[Jazmac]

Ad-injecting software made headlines in February with news of Superfish adware being pre-loaded on Lenovo PCs. But Superfish is not the only game in town.

Google teamed up with the University of California, Berkley and Santa Barbara for a new report that tracked incidents of this sometimes malicious software across the search giant's network.


Researchers followed computers visiting Google sites from June to October 2014. In those five months, "we found 5.5 percent of unique IPsmillions of usersaccessing Google sites...included some form of injected ads," Google spam and abuse researcher Kurt Thomas wrote in a a blog post.

Specifically, they detected 5,339,913 different IP addresses infected with adware. About 3.9 percent were courtesy of Superfish, followed by Jollywallet at 2.4 percent (though this was before the Superfish/Lenovo deal was revealed).

These companies, according to Thomas, manage advertising relationships with a handful of ad networks and shopping programs. Superfish, for example, will choose which ads to show, and when a visitor clicks on one, or even buys the product, Superfish makes a profitonly a fraction of which it shares with affiliates.

"Ad injectors' businesses are built on a tangled web of different players in the online advertising economy," Thomas wrote. "This complexity has made it difficult for the industry to understand this issue and help fix it."

In the joint study, researchers plotted what they called a "click-chain," which was produced from an ad injected on Google. A query for Android, for example, triggered Superfish to fetch a list of embeddable advertisements, like a Best Buy offer. The research team clicked the ad, which started a redirect chain through multiple intermediaries, before arriving at the advertised Best Buy page.

It's worth noting, the study said, that ad injectors "cheekily view this as yet another opportunity for profit"Superfish overloads BestBuy.com with rogue advertisements, despite having been paid by the superstore to deliver traffic.

The first sample of Superfish activity dates back to September 2012, though Google counted a substantial drop in injections last fall, when the Chrome Web Store removed deceptive extensions.

"We hope our findings raise broad awareness for this problem," Thomas said of adware, "and enable the online advertising industry to work together and tackle it."