JavaScript Mobile App Hijacking Still Going On

Never trust an ad network. Or really, never let someone you don’t completely trust have an open door to put JavaScript on your website.

That seems to be the message if you look at what’s been going on with websites that redirect users to Apple App Store install pages. This happened to me this morning.

I was reading this article, from a link posted on Twitter:

This was an article on And then, without me touching/clicking anything it redirected me to the Spotify install page:

Wow, so how did this happen? There are plenty of stories about this kind of thing from the past few weeks. Some of the apps mentioned in these stories are Candy Crush, Jelly Splash, Clash of Clans, Game of War and Zelda Dungeon. Now Spotify. I’m guessing that the people driving this nefarious non-user-initiated traffic are NOT the makers of these apps but instead some kind of app install intermediaries/agents. In the above case, most of the ad units on the page were Google’s, but there are other bits of code from a variety of other companies. Here are screenshots of what other ads were showing on the page in the same session I got “popped-up” on.

I couldn’t definitely say where the issues are coming from, but in one of the above stories:

“NBC Sports, which had a nearly identical problem on Jan. 1, [2014], said the redirects were caused by ad inventory sold by Google.”