
In April, the Digital Media ecosystem (like many others) continued to navigate the choppy waters brought on by the pandemic. Our most recent blog post on March 30th highlighted the marked surge in malvertising during the month of March as the world attempted to digest the impacts of COVID-19. 

The effects of COVID-19 included increases in traffic, which, combined with a decrease in eCPM, allowed bad actors to take advantage of market forces and inflict pain when the ecosystem needed it the least. These trends that began in mid-March continued to impact the ecosystem throughout April.

Understanding Shifts In Malicious Behavior

We have seen some dramatic shifts in behaviors of the bad actors over the first four months of 2020. Their exploits are unpredictable, and their supply path to end-users is constantly changing. In this post, we’ll share how bad actors are accelerating their efforts, adapting to the current environment, and attempting to evade detection.   

Our data represents tens of thousands of global sites and apps that generate tens of billions of monthly page views. clean.io behaviorally analyzes the execution of JavaScript on these pages at run-time, where we block malicious activity in real-time.

We hope this data will give you more insight into how bad actors are thriving during the quarantine. If there is something you’d like us to dig into, drop us a line at [email protected]. If you’re experiencing challenges with respect to malvertising on your sites and apps, we’re here to help!

Learn more about what malvertising is and how to protect your business.

Malvertising Threat Levels Remain Elevated in April

clean.io Global Threat Level - March & April 2020 Malvertising

In April, the clean.io Threat Network saw a more consistently elevated global threat level throughout the month than previously experienced in March. While one-day spikes still occurred in April, the baseline Threat Level is also persistently increasing.

The peak threat level for April 2020 occurred on April 9, reaching approximately 64 times the baseline prior to the March shutdown.

Radical Changes in Malvertising Threats by Operating System

clean.io malvertising threat level per operating systems

To evade detection, bad actors constantly change tactics – including changing the operating systems that they target. In January, the operating systems where we have been preventing malvertising attacks were largely split evenly between Android and iOS – accounting for over 86% of all threats prevented.

In February, the bad actors shifted focus to Windows devices. This changed quite rapidly: March and April have seen the lion’s share of ecosystem threats occurring on Android, which accounted for almost 80% of all threats in the last 30 days.

Chrome Mobile and Facebook Emerge as Browsers of Choice for Bad Actors

clean.io malvertising threat level per browser

In January 2020, the threat landscape by browser was largely a level playing field. A total of 5 different browsers each held at least a 10% share of threats in the month. Over the course of the following three months, the threat landscape evolved, and certain browsers were leveraged for threats more than others.

In February, while Snapchat experienced a smaller share, Firefox stepped up and captured over 15% share of threats (up from being non-existent the month prior).

In March, Chrome Mobile and Facebook’s Embedded Browser started to separate from the pack while Snapchat’s Embedded Browser jumped back into the top 3 most frequently attacked browsers.

By April, the bad actors truly consolidated their volume, focusing on Chrome Mobile and Facebook, which had a combined total of 75% of all blocked threats.

Malicious Activity Constantly Shifting Between SSPs

Threat Concentration by SSP March and April 2020

As publishers work with more and more partners to improve demand density during these challenging economic times, the risk of malicious ad fraud impacting users increases.

As suggested earlier in the post, bad actors often change tactics, moving around within the ecosystem to evade detection. Not only do they change operating systems and browsers, but they also rapidly move their threats through a variety of SSPs.

Each color on this chart represents a unique SSP; the variety of colors indicates that the problem is widespread. While the “Blue SSP” was the largest originating SSP for threats in both March and April, a few new SSPs rotated into the mix.

The “Purple SSP” saw threat volumes accelerate in mid-April after becoming somewhat dormant since mid-March. Several other SSPs (including Red, Pink, Green, Orange, and Light Blue) became larger factors in allowing malvertisers access to impressions and devices.

clean.io is the only anti-malvertising solution that uses behavioral analysis to detect and prevent malvertising in real-time, adapting to changing threats and scaling to meet increasing volume automatically. Try clean.io free to see how easy malvertising prevention can be.

Want to learn more about anti-malvertising solutions? Check out our latest eBook:

Choosing A Future-Proofed Anti-Malvertising Solution