152 Chrome Wallpaper Extensions Exposed as Adware with 105K Installs
Cybersecurity researchers at Socket have uncovered a sprawling network of 152 Google Chrome extensions posing as live wallpaper and new tab add-ons that covertly distribute a potentially unwanted program (PUP) family. Collectively installed around 105,000 times, the cluster spans 38 separate Chrome Web Store publisher accounts and routes activity through three brand backends: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. Among the popular lures are extensions like "Neymar - Football Live Wallpaper," "Satoru Gojo Manga Live Wallpaper," "Porsche 911 - Sports Car Live Wallpaper," and "BMW M3 Neon Night Drive Live Wallpaper"—all themed around anime, gaming, and automotive fans to maximize their reach.
Despite each listing explicitly claiming on the Chrome Web Store that it will not collect or use user data, the linked privacy policy admits the opposite. According to Socket researcher Kush Pandya, the extensions log IP addresses, ISPs, click counts, and referrers, then share that data with Google AdSense, DoubleClick, and other third-party ad partners. Users concerned about hidden trackers can review their exposure with a browser fingerprint test to see how uniquely identifiable their setup is, and verify that their browser isn't leaking network metadata through a DNS leak test.
The deception goes deeper than data harvesting. A sub-cluster of the extensions hardcodes two URLs inside a JavaScript file ("js/bg.js"), one opened on the install event and one on the uninstall event. The install URL is appended with UTM parameters such as "utm_source=google&utm_medium=organic&utm_campaign=tanjiro-demon-slayer-live-wallpaper", so the tab the extension opens after installation looks like a visit from genuine organic search. The uninstall URL wraps a google.com redirect to disguise removals as legitimate Google Search activity, a tactic designed to inflate ad revenue and poison analytics for publishers. The infrastructure behind these schemes can be investigated further with a WHOIS lookup on the offending domains.
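A static check for the two URL patterns described above, as an added example that is not code from Socket's report or from the extensions themselves: it scans a background script's source for hardcoded URLs carrying organic-search UTM tags and for google.com URLs that wrap a redirect to another host. The sample script, its example.invalid host and the rule names are constructed, and wiring the URLs through chrome.runtime.onInstalled and chrome.runtime.setUninstallURL is an assumption about how "js/bg.js" triggers them.

```javascript
// Constructed sample shaped like the "js/bg.js" described above. The host, paths and
// campaign name are placeholders, and the chrome.* wiring is an assumption.
const SAMPLE_BG_JS = `
chrome.runtime.onInstalled.addListener(function (d) {
  if (d.reason === "install") {
    chrome.tabs.create({ url: "https://wallpaper.example.invalid/welcome?utm_source=google&utm_medium=organic&utm_campaign=sample-live-wallpaper" });
  }
});
chrome.runtime.setUninstallURL("https://www.google.com/url?q=https%3A%2F%2Fwallpaper.example.invalid%2Fbye");
`;

const SEARCH_HOSTS = new Set(["google.com", "www.google.com"]);

// Pull every quoted http(s) string literal out of the script source.
function extractUrls(source) {
  const urls = [];
  for (const m of source.matchAll(/["'`](https?:\/\/[^"'`\s]+)["'`]/g)) {
    try { urls.push(new URL(m[1])); } catch (_) { /* not a parseable URL */ }
  }
  return urls;
}

// Return one finding per hardcoded URL that matches either pattern.
function auditBackgroundScript(source) {
  const findings = [];
  for (const url of extractUrls(source)) {
    const p = url.searchParams;
    // Hardcoded attribution: an extension cannot know the user arrived via organic search.
    if (!SEARCH_HOSTS.has(url.hostname) &&
        (p.get("utm_source") || "").toLowerCase() === "google" &&
        (p.get("utm_medium") || "").toLowerCase() === "organic") {
      findings.push({ rule: "forged-organic-utm", host: url.hostname, campaign: p.get("utm_campaign") });
    }
    // Search-engine URL whose query parameter carries an absolute URL on another host.
    if (SEARCH_HOSTS.has(url.hostname)) {
      for (const [, value] of p) {
        let inner;
        try { inner = new URL(value); } catch (_) { continue; }
        if (/^https?:$/.test(inner.protocol) && !SEARCH_HOSTS.has(inner.hostname)) {
          findings.push({ rule: "search-wrapped-redirect", host: url.hostname, target: inner.hostname });
        }
      }
    }
  }
  return findings;
}
```

Run it over each script file of an unpacked extension; a finding is a reason to read the file by hand, not a verdict.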
This campaign underscores how browser extensions remain a fertile attack surface for low-effort, high-reward adware operations. Users who have installed wallpaper or theme extensions in recent months should audit their Chrome browser immediately, remove any unfamiliar add-ons, and run a privacy checkup to identify lingering exposure. Chrome Web Store reviewers and Google security teams continue to face pressure to catch these coordinated networks before they scale past six-figure install counts.