Advertising can sometimes be annoying — and sometimes it can be malicious. Businesses that make their money selling advertisements sometimes go too far trying to make sure you see their ads. Recently researchers found that one such business — a big digital-marketing agency — went as far as installing adware on 250 million computers running Windows and macOS all over the world.
What’s even worse, this adware is capable of turning into full-fledged malware that can divert users to malicious sites and drop malware on their computers. And no one seemed to notice it — until now.
The stealthy Fireball
Adware is a type of application that shows you ads or collects data about you for purposes of profiling you and selling that profile to advertising agencies, which, in turn, show you ads. The most common way adware sneaks onto computers is when it comes bundled with other software. Adware creators are willing to pay for the bundling, so some developers of free software are actually eager to bundle it with their products to monetize them.
However, bundling can look quite different depending on the developer. Whereas normally you are notified about additional software being installed alongside the app you want, Fireball, the adware in question, doesn’t prompt users or give them a chance to opt out of the installation — it just stealthily installs. It’s important to note that the bundled adware doesn’t necessarily install at the same time as the freeware program you were interested in. The adware might be dropped in later, when you’re less alert to potential installation issues.
Fireball is a browser hijacker, which means it modifies your browser to serve its creator’s purposes. The modification involves changing the homepage and the default search engine as well as blocking your attempts to change them back. The fake search engines Fireball sets as defaults contain tracking pixels that gather data about users to use for marketing purposes. Also, Fireball has the ability to execute any code on the infected computer and download browser extensions or other software.
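Because a hijacker of this kind leaves its footprint in the browser's own settings, one practical detection is to audit those settings against an allowlist of approved home pages and search providers. The following Python script is an added example for this article, not code from the original post or from any vendor; it reads a constructed sample modelled on a Chromium-style Preferences file (the key names "homepage", "session.startup_urls" and "default_search_provider_data.template_url_data.url" are assumed to follow Chromium's layout, and the hosts in the allowlist and the sample values are invented) and reports any home page, start-up URL or default search engine pointing at a host that is not approved.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a Chromium-style Preferences file (JSON). The key names
# follow Chromium's layout as an assumption; the URLs and hosts are invented
# so that the example runs offline.
SAMPLE_PREFS = json.dumps({
    "homepage": "http://search-example.invalid/?src=hp",
    "homepage_is_newtabpage": False,
    "session": {"startup_urls": ["http://search-example.invalid/?src=start"]},
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "Search",
            "keyword": "search-example.invalid",
            "url": "http://search-example.invalid/search?q={searchTerms}",
        }
    },
})

# Hosts the organisation approves as home/start pages and search providers
# (assumed allowlist for this example).
ALLOWED_HOSTS = {"www.google.com", "duckduckgo.com", "intranet.example.org"}


def _host(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def audit_browser_prefs(prefs_json, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (setting, url) pairs whose host is not on the allowlist.

    Settings inspected: the homepage, every start-up URL and the default
    search provider's query URL template.
    """
    prefs = json.loads(prefs_json)
    checks = []
    if prefs.get("homepage"):
        checks.append(("homepage", prefs["homepage"]))
    for url in prefs.get("session", {}).get("startup_urls", []):
        checks.append(("startup_url", url))
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if tpl.get("url"):
        checks.append(("default_search_provider", tpl["url"]))
    # Anything whose host is not explicitly approved is reported for review.
    return [(setting, url) for setting, url in checks
            if _host(url) not in allowed_hosts]


if __name__ == "__main__":
    for setting, url in audit_browser_prefs(SAMPLE_PREFS):
        print(f"unexpected {setting}: {url}")
```

In a real deployment the JSON would be read from each user profile's Preferences file and the allowlist from policy; a hit on all three settings pointing at the same unfamiliar host, as in the sample, is the pattern a browser hijacker produces.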
What’s interesting is that despite its malicious nature, Fireball is signed with legitimate digital certificates, which makes it seem innocuous. It also implements other detection-evasion techniques to make it harder for security suites to find it and mark it as malicious. That’s why no one noticed the spreading epidemic for some time — Fireball seemed to be a totally legit app.