Back to Silas S. Brown's home page
Web statistics services can be harmful
Anatomy of a shady advertising network
If using Chrome on Android you may be browsing a benign website with no obvious advertising, only to find that when you tap on a link it opens a new tab to falsely say you've won something, or falsely claim "Virus detected on your phone, click OK to start the cleaning process" which also replaces the tab of the site you were browsing (presumably accessing it viawindow.opener
) and prevents you from pressing Back to resume reading that site.
In one case I managed to catch how this rude interruption of an apparently calm website was being done, and it's not pretty.
The original page was written by a hobbyist about programming a certain old computer (certainly nothing to suggest malicious advertising deals), so I was expecting to uncover a case of the original site's server having been compromised i.e. broken into, and I planned to alert the hobbyist's ISP once I'd figured out some details about this break-in.
But the 'hijack' vector turned out to be much more mundane than that: the webmaster of the original site had used a statistics service called NedStatBasic (aka Motigo or WebStats4U) which had asked him to embed some Javascript that fetched instructions from their third-party server. Motigo's terms and conditions said "By ordering the service level 'Free of charge' you...allow Motigo to advertise on your...website" (they might not have said this when the webmaster originally signed up, but he evidently didn't check for changes), and also said they work with advertising companies called Captify and Eyeota. They also had an indemnification clause, trying to pass legal responsibility for any bad behaviour of their service back to the original webmaster.
The Motigo script created several The I am most certainly not going to recommend that original
webmaster's site to anyone, because I cannot in good conscience
recommend a site that has become associated with so much intrusive false
advertising. I'm not even sure I'd want to recommend a different site
that happens to include that site in a "links" section. (I did attempt to contact the webmaster about this, but the email address they listed was no longer valid.) It would be a pity if an otherwise good resource were
tainted in this way by being hosted on a server that's paid for by aggressive advertising, but it's doubly a pity that all
this was because the original webmaster signed up to
a mere statistics service that doesn't even pay his hosting
bills. He wanted statistics about his readers, but at this rate he won't have any readers, because they'll be taken out of his site and put off from returning as soon as they try to tap one of his links. If you ran a library or bookshop, would you accept someone's offer to count your visitors if they reserved the right to grab said visitors by the scruff of the neck and drag them off to unsavoury places the moment they started to look at any of your items?
Third-party statistics services are simply not worth the risk.
Based on the above experience I'd certainly suggest blocking This proxy approach has the disadvantage of requiring a settings change on each device that uses your network, but it does mean you can block HTTPS sites at the domain level (tinyproxy detects the browser's div
s with id
"motigoDown the rabbit hole
Motigo's added "pop-under" div
s contained scripts from mirando.de
fetching 302-redirects from an nginx server that inspects the browser's
User-Agent string (Lynx wasn't redirected unless run with
-useragent
); the eventual page had an iframe
with source
on Ad
(which had no homepage and cloaked
their whois
data, so we can't easily see which company is
responsible), which served Javascript (from an OpenResty server) that
eventually resulted in a 302 redirect to kuaptrk.com
(registered to
Mundo Media Ltd of Canada), and from there to an https
page on
ads.diamonds
(one of the newer TLDs) who had again cloaked their whois
, this time
by using a proxy company in Hong Kong.
ads.diamonds
page contained Javascript to manipulate the
history of the "pop-under" window (in case the user tried to use Back to
close the tab on Android?) before loading another page---a different one
every time---that refreshed to trackmedia101.com
(again cloaked via
HK) which eventually redirected to one of several places, e.g.:
The fake "virus detected" message was coming from a site called
browser.
(cloaked via Panama; their www.
site displayed a "domain parked" message, while accessing browser.
at top level redirected to a random 'get-rich-quick' scheme or "install our
extension" or whatever); the 'TrackSafe' URL provided to Android refreshed
to tracking.
(again whois-cloaked, displaying a
"domain parked" message from their www server but redirecting to a random
site from tracking.
); on Android this refreshed to
tracking.
(a "mobile user acquisition platform"
registered in Berlin, telling application owners they can get more users to
install their programs), and this refreshed to app.appsflyer.com
(which said it can "attribute every install to the right campaign or media source", which is false if they have no way to count how many people declined after accidentally following an install link), and this 302-redirected to a market://
URL to offer to install a shopping program called "Wish" programmed by ContextLogic Inc of San Francisco (who also owned wish.com
);
trackmedia101.com
(when given a different URL by
ads.diamonds
) redirected to a page on
trck.
(note the missing a
in
track
, perhaps designed to subvert simple 'ad-blocking' checks?)
which executed some Javascript to compute the next URL (called "click
verify", presumably on the assumption that a non-Javascript crawler wouldn't
be able to traverse it unless specially programmed for their style of
obfuscation) and then to viralapps.club
to advertise applications
that are "trending" (or at least that the company would like to be
trending);mobileplay.me
which redirected
to billyaffcontent
which redirected to
billmscurlrev
which doctored the history and did other strange
Javascript things before redirecting back through trackmedia101
to a page on trk.
(registered to AdXperience in
France) which then went to control
(an "analytics
platform" for advertisers), which redirected to the Google Play page
for Audible's audiobooks application (did they know what kind of
advertising 'ecosystem' they were signing up to?);forcati
(cloaked whois) which served truncated
video-playing code or redirected to fake competition prizes;global
which redirected to another
app
page and a market://
URL for a
taxi-ordering program;apk
, and some sites that didn't load at
all.wsjpnxdm8u.top
registered to a certain Lei Gao in Ningyang,
Shandong and hosted on Amazon. This server was returning 404s to all other
URLs. Another, similar message ("corrupted with virus and battery has been
damaged") was served from inbox-msg-cg000.gdn
(falsely claiming to
be Google; actually hosted on Amazon and registered to a company in
Bangkok); this site contained code to activate the phone's vibration (as did
some of the fake "you have won" sites), and falsely threatens the user with
"permanent lockdown" unless they install "Turbo Cleaner" from
Google Play, an application which, as far as I could tell from its
.class
files, didn't seem to do anything useful, but presumably
they were hoping its in-app advertisements might get them more revenue than
they were spending to spread it. And I didn't see that they'd compromised
any ordinary web servers to do this, although we can't rule out the possibility
that they found a way to bypass billing on the advertising network, since
advertising money spent for the sole purpose of raising other advertising
money does seem a bit wasteful if they don't have a particularly effective
'multiplier' in the middle.
Don't be used
Some routers can be set to block some of these sites (see below), but the obvious
takeaway for responsible webmasters is don't use 'free' statistics
services if you value your reputation. Use Analog or similar instead, or
if your ISP doesn't give you the logs then write your own call to another
server if you must know; personally I don't mind not being given the logs at
all---it means I'm not tempted to fret about how many computers opened this or
that one of my pages, which are just here for reference anyway.
Router blocking
If an Android device is being used on Wi-Fi, the router attached to the access point might be able to help block advertising networks that carry malicious payloads. Many consumer routers can be configured to block on the browser's outgoing Host:
header, which covers only sites that don't yet use HTTPS; to go beyond that the router would have to interfere with DNS lookups, or block IPs (which change).ads.diamonds
and trackmedia101
if not the others.
prod.
, edge
, launch
and taboola.com
so I'd suggest blocking those four also (they weren't all responsible, but as a consumer I'd sooner 'overblock' than check specifically which one it was---which shows that browser-commandeering advertising is bad not only for the site it appears on and the advertising network that carries it, but also for any other advertising networks used by the same sites).
2mdn.net
, doubleverify.com
(ironically claiming to be in the business of "brand safety" but perhaps they were tricked), springserve.com
, betrad.com
, b2rrns9dgbx56tf5kc
, reactrjs.com
(not to be confused with ReactJS), xpanama.net
, quantserve.com
(supposedly just an analytics site, but as shown above I no longer trust such claims) and scorecardresearch
so I suggest summarily blocking those as well. But some of them are HTTPS sites, meaning you'd need a router that lets you change the DHCP DNS server (I was not able to prevent browser takeover by simply blocking this set of sites on an off-the-shelf router).
instui201.info
and 1-1ads.com
so I suggest blocking those too.
amazon-adsystem.com
redirecting to a malicious page-replacing script, so I suggest blocking Amazon Ads too as they clearly had poor quality-control that weekend.
ad.fx168api.com
and js.qyqc4s.com
trying to download an apk
, so they also go on the block-list for poor quality control.
i89o780.xyz
and 88jo3157.xyz
; these were being redirected to at the HTTP level by a couple of domains 'spamming' Google search results by scraping app names from Play Store and republishing them, then changing their behaviour when a real browser arrives.
outloginequity.com
for displaying an advertisement with a dirty image on an unrelated site.
various
for carrying malicious page-replacing advertising in August 2021.
fertilizer
for carrying malicious page-replacing advertising in November 2022.
pocket
for carrying malicious page-replacing advertising in January&nbs;2024.
Blocking with a Raspberry Pi
Android's Wi-Fi settings has a per-connection "Advanced options" that let you set a proxy for the browser to use when on that Wi-Fi network. Therefore if your router's blocking options are insufficient, you could apt-get install tinyproxy
on a Raspberry Pi (with a static IP), set Filter
in /etc/tinyproxy.conf
to a file containing the domains you want to block (restart or send SIGHUP
to make it re-read this file), and set this IP and port 8888 in the Advanced options of your home Wi-Fi network on the Android device (long tap on the connection, select "Modify network" and enable the advanced options). Remember to use iptables
or other access controls if you've set your router to send ``DMZ'' traffic to the Raspberry Pi. If tinyproxy sometimes gets "stuck", you could cron
a periodic /etc/init.d/tinyproxy restart
or try something else like ngx_
(likely to require compiling from source).
CONNECT
request and denies it).
Copyright and Trademarks
All material © Silas S. Brown unless otherwise stated.
Android is a trademark of Google LLC.
Google is a trademark of Google LLC.
Google Play is a trademark of Google LLC.
Javascript is a trademark of Oracle Corporation in the US.
Raspberry Pi is a trademark of the Raspberry Pi Foundation.
Wi-Fi is a trademark of the Wi-Fi Alliance.
Any other trademarks I mentioned without realising are trademarks of their respective holders.