152 Chrome “live wallpaper” extensions on the Chrome Web Store have been caught secretly logging user data and faking Google “organic search” traffic to inflate ad revenue, despite promising they do not collect any data.
This adware‑adjacent campaign abuses new‑tab extensions to launder extension‑generated visits into what appears to be legitimate search traffic, polluting analytics for advertisers and Google alike.
Socket’s Threat Research Team uncovered a coordinated family of 152 new‑tab “live wallpaper” Chrome extensions built from a single codebase but spread across 38 publisher accounts and three brands: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com (which redirects to owhit[.]com).
The extensions use popular themes such as anime, games, football, and car wallpapers to attract installs, and together they report around 105,000 users. However, Chrome’s rounded install buckets make this only a lower‑bound estimate.
On their Chrome Web Store “Privacy practices” tab, the listings state that the extensions do not collect or use user data, do not sell data, and do not transfer data for unrelated purposes.
Chrome Extensions Hide Tracking and Fake Traffic
However, the linked privacy policy clearly states that it logs IP addresses, browser type, ISP, timestamps, referring pages, click counts, and details about the user’s device and installed software, which are shared with Google AdSense, DoubleClick, Google Analytics, and unnamed third‑party ad partners.
A 54‑extension subset built on the newer tabplugins template takes this further by forging Google organic‑search attribution.
On install, the background service worker automatically opens a tab to tabplugins[.]com with utm_source=google&utm_medium=organic, causing analytics to record the visit as if the user discovered the site via a normal Google search result instead of an extension‑forced navigation.

On uninstall, the extension fires a crafted https://www.google.com/url?…&url=https://tabplugins.com/…&ved=…&usg=… redirect, mimicking the exact format and signed tokens Google uses for real search‑result clicks, so the uninstall ping is indistinguishable from a human clicking a Google result.
This allows the operator to present extension‑generated traffic as high‑value “organic search” visits, inflating perceived popularity and trustworthiness to advertisers and affiliate programs.

Every analyzed family member also exhibits undisclosed anti‑forensic behavior. On each service‑worker start, the background script enumerates and deletes every IndexedDB database accessible to the extension’s own origin.
In this build, the extension stores its settings in localStorage. It does not use IndexedDB, so the wipe currently destroys nothing.
However, it remains a strong fingerprint and demonstrates a built‑in capability to silently reset any future IndexedDB‑based telemetry within the extension.
The same “Deleted IndexedDB database:” log string, install‑navigation behavior, and setUninstallURL pattern appear across 141 retrievable service‑worker scripts tied to 152 total extension IDs, with 11 already delisted.
According to Socket Research, some variants even include a syntactically broken bg.js file that prevents the background logic from executing, suggesting rushed mass production of the extensions despite successfully passing store review.
The extensions do not inject ads into arbitrary websites. Instead, they redirect users to operator-controlled domains that are heavily monetized through programmatic advertising.
One such domain, tabplugins[.]com, operates a WordPress-based extension catalog integrated with a Prebid header-bidding stack from Advergic (avads[.]live), feeding ad exchanges including Google Ad Manager, Xandr/AppNexus, PixFuture, and SmileWanted, while using Google Analytics 4 and FOU Analytics for user tracking.
Archived snapshots of yowgames[.]com and owhit[.]com show direct Google AdSense and Analytics integrations with their own publisher IDs and GA4 properties, reusing boilerplate privacy language about DoubleClick and third‑party advertisers.
The result is a financially motivated traffic‑fraud operation that turns silent new‑tab installs into what appear to be genuine Google search visits, at the expense of user privacy and measurement integrity.
For users, the main risk is enrollment in deceptive traffic measurement and undisclosed telemetry, not device‑level compromise.
Security teams should hunt for a shared fingerprint: an MV3 extension with a background worker that logs the “Deleted IndexedDB database:” string, runs an indexedDB.databases().then(... deleteDatabase ...) loop, and opens utm_source=google&utm_medium=organic tabs on install.
Additional indicators include an uninstall URL pointing to a google.com/url wrapper that redirects to tabplugins[.]com, yowgames[.]com, chromewallpaper[.]com, or owhit[.]com.
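The fingerprint above can be checked statically against unpacked extension directories. The sketch below is an added example, not Socket's tooling and not code recovered from the extensions; the function names, indicator labels, and the sample manifest and worker text are constructed for illustration, and it assumes URLs appear as string literals in the worker script.

```python
import re
from urllib.parse import urlparse, parse_qs

# Operator domains named in the article, kept defanged and refanged for matching.
OPERATOR_DOMAINS = {d.replace("[.]", ".") for d in (
    "tabplugins[.]com", "yowgames[.]com", "chromewallpaper[.]com", "owhit[.]com")}
URL_RE = re.compile(r"https?://[^\s'\"`)]+")

def is_operator(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in OPERATOR_DOMAINS)

def fingerprint(manifest, worker_src):
    """Return the sorted indicator labels matched by one unpacked extension."""
    hits = set()
    if manifest.get("manifest_version") == 3 and manifest.get("background", {}).get("service_worker"):
        hits.add("mv3_service_worker")
    if "Deleted IndexedDB database:" in worker_src:
        hits.add("wipe_log_string")
    if re.search(r"indexedDB\s*\.\s*databases\s*\(", worker_src) and "deleteDatabase" in worker_src:
        hits.add("indexeddb_wipe_loop")
    for url in URL_RE.findall(worker_src):
        parsed = urlparse(url)
        qs = parse_qs(parsed.query)
        # Forged attribution: UTM tags claiming a Google organic-search referral.
        if qs.get("utm_source") == ["google"] and qs.get("utm_medium") == ["organic"]:
            hits.add("forged_organic_utm")
        # Uninstall ping: google.com/url wrapper whose url= target is an operator domain.
        if ((parsed.hostname or "").lower() in ("google.com", "www.google.com")
                and parsed.path == "/url" and "setUninstallURL" in worker_src
                and any(is_operator(t) for t in qs.get("url", []))):
            hits.add("google_url_uninstall_wrapper")
    return sorted(hits)

# Constructed sample input modelled on the behaviours the article lists; not recovered code.
SAMPLE_MANIFEST = {"manifest_version": 3, "background": {"service_worker": "bg.js"}}
SAMPLE_WORKER = '''
indexedDB.databases().then(dbs => dbs.forEach(db => {
  indexedDB.deleteDatabase(db.name); console.log("Deleted IndexedDB database:", db.name); }));
chrome.runtime.onInstalled.addListener(() => chrome.tabs.create(
  {url: "https://tabplugins.com/?utm_source=google&utm_medium=organic"}));
chrome.runtime.setUninstallURL(
  "https://www.google.com/url?url=https://tabplugins.com/bye&ved=PLACEHOLDER&usg=PLACEHOLDER");
'''

if __name__ == "__main__":
    print(fingerprint(SAMPLE_MANIFEST, SAMPLE_WORKER))
```

To use it on an endpoint, feed it each installed extension's parsed manifest.json together with the text of the file named in background.service_worker.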

