152 Chrome \u201clive wallpaper\u201d extensions on the Chrome Web Store<\/a> have been caught secretly logging user data and faking Google \u201corganic search\u201d traffic to inflate ad revenue, despite promising they do not collect any data.<\/p>\n This adware\u2011adjacent campaign abuses new\u2011tab extensions to launder extension\u2011generated visits into what appears to be legitimate search traffic, polluting analytics for advertisers and Google alike.<\/p>\n Socket\u2019s Threat Research Team uncovered a coordinated family of 152 new\u2011tab \u201clive wallpaper\u201d Chrome extensions built from a single codebase but spread across 38 publisher accounts and three brands: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com (which redirects to owhit[.]com).<\/p>\n The extensions use popular themes such as anime, games, football, and car wallpapers to attract installs, and together they report around 105,000 users. However, Chrome\u2019s rounded install buckets make this only a lower\u2011bound estimate.<\/p>\n On their Chrome Web Store \u201cPrivacy practices\u201d tab, the listings state that the extensions do not collect or use user data, do not sell data, and do not transfer data for unrelated purposes.<\/p>\n However, the linked privacy policy clearly states that it logs IP addresses, browser type, ISP, timestamps, referring pages, click counts, and details about the user\u2019s device and installed software, which are shared with Google AdSense, DoubleClick<\/a>, Google Analytics, and unnamed third\u2011party ad partners.<\/p>\n A 54\u2011extension subset built on the newer tabplugins template takes this further by forging Google organic\u2011search attribution.<\/p>\n On install, the background service worker automatically opens a tab to tabplugins[.]com with\u00a0utm_source=google&utm_medium=organic, causing analytics to record the visit as if the user discovered the site via a normal Google search result instead of an extension\u2011forced navigation.<\/p>\n On uninstall, the extension fires a crafted\u00a0https:\/\/www.google.com\/url?\u2026&url=https:\/\/tabplugins.com\/\u2026&ved=\u2026&usg=\u2026\u00a0redirect, mimicking the exact format and signed tokens Google uses for real search\u2011result clicks, so the uninstall ping is indistinguishable from a human clicking a Google result.<\/p>\n This allows the operator to present extension\u2011generated traffic as high\u2011value \u201corganic search\u201d visits, inflating perceived popularity and trustworthiness to advertisers and affiliate programs.<\/p>\n Every analyzed family member also exhibits undisclosed anti\u2011forensic behavior. On each service\u2011worker start, the background script enumerates and deletes every IndexedDB database accessible to the extension\u2019s own origin.<\/p>\n In this build, the extension stores its settings in localStorage. It does not use IndexedDB, so the wipe currently destroys nothing.<\/p>\n However, it remains a strong fingerprint and demonstrates a built\u2011in capability to reset any future IndexedDB\u2011based telemetry within the extension silently.<\/p>\n The same\u00a0Deleted IndexedDB database:\u00a0log string, install\u2011navigation behavior, and\u00a0setUninstallURL\u00a0pattern appear across 141 retrievable service\u2011worker scripts tied to 152 total extension IDs, with 11 already delisted.<\/p>\n According to Socket Research<\/a>, some variants even include a syntactically broken The extensions do not inject ads into arbitrary websites. Instead, they redirect users to operator-controlled domains that are heavily monetized through programmatic advertising.<\/p>\n One such domain, Feeding ad exchanges including Google Ad Manager, Xandr\/AppNexus, PixFuture, and SmileWanted, while using Google Analytics 4 and FOU Analytics for user tracking.<\/p>\n Archived snapshots of yowgames[.]com and owhit[.]com shows direct Google AdSense<\/a> and Analytics integrations with their own publisher IDs and GA4 properties, reusing boilerplate privacy language about DoubleClick and third\u2011party advertisers.<\/p>\n The result is a financially motivated traffic\u2011fraud operation that turns silent new\u2011tab installs into what appear to be genuine Google search visits, at the expense of user privacy and measurement integrity.<\/p>\n For users, the main risk is enrollment in deceptive traffic measurement and undisclosed telemetry, not device\u2011level compromise.<\/p>\n Security teams should hunt for a shared fingerprint: an MV3 extension with a background worker that logs the deleted IndexedDB database, runs an Additional indicators include an uninstall URL pointing to a Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post 152 Chrome Extensions Hide Ad Tracking and Fake Google Search Traffic<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"The](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi6KqwEHQ9mV2jZiYSooMWffaWVFb9eOeqdltOWJRtiIDVqhM8Q5n_M8uurwSzbmmGnddSXaY6hWEM6Q5MaP_grb646icm77zyCyt1gdiiXpI9agXllcvvh4UoZ_fqsnGjSvayLTCNAQnFJTcE8v9wXgeqL16Jv1SgQWv4iDAdBIlh8wPxemYfIG4OssXw\/s1600\/Screenshot%25202026-06-13%2520105748%2520%25281%2529.webp?ssl=1\")
Chrome Extensions Hide Tracking and Fake Traffic<\/strong><\/h2>\n
![\"\nThe](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgJnvCjCZ76bmOQGwasF5abU0Rs6XD4fp9OEMtB0OxOIPROzvZsR6BMuA_9GdTBYFzG9pBX_hfZRFfziu2EKE1Wl1a1BMm17L_sf8e8QcfEhRDHz4FHAtZxUcOmccU10ws3CdP0iTT1UTw-f3g71uBUAosdXPceDnOVE4NTd6-lpN-eV74I76Tezg8UPbA\/s1600\/Screenshot%25202026-06-13%2520105808%2520%25281%2529.webp?ssl=1\")
![\"The](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEigB7pbfPH_mUPNRU-BSyJgWBDOJZ_POMUBSDJyhZ__bsyu-BvLPuz7STIrdw6-WVOJNRG9lr1TI9rmrMVgd5Sm9SVw6m5KDCJ8P8z5lNxWKFhhKbCQ8RT4jKLtL9w33Nb74QjfP4zSC5fGVtuIOzkjx9tB_NYLKnbPFh3erpgTMkefkmlzmpGzlD0rQbM\/s1600\/Screenshot%25202026-06-13%2520110029%2520%25281%2529.webp?ssl=1\")
bg.js<\/code> file that prevents the background logic from executing, suggesting rushed mass production of the extensions despite successfully passing store review.<\/p>\ntabplugins[.]com<\/code>, operates a WordPress-based extension<\/a> catalog integrated with a Prebid header-bidding stack from Advergic (avads[.]live<\/code>).<\/p>\nindexedDB.databases().then(... deleteDatabase ...)<\/code> loop, and opens utm_source=google&utm_medium=organic<\/code> tabs on install.<\/p>\ngoogle.com\/url<\/code> wrapper that redirects to tabplugins[.]com<\/code>, yowgames[.]com<\/code>, chromewallpaper[.]com<\/code>, or owhit[.]com<\/code>.<\/p>\n