Google goes on the Offensive versus Ad Injectors

Google has announced serious actions to prevent ad injectors that compromise the integrity of users’ browsing experience across the globe.

Google has declared “war” on programs that compromise the integrity of users’ browsing experience across the globe.  In a recent blog post featured on Google’s Online Security Blog, Google has released information surrounding research that they have been performing during the first quarter of 2015.

“To increase awareness about ad injectors and the scale of this issue, we’ll be releasing new research on May 1 that examines the ad injector ecosystem in depth.”

This research was performed as a collaborative effort between Google and researchers at the University of California Berkeley; but before we dive into the numbers and other statistical information, you may be curious as to what exactly is an ad injector.  To keep it simple, an

To keep it simple, an ad injector is a program that performs its injection activities between even legitimate websites, and the user’s web browser.

What these programs do can be drawn from their classification: They display advertisements on the web pages that the user browses to.  They either inject brand new advertisements on web pages that are often legitimate websites that otherwise would not display advertisements if not for the ad injector program being active.  However, they can also modify existing advertisements found (again, on any website, legitimate or illegitimate) with other advertisements specified by the program.

While ad injectors are generally classified as PUPs (Potentially Unwanted Programs) and weigh more toward the benign side of software (as opposed to explicitly being declared to be malware), the consequences of such programs being active can be quite severe.  They are often bundled with legitimate programs, therefore, most users are not aware of what is going on behind the scenes when installing a legitimate program with an ad injector bundled within the “legitimate” installer.  However, many ad injectors can be classified as malware, and perform more malicious activities or rather, be a part of a much more severe issue (i.e. higher-severity classification of malware such as a component of a Trojan).

Advertisements have also been leveraged as exploitation vectors for malicious authors, especially in recent times, such as the recent rebirth and exponential growth of ransomware found in-the-wild.

Google has already had preventive measures in place to combat ad injectors, general malware, known malicious websites, and other threats that we commonly encounter as we browser the web, but the data gathered and analyzed during the Google-led ad injector research reveals greater insight into these programs, especially in terms of calculating overall statistics.

Google released some initial metrics surrounding their research, which encompassed the analysis of over 100 million logged pageviews across websites owned by Google.  This data was acquired from users browsing the web utilizing three browsers: Google Chrome, Mozilla Firefox, and Internet Explorer. These users were located around the globe, and ad injectors were discovered on two operating systems, Microsoft’s Windows operating system and Apple’s Mac operating system.

Out of the total number of unique users that browsed the tracked Google-owned sites during this study, it was determined that more than 5% of these users were infected with at least one ad injector.  Google stated that of the 5% of affected users, 1/3 of them had at least four ad injectors installed on their device, and ½ of them had at least two ad injectors installed.

Google determined that thirty-four percent of Google Chrome extensions found to be injecting advertisements could be classified, as Google put it, “as outright malware”.  Google also stated that they have already found approximately 192 Chrome extensions that attempted to deceive users, and that these extensions affected approximately 14 million users.  Google has since disabled these benign or malicious extensions, and we can only speculate that there are many more extensions that will perish under Google’s crusade versus ad injectors.

More granular information, and an official release of Google’s research regarding ad injectors is expected to be released on May 1 of this year.

About the Author Michael Fratello

Michael Fratello is a Security Engineer employed by CipherTechs, Inc., a privately held information security services provider located in downtown Manhattan, New York.  Specializing in Penetration Testing and Digital Forensics, Michael, a St. John’s University graduate majoring in Computer Security Systems, has developed a passion for information security and often spends his free time studying, programming, and researching the exponentially growing number of threats found in-the-wild today.

Edited by Pierluigi Paganini

(Security Affairs –  ad injectors, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Meta stopped covert operations from Iran, China, and Romania spreading propaganda

Meta stopped three covert operations from Iran, China, and Romania using fake accounts to spread…

18 hours ago

US Treasury sanctioned the firm Funnull Technology as major cyber scam facilitator

The U.S. sanctioned Funnull Technology and Liu Lizhi for aiding romance scams that caused major…

1 day ago

ConnectWise suffered a cyberattack carried out by a sophisticated nation state actor<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

ConnectWise detected suspicious activity linked to a nation-state actor, impacting a small number of its…

1 day ago

Victoria’s Secret ‘s website offline following a cyberattack

Victoria’s Secret took its website offline after a cyberattack, with experts warning of rising threats…

2 days ago

China-linked APT41 used Google Calendar as C2 to control its TOUGHPROGRESS malware

Google says China-linked group APT41 controlled malware via Google Calendar to target governments through a…

2 days ago

New AyySSHush botnet compromised over 9,000 ASUS routers, adding a persistent SSH backdoor.

GreyNoise researchers warn of a new AyySSHush botnet compromised over 9,000 ASUS routers, adding a…

2 days ago