152 Chrome Extensions Caught Faking Traffic, Tracking Users
A network of 152 Google Chrome extensions, masquerading as live wallpaper add-ons, has been found distributing a potentially unwanted program (PUP) family. These extensions not only track user data despite privacy claims but also engage in sophisticated traffic attribution fraud, faking 'organic' search visits and uninstall pings.
Cybersecurity researchers have unveiled a significant threat within the **Google Chrome** ecosystem: a cluster of 152 extensions designed to distribute a potentially unwanted program (PUP) family. These extensions, presented as 'new tab live wallpaper' add-ons, have collectively garnered 105,000 installations.
The malicious network operates across 38 distinct **Chrome Web Store** publisher accounts and leverages three primary backend brands: `tabplugins[.]com`, `yowgames[.]com`, and `chromewallpaper[.]com`.
### Deceptive Privacy Practices
**Socket** security researcher **Kush Pandya** highlighted a critical discrepancy: "Every listing declares on the Chrome Web Store that it will not collect or use user data, while the linked privacy policy admits the opposite: that the extensions log IP addresses, ISP, click counts, and referrers and share that data with **Google AdSense**, **DoubleClick**, and third-party ad partners."
This contradiction means users are subject to data collection that the store listings explicitly disclaim.
### Sophisticated Traffic Fraud
Beyond data collection, a subset of these extensions fabricates the origin of the traffic it generates. These extensions define hard-coded URLs in a JavaScript file (`js/bg.js`) that are used at installation and uninstallation:
* **Installation URL**: Includes **Urchin Tracking Module (UTM)** parameters such as `utm_source=google&utm_medium=organic&utm_campaign=tanjiro-demon-slayer-live-wallpaper`. This cleverly disguises an extension-initiated tab opening as an "organic" search, making it appear as if the user arrived from a genuine Google search.
* **Uninstallation URL**: Utilizes a `google.com/url` redirect wrapper. This makes the uninstall action look like legitimate Google Search activity, complete with signed `ved` and `usg` tokens, mimicking a human clicking a Google search result.
As **Socket** explained, "The visit is not a person who searched Google; it is the extension opening a tab on its own and stamping it 'arrived from Google organic search.'"
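The two URL patterns described above can be checked for when reviewing an extension's background script. The following is an added example, not code from Socket or from the extensions themselves: it statically scans script text for hard-coded URLs that assert Google organic attribution or use the `google.com/url` wrapper with `ved` and `usg` tokens. The function names, the sample script, its `example.invalid` domain and the token values are all constructed for illustration.

```javascript
// Added example: static triage of an extension background script for the
// forged-attribution URL patterns described above. Sample input is constructed.
const GOOGLE_HOSTS = new Set(['google.com', 'www.google.com']);

// Pull http(s) URLs out of quoted string literals in the source text.
function extractUrlLiterals(source) {
  const re = /(["'`])(https?:\/\/[^"'`\s]+)\1/g;
  return Array.from(source.matchAll(re), (m) => m[2]);
}

// Classify one URL; returns a list of finding labels (empty if nothing matches).
function classifyUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return []; }
  const q = u.searchParams;
  const findings = [];
  // A tab opened by the extension cannot be organic search traffic, so a
  // string literal claiming google/organic is self-asserted attribution.
  if ((q.get('utm_source') || '').toLowerCase() === 'google' &&
      (q.get('utm_medium') || '').toLowerCase() === 'organic') {
    findings.push('forged-organic-utm');
  }
  // google.com/url redirect wrapper carrying pre-baked ved/usg click tokens.
  if (GOOGLE_HOSTS.has(u.hostname.toLowerCase()) && u.pathname === '/url' &&
      q.has('ved') && q.has('usg')) {
    findings.push('google-redirect-wrapper');
  }
  return findings;
}

// Scan a whole script and keep only the URLs that produced findings.
function scanBackgroundScript(source) {
  return extractUrlLiterals(source)
    .map((url) => ({ url, findings: classifyUrl(url) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample script text (not taken from any real extension).
const SAMPLE_BG_JS = `
const INSTALL_URL = "https://wallpaper.example.invalid/welcome?utm_source=google&utm_medium=organic&utm_campaign=sample-live-wallpaper";
const UNINSTALL_URL = "https://www.google.com/url?sa=t&url=https%3A%2F%2Fwallpaper.example.invalid%2Fbye&ved=CONSTRUCTED_VED&usg=CONSTRUCTED_USG";
const HELP_URL = "https://wallpaper.example.invalid/help?utm_source=extension&utm_medium=referral";
`;

console.log(JSON.stringify(scanBackgroundScript(SAMPLE_BG_JS), null, 2));
```

A hit is a prompt for manual review of where the URL is used, not a verdict by itself; URLs assembled at runtime from fragments will not be caught by literal matching.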
### Dormant Capabilities
The JavaScript files also contain code that can enumerate and delete every **IndexedDB** database when the service worker starts. This capability is currently dormant, but if activated it could clear user data or interfere with browser functionality.
### Financial Motivation and Origin
The campaign is believed to be a "financially motivated commercial adware and traffic-attribution-fraud affiliate operation." Although the exact origin remains unconfirmed, circumstantial evidence suggests a possible link to Turkey.
### Affected Extensions (Partial List)
Below are some of the identified extensions, illustrating the variety of themes used to lure users:
* Neymar - Football Live Wallpaper (laafpeklcnlfmjaofbndehkjpnccbhek)
* Satoru Gojo Manga Live Wallpaper (mnpacdigbockiilmilhbedciadenfdnb)
* Porsche 911 - Sports Car Live Wallpaper (iedplnnolciaofkakkjmcojnmklpfikg)
* Hello Kitty Wallpapers HD New Tab (hijpkhinofkdobfagfbobnnoihmopgkk)
* Pusheen Cat Wallpapers HD New Tab (famchdjojcnakamhkddkpaglnkonkfnl)
* Spider-Man Miles Morales Swing Live Wallpaper (jjngbcodoldjmpjpfbhfelaljbdlkekh)
* BMW M3 Neon Night Drive Live Wallpaper (gfikbhpfjldbbikolkcimfgmejhdkjbe)
* Death Note Anime Wallpapers HD New Tab (pkdloppfapenphihgbldhjjlfhgnkmcg)
* Sonic Frontiers Starfall Live Wallpaper (imkepemaflommlonnppjobgdpokbfmoj)
* Tanjiro - Demon Slayer Live Wallpaper (ibglidkppckhminbhbgcajomjplomcka)
* Minecraft Sakura Pond Live Wallpaper (mjdhgndjbajnanfimjipafechjbakdhh)
* Zenitsu Agatsuma Live Wallpaper (laeciedchhnmnfhllplcgkfcdbdfgdhn)
