Cybersecurity experts have uncovered a network of 152 Google Chrome extensions masquerading as live wallpaper add-ons that actually distribute a potentially unwanted program (PUP) family. These extensions have collectively been downloaded over 105,000 times, presenting significant privacy concerns for users.
Network of Extensions and Publishers
This collection of extensions is managed by 38 different publisher accounts on the Chrome Web Store and is linked to three brand backends: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. Some notable extensions in this network include ‘Neymar – Football Live Wallpaper’ and ‘Satoru Gojo Manga Live Wallpaper,’ among others.
Each extension claims not to collect or utilize user data, yet their privacy policies contradict this by admitting to logging user IP addresses, ISPs, and browsing behaviors. This data is subsequently shared with advertising entities such as Google AdSense and DoubleClick.
Deceptive Tactics and Traffic Manipulation
The identified extensions deploy deceptive tactics by embedding two specific URLs within their JavaScript files. These URLs are activated during installation and uninstallation processes, disguising actions as organic search activities. For instance, upon installation, the extension uses a URL with Urchin Tracking Module (UTM) parameters, mimicking organic search traffic.
Similarly, the uninstallation process employs a google.com URL redirect, simulating genuine Google Search activity. The result looks like legitimate search traffic, but the visits are initiated by the extension itself, not by the user.
Potential Impact and Financial Motivation
The campaign is deemed financially motivated, categorized as a commercial adware and traffic-attribution-fraud affiliate operation. Although the exact origins of this network remain undetermined, some indications suggest a possible connection to Turkey.
Furthermore, these extensions possess a dormant capability to enumerate and erase IndexedDB databases upon the initiation of a service worker, posing additional security risks.
Given the widespread installation of these extensions, users are advised to scrutinize their browser add-ons and ensure they are downloading from trusted sources. This incident underscores the importance of vigilant cybersecurity practices and the ongoing need for monitoring browser extensions.
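For anyone reviewing an unpacked extension's source, the three behaviors described above (install-time UTM-tagged URLs, a google.com redirect on uninstall, and IndexedDB enumeration and deletion) can be triaged statically. The following is an added example, not code from the researchers or from the extensions; the regular expressions, the function name scanSource and the sample strings are assumptions, since the article does not publish the exact URLs or API calls used.

```javascript
// Added example: static triage of an unpacked extension's JavaScript.
// Backend domains are from the article (kept defanged, refanged at runtime).
const BACKENDS = ["tabplugins[.]com", "yowgames[.]com", "chromewallpaper[.]com"]
  .map((d) => d.replace("[.]", "."));

// Assumed heuristics: the article does not publish the exact strings used.
const RULES = [
  { id: "utm-organic-url", // URL tagged so a visit is attributed to search
    re: /https?:\/\/[^\s"'`]+[?&]utm_(?:source|medium)=(?:google|organic)\b/i },
  { id: "uninstall-google-redirect", // uninstall URL bounced through google.com
    re: /setUninstallURL\s*\(\s*["'`]https?:\/\/(?:www\.)?google\.com\/url\?/i },
  { id: "indexeddb-wipe", // enumerate databases, then delete them
    re: /indexedDB\.databases\s*\(\s*\)[\s\S]{0,400}?\.deleteDatabase\s*\(/ },
];

const lineOf = (src, index) => src.slice(0, index).split("\n").length;

function scanSource(file, src) {
  const findings = [];
  for (const { id, re } of RULES) {
    const m = re.exec(src);
    if (m) findings.push({ file, rule: id, line: lineOf(src, m.index) });
  }
  for (const host of BACKENDS) {
    const at = src.indexOf(host);
    if (at !== -1) findings.push({ file, rule: "known-backend:" + host, line: lineOf(src, at) });
  }
  return findings;
}

// Constructed sample inputs (not taken from any real extension).
const SUSPICIOUS_JS = `
chrome.runtime.onInstalled.addListener(() => {
  chrome.tabs.create({ url: "https://backend.example/hi?utm_source=google&utm_medium=organic" });
});
chrome.runtime.setUninstallURL("https://www.google.com/url?q=https://backend.example/bye");
async function resetStorage() {
  for (const db of await indexedDB.databases()) indexedDB.deleteDatabase(db.name);
}
`;
const CLEAN_JS = `chrome.runtime.setUninstallURL("https://vendor.example/feedback");`;

for (const f of [...scanSource("background.js", SUSPICIOUS_JS), ...scanSource("clean.js", CLEAN_JS)]) {
  console.log(`${f.file}:${f.line} ${f.rule}`);
}
```

A hit is a prompt for manual review rather than a verdict, since legitimate extensions also set uninstall URLs and tag their own links.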
Moving forward, understanding these threats and implementing protective measures is crucial to safeguarding user privacy and maintaining the integrity of online interactions.
