152 Chrome extensions linked to adware.

Posted by Megiddo (staff member)
Researchers at Socket discovered 152 malicious Chrome extensions disguised as live wallpapers for new tabs. The extensions collected user data and were likely used for ad fraud.

The researchers report that a total of 152 extensions were installed more than 105,000 times. All of them disguised themselves as tools for decorating new browser tabs (primarily offering various live wallpapers featuring anime characters, game heroes, cars, and celebrities).

The campaign involved 38 developer accounts in the Chrome Web Store and was associated with three platforms: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. A full list of the malicious extensions can be found in Socket's report.

The researchers' attention was initially drawn to a contradiction: the extensions' descriptions in the Chrome Web Store claimed not to collect or use user data, while their privacy policies stated otherwise. According to those policies, the extensions record IP addresses, ISP information, click counts, and referral sources, then transmit this data to advertising partners, including Google AdSense and DoubleClick.

Furthermore, some of the detected extensions contained hidden mechanisms that were activated on installation and uninstallation. On installation, the extensions automatically opened a special page carrying UTM tags, creating the illusion for analytics systems that the user had reached the site through Google's organic search results. The uninstallation trick worked similarly: some extensions sent a special request through Google's infrastructure using google.com/url, so that to analytics systems the request appeared as a click on a search result link.


"This isn't a person who simply found the site through a Google search. The extension automatically opens the tab and marks the visit as organic," the researchers explain. They claim the entire scheme was aimed at falsifying traffic sources.
In other words, the extensions artificially created signals that advertising and analytics systems typically associate with real visitors, allowing campaign operators to artificially influence traffic metrics and traffic origins.

Researchers also discovered an inactive IndexedDB function in the extension code. When the service worker is launched, it can list and delete all detected IndexedDB databases. While this mechanism isn't currently being used, its presence suggests additional capabilities incorporated by the malware authors.
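The three behaviours described above (a UTM-tagged page opened on install, a google.com/url request on uninstall, and a dormant IndexedDB wipe in the service worker) can be turned into static triage indicators for unpacked extension source. The script below is an added example, not code from Socket's report or from the extensions themselves; the API names it looks for (chrome.runtime.onInstalled, setUninstallURL, indexedDB.databases/deleteDatabase) and both sample service workers are assumptions I constructed to illustrate the heuristic.

```python
import re

# Heuristic indicators for the behaviours in the write-up. The API names are
# assumptions about how such behaviour is usually implemented, not values
# taken from the report. Each indicator needs all of its patterns to match.
INDICATORS = {
    "install_fake_organic_visit": (r"runtime\.onInstalled", r"utm_(?:source|medium)="),
    "uninstall_google_redirect": (r"setUninstallURL", r"google\.com/url\?"),
    "indexeddb_wipe": (r"indexedDB\.databases\(", r"indexedDB\.deleteDatabase\("),
}

def scan_source(code: str) -> dict:
    """Map each indicator to True/False for one source file. Requiring every
    pattern keeps an ordinary onInstalled handler from firing on its own."""
    return {name: all(re.search(p, code) for p in pats) for name, pats in INDICATORS.items()}

def triage(files: dict) -> list:
    """files maps path -> source text of an unpacked extension.
    Returns sorted (path, fired_indicators) pairs for files with any hit."""
    hits = []
    for path, code in files.items():
        fired = [name for name, hit in scan_source(code).items() if hit]
        if fired:
            hits.append((path, fired))
    return sorted(hits)

# Constructed sample: a service worker mirroring the described behaviours.
SUSPECT_SW = """
chrome.runtime.onInstalled.addListener(() => {
  chrome.tabs.create({url: "https://example.invalid/?utm_source=google&utm_medium=organic"});
});
chrome.runtime.setUninstallURL("https://www.google.com/url?q=https://example.invalid/bye");
indexedDB.databases().then(dbs => dbs.forEach(d => indexedDB.deleteDatabase(d.name)));
"""

# Constructed sample: a benign wallpaper extension that only sets a default on install.
BENIGN_SW = """
chrome.runtime.onInstalled.addListener(() => {
  chrome.storage.local.set({wallpaper: "default.jpg"});
});
"""

if __name__ == "__main__":
    for path, fired in triage({"suspect/sw.js": SUSPECT_SW, "benign/sw.js": BENIGN_SW}):
        print(path, fired)
```

The patterns are plain-text heuristics, so minified or obfuscated bundles will need deobfuscation first; treat a hit as a reason to inspect the extension's network behaviour, not as proof of fraud.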
Socket believes this is a commercial operation involving advertising fraud and manipulation of traffic sources. A precise attribution for this campaign has not been established, but indirect evidence points to a possible connection between the hackers and Turkey.