152 Chrome Extensions Caught Faking Google Organic Search Traffic
Socket’s Threat Research Team has uncovered a coordinated family of 152 ‘live wallpaper’ Chrome extensions that secretly logged user data and faked Google organic search traffic to inflate ad revenue. Built from a single codebase but spread across 38 separate Chrome Web Store publisher accounts, with 141 still live at the time of analysis, the network reached roughly 105,000 combined installs before Socket published its findings on 12 June 2026. Because the extensions are standard Chromium add-ons, the same code runs in Edge, Brave, Opera, and Vivaldi, not Chrome alone.
The campaign is an adware-adjacent operation, but the mechanism that makes it relevant to anyone working in search is the traffic fraud: it launders silent software installs into what analytics platforms read as legitimate Google organic search visits.
How the extensions faked organic search traffic
The extensions presented themselves as new-tab and live-wallpaper tools, with names like “Neymar - Football Live Wallpaper” (the network’s most-installed, at around 10,000) and “Porsche 911 - Sports Car Live Wallpaper”. The traffic fraud ran through two distinct mechanisms, on install and on uninstall.
On installation, the service worker force-opened a tab tagged with hard-coded UTM parameters, utm_source=google&utm_medium=organic, so that analytics platforms attributed the visit to Google organic search rather than to the extension. As Socket put it: “The visit is not a person who searched Google; it is the extension opening a tab on its own and stamping it ‘arrived from Google organic search.’”
On uninstall, the extensions called setUninstallURL with a spoofed google.com/url redirect carrying forged ved and usg tokens, the signed parameters Google appends to real search-result clicks. That wrapped the operator’s own domain in Google’s legitimate redirect format, making the exit ping look like a genuine organic click too. The forgery was concentrated in the tabplugins[.]com cluster, the largest of the three brands at 109 extensions.
This is “traffic laundering”: converting installs and uninstalls into falsely attributed organic visits. The fabricated signal is exactly what advertisers and affiliate programmes pay a premium to acquire, which is the operation’s apparent commercial motive. Users were funnelled to ad-monetised brand pages: the tabplugins cluster ran a Prebid header-bidding stack into Google Ad Manager, while the yowgames and owhit pages were wired directly to Google AdSense.
The privacy contradiction
Every extension in the network declared “no data collected” on its Chrome Web Store listing. The operator’s linked privacy policy said otherwise, admitting to logging “internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages”, then sharing that telemetry with Google AdSense, DoubleClick, and third-party ad partners. The extensions also leaked users’ saved new-tab shortcut domains through favicon requests.
They shipped an undisclosed anti-forensic routine too: a function in js/bg.js that enumerated and deleted IndexedDB databases on every service-worker start. In this build it deleted nothing (the extensions stored state in localStorage), but it represents undisclosed capability present across the network, and its console string, “Deleted IndexedDB database:”, was the shared fingerprint Socket used to identify every variant.
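For anyone auditing an unpacked extension directory, the behaviours described so far (the hard-coded organic UTM tag, the setUninstallURL call wrapped in a google.com/url redirect with ved/usg tokens, and the shared console string) can be checked with a small static scan. This is an added example, not Socket's tooling or code from the extensions; the fixture contents, the operator.example and vendor.example hosts, and the function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the article; each is matched as plain text in the source files.
INDICATORS = {
    "forged_organic_utm": re.compile(r"utm_source=google&(?:amp;)?utm_medium=organic", re.I),
    "uninstall_hook": re.compile(r"\bsetUninstallURL\s*\("),
    "google_redirect_tokens": re.compile(r"google\.com/url\?[^\"'\s]*\b(?:ved|usg)=", re.I),
    "idb_wipe_fingerprint": re.compile(r"Deleted IndexedDB database:"),
}

def scan_extension(root):
    """Map each indicator to the files (relative to root) that contain it."""
    root, hits = Path(root), {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".js", ".html", ".json"}:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.setdefault(name, []).append(path.relative_to(root).as_posix())
    return hits

def assess(hits):
    """setUninstallURL alone is common and legitimate; flag it only with forged tokens."""
    findings = [n for n in ("forged_organic_utm", "idb_wipe_fingerprint") if n in hits]
    if hits.keys() >= {"uninstall_hook", "google_redirect_tokens"}:
        findings.append("spoofed_uninstall_redirect")
    return findings

# Constructed fixtures (not real extension code); the .example hosts are placeholders.
SAMPLE_BG = '''
const WELCOME = "https://operator.example/start?utm_source=google&utm_medium=organic";
chrome.runtime.setUninstallURL(
  "https://www.google.com/url?q=https://operator.example/bye&ved=PLACEHOLDER&usg=PLACEHOLDER");
console.log("Deleted IndexedDB database:", name);
'''
BENIGN_BG = 'chrome.runtime.setUninstallURL("https://vendor.example/feedback");\n'

def demo():
    """Scan one suspect and one benign fixture written to a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for ext, source in (("suspect", SAMPLE_BG), ("benign", BENIGN_BG)):
            (Path(tmp) / ext / "js").mkdir(parents=True)
            (Path(tmp) / ext / "js" / "bg.js").write_text(source, encoding="utf-8")
            results[ext] = assess(scan_extension(Path(tmp) / ext))
    return results

if __name__ == "__main__":
    print(demo())
```

String matching like this misses URLs assembled at runtime or fetched from a server, so a clean result is not proof that an extension is benign.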
Attribution
The code was scattered across 38 publisher accounts and three brand domains: tabplugins[.]com (109 extensions), yowgames[.]com (19), and chromewallpaper[.]com (13, redirecting to owhit[.]com). Spreading identical templates across isolated accounts and fragmenting the backend across separate Cloudflare accounts and hosting providers is a deliberate design to resist cascading takedowns. Socket security researcher Kush Pandya assessed the campaign as a “financially motivated commercial adware and traffic-attribution-fraud affiliate operation” whose exact provenance is unknown, with circumstantial indicators (Turkish-language patterns in contact emails) pointing to a possible Turkish origin rather than a confirmed actor. One named extension owner disputed the report, calling their operation legitimate and describing the ChromeWallpaper redirect as a security measure.
Note also that the 105,000 figure is a floor, not a precise count: the Chrome Web Store rounds install numbers into buckets at and above 1,000, so the network’s true reach is an order-of-magnitude estimate.
What this means for SEOs and analytics
The practical takeaway is about trusting your own data. If extension networks can inject fake utm_source=google&utm_medium=organic visits into the web at scale, then organic traffic in GA4 and other analytics tools is not automatically clean. A spike in “organic” sessions that does not correspond to impressions or clicks in Google Search Console is a warning sign worth investigating.
Cross-referencing analytics organic numbers against Search Console performance data is the most reliable check: Search Console reports what Google actually served and what users actually clicked, so it is not fooled by client-side UTM spoofing. Discrepancies between the two, organic sessions in analytics with no matching Search Console clicks, are the signature this kind of fraud leaves behind.
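The cross-check described above can be run per landing page and per day, which surfaces the pages receiving tagged "organic" sessions that Search Console never recorded a click for. This is an added example, not part of the original article: the CSV column names, the sample rows and the two thresholds are assumptions, since sessions and clicks are different metrics and some tolerance is needed.

```python
import csv
import io
from collections import defaultdict

# Constructed exports. Column names are assumptions, not a GA4 or Search Console schema.
ANALYTICS_CSV = """date,landing_page,source_medium,sessions
2026-06-01,/wallpapers/,google / organic,120
2026-06-01,/blog/post,google / organic,45
2026-06-02,/wallpapers/,google / organic,940
2026-06-02,/welcome,google / organic,310
2026-06-02,/blog/post,google / organic,48
2026-06-02,/blog/post,newsletter / email,30
"""
SEARCH_CONSOLE_CSV = """date,page,clicks
2026-06-01,/wallpapers/,131
2026-06-01,/blog/post,50
2026-06-02,/wallpapers/,128
2026-06-02,/blog/post,52
"""

def load(text, key_col, value_col, keep=lambda row: True):
    """Sum value_col per (date, page) for the rows that pass the keep filter."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(text)):
        if keep(row):
            totals[(row["date"], row[key_col])] += int(row[value_col])
    return totals

def unexplained_organic(analytics_csv, gsc_csv, tolerance=1.5, min_surplus=50):
    """Return (date, page, sessions, clicks) where organic sessions outrun GSC clicks."""
    sessions = load(analytics_csv, "landing_page", "sessions",
                    keep=lambda r: r["source_medium"] == "google / organic")
    clicks = load(gsc_csv, "page", "clicks")
    flagged = []
    for key, n in sorted(sessions.items()):
        c = clicks.get(key, 0)  # a page absent from Search Console counts as zero clicks
        # Require both an absolute and a relative gap so low-traffic noise is ignored.
        if n - c >= min_surplus and n > c * tolerance:
            flagged.append((*key, n, c))
    return flagged

if __name__ == "__main__":
    for row in unexplained_organic(ANALYTICS_CSV, SEARCH_CONSOLE_CSV):
        print(row)
```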
It is also a reminder that Chrome Web Store listings claiming “no data collected” are self-declared and not verified at scale. The 105,000 users here trusted that declaration; the linked privacy policy contradicted it outright.
There is a sharper version of this risk for SEOs specifically: our own browsers are usually loaded with extensions. SERP scrapers, on-page audit overlays, schema validators, keyword tools, and metric injectors all want broad read access to the pages we visit, which is exactly the permission profile that makes a hijacked extension dangerous. And these tools are a known target. In March 2026 the popular “Save Image as Type” extension, with over a million users, was bought from its original developer and pushed a malicious update that hijacked retail affiliate links for commission fraud, the same monetisation model as the wallpaper network. Google kept it flagged as “Featured” until it was removed. A clean, well-reviewed extension can turn malicious overnight through an ownership change, with no action required from the user who installed it. Audit the extensions in your working profile periodically, remove anything you no longer use, and treat broad host permissions as a cost to justify rather than a default to accept.
The same playbook hit the server side weeks earlier. In April 2026 Wordfence documented a critical backdoor (CVE-2026-6443, CVSS 9.8) across the “Essential Plugins” WordPress portfolio: a buyer had quietly acquired the 30-plus plugins, planted a dormant backdoor, and eight months later activated it to inject spam pages and redirects served only to Googlebot, invisible to site owners. That is malicious cloaking aimed squarely at search, and it is a reminder that the buy-trusted-software-then-weaponise-it risk spans every component in your stack, plugins and themes as much as browser extensions.
Sources
- 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Faked Google Search Traffic — Socket
- 152 Chrome Wallpaper Extensions with 105K Installs Linked to Adware and Fake Traffic — The Hacker News
- Malicious 152 Chrome Extensions Caught Spoofing Google Organic Search Traffic — GBHackers
- A list of over 150 Chrome wallpaper extensions caught faking Google traffic & tracking users — PiunikaWeb
- Chrome Extension “Save Image as Type” Was Hijacked, Putting Over 1 Million Users at Risk — gHacks
- Someone bought 30 WordPress plugins and planted a backdoor in all of them — Anchor Hosting
- Essentialplugin Plugins (Various Versions) — Injected Backdoor (CVE-2026-6443) — Wordfence Intelligence