Researchers uncovered 152 malicious Chrome extensions masquerading as wallpaper and new tab customization tools. The extensions, distributed across 38 publisher accounts on the Chrome Web Store, accumulated 105,000 combined installations before removal.
The threat actors operated three backend infrastructure domains: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. Each extension functioned as a potentially unwanted program (PUP) designed to inject advertisements into pages and generate fake traffic for profit.
Users who installed these extensions experienced browser hijacking behaviors. The wallpaper add-ons delivered intrusive ads while silently manipulating web traffic to inflate view counts and engagement metrics. This technique, known as click fraud or traffic injection, generates revenue for threat actors while degrading performance and user experience.
The distributed nature of this campaign across dozens of publisher accounts suggests coordinated infrastructure rather than isolated malicious developers. Threat actors fragmented their operations to evade detection mechanisms and distribute risk. When one account faced suspension, others remained active and continued distribution.
Google removed the extensions from the Chrome Web Store following researcher disclosure. However, users who installed them beforehand retain the malicious code unless they manually uninstall the extensions. Chrome does not automatically remove extensions following Web Store delisting.
Organizations should audit employee browser extensions and enforce policies restricting installation to approved add-ons only. IT teams benefit from deploying browser management solutions that monitor and control extension behavior. Users should review installed extensions regularly and remove unfamiliar or unused tools.
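One way to perform the audit described above, as an added example that is not from the article or the researchers: a Python script that walks a Chrome profile's Extensions directory, flags extensions whose IDs are not on an approved allowlist, and flags manifests that reference any of the three backend domains named here. The extension IDs and manifests are constructed samples, and treating the manifest as the place those domains would appear is an assumption.

```python
import json
import os
import tempfile

# The three backend domains named in the article, with the defanging brackets removed.
KNOWN_BAD_DOMAINS = {"tabplugins.com", "yowgames.com", "chromewallpaper.com"}

def domains_in_manifest(manifest: dict, domains: set) -> set:
    """Return the subset of `domains` mentioned anywhere in the manifest JSON."""
    blob = json.dumps(manifest).lower()
    return {d for d in domains if d in blob}

def audit_extensions(extensions_dir: str, allowlist: set) -> list:
    """Report extensions under <profile>/Extensions that are off-allowlist or reference a bad domain."""
    findings = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            mpath = os.path.join(ext_path, version, "manifest.json")
            if not os.path.isfile(mpath):
                continue
            with open(mpath, encoding="utf-8") as fh:
                manifest = json.load(fh)
            reasons = []
            if ext_id not in allowlist:
                reasons.append("not on allowlist")
            hits = domains_in_manifest(manifest, KNOWN_BAD_DOMAINS)
            if hits:
                reasons.append("references " + ", ".join(sorted(hits)))
            if reasons:
                findings.append({"id": ext_id, "version": version,
                                 "name": manifest.get("name", "?"), "reasons": reasons})
    return findings

def build_sample_profile() -> str:
    """Constructed sample profile; the extension IDs are placeholders, not the campaign's real IDs."""
    root = tempfile.mkdtemp()
    samples = {
        "a" * 32: {"name": "Corporate SSO Helper", "version": "1.0",
                   "host_permissions": ["https://sso.example.com/*"]},
        "b" * 32: {"name": "Cool Wallpapers New Tab", "version": "2.3",
                   "host_permissions": ["https://*.chromewallpaper.com/*"]}}
    for ext_id, manifest in samples.items():
        ext_dir = os.path.join(root, ext_id, manifest["version"] + "_0")  # Chrome-style version dir
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root
```

On a real machine, point `audit_extensions` at the profile's `Extensions` folder and pass the IDs from the organization's approved list; each finding names the extension, its version directory, and why it was flagged.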
This campaign reflects a broader trend of extension-based malware delivery. Threat actors exploit the trust users place in the Chrome Web Store and the convenience of add-ons to distribute PUPs at scale. The wallpaper theme provides plausible deniability while the infrastructure remains hidden behind legitimate-appearing backends.
