When it comes to malware, ad injectors may seem relatively benevolent at first. They put an ad on your Google Search page that didn’t belong there, for example. That’s annoying, but doesn’t seem dangerous. But ad injection was pretty much what Lenovo’s Superfish was doing and that created plenty of security issues for users. Indeed, the research, which is based on the analysis of 100 million pageviews across Google’s sites from Chrome, Firefox and Internet Explorer, classified about a third of these injectors as “outright malware.”
Given that these kinds of ad injectors are often bundled with legitimate software — and desktop developers and download sites often see them as a relatively easy way to make a bit of extra money with their installers and download wrappers — it’s easy enough to install one of them inadvertently.
Google and the Berkeley researchers found that ad injectors are now available on all major platforms and browsers. Out of those 5 percent of users that have at least one installed, one-third actually had four of them running simultaneously and half were running two. Clearly, there is a group of users that is a bit more prone to catching one of these than others.
Google says it is publishing these numbers (and a more detailed research report on May 1) to raise awareness about ad injectors.
“Unwanted ad injectors aren’t part of a healthy ads ecosystem,” Google Safe Browsing engineer Nav Jagpal writes in today’s announcement. “They’re part of an environment where bad practices hurt users, advertisers and publishers alike.”
Given that these programs inject themselves between the browser and the website, and change the website’s code, browsers have a hard time figuring out which ads are legitimate and which ones are not.
“In broader terms, the question of just who ultimately controls the information presented to users is of great and increasing importance – it’s one of the most vital issues the digital world faces,” UC Berkeley EECS professor Vern Paxson noted in a statement today. “Ad injection undermines the integrity of user interactions and surreptitiously inserts control separate from either of the communicating parties. Thus it represents one of the ‘fronts’ in this key struggle.”
Google says it has already banned 192 Chrome extensions that affected 14 million users based on this research and it is now using the same techniques the researchers used to scan all new and updated extensions in the Chrome Web Store.
Google’s advertising and browser extension policies pretty much ban deceptive ad injectors — as do most other ad networks — but most of the companies that build them aren’t exactly about following the rules. It’s also worth noting that ad networks often don’t know that their ads are being used in this way.
Unless Google and other browser and advertising vendors find a technical solution to this problem, chances are it’ll never fully go away.