Pierluigi Paganini April 03, 2015

Google has announced serious actions to prevent ad injectors that compromise the integrity of users’ browsing experience across the globe.

Google has declared “war” on programs that compromise the integrity of users’ browsing experience across the globe.  In a recent blog post featured on Google’s Online Security Blog, Google has released information surrounding research that they have been performing during the first quarter of 2015.

“To increase awareness about ad injectors and the scale of this issue, we’ll be releasing new research on May 1 that examines the ad injector ecosystem in depth.”

This research was performed as a collaborative effort between Google and researchers at the University of California Berkeley; but before we dive into the numbers and other statistical information, you may be curious as to what exactly is an ad injector.  To keep it simple, an

To keep it simple, an ad injector is a program that performs its injection activities between even legitimate websites, and the user’s web browser.

What these programs do can be drawn from their classification: They display advertisements on the web pages that the user browses to.  They either inject brand new advertisements on web pages that are often legitimate websites that otherwise would not display advertisements if not for the ad injector program being active.  However, they can also modify existing advertisements found (again, on any website, legitimate or illegitimate) with other advertisements specified by the program.

While ad injectors are generally classified as PUPs (Potentially Unwanted Programs) and weigh more toward the benign side of software (as opposed to explicitly being declared to be malware), the consequences of such programs being active can be quite severe.  They are often bundled with legitimate programs, therefore, most users are not aware of what is going on behind the scenes when installing a legitimate program with an ad injector bundled within the “legitimate” installer.  However, many ad injectors can be classified as malware, and perform more malicious activities or rather, be a part of a much more severe issue (i.e. higher-severity classification of malware such as a component of a Trojan).

Advertisements have also been leveraged as exploitation vectors for malicious authors, especially in recent times, such as the recent rebirth and exponential growth of ransomware found in-the-wild.

Google has already had preventive measures in place to combat ad injectors, general malware, known malicious websites, and other threats that we commonly encounter as we browser the web, but the data gathered and analyzed during the Google-led ad injector research reveals greater insight into these programs, especially in terms of calculating overall statistics.

Google released some initial metrics surrounding their research, which encompassed the analysis of over 100 million logged pageviews across websites owned by Google.  This data was acquired from users browsing the web utilizing three browsers: Google Chrome, Mozilla Firefox, and Internet Explorer. These users were located around the globe, and ad injectors were discovered on two operating systems, Microsoft’s Windows operating system and Apple’s Mac operating system.

Out of the total number of unique users that browsed the tracked Google-owned sites during this study, it was determined that more than 5% of these users were infected with at least one ad injector.  Google stated that of the 5% of affected users, 1/3 of them had at least four ad injectors installed on their device, and ½ of them had at least two ad injectors installed.

Google determined that thirty-four percent of Google Chrome extensions found to be injecting advertisements could be classified, as Google put it, “as outright malware”.  Google also stated that they have already found approximately 192 Chrome extensions that attempted to deceive users, and that these extensions affected approximately 14 million users.  Google has since disabled these benign or malicious extensions, and we can only speculate that there are many more extensions that will perish under Google’s crusade versus ad injectors.

More granular information, and an official release of Google’s research regarding ad injectors is expected to be released on May 1 of this year.

About the Author Michael Fratello

Edited by Pierluigi Paganini

(Security Affairs –  ad injectors, malware)