PC Cleaning Tools

New Research: The Ad Injection Economy

Posted by Kurt Thomas, Spam & Abuse Research

In March, we outlined the problems with unwanted ad injectors, a common symptom of unwanted software. Ad injectors are programs that insert new ads, or replace existing ones, into the pages you visit while browsing the web. We’ve received more than 100,000 user complaints about them in Chrome since the beginning of 2015—more than any other issue. Unwanted ad injectors are not only annoying, they can pose serious security risks to users as well.

Today, we’re releasing the results of a study performed with the University of California, Berkeley and Santa Barbara that examines the ad injector ecosystem, in-depth, for the first time. We’ve summarized our key findings below, as well as Google’s broader efforts to protect users from unwanted software. The full report, which you can read here, will be presented later this month at the IEEE Symposium on Security & Privacy.

Ad injectors’ businesses are built on a tangled web of different players in the online advertising economy. This complexity has made it difficult for the industry to understand this issue and help fix it. We hope our findings raise broad awareness of this problem and enable the online advertising industry to work together and tackle it.

How big is the problem?

This is what users might see if their browsers were infected with ad injectors. None of the ads displayed appear without an ad injector installed.
To pursue this research, we custom-built an ad injection “detector” for Google sites. This tool helped us identify tens of millions of instances of ad injection “in the wild” over the course of several months in 2014, the duration of our study.
More detail is below, but the main point is clear: deceptive ad injection is a significant problem on the web today. We found 5.5% of unique IPs—millions of users—accessing Google sites that included some form of injected ads.
How ad injectors work
The ad injection ecosystem comprises a tangled web of different players. Here is a quick snapshot.
Examples of injected ads ‘in the wild’
 
How Google fights deceptive ad injectors
We pursued this research to raise awareness about the ad injection economy so that the broader ads ecosystem can better understand this complex issue and work together to tackle it.
Based on our findings, we took the following actions:
Most recently, we updated our AdWords policies to make it more difficult for advertisers to promote unwanted software on AdWords. It’s still early, but we’ve already seen encouraging results since making the change: the number of ‘Safe Browsing’ warnings that users receive in Chrome after clicking AdWords ads has dropped by more than 95%. This suggests it’s become much more difficult for users to download unwanted software, and for bad advertisers to promote it. Our blog post from March outlines various policies—for the Chrome Web Store, AdWords, Google Platforms program, and the DoubleClick Ad Exchange (AdX)—that combat unwanted ad injectors, across products.
We’re also constantly improving our Safe Browsing technology, which protects more than one billion Chrome, Safari, and Firefox users across the web from phishing, malware, and unwanted software. Today, Safe Browsing shows people more than 5 million warnings per day for all sorts of malicious sites and unwanted software, and discovers more than 50,000 malware sites and more than 90,000 phishing sites every month.
Considering the tangle of different businesses involved—knowingly, or unknowingly—in the ad injector ecosystem, progress will only be made if we raise our standards, together. We strongly encourage all members of the ads ecosystem to review their policies and practices so we can make real improvement on this issue.