A recent investigation has uncovered a network of 152 Chrome extensions, primarily offering ‘live wallpaper’ features, that have been secretly logging user data and fabricating Google search traffic to inflate ad revenue. These extensions, despite claiming not to collect user data, have been found to engage in deceptive practices that compromise user privacy and pollute advertising analytics.
The extensions in question are distributed across 38 publisher accounts and three brands: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. They attract users by offering themes such as anime, games, football, and car wallpapers, collectively reporting around 105,000 users. However, due to Chrome’s rounded install metrics, this figure is a conservative estimate.
On their Chrome Web Store listings, these extensions assert that they do not collect or use user data, do not sell data, and do not transfer data for unrelated purposes. Contradicting these claims, the linked privacy policies reveal that they log IP addresses, browser types, ISPs, timestamps, referring pages, click counts, and details about the user’s device and installed software. This information is shared with Google AdSense, DoubleClick, Google Analytics, and unnamed third-party ad partners.
A subset of 54 extensions built on the newer tabplugins template goes further by forging Google organic-search attribution. Upon installation, the background service worker automatically opens a tab to tabplugins[.]com with parameters that cause analytics to record the visit as if the user discovered the site via a normal Google search result. This manipulation allows the operator to present extension-generated traffic as high-value ‘organic search’ visits, inflating perceived popularity and trustworthiness to advertisers and affiliate programs.
Additionally, these extensions exhibit undisclosed anti-forensic behavior. On each service-worker start, the background script enumerates and deletes every IndexedDB database accessible to the extension, potentially erasing evidence of their activities.
This discovery highlights the ongoing challenges in maintaining the integrity of browser extension ecosystems. Users are advised to exercise caution when installing extensions, especially those that request broad permissions or come from less-known publishers. Regular audits of installed extensions and a critical evaluation of their privacy policies can help mitigate potential risks.
For developers, this incident underscores the importance of transparency and ethical practices in extension development. Adhering to stated privacy policies and avoiding deceptive behaviors are crucial to maintaining user trust and the overall health of the browser extension marketplace.
