Google finds 1 in 25 page-views are ad-injected – and Chrome Store saturated with adware
Thu 7 May 2015
A new study from Research at Google has determined that as many as 1 in 25 pageviews on the web contain ads that are not supposed to be there – and most are supplied by the notorious Superfish adware.
Ad injection hit the headlines in February of this year when Robert Graham at Errata Security published a report detailing how Superfish adware bundled with certain models of Lenovo laptop was using a self-signed, locally installed certificate to help it inject ads into even secure web pages, prompting embarrassment at Lenovo and the eventual release of a removal tool for the offending software.
The new report, led by Google research scientist Kurt Thomas, transforms perception of the practice from an opportunistic hack to a veritable industry in its own right, led by market leader Superfish.
The paper concludes: “We found that ad injection has entrenched itself as a cross-browser monetization platform impacting more than 5% of unique daily IP addresses accessing Google – tens of millions of users around the globe.”
The report also illustrates how malicious entry points of ad injection use ‘obscurity in numbers’ – the researchers identified 50,870 Google Chrome extensions in the Chrome Store which enabled ad injection, in addition to 34,407 Windows binaries which did likewise. Of these, 38% and 17% respectively are classed as ‘explicitly malicious’.
Perhaps most interestingly, the report recommends review of browser extensions which have the capability of injecting content into a web page, urging browser developers to ‘harden their environments against side-loading extensions or modifying the browser environment without user consent’.
Many of the most popular browser add-ons provide their functionality by intervening at the Document Object Model (DOM) level of a loading web page. Many of the most popular ad-blockers interfere with output HTML in this way in order to hide or cloak regular web-page advertising.
The report also advises that sites should switch to HTTP Strict Transport Security (HSTS), a web security policy framework which prevents the kind of ‘downgrade’ attacks that the NSA, as it transpires, has been exploiting for some years. HSTS represents an additional layer of security on top of Google’s recommendation of late last year that sites should switch to https (instead of http), SSL-certificated operation – an act of security which Mountain View has promised to reward with a corresponding increase in search ranking.
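For site operators acting on the HSTS recommendation, the following added example (not from the Google report or this article) audits a response's `Strict-Transport-Security` header against the parsing rules of RFC 6797. The 180-day `MIN_MAX_AGE` floor and the sample headers are assumptions constructed for illustration.

```python
# Added example: audit an HSTS header the way a browser interprets it (RFC 6797).
MIN_MAX_AGE = 15552000  # 180 days; assumed policy floor, not from the article


def parse_hsts(value):
    """Return (directives, error). Directive names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # stray semicolons (empty directives) are permitted
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # a value may be a quoted-string
        if name in directives:
            return None, "duplicate directive: " + name
        directives[name] = val
    return directives, None


def audit_hsts(headers, scheme):
    """headers: list of (name, value); returns findings, empty if policy passes."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["no HSTS header: browser will not force https"]
    if scheme != "https":
        return ["HSTS sent over http is ignored by browsers"]
    directives, err = parse_hsts(values[0])  # only the first header is processed
    if err:
        return [err + " (header ignored)"]
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return ["max-age missing or not an integer (header ignored)"]
    findings = []
    if int(max_age) == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append("max-age below %d seconds" % MIN_MAX_AGE)
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains stay downgradable")
    return findings


if __name__ == "__main__":
    # Constructed sample response headers, not captured from a real site.
    sample = [("Content-Type", "text/html"),
              ("Strict-Transport-Security", "max-age=300")]
    for finding in audit_hsts(sample, "https"):
        print(finding)
```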