Pay-per-impression? Not impressed.

And by “not impressed” I mean that there’s a good chance that impression an advertiser paid for was coerced and likely causing bad will for the advertiser, which is pretty much the opposite of what was intended.

Implicit in the value of online ads are the assumptions that ad impressions are targeted by interest and that clicks are real-world manifestations of that user interest. While these assumptions hold true in the legit ad market (and given the nature of surveillance ads these days I’m being generous in my use of the word “legit”), they are utterly broken in a vast number of cases. Unfortunately, it’s difficult if not impossible for advertisers paying the bill to tell the difference.

Researchers at MalwareBytes recently announced reemergence of something they call Fake jquery infection. Large swaths of the Web depend on the real jquery — a very popular Javascript library — so impersonating it is a good way to sneak past malware detectors. The fake version infects mobile devices with malicious adware that turns the phone’s lock screen into a full-screen ad delivery system that users cannot disable. It is also very good at evading detection by not installing on devices other than phones.

Whereas the previous malware campaign delivered Fake jquery in apps, the new implementation delivers it through visits to compromised web sites. Malicious apps have a relatively short lifetime since they are removed on detection and app stores aggressively scan for malware. Compromised web sites, on the other hand, tend to be those whose administrators fail to apply patches and because of this infections tend to be much more durable there.

The result of this is that users by the millions find that their phones constantly display full screen ads when locked and that normal interactions to unlock or turn off the screen tend to result in unwanted ad clicks. While it’s true that some of these clicks lead to sites that install more malware, a great many of them simply serve up legitimately placed ads.

The reasons for this are obvious. The intent of malware is to compromise the device to then steal credentials or install things like banking trojans which then require additional steps to monetize, all while evading anti-malware. The chance of monetization relatively low for the level of complexity required. Compare to malicious adware in which only one level of compromise is required, the malware by design resembles the legitimate advertising delivery pipeline, and the monetization is direct. Render the ad, get paid. Get the user to click, even an accidental or coerced click, and get paid.

Consider also that the usual justification for ads is that they fund free content. By some accounts ads are what keeps the Internet running. But ads that display on a device’s lock screen don’t fund anything but the hacker and the ad broker. They don’t keep the internet running if they aren’t served alongside any content. In fact, to the extent that they burn up the device’s battery and bandwidth they do the opposite of keeping the internet running — no content is funded and the user is much more likely to find themselves holding a lifeless brick incapable of viewing content until they can get a recharge.

What is often left out of these discussions is the question of who pays the hacker who delivers the Trojan to the device? Certainly not the advertiser because the activity of the Trojan drives up the advertising cost while reducing the value. There are several layers of middlemen in the ad delivery pipeline and players in at least one of those layers can earn more money by engaging the hackers to deliver their ads and splitting the money. The other possibility is that the hackers are now directly playing in the ad delivery pipeline so they get the full cut of fees at that level. The point being that either someone in the otherwise legit ad delivery pipeline is knowingly paying hackers to deliver ad impressions, or else the ad delivery pipeline is so permeated with hacker activity that it can no longer be considered legitimate.

I’m old enough to remember when users of illicit drugs were admonished that their drug habit funded organized crime and terrorism. Welcome to the digital age where pretty much everything you do funds organized crime and terrorism — and occasionally also the online content that you consume for free. At least the drug users had the option to quit if they didn’t like where their money was going.

Personally, I find it difficult to scrape up much sympathy for the online advertising industry. Violation of user trust and privacy so permeates the business model of online surveillance-based advertising that it is hard to tell whether malware has invaded the ad delivery pipeline, or whether ad delivery has simply become the legitimate veneer over a sophisticated malware industry. Indeed, a review of the malware catalog of any security vendor turns up adware classified as malicious listed adjacent and in near equal numbers to malware that looks like or delivers ads. Online advertising and organized crime have executed a successful merger while everyone was busy looking at ads.

When your business model is indistinguishable from that of organized crime, it’s going to be a bit difficult to weed out the bad actors. It’s also kind of a clue that you are doing something wrong.

Remember when “targeted” advertising meant picking a periodical, or billboard, or show that attracted your target audience and putting ads there? We can still do that. As an example, friend of mine runs a technical conference and puts banners from the event’s sponsors on the web site. Sponsors know who the audience is and can provide a hotlink that tracks referrals directly. The ads themselves are static images. No Javascript, no cookies, no Flash, no executable anything, no tracking other than through referral headers, and best of all no monetization stream to hijack and thus no crime. Can we just do that already?

We would have to invent better alternatives if the malvertising revenue stream dried up, and reason suggests that it will. Or at least that it should. The more that malware dilutes the ad delivery pipeline, the less valuable advertising becomes. Indeed, it is the advertisers who are the public face of hijacked lock screens and to the extent that these tactics generate ill will it is those advertisers who bear the brunt, receiving in effect negative value for their ad dollars. Who would pay for that? Even with assurances that the ads were placed as stipulated in the contract, who at this point both knows how the sausage is made and believes with confidence that placements are authentic and auditable?

Advertisers, it’s your money funding this crime wave and you are receiving ever-diminishing return on that investment. By participating you paint targets on the backs of your target market and guess what — we are not impressed. Do yourself and your market a favor and find ways to get your message to us that doesn’t endanger us. You might find that doing so helps you as much as it helps us.

WebSphere MQ security guy! My Tweets/views are my own. Also blogging at and

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium


Premature Cyber Escalation

OpenAVN 📈 Exponential Protection

{UPDATE} Solitaire Zello Walkie Hack Free Resources Generator

Weekly Update #1

Why and How You Should Sign All Your Git Commits

EasyFi collaborates with EPNS to power smart alerts for protocol users

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


WebSphere MQ security guy! My Tweets/views are my own. Also blogging at and

More from Medium

Is YouTube Dying Or Is YouTube Dead Already —

Prime editing: The new CAShable gene editing

An image of DNA in a helix.

Notes on “Decolonising the Curatorial” in Babylon Britain

“Drag Is All Over the World, including Rochester, NY”