Published on June 14, 2026
152 Malicious Chrome Extensions Caught Spoofing Google Organic Search Traffic
Severity
Medium
Researchers have uncovered a large-scale malicious browser extension campaign involving 152 Google Chrome extensions designed to generate fraudulent Google organic search traffic while collecting user-related data.
The operation, identified by Socket’s Threat Research Team, spanned 38 separate Chrome Web Store publisher accounts and was linked to three primary backend brands: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. The extensions were presented as legitimate “live wallpaper” and new-tab customization tools and accumulated approximately 105,000 installations.
Although the Chrome Web Store listings claimed that no user data was collected, researchers found that the extensions gathered information in the background, including IP addresses, Internet Service Provider (ISP) details, click activity, and referrer information. According to the operators’ external privacy policy, this data was shared with advertising and analytics partners, including Google AdSense, DoubleClick, and other third parties.
The most significant malicious activity was observed in 54 extensions associated with the TabPlugins brand. The behavior originated in the extensions' service worker component, which requested predefined URLs whenever the extension was installed or removed.
Upon installation, affected extensions automatically opened a new browser tab directing users to a TabPlugins landing page containing parameters commonly used to identify traffic originating from Google organic search results. This activity caused automated visits generated by the extensions to be recorded as legitimate search traffic.
Researchers also identified a mechanism triggered during extension removal that generated requests designed to mimic legitimate clicks from Google Search Engine Results Pages (SERPs). By creating software-generated interactions that resemble real user activity, the operation artificially manipulated web analytics and advertising attribution systems.
The campaign incorporated several techniques intended to hinder detection and disruption. An anti-forensic routine embedded within the extensions attempted to remove IndexedDB data on startup, while the operators distributed nearly identical extensions across dozens of separate publisher accounts to reduce the impact of takedown efforts.
Further analysis revealed that the supporting infrastructure was distributed across multiple Cloudflare accounts and hosting providers. Researchers believe the operation was designed to generate and monetize artificial web traffic through advertising platforms, while simultaneously collecting user-related data from affected systems.
The scale of the campaign, combined with its use of deceptive browser extensions and traffic manipulation techniques, highlights the continued abuse of browser extension ecosystems as a method for data collection, advertising fraud, and user tracking.
Recommendations
Organizations and users are advised to take the following precautions to reduce exposure to similar threats:
- Review installed browser extensions regularly and remove extensions that are no longer required or originate from untrusted publishers.
- Verify the legitimacy, permissions, and privacy practices of browser extensions before installation.
- Limit the installation of browser extensions to approved and business-required tools where possible.
- Monitor browser environments for extensions requesting excessive permissions or exhibiting unexpected behavior.
- Educate users on the risks associated with installing browser extensions from unfamiliar developers, even when distributed through official extension marketplaces.
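As an added example (not part of the advisory and not Socket's tooling), the following Python script triages an unpacked Manifest V3 extension's service worker for the combination of behaviours described above: an install-time tab opened to a page carrying organic-search parameters, an uninstall URL, and IndexedDB deletion at startup, which is the kind of "unexpected behavior" the monitoring recommendation refers to. The regex names, the scoring rule and the constructed sample extensions (the landing.example URLs) are assumptions of this example.

```python
from __future__ import annotations
import json
import re
import tempfile
from pathlib import Path

# Behaviours the write-up attributes to the TabPlugins service workers. The pattern
# names, scoring rule and sample extensions are this example's own constructions.
PATTERNS = {
    "install_hook": re.compile(r"chrome\.runtime\.onInstalled"),
    "opens_tab": re.compile(r"chrome\.tabs\.create\s*\("),
    "uninstall_url": re.compile(r"chrome\.runtime\.setUninstallURL\s*\("),
    "organic_params": re.compile(r"utm_source=google|utm_medium=organic"),
    "indexeddb_wipe": re.compile(r"indexedDB\.deleteDatabase\s*\("),
}

def triage(ext_dir: Path) -> dict:
    """Scan an unpacked MV3 extension's service worker and flag campaign-like combinations."""
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    sw_name = manifest.get("background", {}).get("service_worker")
    if not sw_name or not (ext_dir / sw_name).is_file():
        return {"service_worker": None, "hits": [], "suspicious": False}
    src = (ext_dir / sw_name).read_text()
    hits = [name for name, rx in PATTERNS.items() if rx.search(src)]
    # A welcome tab or an uninstall URL is normal on its own; pairing either with
    # organic-search parameters, or wiping IndexedDB at startup, matches this campaign.
    nav_hook = {"install_hook", "opens_tab"} <= set(hits) or "uninstall_url" in hits
    suspicious = ("organic_params" in hits and nav_hook) or "indexeddb_wipe" in hits
    return {"service_worker": sw_name, "hits": hits, "suspicious": suspicious}

def build_sample(root: Path, malicious: bool) -> Path:
    """Write a constructed unpacked extension; the malicious variant mirrors the reported behaviour."""
    ext = root / ("bad_ext" if malicious else "ok_ext")
    ext.mkdir(parents=True, exist_ok=True)
    (ext / "manifest.json").write_text(json.dumps(
        {"manifest_version": 3, "name": "sample", "version": "1.0",
         "background": {"service_worker": "sw.js"}}))
    landing = ("https://landing.example/?utm_source=google&utm_medium=organic"
               if malicious else "https://landing.example/welcome")
    src = "chrome.runtime.onInstalled.addListener(() => chrome.tabs.create({url: '%s'}));\n" % landing
    if malicious:
        src = "indexedDB.deleteDatabase('state');\n" + src + "chrome.runtime.setUninstallURL('%s');\n" % landing
    (ext / "sw.js").write_text(src)
    return ext

def run_demo() -> tuple[dict, dict]:
    """Build both samples in a temp dir and return (benign, malicious) triage results."""
    root = Path(tempfile.mkdtemp())
    return triage(build_sample(root, False)), triage(build_sample(root, True))
```

Call `run_demo()` to see both constructed samples, or `triage(Path("/path/to/unpacked_extension"))` against a real extension directory; a welcome tab on install alone does not trip the flag.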
IOCs
- tabplugins[.]com
- yowgames[.]com
- chromewallpaper[.]com
- owhit[.]com
- 147[.]79[.]120[.]202
- 92[.]112[.]198[.]22
Source
https://gbhackers.com/malicious-152-chrome-extensions-google-search/
