Recent findings have unveiled a concerning issue involving 152 Chrome extensions that clandestinely monitor user data and fabricate Google search traffic to boost ad revenue. Despite assurances of no data collection, these extensions engage in deceptive practices, raising significant privacy concerns.
Uncovering the Deceptive Extensions
Socket’s Threat Research Team discovered that these extensions, branded as ‘live wallpaper’, are part of a coordinated effort to manipulate new-tab pages. This tactic is used to convert extension-generated visits into seemingly legitimate search traffic, thereby distorting analytics for advertisers and Google itself.
The extensions are developed from a single source code but are disseminated through 38 different publisher accounts and three brands, namely tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com, redirecting to owhit[.]com. Popular themes such as anime and sports wallpapers are used to attract users, with installations estimated at around 105,000, though this figure is likely an underestimation due to Chrome’s reporting methods.
Privacy Misrepresentation
Contrary to their Chrome Web Store privacy declarations, these extensions log extensive user data including IP addresses, browser types, and ISP information. This data is shared with Google AdSense, DoubleClick, and other third-party ad partners, contradicting the stated privacy policies.
A subset of 54 extensions employs a more advanced strategy to impersonate Google search attribution. Upon installation, a background service worker triggers a new tab that appears as if the user accessed it through a genuine Google search, thus corrupting analytics with false traffic data.
Implications and Security Measures
Operating under 38 publisher accounts, the network leverages Google Ad Manager and AdSense accounts to falsely inflate traffic metrics, enhancing perceived credibility to advertisers. The extensions do not insert ads into random websites but rather redirect users to domains like tabplugins[.]com, which are monetized through intensive programmatic advertising.
Researchers have identified specific anti-forensic behaviors, such as the deletion of IndexedDB databases to prevent tracking. This, along with a syntactically flawed bg.js file in some variants, suggests hasty mass production of these extensions, which still manage to pass store reviews.
This operation highlights a significant threat to user privacy and data integrity. For users, the primary risk is involvement in fraudulent traffic measurement rather than direct device compromise. Security teams are advised to look for shared characteristics among these extensions to mitigate the threat.
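The shared characteristics the report describes (a new-tab override, a background service worker, and references to the same handful of brand and redirect domains) can be checked mechanically across the unpacked extensions in a browser profile. The scanner below is an added example written for this article, not Socket's tooling or code from the extensions themselves. It assumes Chrome's on-disk layout of one `manifest.json` per unpacked extension version directory, uses the four domains named above (undefanged so they match literal strings in code), and the risk weighting is an arbitrary choice made here for triage, not something the report specifies. The two sample extensions it builds are constructed in a temporary directory for demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

# Domains named in the Socket report, written undefanged so they match
# literal occurrences inside extension JavaScript, HTML and JSON files.
KNOWN_DOMAINS = {"tabplugins.com", "yowgames.com", "chromewallpaper.com", "owhit.com"}

# Crude hostname matcher; false positives are filtered by the KNOWN_DOMAINS lookup.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)

SCANNED_SUFFIXES = {".js", ".html", ".json"}


def scan_extension(ext_dir):
    """Inspect one unpacked extension directory and return a findings dict.

    Flags the three traits the report associates with the network: a
    chrome_url_overrides.newtab entry, a background service worker, and any
    reference to the known domains. An unreadable or malformed manifest is
    reported rather than silently skipped.
    """
    ext_dir = Path(ext_dir)
    findings = {
        "manifest_ok": True,
        "newtab_override": False,
        "service_worker": None,
        "ioc_domains": set(),
    }
    try:
        manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        findings["manifest_ok"] = False
        return findings

    findings["newtab_override"] = "newtab" in manifest.get("chrome_url_overrides", {})
    findings["service_worker"] = manifest.get("background", {}).get("service_worker")

    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            for match in DOMAIN_RE.finditer(text):
                domain = match.group(1).lower()
                if domain in KNOWN_DOMAINS:
                    findings["ioc_domains"].add(domain)
    return findings


def risk_score(findings):
    """Arbitrary triage weighting (an assumption of this example): a known domain
    is the strongest signal; the two manifest traits alone are common in benign
    extensions and only add weight."""
    score = 0
    if findings["ioc_domains"]:
        score += 3
    if findings["newtab_override"]:
        score += 1
    if findings["service_worker"]:
        score += 1
    return score


def scan_extensions_root(root):
    """Walk a Chrome Extensions directory (id/version/manifest.json layout) and
    return a list of (extension_dir, findings) sorted by risk, highest first."""
    results = []
    for manifest in Path(root).rglob("manifest.json"):
        ext_dir = manifest.parent
        results.append((ext_dir, scan_extension(ext_dir)))
    results.sort(key=lambda item: risk_score(item[1]), reverse=True)
    return results


def build_sample_extensions():
    """Create two constructed unpacked extensions under a temp dir: one that
    carries the reported traits and one benign popup extension.
    Returns (root_dir, suspicious_dir, benign_dir)."""
    root = Path(tempfile.mkdtemp(prefix="ext_scan_"))

    suspicious = root / "aaaa" / "1.0_0"
    suspicious.mkdir(parents=True)
    (suspicious / "manifest.json").write_text(json.dumps({
        "manifest_version": 3,
        "name": "Anime Live Wallpaper (constructed sample)",
        "version": "1.0",
        "background": {"service_worker": "bg.js"},
        "chrome_url_overrides": {"newtab": "newtab.html"},
    }))
    # Constructed sample: only the domain reference matters to the scanner.
    (suspicious / "bg.js").write_text('const HOME = "https://tabplugins.com/";\n')
    (suspicious / "newtab.html").write_text("<html><body>wallpaper</body></html>\n")

    benign = root / "bbbb" / "2.1_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({
        "manifest_version": 3,
        "name": "Notes (constructed sample)",
        "version": "2.1",
        "action": {"default_popup": "popup.html"},
    }))
    (benign / "popup.html").write_text("<html><body>notes</body></html>\n")
    return root, suspicious, benign


if __name__ == "__main__":
    root, _, _ = build_sample_extensions()
    for ext_dir, findings in scan_extensions_root(root):
        print(f"{risk_score(findings)}  {ext_dir.parent.name}  {findings}")
```

Point `scan_extensions_root` at a real profile's extension store (on Linux, typically `~/.config/google-chrome/Default/Extensions`) to rank everything installed; a non-zero `ioc_domains` set is the finding worth acting on, while the manifest traits on their own are only corroborating context, since many legitimate new-tab extensions also use a service worker.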