
  115. dfcklcdpnbecfbjipopoeigjipfmnmle Lionel Messi Power Live Wallpaper
  116. ieildpjdcdcakalhlckdlfcejfddgdcj Brook Live Wallpaper – One Piece
  117. eoilhlidnimmdpafpgiehnmeoedjagge Rick and Morty Wallpapers New Tab
  118. edmogjhhhoikmgdchmfgmdfnajnfpopf Denji Wallpapers New Tab
  119. fjeahbfapbkbpaeijlhjokafegcgakmm Mercedes-Benz E-Class Wallpapers New Tab
  120. bdjlclmlpcdhiclbimfhhgpgilbeboof Harley Davidson Wallpapers New Tab
  121. odkhdfbfgaogiiilllhhgaflifcppnge Mickey Mouse Wallpapers New Tab
  122. jcnjcmfpmcdhkhloilpalealdbofanko Lamborghini Urus Wallpapers New Tab
  123. nkpdoonhinmfijbgjhhehhoojicoagdi Baki Hanma Wallpapers New Tab
  124. hfnikhbgpncbgfjnnccinpbijbaekaon Fallout Vault Boy Live Wallpaper
  125. njgifpepampdppjhncejlkkbmnigpcdl Mob Psycho 100 Wallpapers New Tab
  126. cnnafooohihkcoenaemoplnapabpmaak Ghost of Yotei Live Wallpaper
  127. gjjpikdggjehfjlpgndjhjdnljenndig BMW 8 Series Wallpapers New Tab
  128. celcpebbklhbkakkmaiagcgdbfamcggo Guts Wallpapers New Tab (dead service worker)
  129. fnjofkjppepnhofinhhiobdigngbfaig Hunter x Hunter Wallpapers New Tab
  130. gpjofbomakaiicnnomapefkleamhphle PUBG Wallpapers New Tab
  131. nphllmhkkoiaelncflmenjabjcdhplje Aggretsuko Live Wallpaper
  132. lhhoicpajfbijboekonjnedpicpdijfe Dark Anime Wallpapers New Tab
  133. bipegidgofcllkbegbgeeoeodlglohof Naruto Live Wallpaper – Uzumaki Hokage
  134. goadfckeiedppmgdhbaceoiffbppkknf Care Bears Wallpapers New Tab
  135. gjpinhcpfmeokkonngflhkolacglkpmh Doom Rampage Live Wallpaper
  136. jfbalacimgcefdnniabmbejpgnhdhgng Izuku Midoriya Wallpapers New Tab
  137. jpmhndngfnbfdpgdbombckddiflphpao Cristiano Ronaldo Golden Live Wallpaper
  138. ojlbdnmdbhjgkljldaogkoabhabjoadg Gintoki Sakata Wallpapers New Tab (dead service worker)
  139. efhapddipneibbpcjogidfhbhhhlifdn Katsuki Bakugo Wallpapers New Tab
  140. joklccphgbkamedfgoeidmlcgjpdnlgj Kaiju No. 8 Wallpapers New Tab
  141. plbebfjeklpfmffhcknkhbbdpjfkoenc Animal Crossing – Dōbutsu no Mori Live Wallpaper
  142. jdjkbjmobobfehaohkkbenbnnaaocabc (delisted)
  143. imfibcedgmmmdikffoeipdnojhgbhjob (delisted)
  144. dljjhjgmkimljkfjboioacmepefoedlh (delisted)
  145. ijgfnklhknbjfjjbacefdgpjbkjdkfoc (delisted)
  146. ooiaicknajbjkknpnfchbgcdhmfligaj (delisted)
  147. objpdomhddblhffemlhmefbpelblakgn (delisted)
  148. kaihdoeelgmhphjindgnehgiekjeleip (delisted)
  149. dlppampnbpddlmkecbbgkgkhamchmfle (delisted)
  150. gnlmghadjomllhknpmaglmmkbabifaal (delisted)
  151. ljblneelmbapgfcbmphbnnkdofmnldjp (delisted)
  152. gdeeoecplcaghjdbpfiddgemdgdmnpbo (delisted)

CyberDefender