January 16, 2018 | Mobile Advertising | by Christopher Hendrickson

Malvertising & Mobile Pop-ups: What Publishers Can Do

The rapid rise of intrusive and dangerous mobile pop-ups has left the industry trying to find a solution. Here is the story of where these ads came from, what they are capable of, and how publishers can help.

Poor Ad Formats: A Long Story
In the early days of the internet, when each click of the mouse appeared to bring with it a cascade of flashing ads, pop-ups, and other undesirable changes, frustrating experiences were part and parcel of browsing online.

But, interestingly, the pop-up window had noble origins related to brand safety: the first pop-up ad was created by Ethan Zuckerman so that brands running ads on a page would not be directly associated with that page’s content. However, Zuckerman’s invention was rapidly adapted for misuse and it continues to be abused today. The pop-up is such a nuisance that browsers have long integrated pop-up blockers into their browsers.

The (potential) final nail in the coffin for the pop-up (and other poor ad formats) will arrive on February 15, when Chrome begins to block ads on domains that violate new standards from the Coalition for Better Ads.

But while the end of the battle against pop-up windows on desktop is on the horizon, a new and relentless wave of mobile pop-ups are having extremely negative impacts on user experiences, the credibility of publishers, and even the security of devices.

Mobile Pop-Ups: The Origins
The ad tech industry changes quickly, meaning it can be tough to keep up with developments and changes. These intrusive pop-up ads have leveraged this fact to spread quickly, and have the potential to redirect users to other domains, block the browser’s back button, and even continue to redirect users after the user has attempted to close the ad.

These innocent ads can carry malicious JavaScript components, and have come about largely due to a number of third-party ad servers that do not vet their ads meticulously enough. The fact that many publishers heavily rely on these third-party ad servers to monetize their sites has also been responsible for the large spread. Will Strafach, and iOS security researcher and President of Sudo Security Group, says “ad purchasers are apparently not well-vetted enough and are given too much leeway with regards to JavaScript code execution. I would like to see ad exchanges crack down on this type of aggressive code with a better screening process.”

Given that these pop-up ads are capable of redirecting users to unrelated domains, users can potentially find themselves on pages that install malware on devices. And what’s more, these pop-ups were traditionally only found on lower-tier publications but have since spread to the likes of Twitter and Facebook. Because of the scale of the issue, users, browsers, demand providers, and publishers are all working to find a solution.

What Publishers Can Do

Be compliant with new standards from The Coalition For Better Ads
These new standards are aiming to eradicate the most frustrating ad experiences that exist on both desktop and mobile. From February 15th onwards, Chrome will block all ads on domains where non-compliant ads are found for more than 30 days.

Diligently track ad experiences
Publishers need to make sure that they are receptive to feedback when it comes to ad experiences that users have. Being responsive and examining an ad configuration in light of user feedback or even your own experiences is important.

Report poor experiences
Publishers should feel comfortable enough to escalate any issues that they experience to the relevant ad networks. This could potentially have bigger impacts beyond individual websites too, given that ad networks will be able to investigate and stem the flow of poor ads.

The Marfeel team will keep you updated on the changes and developments on this topic, so be sure to subscribe to updates from the blog by using the form below.