Ad2Store Redirections: The Latest Annoyance for Mobile Users



Written by Jérôme Segura for Malwarebytes.org, Malvertising

Online ads can be very aggressive and disruptive, not to mention that they often carry malicious payloads (a.k.a. malvertising).

You may have come across a strange situation on your smartphone or tablet where, as you were browsing the web, the App Store or Play Store automatically popped up or even initiated a download for some random app.

It turns out this technique is not actually new per se (early reports from 2012 mention a similar behaviour which essentially hijacked your web session to trick you into installing unwanted apps).


More recently, Sarah Perez from TechCrunch wrote a nice article showing that many users were frustrated with such annoying ads, yet neither Apple nor Google had responded or commented on the subject.

What is most troubling about this is the fact that a specially crafted online advert is responsible for automatically switching the browser to a different program (the App/Play Store) with absolutely no user interaction required.

Case in point: we visited Reddit and clicked on a thread, which opened imgur, the picture hosting website, where an ad loaded and then launched the App Store on its own, literally shoving the “Clash of Clans” app in our face.


You are more likely to encounter such disruptive ads if you browse dodgy sites. But, due to the nature of online advertising, it may also happen on high-profile sites and blogs such as the ones mentioned in the TechCrunch article.

On iOS, this issue exists both in the native browser (Safari) and in third-party browsers such as Google Chrome.


Figure 1: From browser to App Store: advert pushes install for an App.

For information, I am using the default security settings with the pop-up blocker enabled.


In order to understand how this happened, I routed my smartphone through a proxy (Fiddler) and recorded the traffic:


hastrk2[dot]com sends a 302 HTTP response with a specially crafted URL (itms-appss://itunes.apple.com/app/clash-of-clans/id529479190?mt=8) that results in the App Store popping up.

On Android, the process is quite similar, albeit with a different URL format:

market://details?id=com.zoosk.zoosk&hl=en&referrer=utm_campaign%3DO1_3I_AN_XX_CA%252A007119_020868_000000_2514_1271%26mat_click_id%3Dd53619e84e977c58a8-20140203-3188
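The redirects described above can be picked out of a proxy capture mechanically. The following is an added example, not part of the original article: it flags 3xx responses whose target uses a store URL scheme and walks back through the redirect chain that led there. The capture rows, the `.example` hosts and the function names are constructed for illustration, and the market:// URL from the article is shortened.

```python
import re
from urllib.parse import urlsplit, parse_qs

# itms-appss and market are from the article; itms-apps is a related iOS scheme added here.
STORE_SCHEMES = {"itms-appss", "itms-apps", "market"}

# Constructed capture: (request URL, status, redirect target). Hosts are
# placeholders; the two store URLs come from the article (market one shortened).
CAPTURE = [
    ("http://pics.example/gallery/abc", 200, None),
    ("http://ads.example/serve?slot=1", 302, "http://track.example/click?c=9"),
    ("http://track.example/click?c=9", 302, "http://bounce.example/r"),
    ("http://bounce.example/r", 302,
     "itms-appss://itunes.apple.com/app/clash-of-clans/id529479190?mt=8"),
    ("http://ads.example/serve?slot=2", 302,
     "market://details?id=com.zoosk.zoosk&hl=en"),
]

def store_target(url):
    """Return (scheme, app_id) if url opens a store app, else None."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in STORE_SCHEMES:
        return None
    if scheme == "market":  # Android: package name in the id= parameter
        app_id = parse_qs(parts.query).get("id", [None])[0]
    else:  # iOS: numeric id in the path, e.g. /id529479190
        m = re.search(r"/id(\d+)", parts.path)
        app_id = m.group(1) if m else None
    return scheme, app_id

def find_store_redirects(hops):
    """Flag 3xx hops that redirect to a store scheme, with the chain behind them."""
    redirected_by = {}  # redirect target -> index of the hop that sent it
    findings = []
    for i, (url, status, location) in enumerate(hops):
        if not (300 <= status < 400 and location):
            continue
        redirected_by.setdefault(location, i)
        target = store_target(location)
        if target:
            chain, cur, seen = [], i, set()
            while cur is not None and cur not in seen:  # walk back, guard loops
                seen.add(cur)
                chain.append(hops[cur][0])
                cur = redirected_by.get(hops[cur][0])
            findings.append({"issuer": urlsplit(url).hostname, "scheme": target[0],
                             "app_id": target[1], "chain": chain[::-1]})
    return findings
```

Each finding names the host that issued the store redirect, which is the hop to report or block, along with the ad-serving request that started the chain.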

Here is a general overview of what takes place (all other unrelated URLs were removed for clarity), showing the many bounces involved in this campaign:


Figure 4: Each URL is linked to the abusive Ad in a very long chain.

The slideshow below reveals how each web session from Figure 4 is tied to the next one:

[Slideshow: googletag.png, followed by screenshots of the redirects leading to the App Store]