PROBABLYPWNED
Malware | June 15, 2026 | 4 min read

152 Chrome Extensions Caught Harvesting Data, Faking Traffic

Socket researchers expose a coordinated network of 152 Chrome 'live wallpaper' extensions stealing user data and generating fake Google organic search traffic.

James Rivera

A coordinated network of 152 Chrome extensions has been caught secretly logging user data and generating fake Google search traffic—all while their Chrome Web Store listings claimed they collected no user information whatsoever.

Socket's Threat Research Team uncovered the operation, which spans 38 publisher accounts and three interconnected domains. The extensions, disguised as "live wallpaper" new-tab replacements featuring anime, games, football, and car themes, have accumulated approximately 105,000 combined installs.

How the Scheme Works

The extensions operate on two fronts: covert data collection and search traffic fraud.

Despite privacy disclosures stating "the extensions do not collect or use user data," the actual privacy policies buried on the operators' websites reveal they harvest:

  • IP addresses and ISP information
  • Browser type and device details
  • Timestamps and referring pages
  • Click counts and installed software inventory

This data flows to Google AdSense, DoubleClick, Google Analytics, and unnamed third-party advertisers.

A subset of 54 extensions went further, implementing sophisticated attribution spoofing. Background workers automatically opened tabs with utm_source=google&utm_medium=organic parameters, and uninstall events triggered redirect URLs formatted to mimic authentic Google search clicks. This laundered extension-generated visits into "organic search" traffic, deceiving analytics systems and inflating the apparent value of the traffic for ad revenue.
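The laundering pattern described above leaves a detectable trace on the receiving site: a request that labels itself `utm_source=google&utm_medium=organic` while arriving with no Referer (a tab opened by a background worker has none) or with a non-Google Referer. The following detection script is an added example and is not part of Socket's report; it assumes combined-format access logs, and `operator.example` plus the log lines are constructed stand-ins.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format (assumed): ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A genuine click from Google web search arrives with a Google origin as its Referer.
GOOGLE_REFERER = re.compile(r'^https?://(www\.)?google\.[a-z.]+/', re.IGNORECASE)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def claims_google_organic(path):
    """True when the request URL carries the self-declared 'Google organic' UTM pair."""
    qs = parse_qs(urlsplit(path).query)
    return qs.get("utm_source") == ["google"] and qs.get("utm_medium") == ["organic"]


def is_spoofed_organic(entry):
    """The laundering pattern: the URL asserts google/organic attribution, but the
    Referer is empty or points somewhere other than Google. Treat this as an
    indicator, not proof: an HTTP-only site can also lose the Referer to
    referrer-policy downgrade, so corroborate with volume and timing."""
    return claims_google_organic(entry["path"]) and not GOOGLE_REFERER.match(entry["referer"])


def find_spoofed(lines):
    """Return the parsed entries that match the spoofed-attribution pattern."""
    parsed = (parse_line(ln) for ln in lines)
    return [e for e in parsed if e and is_spoofed_organic(e)]


# Constructed sample log (not from the report); operator.example stands in for an operator domain.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jun/2026:10:01:02 +0000] "GET /?utm_source=google&utm_medium=organic HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Jun/2026:10:01:05 +0000] "GET /landing?utm_source=google&utm_medium=organic HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0"
203.0.113.12 - - [15/Jun/2026:10:01:09 +0000] "GET /bye?utm_source=google&utm_medium=organic&utm_campaign=uninstall HTTP/1.1" 200 512 "https://operator.example/" "Mozilla/5.0"
203.0.113.13 - - [15/Jun/2026:10:01:12 +0000] "GET /about HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in find_spoofed(SAMPLE_LOG.splitlines()):
        print(f"{hit['ip']} {hit['path']} referer={hit['referer']!r}")
```

Run against real logs, a sudden rise in the flagged share of "organic" hits is the signal that an extension-driven source is feeding the site.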

The Infrastructure Behind the Campaign

Three domains coordinate the operation:

  • tabplugins[.]com
  • yowgames[.]com
  • chromewallpaper[.]com (redirects to owhit[.]com)

Each domain operates distinct Google Ad Manager or AdSense accounts, suggesting an organized effort to distribute risk and maximize revenue across multiple advertising relationships.

All 152 variants share identifying technical fingerprints: MV3 architecture with background workers that run IndexedDB cleanup loops, plus install-time navigation to operator domains. This shared codebase made the campaign easier to identify once researchers spotted the pattern.

Browser Extension Risks Persist

This discovery highlights ongoing risks in browser extension ecosystems. We've covered similar supply chain threats in the Arch Linux AUR compromise where 400 packages distributed rootkits and infostealers by spoofing trusted publishers—a tactic mirroring how these Chrome extensions spread across 38 fake accounts.

The Hola browser supply chain attack demonstrated how browser-adjacent software can silently install cryptominers. And for users seeking legitimate software, social media has become a distribution vector—the Vidar infostealer campaign used TikTok and Instagram Reels to lure victims with fake software tutorials.

Recommended Actions

Security teams and individual users should take immediate steps:

  1. Audit installed extensions and remove any new-tab wallpaper extensions from tabplugins[.]com, yowgames[.]com, or chromewallpaper[.]com
  2. Reset browser settings to verify default search engine and new-tab configurations haven't been modified
  3. Review extension permissions for any that request broad access to browsing data or all URLs
  4. Monitor for behavioral indicators such as unexpected tab opens or redirects during browsing
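Steps 1 and 3 above, together with the shared fingerprints described earlier (MV3 service worker touching IndexedDB, new-tab override, install-time navigation, uninstall redirect, references to the three operator domains), can be checked across a Chrome profile with a short audit script. This is an added example, not tooling from Socket or Google; it assumes the standard `<profile>/Extensions/<id>/<version>/manifest.json` layout, and the indicator names are this script's own.

```python
import json
import re
import sys
from pathlib import Path

# Domains named in the report (de-fanging brackets removed so they match literally).
OPERATOR_DOMAINS = ("tabplugins.com", "yowgames.com", "chromewallpaper.com", "owhit.com")
DOMAIN_RE = re.compile("|".join(re.escape(d) for d in OPERATOR_DOMAINS), re.IGNORECASE)
BROAD_PERMS = {"tabs", "webNavigation", "history"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def assess(manifest, sources):
    """Indicator strings for one extension, from its parsed manifest.json and
    the concatenated text of its JavaScript files."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # Fingerprint from the report: an MV3 background worker that works with IndexedDB.
    if manifest.get("manifest_version") == 3 and manifest.get("background", {}).get("service_worker") \
            and "indexedDB" in sources:
        findings.append("mv3-worker-uses-indexeddb")
    if perms & BROAD_PERMS:
        findings.append("broad-permissions:" + ",".join(sorted(perms & BROAD_PERMS)))
    if (set(manifest.get("host_permissions", [])) | perms) & BROAD_HOSTS:
        findings.append("all-urls-host-access")
    if manifest.get("chrome_url_overrides", {}).get("newtab"):
        findings.append("overrides-newtab")
    hit = DOMAIN_RE.search(json.dumps(manifest) + sources)
    if hit:
        findings.append("references-operator-domain:" + hit.group(0).lower())
    if "onInstalled" in sources and "tabs.create" in sources:  # opens a tab at install time
        findings.append("install-time-navigation")
    if "setUninstallURL" in sources:  # the API that opens a URL when the user uninstalls
        findings.append("sets-uninstall-url")
    return findings

def audit_extensions_dir(root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; map 'id/version' -> findings."""
    results = {}
    for mp in Path(root).glob("*/*/manifest.json"):
        manifest = json.loads(mp.read_text(encoding="utf-8-sig"))
        sources = "".join(p.read_text(encoding="utf-8", errors="ignore") for p in mp.parent.rglob("*.js"))
        results[f"{mp.parent.parent.name}/{mp.parent.name}"] = assess(manifest, sources)
    return results

if __name__ == "__main__":
    # Usage: python audit_extensions.py "<Chrome profile dir>/Extensions"
    for ext, flags in audit_extensions_dir(sys.argv[1]).items():
        if flags:
            print(ext, " ".join(flags))
```

An extension that hits the operator-domain check is one to remove outright; the remaining indicators are common to many legitimate extensions individually and only matter in combination.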

For organizations, consider implementing browser extension whitelisting through Chrome Enterprise policies. The ExtensionInstallBlocklist policy can prevent installation of extensions not explicitly approved.

The Broader Ad Fraud Problem

This campaign represents a slice of a massive industry. Ad fraud costs advertisers billions annually, with sophisticated operations constantly evolving to evade detection. The search traffic laundering technique is particularly insidious—it pollutes analytics for advertisers trying to measure genuine organic reach and undermines trust in Google's traffic attribution.

Google has removed malicious extensions when reported, but the whack-a-mole nature of enforcement means new variants regularly appear. The use of 38 separate publisher accounts suggests the operators anticipated takedowns and distributed their presence to maintain persistence.

Why Browser Extensions Remain Risky

Extensions operate with privileged access to browser data. Even extensions that appear benign can be compromised through developer account takeovers, acquisition by malicious parties, or hidden functionality that activates after installation.

For guidance on protecting yourself from malicious software distributed through browser extensions and other channels, review established security practices around permission management and software source verification.

The 105,000 affected users represent a fraction of Chrome's user base, but each installation represents a compromised browsing session with data flowing to unknown third parties. Check your extensions today.
