
105K Chrome Installs Linked to Adware and Fake Google Traffic

105K Chrome – Security researchers say a network of 152 Chrome extensions posing as wallpaper and new-tab tools quietly logged user data, then manufactured “Google organic search” traffic for ad-driven revenue—reaching more than 105,000 installs across 38 Chrome Web Store p

For many people, the appeal of Chrome extensions is simple: a new look for the browser, a fresh wallpaper, a nicer new-tab page. But a discovered network of 152 Chrome extensions is showing how that small convenience can be turned into surveillance—and into fake web traffic designed to look valuable.

Socket’s Threat Research Team found extensions disguised as live wallpaper and new-tab customization tools. Across 38 different Chrome Web Store publisher accounts, the extensions amassed more than 105,000 installations. The themes were familiar and broad—anime characters, football stars, sports cars, and video games—yet researchers say they were built from a shared codebase, pointing to a coordinated campaign rather than independent projects.

The operation was linked to three backend brands: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com.

The extensions promised privacy, but Socket says the paperwork didn’t match the behavior. On their Chrome Web Store pages, the listings claimed they would not collect or use user data. The privacy policies attached to those listings, Socket found, told a different story.

“Every listing declares on the Chrome Web Store that it will not collect or use user data, while the linked privacy policy admits the opposite: that the extensions log IP addresses, ISP, click counts, and referrers and share that data with Google AdSense, DoubleClick, and third-party ad partners,” Socket security researcher Kush Pandya said.

Researchers said the logged details included IP addresses, browser types, internet service providers, timestamps, click activity, and information about users’ devices.

But the campaign didn’t stop at collecting information. Socket also described a subset of extensions that automatically opened web pages after installation. Those pages used tracking tags meant to make the visits appear to originate from Google’s unpaid search results.

Uninstalling wasn’t clean either. Socket said the extensions used a specially crafted Google redirect link meant to imitate a real click from Google Search. The company explained that the “visit” wasn’t the result of someone searching.

“The visit is not a person who searched Google; it is the extension opening a tab on its own and stamping it ‘arrived from Google organic search,’” the company said. Socket added that the uninstall ping went further, wrapping the destination in the exact google.com/url format Google uses for real search-result clicks, including the signed ved and usg tokens, so the hit looks like a human clicking a Google result.

Socket said this traffic could be used to make operator-controlled websites look more popular to advertisers and affiliate programs.
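For defenders reviewing browser or proxy telemetry, the two traffic patterns described above can be triaged with a short script. This is an added example, not code from Socket or from the extensions; the record shape, the `utm_source`/`utm_medium` values, and the assumption that an extension-opened tab carries no Google referrer are all illustrative.

```javascript
// Added example. Record shape { url, referrer, initiator } is an assumption
// (e.g. exported from proxy logs or an enterprise browser telemetry feed).
// Simplified Google host match: google.com plus two-letter ccTLD variants.
const GOOGLE_HOST = /^(www\.)?google\.(com|[a-z]{2}|com?\.[a-z]{2})$/i;

function hostOf(value) {
  try { return new URL(value).hostname; } catch { return ""; }
}

function classifyNavigation(rec) {
  let target;
  try { target = new URL(rec.url); } catch { return { verdict: "unparseable", reasons: [] }; }
  const q = target.searchParams;
  const reasons = [];
  const googleReferrer = GOOGLE_HOST.test(hostOf(rec.referrer || ""));
  const byExtension = (rec.initiator || "").startsWith("chrome-extension://");

  // Pattern from the article: google.com/url redirect carrying ved and usg tokens.
  const isRedirect = GOOGLE_HOST.test(target.hostname) &&
    target.pathname === "/url" && q.has("ved") && q.has("usg");
  if (isRedirect && !googleReferrer) reasons.push("google-redirect-without-google-referrer");

  // Assumed tag values: the article only says the tags claim Google organic search.
  const organicTag = (q.get("utm_source") || "").toLowerCase() === "google" &&
    (q.get("utm_medium") || "").toLowerCase() === "organic";
  if (organicTag && !googleReferrer) reasons.push("organic-tag-without-google-referrer");

  if (byExtension && (isRedirect || organicTag)) reasons.push("opened-by-extension");
  return {
    verdict: reasons.length ? "suspicious" : "ok",
    reasons,
    // Destination wrapped in the redirect, useful for pivoting to the promoted site.
    destination: isRedirect ? (q.get("url") || q.get("q")) : null,
  };
}

// Constructed sample records (not taken from the campaign).
const EXT = "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const REDIRECT = "https://www.google.com/url?sa=t&url=https%3A%2F%2Flanding.example%2F&ved=CONSTRUCTED&usg=CONSTRUCTED";
const SAMPLES = [
  { url: REDIRECT, referrer: "", initiator: EXT },
  { url: REDIRECT, referrer: "https://www.google.com/", initiator: "https://www.google.com" },
  { url: "https://landing.example/?utm_source=google&utm_medium=organic", referrer: "", initiator: EXT },
  { url: "https://news.example/article", referrer: "https://www.google.com/", initiator: "" },
];

function triage(records) {
  return records.map((r) => ({ url: r.url, ...classifyNavigation(r) }));
}
```

A hit is a lead for review rather than proof: the same redirect URL opened from a Google results page passes, so the referrer and initiator fields carry the signal.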

There were other red flags, too. Socket found a dormant capability that could delete IndexedDB databases accessible to the extension whenever its service worker started. Researchers said the feature did not appear to erase important data in current versions because the extensions stored their settings elsewhere, though the capability was present across many of the extensions.

Socket also reported signs that some versions were pushed out quickly. A few contained broken JavaScript files that prevented parts of their background logic from running, yet those versions still passed Chrome’s review process.

Socket described the overall scheme as a “financially motivated commercial adware and traffic-attribution-fraud affiliate operation.” The researchers said the exact people behind the network remain unknown, though available indicators suggest it may have originated in Turkey.

For users, Socket’s recommendation is blunt: immediately review installed Chrome extensions and remove any unfamiliar wallpaper or new-tab tools. The guidance includes checking Chrome’s extension manager for unknown add-ons, removing unused or suspicious extensions, reviewing privacy policies of installed extensions, and monitoring browser behavior for unexpected new tabs or redirects.

If you’re used to customizing Chrome without thinking too hard, this discovery forces a different habit—because in this case, the browser’s “new look” was also a pathway for hidden data collection and artificially manufactured traffic.
