About 5% of Google visitors have at least one ad injector installed, according to the company.
Ad injectors are programs that insert extra ads, or replace existing ads, on Web pages. They may be acquired through malware, deception, inadequate disclosure, or deliberate disregard for online risks. Lenovo in February disavowed the Superfish ad injector that was on notebooks it shipped during the final three months of 2014, after it came to understand the security implications of the software.
Google plans to publish research next month about the extent of ad injectors, and has shared some of its findings in a blog post. Among the 5% of people visiting Google sites who have ad injectors on their systems, half of those have at least two ad injectors installed, and almost one third have at least four installed.
In the blog post, Google software engineer Nav Jagpa referred to ad injectors as "unwanted software," a term that stops short of the designation "malware" and avoids "adware" and "malvertising." However, he noted that 34% of the Chrome extensions injecting ads were classified as malware.
Google's research is based on data from 100 million page views of Google sites around the globe through Chrome, Firefox, and Internet Explorer on Mac and Windows systems. The company found ad injectors affecting the three browsers and two operating systems tested. Ad injectors can be installed through browser extensions or add-ons, or through other software.
"People don't like ad injectors for several reasons: Not only are they intrusive, but people are often tricked into installing ad injectors in the first place, via deceptive advertising, or software 'bundles,'" explained Jagpal in his blog.
Jagpal pointed out that ad injectors present problems for advertisers and publishers, too, by preventing them from knowing where their ads are running and by running ads that offer no compensation and that may harm website visitors.
Google doesn't ban ad injectors outright from its Chrome Web Store. It allows people to install those that clearly document what they do, perhaps because denying users the tools to alter code in their browsers could ban desirable user-instigated page modifications. But the company does require that those making Chrome extensions adhere to policies that prohibit deceptive or malicious behavior.
Google also requires AdWords advertisers to adhere to its Unwanted Software Policy. And it prohibits Google Platform users and DoubleClick Ad Exchange sellers from overlaying ad space on a website without the site owner's permission.
After analyzing data from 800,000 users at 70 companies from January 1 through November 30, 2014, Cisco Security Research found that the number of individuals with malicious browser add-ons ranged from 711 to 1,751 during any given month. Cisco suggested such malware is optimized for survivability and long-term financial gain, rather than rapid, mass distribution, which tends to attract security countermeasures.
According to a research paper published last year, "The Dark Alleys of Madison Avenue: Understanding Malicious Advertisements," most ad networks "send only a small degree of malicious advertisements." However, on one ad network, 3% of the ads were malicious. Not all malicious ads result in infections -- the paper cites 9% as suggested rate of infection after exposure to malicious ads.
Last May, a US Senate report on the online advertising industry found that the complexity of the online advertising ecosystem prevents consumers from avoiding malicious advertising and impedes industry accountability.
Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.