Security Blog
The latest news and insights from Google on security and safety on the Internet
Out with unwanted ad injectors
31. ožujka 2015.
Posted by Nav Jagpal, Software Engineer, Safe Browsing
It’s tough to read the New York Times under these circumstances:
And it’s pretty unpleasant to shop for a Nexus 6 on a search results page that looks like this:
The browsers in the screenshots above have been infected with ‘ad injectors’. Ad injectors are programs that insert new ads, or replace existing ones, into the pages you visit while browsing the web. We’ve received more than 100,000 complaints from Chrome users about ad injection since the beginning of 2015—more than network errors, performance problems, or any other issue.
Injectors are yet another symptom of “
unwanted software
”—programs that are deceptive, difficult to remove, secretly bundled with other downloads, and have other bad qualities. We’ve made
several
recent
announcements about our work to fight unwanted software via
Safe Browsing
, and now we’re sharing some updates on our efforts to protect you from injectors as well.
Unwanted ad injectors: disliked by users, advertisers, and publishers
Unwanted ad injectors aren’t part of a healthy ads ecosystem. They’re part of an environment where bad practices hurt users, advertisers, and publishers alike.
People don’t like ad injectors for several reasons: not only are they intrusive, but people are often tricked into installing ad injectors in the first place, via deceptive advertising, or software “bundles.” Ad injection can also be a security risk, as the
recent “Superfish” incident
showed.
But, ad injectors are problematic for advertisers and publishers as well. Advertisers often don’t know their ads are being injected, which means they don’t have any idea where their ads are running. Publishers, meanwhile, aren’t being compensated for these ads, and more importantly, they unknowingly may be putting their visitors in harm’s way, via spam or malware in the injected ads.
How Google fights unwanted ad injectors
We have a variety of policies that either limit, or entirely prohibit, ad injectors.
In Chrome, any extension hosted in the Chrome Web Store must comply with the
Developer Program Policies
. These require that extensions have a
narrow and easy-to-understand purpose
. We don’t ban injectors altogether—if they want to, people can still choose to install injectors that clearly disclose what they do—but injectors that sneak ads into a user’s browser would certainly violate our policies. We show people familiar red warnings when they are about to download software that is deceptive, or doesn’t use the right APIs to interact with browsers.
On the ads side,
AdWords advertisers
with software downloads hosted on their site, or linked to from their site, must comply with our
Unwanted Software Policy
. Additionally, both
Google Platforms program policies
and the
DoubleClick Ad Exchange (AdX) Seller Program Guidelines
, don’t allow programs that overlay ad space on a given site without permission of the site owner.
To increase awareness about ad injectors and the scale of this issue, we’ll be releasing new research on May 1 that examines the ad injector ecosystem in depth. The study, conducted with researchers at University of California Berkeley, drew conclusions from more than 100 million pageviews of Google sites across Chrome, Firefox, and Internet Explorer on various operating systems, globally. It’s not a pretty picture. Here’s a sample of the findings:
Ad injectors were detected on all operating systems (Mac and Windows), and web browsers (Chrome, Firefox, IE) that were included in our test.
More than 5% of people visiting Google sites have at least one ad injector installed. Within that group, half have at least two injectors installed and nearly one-third have at least four installed.
Thirty-four percent of Chrome extensions injecting ads were classified as outright malware.
Researchers found 192 deceptive Chrome extensions that affected 14 million users; these have since been disabled. Google now incorporates the techniques researchers used to catch these extensions to scan all new and updated extensions.
We’re constantly working to improve our product policies to protect people online. We encourage others to do the same. We’re committed to continuing to improve this experience for Google and the web as a whole.
Nema komentara :
Objavi komentar
Oznake
#sharethemicincyber
#supplychain #security #opensource
AI Security
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2026
tra
ožu
velj
sij
2025
pro
stu
lis
ruj
kol
srp
lip
svi
tra
ožu
velj
sij
2024
pro
stu
lis
ruj
kol
srp
lip
svi
tra
ožu
velj
sij
2023
pro
stu
lis
ruj
kol
srp
lip
svi
tra
ožu
velj
sij
2022
pro
stu
lis
ruj
kol
srp
lip
svi
tra
ožu
velj
sij
2021
pro
stu
lis
ruj
kol
srp
lip
svi
tra
ožu
velj
sij
2020
pro
stu
lis
ruj
kol
srp
lip
svi
tra
ožu
velj
sij
2019
pro
stu
lis
ruj
kol
srp
lip
svi
tra
ožu
velj
sij
2018
pro
stu
lis
ruj
kol
srp
lip
svi
tra
ožu
velj
sij
2017
pro
stu
lis
ruj
srp
lip
svi
tra
ožu
velj
sij
2016
pro
stu
lis
ruj
kol
srp
lip
svi
tra
ožu
velj
sij
2015
pro
stu
lis
ruj
kol
srp
lip
svi
tra
ožu
velj
sij
2014
pro
stu
lis
ruj
kol
srp
lip
tra
ožu
velj
sij
2013
pro
stu
lis
kol
lip
svi
tra
ožu
velj
sij
2012
pro
ruj
kol
lip
svi
tra
ožu
velj
sij
2011
pro
stu
lis
ruj
kol
srp
lip
svi
tra
ožu
velj
2010
stu
lis
ruj
kol
srp
svi
tra
ožu
2009
stu
lis
kol
srp
lip
ožu
2008
pro
stu
lis
kol
srp
svi
velj
2007
stu
lis
ruj
srp
lip
svi
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.
Follow
Nema komentara :
Objavi komentar