April threat levels maintain upward trend amid COVID-19

by Matt Gillis, on May 3, 2020 3:45:00 PM

In April, the Digital Media ecosystem (like many others) continued to navigate the choppy waters brought on by the pandemic. Our most recent blog post on March 30th highlighted the marked surge in malvertising during the month of March as the world attempted to digest the impacts of COVID-19.

The effects of COVID-19 included increases in traffic, which, combined with a decrease in eCPM, allowed bad actors to take advantage of market forces and inflict pain when the ecosystem needed it the least. These trends, which began in mid-March, continued to impact the ecosystem throughout April.

Understanding Shifts In Malicious Behavior

We have seen some dramatic shifts in behaviors of the bad actors over the first four months of 2020. Their exploits are unpredictable, and their supply path to end-users is constantly changing. In this post, we’ll share how bad actors are accelerating their efforts, adapting to the current environment, and attempting to evade detection.

Our data represents tens of thousands of global sites and apps that generate tens of billions of monthly page views. cleanAD behaviorally analyzes the execution of JavaScript on these pages at run-time, where we block malicious activity in real-time.

We hope this data will give you more insight into how bad actors are thriving during the quarantine. If there is something you’d like us to dig into, drop us a line at hello@clean.io. If you’re experiencing challenges with respect to malvertising on your sites and apps, we’re here to help!

Learn more about what malvertising is and how to protect your business.

Malvertising Threat Levels Remain Elevated in April


In April, the cleanAD Threat Network saw a more consistently elevated global threat level throughout the month than previously experienced in March. While one-day spikes still occurred in April, the baseline Threat Level is also persistently increasing.

The peak threat level for April 2020 occurred on April 9, reaching approximately 64 times the baseline prior to the March shutdown.

Radical Changes in Malvertising Threats by Operating System


To evade detection, bad actors constantly change tactics – including changing the operating systems that they target. In January, the operating systems where we have been preventing malvertising attacks were largely split evenly between Android and iOS – accounting for over 86% of all threats prevented.

In February, the bad actors shifted focus to Windows devices. This changed quite rapidly: March and April have seen the lion’s share of ecosystem threats occurring on Android, which accounted for almost 80% of all threats in the last 30 days.

Chrome Mobile and Facebook Emerge as Browsers of Choice for Bad Actors


In January 2020, the threat landscape by browser was largely a level playing field. A total of 5 different browsers each held at least a 10% share of threats in the month. Over the course of the following three months, the threat landscape evolved, and certain browsers were leveraged for threats more than others.

In February, while Snapchat experienced a smaller share, Firefox stepped up and captured over 15% share of threats (up from being non-existent the month prior).

In March, Chrome Mobile and Facebook’s Embedded Browser started to separate from the pack while Snapchat’s Embedded Browser jumped back into the top 3 most frequently attacked browsers.

By April, the bad actors truly consolidated their volume, focusing on Chrome Mobile and Facebook, which had a combined total of 75% of all blocked threats.

Malicious Activity Constantly Shifting Between SSPs


As publishers work with more and more partners to improve demand density during these challenging economic times, the risk of malicious ad fraud impacting users increases.

As suggested earlier in the post, bad actors often change tactics, moving around within the ecosystem to evade detection. Not only do they change operating systems and browsers, but they also rapidly move their threats through a variety of SSPs.

Each color on this chart represents a unique SSP; the variety of colors indicates that the problem is widespread. While the “Blue SSP” was the largest originating SSP for threats in both March and April, a few new SSPs rotated into the mix.

The “Purple SSP” had threat volumes accelerate in mid-April after becoming somewhat dormant since mid-March. Several other SSPs (including Red, Pink, Green, Orange, and Light Blue) became larger factors in allowing malvertisers access to impressions and devices.

cleanAD is the only anti-malvertising solution that uses behavioral analysis to detect and prevent malvertising in real-time, adapting to changing threats and scaling to meet increasing volume automatically. Try cleanAD free to see how easy malvertising prevention can be.
