Connect with us

Hi, what are you looking for?


Malware & Threats

Google Report Unmasks Ad Injection Economy

More than five percent of unique IPs visiting Google-owned websites had at least one ad injector installed, according to a new study.

More than five percent of unique IPs visiting Google-owned websites had at least one ad injector installed, according to a new study.

“Our results reveal that ad injection has entrenched itself as a cross-browser monetization platform that impacts tens of millions of users around the globe,” according to a report from Google and a team of researchers that will be presented at the IEEE Symposium on Security and Privacy later this month. “Our client-side telemetry finds that 5.5% of unique daily IP addresses visiting Google properties have at least one ad injector installed. The most popular,, injects ads into more than 16,000 websites and grossed over $35 million in 2013 according to financial reports.”

The researchers found that all of the top ad injectors are organized as affiliate programs that “decouple advertisement selection from third parties responsible for taking hold of a client’s browser,” according to the paper.

Of the top affiliates for each program, the most popular browser plugins such as ShopperPro, PlusHD and Yontoo. The injected ads hit the user’s machine in a number of ways. In the report, the researchers found 50,870 Chrome extensions and more than 34,000 software applications served as unwanted ad injectors.

“Upwards of 30% of these packages were outright malicious and simultaneously stole account credentials, hijacked search queries, and reported a user’s activity to third parties for tracking,” blogged Kurt Thomas of Google. “In total, we found 5.1% of page views on Windows and 3.4% of page views on Mac that showed tell-tale signs of ad injection software.”

“Next, this software is distributed by a network of affiliates that work to drive as many installs as possible via tactics like: marketing, bundling applications with popular downloads, outright malware distribution, and large social advertising campaigns,” he blogged. “Affiliates are paid a commission whenever a user clicks on an injected ad. We found about 1,000 of these businesses, including Crossrider, Shopper Pro, and Netcrawl, that use at least one of these tactics.”

The researchers also found that ad injectors source their ads from about 25 businesses that offer injection libraries. Superfish and Jollywallet are by far the most popular of these, and appeared in 3.9 percent and 2.4 percent of Google views, respectively.

Advertisement. Scroll to continue reading.

“The ad injection ecosystem profits from more than 3,000 victimized advertisers—including major retailers like Sears, Walmart, Target, Ebay—who unwittingly pay for traffic to their sites,” blogged Thomas. “Because advertisers are generally only able to measure the final click that drives traffic to their sites, they’re often unaware of many preceding twists and turns, and don’t know they are receiving traffic via unwanted software and malware. Ads originate from ad networks that translate unwanted software installations into profit: 77% of all injected ads go through one of three ad networks—,, and Publishers, meanwhile, aren’t being compensated for these ads.”

In response to the situation, Google has removed 192 deceptive Chrome extensions that affected 14 million users with ad injection from the Chrome Web Store. The company also added improved protections in Chrome to detect unwanted software and reached out to the advertisers affected by ad injection to alert them about deceptive practices and the ad networks involved, blogged Thomas. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...