That Chrome Wallpaper Extension Could Be Adware

TL;DR: Researchers uncovered 152 Chrome wallpaper extensions with over 105,000 installs that secretly distribute adware. The extensions generate fake web traffic and display unwanted ads, posing a security risk to users and corporate networks.
Key facts
- Category: Cybersecurity
- Impact: High
- Published
- Source: The Hacker News
Full summary
Over 105,000 Chrome users installed 152 wallpaper extensions that secretly push adware and generate fake traffic for attackers.
Cybersecurity researchers have uncovered a large-scale adware campaign operating through the Google Chrome Web Store. The campaign involves a network of 152 different Chrome extensions, all disguised as live wallpaper add-ons. These extensions have been installed by over 105,000 users. The network is extensive, spanning 38 separate publisher accounts and linked to three primary backend domains. Once installed, these seemingly harmless extensions deliver a Potentially Unwanted Program (PUP), a type of software that performs unwanted actions without the user's explicit consent. The primary function of this PUP is to generate fake web traffic and display intrusive advertisements, benefiting the operators of the campaign financially. This operation highlights a persistent threat where popular, simple applications are used as a cover for malicious activity.
This discovery is a critical reminder for IT and security teams about the risks associated with browser extensions. While many extensions provide useful functionality, they can also serve as a gateway for malware into a corporate network. Adware of this nature can degrade system performance, compromise user privacy by tracking browsing habits, and potentially expose the network to more severe threats by creating security vulnerabilities. For businesses, the presence of such unvetted software on employee devices represents a significant compliance and security risk. The campaign's structure, using numerous publisher accounts, demonstrates a sophisticated effort to evade detection and remain on the Chrome Web Store, making manual oversight challenging.
The use of appealing themes like live wallpapers is a common social engineering tactic designed to lower a user's guard. Attackers frequently exploit popular app categories to distribute malware because users are more likely to install them without close inspection. This incident underscores the importance of a proactive security posture, which includes educating users about the dangers of installing extensions from unknown developers and implementing policies to manage and restrict browser add-ons. Organizations should regularly audit installed extensions and consider using an allowlist to ensure that only approved and vetted tools are used on company devices. Constant vigilance is necessary as attackers continuously refine their methods for bypassing app store security checks.
⚡ Action needed
Users and IT administrators should review installed Chrome extensions and remove any suspicious wallpaper add-ons from their browsers and corporate environments.
Action checklist
1. Audit all installed Chrome extensions on company devices.
2. Remove any extensions from the identified publisher accounts or backends.
3. Educate employees on the risks of installing unvetted browser add-ons.
4. Consider using an allowlist for approved browser extensions in your organization.
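One way to carry out the audit and allowlist steps in the checklist above, as an added example that is not from the source article: it walks a Chrome profile's Extensions folder and reports every installed extension whose ID is not on an approved list. The profile layout (Extensions/<id>/<version>/manifest.json) is an assumption about how Chrome stores extensions on disk, and the extension IDs and names are constructed placeholders, since the summary lists no identifiers.

```python
import json
import re
import tempfile
from pathlib import Path

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 letters in the range a-p

def audit_profile(profile_dir, allowlist):
    """Return a finding for every installed extension whose ID is not allowlisted."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(ext_root.iterdir()):
        if not EXT_ID.match(ext_dir.name) or ext_dir.name in allowlist:
            continue
        finding = {"id": ext_dir.name, "name": None, "version": None, "permissions": []}
        # Assumed layout: Extensions/<id>/<version>/manifest.json; use the last version dir by name.
        manifests = sorted(ext_dir.glob("*/manifest.json"))
        if manifests:
            try:
                m = json.loads(manifests[-1].read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                m = {}  # unreadable manifest: the ID is still reported
            if not isinstance(m, dict):
                m = {}
            finding["name"] = m.get("name")  # may be a "__MSG_...__" locale key
            finding["version"] = m.get("version")
            perms = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
            finding["permissions"] = sorted({p for p in perms if isinstance(p, str)})
        findings.append(finding)
    return findings

def build_sample_profile(root):
    """Constructed sample data: two fake extensions with placeholder IDs."""
    samples = {
        "a" * 32: {"name": "Approved Password Manager", "version": "1.0", "permissions": ["storage"]},
        "b" * 32: {"name": "Live Wallpaper Sample", "version": "2.3",
                   "permissions": ["tabs"], "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        d = Path(root) / "Extensions" / ext_id / (manifest["version"] + "_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_profile(build_sample_profile(tmp), allowlist={"a" * 32}):
            print(f["id"], f["name"], f["version"], f["permissions"])
```

On a real device, point `audit_profile` at each user's Chrome profile directory and supply the organization's approved IDs as the allowlist; broad entries such as `<all_urls>` in the reported permissions are the ones to review first.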
Primary source: The Hacker News