The malware exploits known as malware-infected ads, or malvertising, have been around for decades, but new reports point to a steady rise in lethality.

With malvertising, the infected ads are typically placed on legitimate ad networks, which makes them more difficult to spot and remove. The technique continues to use more and more sophisticated mechanisms for getting their infections spread throughout the web and keep them running for a long time. The exploits can operate in one of several ways, including intercepting a user’s clickstream on random hyperlinks and substituting them with redirects to advertising websites.

One of the more popular and enduring malvertising campaigns has been the Angler Exploit. It has infected various ad networks, such as Yahoo’s back in 2015, and is still actively seen. The exploit is quite dangerous, since the malware is downloaded by just viewing the banner ad on a web page, without any further user action.

These malware-infected ads are also very profitable, since the ads are typically seen by thousands or even millions of viewers, and that can add up. One criminal, a Ukrainian national, was extradited several years ago for distributing more than a 100 million infected ads.

A 2021 report by Digital Citizens Alliance found that ad-supported exploits generated $1.3 billion in annual revenues. Essentially, the malware ads are masquerading as normal ads in the ad networks and using the network as a distribution and funds collection system.

One effort, called the HiddenAds campaign, has been in and out of the Google Play Store and amassed tens of millions of downloads during its reign. These were targeted toward Android users and could subscribe their victims to paid services without their permission, collecting commissions or the entire monthly billings. The mobile malware strains are particularly annoying, since often the ads are purposely designed to block the entire phone’s screen or operate in the background, or both.

The new threats include a series of more clever lures, such as “you may have already won” types of ad campaigns or enticing potential victims to be able to watch free movies or have victims purchase phony gift cards. These have been documented in a recent report from GenDigital Inc.’s Avast that examined its own telemetry collected from millions of its antivirus customers.

They found that malvertising and malicious browser push notifications have witnessed a dramatic increase, with malvertising accounting for nearly 4% of desktop exploits. These lures typically lead toward a phishing attack to steal account credentials or to poison a business’ brand, for example.

These environmental checks have come a long way since earlier threats such as the DealPly malvertising did back in 2019. DealPly is still very much around and Avast found it consituted a third of all adware strains found across its telemetry.

Another study by AdSecure, a security firm that specializes in finding and neutralizing these kinds of threats, found five of the more popular user experience violations in these attacks (shown below). These included deliberate landing page errors, or hijacking another webpage, or changing app permissions, among other methods.

For example, a malware-laced ad could ask a user to be allowed camera access when it is installed, hoping that most users won’t be paying attention. The attacker can then use the camera to take pictures of sensitive data or identify the person using the device.

AdSecure

Combating malvertising

Another recent report from Malwarebytes Labs documented new ways of operations. Like many general-purpose malware strains, these new malvertising campaigns first check to see what kind of environment the user is running. That can include the time of day in the local time zone, or using a VPN, a virtual machine instance, or if a user has previously visited the home website that is being used to distribute the malware.

If any of these conditions is satisfied, the malware doesn’t operate. According to the report, “by using better filtering before redirecting potential victims to malware, threat actors ensure that their malicious ads and infrastructure remain online longer.”

These tricks are tough to track down, says Andrew Reed, a product marketing manager, in a recent blog post for ad network security firm HumanSecurity. “No longer are ads performing the same way in both a sandbox and user environment, nor are bad actors using the same URLs, creative or methods numerous times.”

And the fact is, he says, “Malvertising isn’t going away anytime soon.” He recommends potential advertisers pre-screen their ads to ensure they haven’t been infected, along with blocking potential malicious domains or IP addresses. In addition, he recommends doing a more thorough behavioral analysis of each ad.

Images: Pixabay, AdSecure