Cybersecurity researchers have uncovered a network of 152 Google Chrome extensions posing as live wallpaper add-ons that distribute a potentially unwanted program (PUP) family. The extensions span 38 separate Chrome Web Store publisher accounts and three brand backends: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. They have been collectively installed 105,000 times.
According to Socket security researcher Kush Pandya, every extension declares on the Chrome Web Store that it will not collect or use user data, while the linked privacy policy admits the opposite: the extensions log IP addresses, ISP, click counts, and referrers and share that data with Google AdSense, DoubleClick, and third-party ad partners.
A sub-cluster of the identified extensions defines two hard-coded URLs in a JavaScript file that are activated during install and uninstall operations. The install URL includes Urchin Tracking Module (UTM) parameters so that the tab the extension opens on install appears to be an organic search. The uninstall URL is a google.com/url redirect wrapper that makes the uninstall look like genuine Google Search activity. The campaign is assessed to be a financially motivated commercial adware and traffic-attribution-fraud affiliate operation, with circumstantial indicators suggesting it could have originated from Turkey.
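The two URL patterns described above can be checked for statically when reviewing an unpacked extension. The following Node.js sketch is an added example, not code from the report or from any of the extensions; the sample source is constructed, the example.test host is a placeholder, and wiring through chrome.runtime.onInstalled, chrome.tabs.create and chrome.runtime.setUninstallURL is an assumption about how such hooks are typically registered.

```javascript
// Constructed sample of extension code showing both patterns (placeholder hosts).
const SAMPLE_SOURCE = `
const INSTALL_URL = "https://wallpaper.example.test/welcome?utm_source=google&utm_medium=organic";
const UNINSTALL_URL = "https://www.google.com/url?q=https%3A%2F%2Fwallpaper.example.test%2Fbye&sa=D";
chrome.runtime.onInstalled.addListener(() => chrome.tabs.create({ url: INSTALL_URL }));
chrome.runtime.setUninstallURL(UNINSTALL_URL);
`;

// Pull every quoted http(s) string literal out of the source text.
function extractUrlLiterals(source) {
  const re = /(["'`])(https?:\/\/[^"'`\s]+)\1/g;
  return [...source.matchAll(re)].map((m) => m[2]);
}

// Flag hard-coded UTM parameters and google.com/url redirect wrappers.
function classifyUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return []; }
  const findings = [];
  const utmKeys = [...url.searchParams.keys()].filter((k) => k.toLowerCase().startsWith("utm_"));
  if (utmKeys.length > 0) findings.push({ type: "hardcoded-utm", detail: utmKeys.join(",") });
  const isGoogleHost = /^(www\.)?google\.com$/i.test(url.hostname);
  if (isGoogleHost && url.pathname === "/url") {
    // The wrapped destination is what a reviewer needs to see, so decode it.
    const target = url.searchParams.get("q") || url.searchParams.get("url") || "";
    findings.push({ type: "google-redirect-wrapper", detail: target });
  }
  return findings;
}

// Combine URL findings with the lifecycle hooks that would activate them.
function auditExtensionSource(source) {
  const hooks = {
    opensTabOnInstall: /runtime\.onInstalled/.test(source) && /tabs\.create/.test(source),
    setsUninstallUrl: /runtime\.setUninstallURL/.test(source),
  };
  const findings = extractUrlLiterals(source).flatMap((u) =>
    classifyUrl(u).map((f) => ({ url: u, ...f })));
  return { hooks, findings };
}

console.log(JSON.stringify(auditExtensionSource(SAMPLE_SOURCE), null, 2));
```

A finding alone is not proof of fraud, since legitimate extensions also tag welcome pages with UTM parameters; the signal is a tracking-tagged or Google-wrapped URL together with an install or uninstall hook.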
CVEs: CVE-2026-11645
Malware: PUP
Products: Google Chrome, Google AdSense, DoubleClick
Original source: thehackernews.com