Google Research Reveals Profitable, Pervasive Ad Injector Ecosystem

More than five percent of all unique IP addresses accessing Google sites included some kind of ad injector software, and there are more than 50,000 of those injector browser extensions in use today, according to new research from Google.

More than five percent of all unique IP addresses accessing Google sites included some kind of ad injector software, and there are more than 50,000 of those injector browser extensions in use today, according to new research from Google.

The company conducted the research over the course of several months last year as a way to find out more about the way that the ad injector ecosystem works and help find ways to better defend against them. Ad injectors aren’t always considered outright malicious, though many of them are. Their main reason for being is to inject ads into users’ browsers and drive pay-per-click traffic through a knot of affiliates, ad networks, and syndicators to sites owned by major advertisers. These companies typically don’t know that the traffic arriving at their sites is coming from these schemes.

“It all starts with software that infects your browser. We discovered more than 50,000 browser extensions and more than 34,000 software applications that took control of users’ browsers and injected ads. Upwards of 30% of these packages were outright malicious and simultaneously stole account credentials, hijacked search queries, and reported a user’s activity to third parties for tracking. In total, we found 5.1% of page views on Windows and 3.4% of page views on Mac that showed tell-tale signs of ad injection software,” Kurt Thomas of Google’s spam and abuse team wrote in a post explaining the results of the research. 

“Next, this software is distributed by a network of affiliates that work to drive as many installs as possible via tactics like: marketing, bundling applications with popular downloads, outright malware distribution, and large social advertising campaigns. Affiliates are paid a commision whenever a user clicks on an injected ad. We found about 1,000 of these businesses, including Crossrider, Shopper Pro, and Netcrawl, that use at least one of these tactics.”

The ad injectors pull in ads from a bunch of different companies that are the sources of so-called injection libraries. The most well-known of these is Superfish, which rose to infamy earlier this year after researchers discovered it pre-installed on Lenovo laptops and warned that it could be used for man-in-the-middle attacks after the password for the root certificate associated with it was cracked. The discovery set off a firestorm in the security and privacy industry and provoked ire from users, who had no idea the adware was on their machines.

Browser vendors issued fixes to remove the Superfish root CA from their software.

“Like other SSL interception software, Superfish seeks to add functionality to the Web by intercepting secure Web connections and injecting content into Web sites.  In order to be able to inject content into secure connections, it adds a trusted root certificate to the Windows and Firefox root stores.  With this trusted authority in place, Superfish can effectively create a fake ID for any website, so that it can convince Firefox that the browser is connected to the real website — even though it’s actually connected to Superfish,” Richard Barnes of Mozilla wrote at the time. 

Google’s research found that nearly 80 percent of all of the injected ads its system detected came from one of three main ad networks.

“Because advertisers are generally only able to measure the final click that drives traffic to their sites, they’re often unaware of many preceding twists and turns, and don’t know they are receiving traffic via unwanted software and malware. Ads originate from ad networks that translate unwanted software installations into profit: 77% of all injected ads go through one of three ad networks—,, and Publishers, meanwhile, aren’t being compensated for these ads,” Thomas said in his post.

To conduct the research, Google’s engineers wrote a custom detector for its sites that looked for injected ads. The software found tens of millions of injected ads over the course of the research project, and as a result removed 192 deceptive extensions from the Chrome Web store. Google also changed the way the browser identifies unwanted software and shows users a bold red warning when they’re trying to install such an injector.

“Most recently, we updated our AdWords policies to make it more difficult for advertisers to promote unwanted software on AdWords. It’s still early, but we’ve already seen encouraging results since making the change: the number of ‘Safe Browsing’ warnings that users receive in Chrome after clicking AdWords ads has dropped by more than 95%. This suggests it’s become much more difficult for users to download unwanted software, and for bad advertisers to promote it,” Thomas said.

Suggested articles