Ad2Store Redirections: The Latest Annoyance for Mobile Users
Online ads can be very aggressive and disruptive, not to mention that they often carry malicious payloads, a practice known as malvertising.
You may have come across a strange situation on your smartphone or tablet where, as you were browsing the web, the App Store or Play Store popped up automatically or even started downloading some random app.
It turns out this technique is not actually new per se (early reports from 2012 mention a similar behaviour which essentially hijacked your web session to trick you into installing unwanted apps).
What is most troubling about this is the fact that a specially crafted online advert is responsible for automatically switching the browser to a different program (the App/Play Store) with absolutely no user interaction required.
Case in point: when we visited Reddit and clicked on a thread, it opened imgur, the picture hosting website, where an ad loaded and then launched the App Store on its own, literally shoving the “Clash of Clans” app in our face.
You are more likely to encounter such disruptive ads if you browse dodgy sites, but due to the nature of online advertising it may also happen on high-profile sites and blogs such as the ones mentioned in the TechCrunch article.
On iOS, this issue exists both in its native browser (Safari) as well as third-party browsers such as Google Chrome.
Figure 1: From browser to App Store: advert pushes install for an App.
For reference, I was using the default security settings, with the pop-up blocker enabled.
In order to understand how this happened, I routed my smartphone through a proxy (Fiddler) and recorded the traffic:
hastrk2[dot]com sends an HTTP 302 response whose redirect target is a specially crafted URL (itms-appss://itunes.apple.com/app/clash-of-clans/id529479190?mt=8); the itms-appss scheme is not handled by the browser but by the App Store, which pops up as a result.
On Android, the process is quite similar, albeit with a different URL format:
Here is a general overview of what takes place (all unrelated URLs were removed for clarity), showing the many bounces involved in this campaign:
Figure 4: Each URL is linked to the abusive ad in a very long chain.
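The same check can be automated on a proxy capture: the script below is an added example (not from the original post) that walks recorded responses the way one would after a Fiddler session, follows each 302 chain, and flags any chain whose last hop uses a scheme that hands control from the browser to a store app, as in the hastrk2[dot]com redirect above. The log entries and hostnames are constructed placeholders (only the itms-appss URL comes from the post), and the Android schemes in STORE_SCHEMES are an assumption, since the post does not show the Android URL format.

```python
from urllib.parse import urlsplit

# Schemes that leave the browser and open a store app. itms-appss is the one
# seen in the post; the others are added here as assumptions for Android/iOS.
STORE_SCHEMES = {"itms-appss", "itms-apps", "market", "intent"}

# Constructed proxy log: one dict per response, in the order they were seen.
# Hostnames are placeholders standing in for the ad network, the trackers and
# the final redirector (hastrk2[dot]com in the post).
CAPTURED = [
    {"url": "http://i.imgur.example/gallery/abc123", "status": 200, "location": None},
    {"url": "http://ads.example/serve?slot=mobile", "status": 302,
     "location": "http://track1.example/click?c=42"},
    {"url": "http://track1.example/click?c=42", "status": 302,
     "location": "http://redirector.example/go?c=42"},
    {"url": "http://redirector.example/go?c=42", "status": 302,
     "location": "itms-appss://itunes.apple.com/app/clash-of-clans/id529479190?mt=8"},
    {"url": "http://cdn.example/banner.png", "status": 200, "location": None},
    {"url": "http://shortener.example/x1", "status": 301,
     "location": "http://news.example/story"},
]

def redirect_map(responses):
    """Redirect target of every 3xx response, keyed by the requested URL."""
    return {r["url"]: r["location"] for r in responses
            if 300 <= r["status"] < 400 and r["location"]}

def follow(start, hops, limit=20):
    """Walk the redirect chain from start; stop at a non-redirect, a loop, or limit."""
    chain = [start]
    while chain[-1] in hops and len(chain) <= limit:
        nxt = hops[chain[-1]]
        if nxt in chain:  # loop protection
            break
        chain.append(nxt)
    return chain

def store_redirect_chains(responses):
    """Return every redirect chain whose final hop bounces the browser into a store."""
    hops = redirect_map(responses)
    targets = set(hops.values())
    found = []
    for start in hops:
        if start in targets:
            continue  # only walk from the head of each chain
        chain = follow(start, hops)
        if urlsplit(chain[-1]).scheme.lower() in STORE_SCHEMES:
            found.append(chain)
    return found

if __name__ == "__main__":
    for chain in store_redirect_chains(CAPTURED):
        print(" -> ".join(chain))
```

On the constructed capture this reports the single four-hop chain ending in the itms-appss URL, while the ordinary 301 to a news page is left alone.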
The slideshow below reveals how each web session from Figure 4 is tied to the next one: