Trust is an important facet of our online experience. We implicitly trust certain websites like Amazon, the BBC, The Guardian and will happily spend our time browsing these sites carefree.
It’s taken a while for us to get to this point, and we have developed general rules of thumb along the way: don’t go to dodgy websites, examine links carefully, beware of emails from unknown sources. But there is a particular attack vector which goes against these guiding principles.
What is Malvertising?
A portmanteau of ‘malicious advertising’, malvertising is the practice of inserting malware into legitimate online ad networks to target a broad spectrum of users. It’s a particularly interesting attack vector that has grown in tandem with the proliferation of ad networks, enabling bad actors to infiltrate the ‘safer’ grounds of highly reputable websites.
These ads can appear across both apps and websites and can seem perfectly normal. In fact, agents build their reputations with select ad platforms, ensure they pass initial screenings and then replace the harmless content with harmful content.
The intention is to get potential victims to click on an ad that redirects them to a phishing site or infected server which executes an exploit kit on connection, thus infecting the device with malware. The more worrying trend is the rise in drive-by downloads, where the ad doesn’t even need to be clicked for the target to be infected. Google alone serves billions of ads on a daily basis, making the threat of malvertising enormous and something that needs to be factored into our online browsing behaviour.
What’s the difference between malvertising and adware?
Malvertising is the delivery mechanism for malware whilst adware is a particular type of malware that loads advertisements onto your screen, normally within the browser.
You’re probably thinking ‘who is actually clicking on ads?’ And you’re right to ask: people seldom click on pop-up and banner ads intentionally. Unfortunately, malvertisements don’t differentiate between intentional and unintentional clicks. So if an ad is clicked without the proper safeguards in place, malware is loaded.
Take mobile games for example. It’s very easy to get lost in a game, tapping away at the screen and then accidentally clicking on an ad strategically placed next to the in-game menu.
The way mobile devices are inherently used makes them an attractive form factor for malvertising campaigns and it’s mainly because of our fingers. They’re effective at scrolling, but they’re a relatively blunt instrument for clicking precisely. It’s very easy to click the wrong thing on a mobile device. This imprecision is something that “malvertisers” capitalize on.
For instance, how many times have you been served an ad or pop-up that turns into a multiple-choice quiz as to which cross you need to click to remove it? Aggressive malvertising campaigns take this a step further by delivering full-screen ads that hide a browser’s back button to make sure targets feel well and truly trapped.
Mobile is an advantageous platform for threat actors as many users don’t have suitable web filtering or security apps in place to detect such threats; it’s something that security teams need to be wary of in a digital world that is inundated with ads.
What are some examples of malvertising campaigns?
RoughTed was a malvertising operation spotted in 2017 and was particularly noteworthy due to its ability to obfuscate itself and work around ad-blockers. It managed to evade traditional anti-virus software techniques by dynamically generating new URLs which made malicious domains difficult to track.
Ks Clean is another example: malicious adware that hides itself within a mobile app. It targets users through malvertising and downloads immediately when a user clicks on an affected advertisement.
The download happens silently while the user is only shown a notification, seemingly from the phone itself, warning of a security issue. The notification asks the user to immediately install an upgrade. The only option given to the user is to hit ‘ok’ – no cancel button is available.
Once the user touches ‘ok’, the installation is able to finish and the adware gains administrative privileges. These privileges enable it to show unlimited pop-up ads to the user and make it exceptionally difficult to uninstall.
Given that 86% of Google’s revenue stems from advertising and over 90% of Facebook’s, malvertising poses a huge threat to the business models of ad network owners. Additionally, publishers have a vested interest in stopping malvertising campaigns since they too generate significant revenues from advertising. But more importantly, the trust people have in their websites will likely dwindle if they’re perceived as unsafe grounds. Both publishers and ad networks have their role to play in squashing malvertising.
The larger ad networks like Google have developed a host of proprietary technology to mitigate malvertising. In fact, Google has set up an anti-malvertising initiative to educate site owners, advertisers and the general population on the growing threat of malvertising. Additionally, Google forbids ads that exhibit malvertising behavior and released a number of updates to the Chrome browser, namely the prevention of iframe redirects, tab-under behavior and misleading UI.
Despite efforts being made, Google’s DoubleClick network (now part of Google’s Marketing Platform) was abused to deliver a cryptocurrency malvertising campaign in early 2018.
Keeping in mind that even Google, undoubtedly the dominant player in the digital advertising space, has its frailties, publishers need to thoroughly vet the third parties they work with to ensure robust processes are in place.
Another difficulty for publishers is that website and advertising activity typically fall within the remit of marketing. Addressing security threats isn’t an inherent skill set for modern marketers, even digital marketers. However, what marketers can do is work with the necessary parties to plug security holes as quickly as possible.
Malvertising is a real problem and one that needs to be addressed by all parties involved. An IAB study in 2015 calculated that malvertising costs the digital advertising industry $1.1 billion per year. It’s an attack vector that is growing and security teams need to ensure they have the right measures in place to protect their employees and their sensitive corporate data.