The Discovery
Security researchers at Socket’s Threat Research Team have identified a coordinated network of 152 Chrome Web Store extensions that secretly intercept user data and fabricate search traffic. These extensions, primarily marketed as live wallpaper tools for new tabs, were built from a single codebase but distributed across 38 different publisher accounts and three brand domains: tabplugins.com, yowgames.com, and chromewallpaper.com. While Chrome reports approximately 105,000 total users, the actual number may be higher due to rounded install count reporting. The extensions attract users with popular themes including anime, sports, and nature imagery.
Data Collection and Traffic Manipulation
Although each extension’s Chrome Web Store privacy listing claims no user data is collected, their linked privacy policies tell a different story. The policies acknowledge collection of IP addresses, browser types, timestamps, referring pages, and device details, which are then shared with Google AdSense, DoubleClick, Google Analytics, and unnamed third-party ad partners. A subset of 54 extensions goes further by forging organic search attribution. Upon installation, the background service worker automatically opens a tab to tabplugins.com with parameters that make the visit appear to come from a legitimate Google search. Even upon uninstallation, the extensions fire a crafted redirect that mimics the exact format of a real Google search result click, making it nearly impossible for analytics systems to distinguish the activity from a human user. This campaign pollutes advertising metrics and undermines the integrity of search traffic data.
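As an added example (not code from Socket's report or from the extensions themselves), a reviewer auditing an unpacked extension's background service worker could flag the two behaviors described above with a heuristic like this. The attribution parameter names, the /url redirect path check and the wallpaper.example host are assumptions, since the page does not list the exact values.

```javascript
// Heuristic, file-level audit of an extension's background service worker source.
// Parameter names are assumptions; the page does not give the exact ones used.
const ATTRIBUTION_PARAMS = ["utm_source", "utm_medium", "gclid", "ved", "sa"];

// Pull every http(s) URL that appears inside a quoted string literal.
function extractUrls(source) {
  const urls = [];
  for (const m of source.matchAll(/["'`](https?:\/\/[^"'`\s]+)["'`]/g)) {
    try { urls.push(new URL(m[1])); } catch { /* not a parseable URL, skip */ }
  }
  return urls;
}

// Rough match for Google search hosts (google.com, google.de, google.co.uk, ...).
const isGoogleHost = (host) => /^(www\.)?google\.(com|[a-z]{2,3}|com?\.[a-z]{2})$/.test(host);

function auditServiceWorker(source) {
  const findings = [];
  const opensTabOnInstall =
    /chrome\.runtime\.onInstalled\.addListener/.test(source) &&
    /chrome\.tabs\.create/.test(source);
  const setsUninstallUrl = /chrome\.runtime\.setUninstallURL/.test(source);
  for (const url of extractUrls(source)) {
    const claimed = ATTRIBUTION_PARAMS.filter((p) => url.searchParams.has(p));
    // Install-time tab to a non-Google site whose URL claims a search/campaign origin.
    if (opensTabOnInstall && !isGoogleHost(url.hostname) && claimed.length > 0) {
      findings.push({ rule: "install-tab-attribution", host: url.hostname, params: claimed });
    }
    // Uninstall URL routed through a Google click-redirect style path.
    if (setsUninstallUrl && isGoogleHost(url.hostname) && url.pathname === "/url") {
      findings.push({ rule: "uninstall-google-redirect", host: url.hostname, params: claimed });
    }
  }
  return findings;
}

// Constructed samples (not taken from any real extension); hosts are placeholders.
const SAMPLE_WORKER = `
chrome.runtime.onInstalled.addListener(() => {
  chrome.tabs.create({ url: "https://wallpaper.example/welcome?utm_source=google&utm_medium=organic" });
});
chrome.runtime.setUninstallURL("https://www.google.com/url?sa=t&url=https%3A%2F%2Fwallpaper.example%2Fbye");
`;
const BENIGN_WORKER = `chrome.runtime.onInstalled.addListener(() => chrome.tabs.create({ url: "https://wallpaper.example/welcome" }));`;

console.log(auditServiceWorker(SAMPLE_WORKER));
```

The rules match on the whole file rather than on individual call sites, so a hit is a prompt for manual review of the worker, not proof of forged attribution.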
Source: Cyber Security News

