Ad injection is a tangled web, Google study reveals

News by Tom Reeve

A study by Google and the University of California claims to shed light on the ecosystem behind ad injector malware, revealing the relationships between ad injectors, intermediaries and advertisers.

“Ad injectors' businesses are built on a tangled web of different players in the online advertising economy. This complexity has made it difficult for the industry to understand this issue and help fix it,” wrote Kurt Thomas, spam and abuse researcher, Google.

The study, said to be the first of its kind, found that 5.5 percent of users were using browsers infected with ad injector software. To tease out this data, Google built an ad injection detector to run on Google sites. “This tool helped us identify tens of millions of instances of ad injection ‘in the wild' over the course of several months in 2014, the duration of our study,” he said.

Thomas summarised the ad injection ecosystem:

  • Software: more than 50,000 browser extensions and 34,000 software applications were found that took control of users' browsers and injected ads. Around 30 percent were described as malicious because in addition to injecting ads, they also stole credentials, hijacked search queries and reported users' activities to third parties.
  • Distribution: a network of around 1000 affiliates drives as many installs as possible via marketing, bundling software with popular downloads, malware and social advertising campaigns, driven by a commission payment system that rewards the affiliates whenever a user clicks on an ad.
  • Injection libraries: 25 businesses provide the library of ads that the ad injectors rely on, managing advertiser relationships and deciding which ads to display as well as paying affiliates for clicks.
  • Ads: most of the advertisers were described as victims of the system. Major retailers are paying for traffic to their sites, unable to ascertain the method by which the visitors were sourced. “Because advertisers are generally only able to measure the final click that drives traffic to their sites, they're often unaware of many preceding twists and turns, and don't know they are receiving traffic via unwanted software and malware,” Thomas wrote.

“Seventy-seven percent of all injected ads go through one of three ad networks—,, and,” he added.

He said that Google has taken steps to secure its Chrome browser. It is also alerting affected advertisers about the deceptive practices and ad networks. “This reflects a broader set of Google Platforms program policies and the DoubleClick Ad Exchange (AdX) Seller Program Guidelines that prohibit programs overlaying ad space on a given site without permission of the site owner,” he said.

“Considering the tangle of different businesses involved — knowingly, or unknowingly — in the ad injector ecosystem, progress will only be made if we raise our standards, together. We strongly encourage all members of the ads ecosystem to review their policies and practices so we can make real improvement on this issue,” he concluded.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews