Google clamps down on ad injectors after 100,000 Chrome users complained
Naked Security

Google has taken a heavy hand to ad injectors after a study revealed 34% of surveyed ads were peddling malware and 192 "deceptive Chrome extensions" were discovered.

Google has picked a fight with ad injectors – programs that insert adverts into the pages you visit while browsing the web – following complaints from more than 100,000 of its Chrome users.

The search giant accumulated the huge pile of grumbles in just three months, demonstrating that users viewed annoying, and sometimes dangerous, browser-based ad injectors as a major gripe, surpassing concerns over performance issues and network errors.

Writing for Google’s online security blog, software engineer Nav Jagpal said ad injectors are “part of an environment where bad practices hurt users, advertisers, and publishers alike,” adding that:

People don’t like ad injectors for several reasons: not only are they intrusive, but people are often tricked into installing ad injectors in the first place, via deceptive advertising, or software "bundles".

Here’s an example of ad injectors on a Google site for a search for ‘Nexus 6’:

[Image: Google Injected]

Jagpal was keen to point out that the blame for ad injectors should not lie solely with advertisers – many, he said, were unaware that their adverts were being injected at all and so had no idea where some of their ads were running.

Publishers are also victims in some senses, he said, pointing out that they were not being compensated for displaying injected ads, and may be completely unaware that visitors to their sites were being put at risk by spam or injected malware.

So what is Google going to do about this menace?

Jagpal says the company already had policies in place that limited or prohibited ad injectors but, to further understand the issues, it commissioned a survey from the University of California, Berkeley.

The study crawled through data obtained from over 100 million page views of Google sites, using the Chrome, Firefox and Internet Explorer browsers.

The survey’s full findings will be made public on 1 May as part of an awareness program about ad injectors but, in the meantime, Google said of the data that came back: “It’s not a pretty picture”.

The study, which was conducted on machines running both Windows and OS X, found ad injectors on both operating systems and in each of the three tested browsers.

Around 1 in 20 people visiting Google sites had at least one ad injector installed. Of those, half had at least two injectors installed and nearly a third had four or more.

34% of Chrome extensions injecting ads were classified as outright malware.

The researchers also discovered 192 “deceptive” Chrome extensions affecting 14 million users, all of which have since been disabled.

Google says it has implemented techniques used in the research to better enable it to scan all new extensions, as well as old ones which get updated.

Commenting on the findings, Jagpal said:

We're constantly working to improve our product policies to protect people online. We encourage others to do the same. We're committed to continuing to improve this experience for Google and the Web as a whole.

That’s not to say Google will completely ban ad injectors though – it says users should have the freedom to install them if they wish – but the injectors must be completely transparent about what they do and not overlay website ad space without permission from the site’s owner.

However, sneaky injectors that are designed to slip ads, or worse, into a user’s browser will not be welcome and Google says such software will definitely find itself in unwanted software policy territory.

To help users avoid installing rogue ad injectors in the future, Google will deploy its familiar red warning notice, which will advise Chrome users that the web page is attempting to install ad-injecting software without having the correct browser APIs in place.
