{"id":1307,"date":"2026-06-15T11:45:59","date_gmt":"2026-06-15T11:45:59","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1307"},"modified":"2026-06-15T11:45:59","modified_gmt":"2026-06-15T11:45:59","slug":"152-chrome-wallpaper-extensions-with-105k-installs-linked-to-adware-and-fake-traffic","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1307","title":{"rendered":"152 Chrome Wallpaper Extensions with 105K Installs Linked to Adware and Fake Traffic"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span><span class=\"author\">Jun 15, 2026<\/span><\/span><span class=\"p-tags\">Browser Security \/ Privacy<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cybersecurity researchers have discovered a network of 152 Google Chrome extensions that act as new tab live wallpaper add-ons to distribute a potentially unwanted program (PUP) family.<\/p>\n<p>The cluster spans 38 separate Chrome Web Store publisher accounts and three brand backends: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. They have been collectively installed 105,000 times. 
The names of some of the extensions are listed below &#8211;<\/p>\n<ul>\n<li>Neymar &#8211; Football Live Wallpaper (laafpeklcnlfmjaofbndehkjpnccbhek)<\/li>\n<li>Satoru Gojo Manga Live Wallpaper (mnpacdigbockiilmilhbedciadenfdnb)<\/li>\n<li>Porsche 911 &#8211; Sports Car Live Wallpaper (dead service worker) (iedplnnolciaofkakkjmcojnmklpfikg)<\/li>\n<li>Satoru Gojo Live Wallpaper (ipiabbhciknabpoihaakdahgghllelpj)<\/li>\n<li>Hello Kitty Wallpapers HD New Tab (hijpkhinofkdobfagfbobnnoihmopgkk)<\/li>\n<li>Pusheen Cat Wallpapers HD New Tab (famchdjojcnakamhkddkpaglnkonkfnl)<\/li>\n<li>Peach &amp; Goma Wallpapers HD New Tab (nomekamioepglinefhenifnbegjhfiai)<\/li>\n<li>Spider-Man Miles Morales Swing Live Wallpaper (jjngbcodoldjmpjpfbhfelaljbdlkekh)<\/li>\n<li>BMW M3 Neon Night Drive Live Wallpaper (gfikbhpfjldbbikolkcimfgmejhdkjbe)<\/li>\n<li>BMW Wallpapers (dbiamdajndfmpmmeklcbbnekhkdcakhf)<\/li>\n<li>Death Note Anime Wallpapers HD New Tab (pkdloppfapenphihgbldhjjlfhgnkmcg)<\/li>\n<li>Sonic Frontiers Starfall Live Wallpaper (imkepemaflommlonnppjobgdpokbfmoj)<\/li>\n<li>Tanjiro &#8211; Demon Slayer Live Wallpaper (ibglidkppckhminbhbgcajomjplomcka)<\/li>\n<li>Neymar New Tab Wallpaper (gkbfokaephnaajnmpgiieidpfieamggb)<\/li>\n<li>Anime Car Drift Live Wallpaper (bcafgkhoifffmnoajkgmbhcojpabjffm)<\/li>\n<li>Choso Wallpapers New Tab (ojeaociifmdciibodcifjjocdlbjjeep)<\/li>\n<li>Anime Rain Live Wallpaper (npcghghfkbpgiamoifabankdnmopenni)<\/li>\n<li>Minecraft Sakura Pond Live Wallpaper (mjdhgndjbajnanfimjipafechjbakdhh)<\/li>\n<li>Straw Hat Live Wallpaper Ghost of Tsushima (lblgjffllphdepifdkfhlihddckhlkll)<\/li>\n<li>Zenitsu Agatsuma Live Wallpaper (laeciedchhnmnfhllplcgkfcdbdfgdhn)<\/li>\n<\/ul>\n<p>\u00abEvery listing declares on the Chrome Web Store that it will not collect or use user data, while the linked privacy policy admits the opposite: that the extensions log IP addresses, ISP, click counts, and referrers and share that data with Google AdSense, DoubleClick, and 
third-party ad partners,\u00bb Socket security researcher Kush Pandya <a href=\"https:\/\/socket.dev\/blog\/152-chrome-live-wallpaper-extensions-hid-ad-tracking#Attribution\">said<\/a>.<\/p>\n<p>What&#8217;s more, a sub-cluster of the identified extensions defines two hard-coded URLs in a JavaScript file (\u00abjs\/bg.js\u00bb) that are activated during install and uninstall operations &#8211;<\/p>\n<ul>\n<li>The install URL includes the Urchin Tracking Module (UTM) parameters \u00abutm_source=google&amp;utm_medium=organic&amp;utm_campaign=tanjiro-demon-slayer-live-wallpaper\u00bb, thereby disguising the extension opening a tab on install as an \u00aborganic\u00bb search.<\/li>\n<li>The uninstall URL is a google.com\/url redirect wrapper that disguises the uninstall as genuine Google Search activity.<\/li>\n<\/ul>\n<p>Organic search on search engines like Google refers to the unpaid listings on a search engine results page (SERP) generated by algorithms. 
Their placement is based on parameters like relevance, authority, and search engine optimization (SEO), and is different from sponsored results.<\/p>\n<p>The idea behind these extensions, Socket said, is to artificially create that signal, which essentially amounts to fabricating the origin of their own traffic.<\/p>\n<p>\u00abThe visit is not a person who searched Google; it is the extension opening a tab on its own and stamping it &#8216;arrived from Google organic search,&#8217;\u00bb the company explained.<\/p>\n<p>\u00abThe uninstall ping goes a step further, wrapping the destination in the exact google.com\/url format Google uses for real search-result clicks, including the signed ved and usg tokens, so the hit looks like a human clicking a Google result.\u00bb<\/p>\n<p>The JavaScript files also come equipped with a dormant capability to enumerate and delete every IndexedDB database they can find when the service worker starts.<\/p>\n<p>The campaign is assessed to be a \u00abfinancially motivated commercial adware and traffic-attribution-fraud affiliate operation,\u00bb although its exact provenance remains unknown. 
Available circumstantial indicators suggest it could have originated from Turkey.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Jun 15, 2026Browser Security \/ Privacy Cybersecurity researchers have discovered a network of 152 Google Chrome extensions that act as new tab live wallpaper add-ons to distribute a potentially&hellip;<\/p>\n","protected":false},"author":1,"featured_media":1308,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[2044,2046,182,361,150,2045,312,1267,2043],"class_list":["post-1307","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-105k","tag-adware","tag-chrome","tag-extensions","tag-fake","tag-installs","tag-linked","tag-traffic","tag-wallpaper"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1307"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1307\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/1308"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1307"},{"taxonomy":"post_tag","embeddab
le":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}