What is adware? How it works and how to protect against it

Adware is deceptive software that earns its creators money through fraudulent user clicks. Fortunately, it's one of the most detectable types of malware.


Adware definition

Adware is a category of software applications that displays advertisements on computers or changes search results in browsers to earn money for their creators from user clicks. This category of programs has been around for decades and has mutated over time. Some adware applications are purely malicious and don't ask for user consent at all while others fall in a grey zone where users are notified about their installation through confusing user agreements or through enabled-by-default installation options.

Some security companies place the less deceptive adware programs in a larger category called potentially unwanted programs or applications (PUP/PUA), and they can come bundled with other features that might impact the user's internet browsing or computer use experience.

Adware programs can change the browser's home page and the default search engine, can inject rogue results into search pages and can also inject rogue advertisements into legitimate websites or trigger persistent pop-up windows in the browser. The goal of their creators is to earn commission money fraudulently by abusing pay-per-click or pay-per-view advertising schemes.

Large and legitimate advertising networks have more advanced fraud detection mechanisms, so adware creators often use obscure ad delivery platforms that don't have strict user agreements and don't block abuse attempts. This causes many of the advertisements these programs push to be of low quality: pornographic content, fake alerts that trick users into buying or installing applications that are not needed, various diet pills, work-at-home schemes and other questionable content.

Even though the number of adware detections decreased last year according to a report from antivirus firm Malwarebytes, adware remains one of the most common types of unwanted applications found on computers.

"At the end of the day, the driving financial force of the internet itself has been advertising," says Adam Kujawa, director of the Malwarebytes Labs, the malware intelligence team at antivirus firm Malwarebytes. "Cybercriminals are completely aware of the potential value in pushing advertisements, so I'd say a pretty big chunk of the cybercrime world devotes themselves to distributing advertising or adware-type malware."

What is the risk from adware?

Adware programs are not as dangerous as computer Trojans, worms, rootkits and other forms of malware, but they negatively impact the user's experience and make computers and browsers run slower. They also serve as a means for cybercriminals to fund other malicious campaigns and can ultimately serve as a backdoor into computers through which other threats can be delivered or data can be stolen.

How adware spreads

Adware can come in different forms: as standalone programs installed on computers or in the form of browser extensions and toolbars. Many mobile applications behave like, and can be categorized as, adware.

A common way for attackers to install adware programs on computers is through botnets that are used as distribution platforms for various malicious programs. The creators of such botnets offer distribution services to other cybercriminals on a pay-per-install basis. Because of this, an adware infection can often be a sign of other more serious threats also being present on a computer.

Adware is also distributed through torrents and other file sharing websites by masquerading as cracked installers and key generators for commercial programs or games. Rogue or malicious advertisements are also used to push adware programs. This includes fake prompts for Flash Player and other software updates that are supposedly required to display the websites users are trying to access.

Malicious actors also distribute adware as browser extensions and there have been numerous cases over the years where add-ons with adware behavior made their way into the official Chrome Web Store or Mozilla Add-on Repository. Browser makers like Google and Mozilla have tried to crack down on such abuse by modifying the acceptable terms and conditions for third-party extensions and limiting where add-ons can be installed from. However, attackers continue to find ways around those restrictions.

For example, there has been an increasing number of cases where attackers used shell companies to buy existing browser extensions from their original developers and then modified them to start displaying ads or to hijack search results. Such attacks are hard to block because extensions update automatically through the browser and attackers are abusing an existing trust relationship between users and the previous extension owners. From a user perspective, changes in extension ownership are not very transparent and there are no warnings or notifications when this happens.

Finally, adware-like components, including browser toolbars or extensions, might also come bundled with legitimate applications. Sometimes their presence is made clear during the program's installation, as a means to financially support the application, and the user can opt out. However, in many cases, the adware component is enabled by default and the software developer makes it hard or confusing to deselect it.

What is the difference between adware and PUP/PUA?

According to Kujawa, there is usually a fine line between what is considered a PUP/PUA and what is considered adware. PUP/PUA are usually legitimate applications that are doing things that are somewhat shady, like making it difficult to uninstall or opt out of advertising components, while adware is software whose sole purpose is to display ads or to hijack search results and which often uses deceptive ways to land on people's computers.

However, because of this fine line, there might be cases where different security vendors categorize the same applications differently -- as PUP/PUA or as adware -- depending on how strict their categorization criteria are. From an end-user perspective this can be confusing, so it's generally best to err on the side of caution and treat PUP/PUA detections the same as you would adware.

In the mobile world, there are many applications that are supported through advertising and this is a legitimate and popular way to monetize applications that are otherwise free to use. Developers who build free apps usually integrate third-party advertising kits into their apps and don't really have control over what that third-party code does. There have been cases where legitimate app developers have integrated SDKs that turned out to be malicious and were used to deploy aggressive adware on phones.

How to protect against adware

First, users should always run an up-to-date antivirus program on their computer. This is the first line of defense against all types of computer threats and even though antivirus programs are not a silver bullet, they do help to weed out the majority of malicious and questionable applications.

"Adware is easy to detect," Kujawa says. "It's not super stealthy for the most part. There are a few families out there that do a bit more advanced things and are more on the malware side than the PUP side, but for the most part adware is pretty easy to detect and it's one of our most commonly detected types of malware."

User behavior is also very important when it comes to avoiding adware and malware infections in general. This includes downloading and installing programs only from trusted sources, such as the software developers' own websites, instead of torrent and file sharing sites. Users should avoid downloading cracked and pirated programs or key generators.

Sites that offer unauthorized online sports or movie streaming, as well as games, movies, music and other pirated content, also often ask users to install adware. The more you're moving to things that are not necessarily legal, the higher the chances of encountering adware, Kujawa says.

When installing legitimate freeware applications, users should carefully read the installation prompts and deselect third-party advertising components if they don't want them. These toolbars and other components often come enabled by default so users need to opt out rather than opt in.

When installing browser extensions and add-ons from the official repositories, it's best to read the latest user reviews. If they display rogue behavior, someone likely reported it in the comments.

Browser extensions in general have a lot of power and access to sensitive data inputted into websites, so consider carefully whether you really need a particular extension. It's good practice to periodically review the list of installed extensions and remove those you don't need anymore. This can help you avoid security risks if abandoned extensions change ownership and go rogue.
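One way to make that periodic review systematic, as an added example that is not part of the original article: the script below reads each extension's manifest.json from a Chromium-style Extensions folder and lists the ones that can run on every site, request sensitive APIs, or override the home page or search provider. The folder layout (`<id>/<version>/manifest.json`), the permission shortlist and the sample manifest are assumptions made for this example.

```python
import json
from pathlib import Path

# Match patterns that give an extension access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Shortlist of Chrome API permissions chosen for this example's review.
SENSITIVE_PERMS = {"webRequest", "tabs", "cookies", "history", "scripting"}

def audit_manifest(manifest):
    """Return the reasons one parsed manifest.json deserves a manual look."""
    reasons = []
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    hosts = perms | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        reasons.append("runs on all sites: " + ", ".join(broad))
    risky = sorted(perms & SENSITIVE_PERMS)
    if risky:
        reasons.append("sensitive APIs: " + ", ".join(risky))
    # chrome_settings_overrides is how an extension changes these browser settings.
    for key in ("homepage", "search_provider", "startup_pages"):
        if key in manifest.get("chrome_settings_overrides", {}):
            reasons.append("overrides browser setting: " + key)
    return reasons

def audit_extensions_dir(ext_dir):
    """Audit every <id>/<version>/manifest.json under ext_dir, keyed by extension id."""
    report = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            report[ext_id] = ["unreadable manifest"]
            continue
        reasons = audit_manifest(manifest)
        if reasons:
            report[ext_id] = reasons
    return report

# Constructed sample manifest, not taken from any real extension.
SAMPLE = {"manifest_version": 3, "name": "Constructed Example",
          "permissions": ["tabs"], "host_permissions": ["<all_urls>"],
          "chrome_settings_overrides": {"search_provider": {"name": "example"}}}
if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

A flagged extension is not necessarily adware; the output is a shortlist for manual review, and a change in the flags between runs is the signal worth checking after an automatic update.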

Users should be wary of the various prompts for software updates and other warnings that appear while browsing the web and check whether they're from trusted sources, such as locally installed applications. Flash Player, Java and other plug-ins, as well as most popular applications, are usually updated automatically, so web-based prompts for software updates are typically scam attempts.

The websites you visit have no way of knowing that your computer is infected with malware or that it's running slower and could use some optimization, so ignore such alerts when you see them on the web. They are just meant to trick you into installing adware or malware.

As long as there is a way to make money from something, cybercriminals will try to exploit it. Since online advertising drives the web, adware programs and adware attacks will continue to exist for a long time to come.

Copyright © 2019 IDG Communications, Inc.
