Add injectors are a major nuisance causing pop-ups and web page redirection against your will. More than 5% of people visiting Google sites have at least one ad injector installed, and they run on Windows and Mac!
Add injectors are malware programs that are deceptive, difficult to remove, secretly bundled with other downloads, and have other bad qualities. Google's made several recent announcements about their work to fight unwanted software via Safe Browsing, and now they're sharing some updates on their efforts to protect you from injectors as well.
People don’t like ad injectors for several reasons: not only are they intrusive, but people are often tricked into installing ad injectors in the first place, via deceptive advertising, or software “bundles.” Ad injection can also be a security risk, as the recent “Superfish” incident showed.
But, ad injectors are problematic for advertisers and publishers as well. Advertisers often don’t know their ads are being injected, which means they don’t have any idea where their ads are running. Publishers, meanwhile, aren’t being compensated for these ads, and more importantly, they unknowingly may be putting their visitors in harm’s way, via spam or malware in the injected ads.
How Google fights unwanted ad injectors
We have a variety of policies that either limit, or entirely prohibit, ad injectors.
In Chrome, any extension hosted in the Chrome Web Store must comply with the Developer Program Policies. These require that extensions have a narrow and easy-to-understand purpose. We don’t ban injectors altogether—if they want to, people can still choose to install injectors that clearly disclose what they do—but injectors that sneak ads into a user’s browser would certainly violate our policies. We show people familiar red warnings when they are about to download software that is deceptive, or doesn’t use the right APIs to interact with browsers.
On the ads side, AdWords advertisers with software downloads hosted on their site, or linked to from their site, must comply with our Unwanted Software Policy. Additionally, both Google Platforms program policies and theDoubleClick Ad Exchange (AdX) Seller Program Guidelines, don’t allow programs that overlay ad space on a given site without permission of the site owner.
To increase awareness about ad injectors and the scale of this issue, we’ll be releasing new research on May 1 that examines the ad injector ecosystem in depth. The study, conducted with researchers at University of California Berkeley, drew conclusions from more than 100 million page views of Google sites across Chrome, Firefox, and Internet Explorer on various operating systems, globally. It’s not a pretty picture. Here’s a sample of the findings:
- Ad injectors were detected on all operating systems (Mac and Windows), and web browsers (Chrome, Firefox, IE) that were included in our test.
- More than 5% of people visiting Google sites have at least one ad injector installed. Within that group, half have at least two injectors installed and nearly one-third have at least four installed.
- Thirty-four percent of Chrome extensions injecting ads were classified as outright malware.
- Researchers found 192 deceptive Chrome extensions that affected 14 million users; these have since been disabled. Google now incorporates the techniques researchers used to catch these extensions to scan all new and updated extensions.