Cybersecurity researchers have identified a network of 152 Google Chrome extensions masquerading as live wallpaper add-ons, collectively installed over 105,000 times. These extensions are linked to potentially unwanted programs (PUPs) and are associated with 38 separate Chrome Web Store publisher accounts and three backend brands: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com.
Although the extensions claim not to collect user data, their privacy policies reveal that they log IP addresses, internet service providers, click counts, and referrers. This data is shared with Google AdSense, DoubleClick, and third-party advertising partners.
A subset of these extensions employs deceptive tactics to manipulate web traffic analytics. During installation, they open a new tab with a URL containing Urchin Tracking Module (UTM) parameters, falsely indicating that the visit originated from an organic Google search. Upon uninstallation, they use a Google URL redirect wrapper to make the uninstall action appear as genuine Google Search activity. This strategy fabricates traffic sources, misleading analytics tools and potentially inflating the extensions’ perceived popularity.
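A reviewer can check an unpacked extension's scripts for both patterns described above. The following JavaScript is an added example, not code from the researchers or from any of the extensions; the `utm_source`/`utm_medium` values, the `google.com/url?q=` wrapper form, and the `wallpaper.example` sample input are assumptions made for illustration.

```javascript
// Added example: static triage of unpacked extension source for hard-coded
// URLs that fake their traffic source. Not code from the researchers' report.
const URL_RE = /https?:\/\/[^\s"'`<>)]+/g;

// Assumption: the "organic Google search" claim is made with these UTM values.
function claimsGoogleOrganic(u) {
  const source = (u.searchParams.get("utm_source") || "").toLowerCase();
  const medium = (u.searchParams.get("utm_medium") || "").toLowerCase();
  return source.includes("google") && medium === "organic";
}

// Assumption: the wrapper is google.com/url with the real target in q= or url=.
function googleRedirectTarget(u) {
  const isGoogle = ["google.com", "www.google.com"].includes(u.hostname);
  if (!isGoogle || u.pathname !== "/url") return null;
  return u.searchParams.get("q") || u.searchParams.get("url");
}

function triageExtensionSource(fileName, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    // Record which extension API the URL is handed to, if visible on the line.
    const api = /setUninstallURL/.test(line) ? "uninstall-url"
      : /tabs\.create/.test(line) ? "new-tab" : "unknown";
    for (const raw of line.match(URL_RE) || []) {
      let u;
      try { u = new URL(raw); } catch { continue; } // skip unparsable strings
      const base = { file: fileName, line: i + 1, api, url: raw };
      if (claimsGoogleOrganic(u)) findings.push({ ...base, rule: "fake-organic-utm" });
      const target = googleRedirectTarget(u);
      if (target) findings.push({ ...base, rule: "google-redirect-wrapper", target });
    }
  });
  return findings;
}

// Constructed sample input (not taken from any real extension).
const SAMPLE_BACKGROUND_JS = [
  'chrome.runtime.onInstalled.addListener(() => {',
  '  chrome.tabs.create({ url: "https://wallpaper.example/welcome?utm_source=google&utm_medium=organic" });',
  '  chrome.runtime.setUninstallURL("https://www.google.com/url?q=https%3A%2F%2Fwallpaper.example%2Fbye");',
  '  chrome.tabs.create({ url: "https://docs.example/help" });',
  '});',
].join("\n");

console.log(triageExtensionSource("background.js", SAMPLE_BACKGROUND_JS));
```

A hit is a lead for manual review rather than a verdict: a visit that really came from a search result does not need an extension to declare its own referrer.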
These findings underscore the persistent threat posed by malicious browser extensions. Users are advised to exercise caution when installing extensions, especially those from unverified developers. Reviewing privacy policies and requested permissions can help identify potentially harmful add-ons. Additionally, regularly monitoring installed extensions and removing those that are unnecessary or suspicious can mitigate risks associated with such deceptive practices.