- A cluster of 152 Google Chrome extensions has been discovered distributing a potentially unwanted program (PUP) and committing attribution fraud.
- The extensions, which act as live wallpaper add-ons, have been installed over 105,000 times and misrepresent their data collection practices.
- The operation uses hidden code to fabricate search traffic origin and delete local browser databases, suggesting a financially motivated adware campaign.
On June 15, 2026, cybersecurity researchers uncovered a network of 152 malicious Google Chrome extensions posing as live wallpaper add-ons. This widespread campaign, according to reports, uses three brand backends to distribute a potentially unwanted program (PUP).
The extensions, operating under 38 publisher accounts, falsely claim they do not collect user data. However, their privacy policies admit to logging IP addresses and sharing information with ad partners like Google AdSense.
Consequently, a sub-cluster of these add-ons contains hard-coded JavaScript URLs activated during installation and removal. The install URL includes UTM parameters to disguise the activity as organic Google search traffic.
Meanwhile, the uninstall URL is wrapped in a google.com/url format to mimic a genuine search result click. “The visit is not a person who searched Google; it is the extension opening a tab on its own and stamping it ‘arrived from Google organic search,'” the investigating company explained.
Furthermore, the JavaScript files possess a dormant capability to delete every IndexedDB database upon service worker start. The campaign is assessed as a financially motivated commercial adware and traffic-attribution-fraud operation.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
