Towards Understanding Privacy Implications of Adware and Potentially Unwanted Programs

  • Tobias UrbanEmail author
  • Dennis Tatang
  • Thorsten Holz
  • Norbert Pohlmann
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11098)


Web advertisements are the primary financial source for many online services, but also for adversaries. Successful ad campaigns rely on good online profiles of their potential customers. The financial potentials of displaying ads have led to the rise of malicious software that injects or replaces ads on websites, in particular, so-called adware. This development leads to continuously further optimized and customized advertising. For these customization’s, various tracking methods are used. However, only little work has gone into privacy issues emerging from adware.

In this paper, we investigate the tracking capabilities and related privacy implications of adware and potentially unwanted programs (PUPs). Therefore, we developed a framework that allows us to analyze any network communication of the Firefox browser on the application level to circumvent encryption like TLS. We use this framework to dynamically analyze the communication streams of over 16,000 adware or potentially unwanted programs samples that tamper with the users’ browser session. Our results indicate that roughly 37% of the requests issued by the analyzed samples contain private information and are accordingly able to track users. Additionally, we analyze which tracking techniques and services are used by attackers.


Adware Potentially unwanted programs Privacy 



This work was partially supported by the Ministry of Culture and Science of the German State of North Rhine-Westphalia (MKW grant 005-1703-0021 “MEwM”) and partially supported by the German Federal Ministry of Education and Research (BMBF grants 16KIS0395 “secUnity” and 01IS14009B “BD-Sec”). We would like to thank the anonymous reviewers for their valuable feedback.


  1. 1.
    Bucklin, R.E., Sismeiro, C.: A model of web site browsing behavior estimated on clickstream data. J. Mark. Res. 40(3), 249–267 (2003)CrossRefGoogle Scholar
  2. 2.
    Starov, O., Nikiforakis, N.: Extended tracking powers: measuring the privacy diffusion enabled by browser extensions. In: Proceedings of the 26th International Conference on World Wide Web, WWW 2017, pp. 1481–1490. International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva (2017)Google Scholar
  3. 3.
    Acar, G., Eubank, C., Englehardt, S., Juarez, M., Narayanan, A., Diaz, C.: The web never forgets: persistent tracking mechanisms in the wild. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 674–689. ACM, New York (2014)Google Scholar
  4. 4.
    Boda, K., Földes, Á.M., Gulyás, G.G., Imre, S.: User tracking on the web via cross-browser fingerprinting. In: Laud, P. (ed.) NordSec 2011. LNCS, vol. 7161, pp. 31–46. Springer, Heidelberg (2012). Scholar
  5. 5.
    Englehardt, S., Narayanan, A.: Online tracking: a 1-million-site measurement and analysis. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1388–1401. ACM, New York (2016)Google Scholar
  6. 6.
    Olejnik, Ł., Acar, G., Castelluccia, C., Diaz, C.: The leaking battery. In: Garcia-Alfaro, J., Navarro-Arribas, G., Aldini, A., Martinelli, F., Suri, N. (eds.) DPM/QASA -2015. LNCS, vol. 9481, pp. 254–263. Springer, Cham (2016). Scholar
  7. 7.
    Mowery, K., Shacham, H.: Pixel perfect: fingerprinting canvas in HTML5. In: Fredriksonn, M. (ed.) Proceedings of the Web 2.0 Security and Privacy Workshop (W2SP), pp. 1–12. IEEE Computer Society, New York, May 2012Google Scholar
  8. 8.
    Arshad, S., Kharraz, A., Robertson, W.: Identifying extension-based ad injection via fine-grained web content provenance. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 415–436. Springer, Cham (2016). Scholar
  9. 9.
    LLC, WS: WOT API—WOT (Web of Trust) (2017). Accessed 31 Oct 2017
  10. 10.
    Kotzias, P., Bilge, L., Caballero, J.: Measuring PUP prevalence and PUP distribution through pay-per-install services. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 739–756. USENIX Association, Austin (2016)Google Scholar
  11. 11.
    Kapravelos, A., Grier, C., Chachra, N., Kruegel, C., Vigna, G., Paxson, V.: Hulk: eliciting malicious behavior in browser extensions. In: Proceedings of the 23rd USENIX Conference on Security Symposium, SEC 2014, pp. 641–654. USENIX Association, Berkeley (2014)Google Scholar
  12. 12.
    Thomas, K., et al.: Ad injection at scale: assessing deceptive advertisement modifications. In: Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP 2015, pp. 151–167. IEEE Computer Society, Washington (2015)Google Scholar
  13. 13.
    Weissbacher, M., Mariconti, E., Suarez-Tangil, G., Stringhini, G., Robertson, W., Kirda, E.: Ex-Ray: detection of history-leaking browser extensions. In: Proceedings of the 33rd Annual Computer Security Applications Conference, pp. 1–13. ACM, New York (2017)Google Scholar
  14. 14.
    Mozilla Foundation: Add-ons for Firefox (2017). Accessed 05 July 2017
  15. 15.
    Bonderud, D.: WOT privacy breach: trust tanks as browser add-on caught selling user data (2017). Accessed 31 Oct 2017
  16. 16.
    Smith, R.M.: The web bug faq. Nov 11, 4 (1999)Google Scholar
  17. 17.
    Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010). Scholar
  18. 18.
    Hupperich, T., Maiorca, D., Kührer, M., Holz, T., Giacinto, G.: On the robustness of mobile device fingerprinting: can mobile users escape modern web-tracking mechanisms? In: Proceedings of the 31st Annual Computer Security Applications Conference, ACSAC 2015, pp. 191–200. ACM, New York (2015)Google Scholar
  19. 19.
    Kurtz, A., Gascon, H., Becker, T., Rieck, K., Freiling, F.C.: Fingerprinting mobile devices using personalized configurations. Proc. Priv. Enhanc. Technol. (PoPETs) 2016(1), 4–19 (2016)CrossRefGoogle Scholar
  20. 20.
    Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: exploring the ecosystem of web-based device fingerprinting. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy, SP 2013, pp. 541–555. IEEE Computer Society, Washington (2013)Google Scholar
  21. 21.
    Hupperich, T., Tatang, D., Wilkop, N., Holz, T.: An empirical study on online price differentiation. In: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, CODASPY 2018, pp. 76–83. ACM, New York (2018)Google Scholar
  22. 22.
    Jagpal, N., et al.: Trends and lessons from three years fighting malicious extensions. In: Proceedings of the 24th USENIX Conference on Security Symposium, SEC 2015, pp. 579–593. USENIX Association, Berkeley (2015)Google Scholar
  23. 23.
    Alexa Internet: Top 500 global sites (2017).
  24. 24.
    Soltani, A., Canty, S., Mayo, Q., Thomas, L., Hoofnagle, C.J.: Flash cookies and privacy. In: AAAI Spring Symposium: Intelligent Information Privacy Management, pp. 1–6. Association for the Advancement of Artificial Intelligence, Palo Alto (2010)Google Scholar
  25. 25.
    European Parliament: The Council: Directive 2009/136/ec (2009)Google Scholar
  26. 26.
    Acar, G., et al.: FPDetective: dusting the web for fingerprinters. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 1129–1140. ACM, New York (2013)Google Scholar
  27. 27.
    Thomas, K., et al.: Investigating commercial pay-per-install and the distribution of unwanted software. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 721–739. USENIX Association, Austin (2016)Google Scholar
  28. 28.
    VirusTotal: Free online virus, malware and url scanner (2017). Accessed 24 July 2017
  29. 29.
    GreatFire: Blocked sites in China - bringing transparency to the great firewall of China (2017).

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Tobias Urban
    • 1
    • 2
    Email author
  • Dennis Tatang
    • 2
  • Thorsten Holz
    • 2
  • Norbert Pohlmann
    • 1
  1. 1.Institute for Internet-SecurityGelsenkirchenGermany
  2. 2.Ruhr-University BochumBochumGermany

Personalised recommendations