
Chrome Wallpaper Extensions Used for Adware Redirects and Storage Wipes

Palo Alto Networks Unit 42 has reported a Chrome Web Store adware campaign built around live wallpaper and new-tab extensions. The researchers said they tracked three publishing accounts, Ovkas, Gameograf, and Kidswallpapers/Owhit, and identified more than 50 wallpaper extensions tied to adware behavior.

The extensions look like harmless personalization add-ons, but Unit 42 says they can open affiliate-tracked pages after installation, set uninstall tracking URLs, inject remote HTML popups, and in some cases delete browser IndexedDB storage. The campaign is a useful reminder that a cosmetic browser add-on can still behave like a potentially unwanted program when it controls new-tab traffic and redirects.

What Unit 42 Found

According to the Unit 42 threat-intelligence note, the extensions collectively had more than 30,000 installs. The researchers connected them to adware affiliate marketing and ad fraud, where browser traffic can be pushed to pages the user did not deliberately choose to visit.

  • Publisher accounts: Ovkas, Gameograf, and Kidswallpapers/Owhit.
  • Distribution domains: chromewallpaper[.]com, gameograf[.]com, ovkas[.]com, and owhit[.]com.
  • Behaviors called out by Unit 42: affiliate redirects after install, uninstall tracking, remote HTML popup injection, and IndexedDB deletion.
  • Sample extension IDs: abcidfelbbfbijdeilhlgmgejdbappaj, belplhjdnniinakggihimnikmhiijenk, dbfgidnodecgmmademfkaddkjidikobd, fnfaggodhehejkigojefdehaffoneokd, jnnkcihkpoljaejgnmaohgbodpdmfmdg, and pkmjadcejhbaahnlaooacmfkfflpkcic.

Why IndexedDB Deletion Matters

IndexedDB is browser storage used by many web apps for offline files, cached media, drafts, and larger local data. Deleting it is more than ordinary cache cleanup: it can force apps to redownload data, break offline workflows, or remove local state a user expected to keep.

Unit 42 says the Owhit wallpaper extensions deleted IndexedDB to force a re-download cycle for stored wallpaper videos. Gameograf extensions were also described as having higher-severity behavior because of remote HTML injection and IndexedDB deletion. That combination moves the issue beyond simple annoying ads and closer to browser-control abuse.

Quick Check for Chrome Users

  • Open chrome://extensions and remove wallpaper, live wallpaper, animated background, cursor, or new-tab add-ons you do not clearly remember installing.
  • Check whether the publisher, extension name, or support site mentions Ovkas, Gameograf, Kidswallpapers, Owhit, or the domains listed above.
  • If Chrome keeps opening unexpected tabs, new-tab pages, affiliate redirects, or popups, review the broader pop-up ads and browser notifications cleanup steps.
  • After removing a suspicious extension, restart Chrome and make sure browser sync does not reinstall it on another device.
  • If redirects began after installing software or a browser add-on, compare the behavior with recent fake-download cases such as hidden TDS click hijacking and malvertising that pushes adware apps.
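The ID and publisher checks from this list can be scripted. The following is an added example, not code from Unit 42 or Adware Guru: it walks a Chrome "User Data" directory and flags installed extensions whose ID is one of the samples listed above, whose manifest mentions one of the publisher or domain names, or which override the new-tab page. The function names and the substring heuristic are assumptions of this example; a hit means "review this extension", not a confirmed detection.

```python
import json
import sys
from pathlib import Path

# Sample extension IDs listed in this article.
KNOWN_IDS = {
    "abcidfelbbfbijdeilhlgmgejdbappaj", "belplhjdnniinakggihimnikmhiijenk",
    "dbfgidnodecgmmademfkaddkjidikobd", "fnfaggodhehejkigojefdehaffoneokd",
    "jnnkcihkpoljaejgnmaohgbodpdmfmdg", "pkmjadcejhbaahnlaooacmfkfflpkcic",
}
# Publisher and domain name fragments from this article. Substring matching is a
# heuristic (an assumption of this example) and can produce false positives.
NAME_MARKERS = ("ovkas", "gameograf", "kidswallpapers", "owhit", "chromewallpaper")


def review_manifest(ext_id, manifest_text):
    """Return the reasons an extension deserves a manual look (empty list if none)."""
    reasons = []
    if ext_id in KNOWN_IDS:
        reasons.append("extension ID listed in the article")
    hits = [m for m in NAME_MARKERS if m in manifest_text.lower()]
    if hits:
        reasons.append("manifest mentions: " + ", ".join(hits))
    try:
        manifest = json.loads(manifest_text)
    except ValueError:
        return reasons  # unparsable manifest: keep only the text-based reasons
    overrides = manifest.get("chrome_url_overrides") if isinstance(manifest, dict) else None
    if isinstance(overrides, dict) and "newtab" in overrides:
        reasons.append("overrides the new-tab page")
    return reasons


def scan_user_data(user_data_dir):
    """Scan <User Data>/<profile>/Extensions/<id>/<version>/manifest.json files.

    On Windows the directory is usually %LOCALAPPDATA%/Google/Chrome/User Data.
    """
    findings = []
    for path in sorted(Path(user_data_dir).glob("*/Extensions/*/*/manifest.json")):
        try:
            text = path.read_text(encoding="utf-8-sig", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        reasons = review_manifest(path.parents[1].name, text)
        if reasons:
            findings.append((path.parents[3].name, path.parents[1].name, reasons))
    return findings


if __name__ == "__main__":
    for profile, ext_id, reasons in scan_user_data(sys.argv[1]):
        print(f"{profile}: {ext_id}: " + "; ".join(reasons))
```

Run it with the path to the "User Data" directory as the only argument. Extensions loaded unpacked from another folder are not stored under `Extensions` and will not appear in the output.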

Takeaway

A wallpaper extension does not need broad system access to create real cleanup problems. If it controls new-tab behavior, opens tracked redirects, injects remote content, or wipes browser storage, remove it and treat the browser as potentially modified by adware.

Daniel Zimmermann

Daniel Zimmermann has been writing about adware, browser notification abuse, unwanted programs and practical Windows cleanup for many years. He focuses on clear removal steps for everyday users and keeps Adware Guru guides grounded in observable browser symptoms.
