152 Background Chrome Extensions with 105K Installs Linked to Adware and Fake Traffic
Cybersecurity researchers discovered a network of 152 Google Chrome extensions that act as live wallpaper new tab add-ons to distribute a potentially unwanted program (PUP) family.
The collection includes 38 Chrome Web Store publisher accounts and three product backends: tabplugins[.]com, games[.]com, and chromewallpaper[.]com. They have been uploaded a combined 105,000 times. The names of other extensions are listed below –
- Neymar – Football Live Wallpaper (laafpeklcnlfmjaofbndehkjpnccbhek)
- Satoru Gojo Manga Live Wallpaper (mnpacdigbockiilmilhbedciadenfdnb)
- Porsche 911 – Sports Car Live Wallpaper (deceased service worker) (iedplnnolciaofkakkjmcojnmklpfikg)
- Satoru Gojo Live Wallpaper (ipiabbhcinknabpoihaakdahgghlllelpj)
- Hello Kitty Wallpapers HD New Tab (hijpkhinofkdobfagfbobnnoihmopgkk)
- Pusheen Cat Wallpapers HD New Tab (famchdjojcnakamhkddkpaglnkonkfnl)
- Peach & Goma Wallpapers HD New Tab (nomekamioepglinefhenifnbegjhfiai)
- Spider-Man Miles Morales Swing Live Wallpaper (jjngbcodoldjmpjpfbhfelaljbdlkekh)
- BMW M3 Neon Night Drive Live Wallpaper (gfikbhpfjldbbikolkcimfgmejhdkjbe)
- BMW Wallpapers (dbiamdajndfmpmmeklcbbnekhkdcakhf)
- Death Note Anime Wallpapers HD New Tab (pkdloppfapenphihgbldhjjlfhgnkmcg)
- Sonic Frontiers Starfall Live Wallpaper (imkepemaflommlonnppjobgdpokbfmoj)
- Tanjiro – Demon Slayer Wallpaper (ibglidkppckhminbhbgcajomjplomcka)
- Neymar New Tab Wallpaper (gkbfokaephnaajnmpgiieidpfieamggb)
- Anime Car Drift Wallpaper (bcafgkhoifffmnoajkgmbhcojpabjffm)
- New tab for Choso wallpapers (ojeaociifmdciibodcifjjocdlbjjeep)
- Anime Rain Live Wallpaper (npcghfkbpgiamoifabankdnmopenni)
- Minecraft Sakura Pond Live Wallpaper (mjdhgndjbajnanfimjipafechjbakdhh)
- Grass Background Live Wallpaper The Ghost of Tsushima (lblgjffllphdepifdkfhlihddckhlkll)
- Zenitsu Agatsuma Live Wallpaper (laeciedchhnmnfhllplcgkfcdbdfgdhn)
“Every listing declares in the Chrome Web Store that it will not collect or use user data, while the linked privacy policy admits the opposite: that it logs IP addresses of extensions, ISP, click rates, and referrers and shares that data with Google AdSense, DoubleClick, and third-party ad partners,” said Socket security researcher Kush Pandya.
In addition, a subset of indexed extensions defines two hard-coded URLs in a JavaScript file (“js/bg.js”) that run during install and uninstall –
- The installation URL includes the Urchin Tracking Module (UTM) parameters “utm_source=google&utm_medium=organic&utm_campaign=tanjiro-demon-slayer-live-wallpaper” thus hiding the extension that opens the tab to the installation as an “organic” search.
- The output URL is google.com/url which is a redirect wrapper that passes the output as a real Google Search function.
Organic search on search engines like Gook refers to unpaid listings on the search engine results page (SERP) generated by algorithms. Their placement is based on parameters such as relevance, authority, and search engine optimization (SEO), and is different from sponsored results.
The idea of this extension, says Socket, is to create that signal, which is actually equivalent to making the origin of its traffic.
“A visit isn’t someone who’s searched Google; it’s an extension that opens a tab on its own and stamps it ‘from a Google organic search,'” the company explained.
“The output ping goes further, masking the destination in the google.com/url format that Google uses for actual search results clicks, including the signed ved and usg tokens, so the hit looks like someone clicking on a Google result.”
The JavaScript files are also included with invalid enumeration capabilities and remove all the IndexedDB database information that was found at the start of the service operation.
The campaign is considered a “commercially motivated adware and traffic-attribution-fraud affiliate,” though its true origins are unknown. The available condition indicators suggest that it may have originated in Turkey.
