TechGuard Blog

Fed up with Pop-up Ads Hijacking your Mobile Device?

You’ve got 5 minutes between meetings. So, you pull up Snapchat to check on your family. Before you can click on your kid’s feed, an ad pops up and won’t go away. You can’t even back out of it. You must force stop the app and then relaunch it. By the time it reloads, the 5 minutes are up, and you have to begin the next meeting still wondering if your son or daughter is staying out of trouble online.

Ads have a way of getting in the middle of things. Pop-up ads, banner ads, redirect ads, prestitial ads, interstitial ads, and the list goes on. And for some reason, pop-ups seem particularly invasive on mobile devices, where the display is already so small that a pop-up often hijacks the whole screen. Not only are you dealing with pesky legit ads from advertising companies, but also with malware-laced ads from nefarious actors trying to make a quick buck.

With revenue being the end game, legit advertising networks are launching more aggressive and intrusive mobile advertising methods by including functionality in apps to display ads in the notification bar, add bookmarks, or create search engine shortcuts on the home screen. To exacerbate the problem, the underlying JavaScript code is not always vetted, opening up vulnerabilities for the nefarious to exploit.

Let’s face it, we rely upon our mobile devices to deliver the content we want, including visiting sites where we input and view sensitive data. “Pop-up ads may be lead generators for many businesses, but those which take over a user’s ability to view a site altogether are leading to lost revenue and potential malware hosts,” Inspired eLearning’s IS-GRC Specialist Jennifer Mick points out.

The good news is that Google, Facebook, the Interactive Advertising Bureau (IAB) and others formed the Coalition for Better Ads to establish global ad standards. Sridhar Ramaswamy, Senior VP for Google Ads & Commerce, announced last year that from 2018 Chrome will stop showing ads (including those owned or served by Google) on websites that are not compliant with the Better Ads Standards.

Unfortunately, cyber criminals have a way of ignoring regulatory standards and aren’t interested in actually advertising anything. Their malicious agenda can take many forms. Our Snapchat user above was likely hit by a bulky redirect that couldn’t load the phony page because it was already downloading a trojan (aka backdoor). A hacker might try other malicious actions, including:

  • Collect and send GPS coordinates, contact lists, e-mail addresses etc. to third parties
  • Send SMSs to premium-rate numbers
  • Subscribe infected phones to premium services
  • Record phone conversations and send them to attackers
  • Take control over the infected phone
  • Download other malware onto infected phones
  • “Push notifications ads” delivering alerts to a phone’s notification bar – when the user swipes to pull down the notification bar from the top of the screen, an ad shows up under Notifications.
  • “Icon ads” inserted onto a phone’s start screen – when the user touches the icon, it usually launches a search engine or a web service.
  • Send users on a detour to phishing sites that collect personal data
  • Redirect users to pages containing malicious code

Since most websites choose to work with advertising networks rather than individual advertisers, ads are automatically aimed at targeted audiences as well as littered across all sorts of websites, even the more reputable ones. Moreover, the advertiser or operator of the page doesn’t keep track of exactly where these ads appear, much less whether the ads are running malicious scripts.

How does this affect me as a consumer?

Since ads are being driven by two main camps, consumers are being hit with a double whammy. Apart from a paid subscription to YouTube Red or a Google Contributor ‘ad removal pass,’ consumers will be hard put to escape pop-up ads. Ad blockers, NoScript, and others can reduce the number of ads users are plagued with, but they are not foolproof.

Moreover, technically speaking, an ad hijacking your browser isn’t actually a “hack,” in the sense that it doesn’t exploit a software vulnerability. Instead, it relies on the attacker’s ability to submit and run ads that contain redirecting JavaScript, with clickbait interesting enough to entice the general public to click.

Since redirecting mobile ads could create a jumping-off point for attackers, the average Joe must be vigilant and aware of what they are clicking. Advertising networks do not discriminate against age groups; if anything, they will target the younger set even more, as youngsters are all about speed and are click-happy. So, educating our young users on secure cyber habits is vital as well.

What can I do as a business?

So that pop-up ads can be delivered quickly, advertising networks sell their advertising space to the highest bidder without checking the ads submitted to them for JavaScript code that facilitates redirects. These mobile redirects delay user access to content or put users off loading it altogether, which results in negative advertising.

Will Strafach, the president of Sudo Security Group, suggests that the best long-term solution is for ad networks to vet content more assertively, allow less leeway with JavaScript code execution, and be more responsive to complaints. Businesses, including publishers, may have to hold ad exchanges to a higher standard so that they will crack down on this type of aggressive code with a better screening process.
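A first-pass screen of the kind described above, as an added example that is not from the original post or from any ad network's tooling: it flags creatives whose scripts navigate the page without a tap. The rule ids, verdict names and sample creatives are constructed for illustration.

```javascript
// Added example: first-pass static screening of an ad creative for forced redirects.
// Rule ids, verdict names and the sample creatives are constructed for illustration.
const NAV = "(?:\\.href)?\\s*(?:=(?!=)|\\.(?:assign|replace)\\s*\\()";
const RULES = [
  // Navigating the embedding page from inside the ad frame.
  { id: "top-navigation", re: new RegExp("\\b(?:top|parent)\\.location" + NAV) },
  // Navigating the ad's own document.
  { id: "self-navigation",
    re: new RegExp("(?<![.\\w])(?:(?:window|self|document)\\.)?location" + NAV) },
];
const META_REFRESH = /<meta\b[^>]*http-equiv\s*=\s*["']?refresh/i;

function screenCreative(html) {
  const findings = [];
  if (META_REFRESH.test(html)) findings.push({ rule: "meta-refresh", context: "load" });
  // Script blocks run when the creative loads, with no user interaction.
  for (const [, body] of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    for (const { id, re } of RULES) {
      if (re.test(body)) findings.push({ rule: id, context: "load" });
    }
  }
  // onclick handlers run only after a tap; navigation there is user-initiated,
  // so it is queued for review rather than rejected.
  for (const [, , body] of html.matchAll(/\bonclick\s*=\s*(["'])([\s\S]*?)\1/gi)) {
    for (const { id, re } of RULES) {
      if (re.test(body)) findings.push({ rule: id, context: "click" });
    }
  }
  const verdict = findings.some((f) => f.context === "load") ? "reject"
    : findings.length > 0 ? "review" : "pass";
  return { verdict, findings };
}

// Constructed sample creatives.
const SAMPLES = {
  forced: '<div>Win now!</div><script>setTimeout(function(){ top.location.href = "https://landing.example/"; }, 50);</script>',
  clickThrough: '<a href="#" onclick="window.location = \'https://shop.example/\'">Shop</a>',
  readOnly: "<script>if (top.location === self.location) { console.log('not framed'); }</script>",
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(screenCreative(html)));
}
```

Pattern matching like this misses obfuscated or dynamically built code, so it works as a triage filter ahead of manual review rather than as the whole screening process.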

What can I do as a user?

As malware writers try to earn money for their bad deeds, they will use increasingly clever techniques to try and trick users into clicking on their baited links and installing their malicious apps. So as users, we need to be especially alert while accessing online content on our devices.

Keeping security at the forefront, just as you would lock your car doors, the following cyber habits may prevent you from succumbing to clicking on a pop-up ad with malicious injected code:

  • Install vetted mobile ad blockers to help avoid the pop-ups.
  • Utilize known browsers that have increasingly incorporated protections to limit malicious intrusions, like Chrome, Samsung native browser, iOS Safari, etc.
  • Research apps before installing; even reading the reviews will hint at whether the app sounds fishy.
  • If a free app you downloaded asks for more permissions to access your device’s functionality than it needs, then take a hard pass.
  • If you are willing to pay, YouTube Red and Google Contributor Ad Removal passes will block all ads except the ones you choose to opt in for.

If nothing else, think twice before installing untrusted software or clicking on strange-looking links!

Remember, mobile redirects are systemic and need to be addressed at scale. While these issues are being addressed, now is the time to educate your users with TechGuard® S.H.I.E.L.D’s™ award-winning Cybersecurity Awareness Training Solution.  Don’t delay, get the message out there: “If you see a weird notification that entices you to play blackjack interrupting your daily newsfeed, THINK before you click!”

© 2018 Inspired eLearning, LLC. All Rights Reserved.