Malvertising Statistics: Attacks on Browsers & Devices in Q2 2020
by Marshall Moritz, on Jul 27, 2020 5:45:00 PM
This series explores each of our Q2 Smart Report findings in more depth and detail. Explore all articles in this series:
- How COVID has Affected Key Malvertising Statistics in Q2 2020
- How Attackers Used SSPs & DSPs to Execute Attacks in Q2 2020
- Malvertising Statistics: Attacks on Browsers & Devices in Q2 2020 (this article)
- Full Q2 2020 Smart Report
Q2 data shows the way in which bad actors selectively attack different browsers and devices. Always on the lookout for vulnerabilities, Q2 data shows how attackers specifically target their attacks towards certain Browsers, Devices, and Operating Systems.
Ad Pricing Across Devices
Before we dive into the malvertising statistics and data from Q2 2020, let’s take some time to review ad pricing across the ecosystem.
Some important data points to keep in mind are:
- Mobile advertising is expected to make up a staggering 75% of all digital ad spending by 2022. (source)
- In 2020, the mobile advertising market is expected to exceed $200 billion globally. (source)
- Average CPM for iOS Banners in 2019 was between $0.20 and $2.00. (source)
- Average CPM for iOS Interstitials in 2019 was between $3.00 and $5.00. (source)
- Average CPM for Android Banners in 2019 was between $0.15 and $1.50. (source)
- Average CPM for Android Interstitials in 2019 was between $2.00 and $4.00. (source)
- In general CPM costs for all of the above mobile placements are trending downward. (source)
- Average CPM for Google AdWords in 2020 is around $2.80. (source)
There are a few takeaways from all of this data that are helpful as we begin to dive into the attack trends we saw in Q2 2020.
First, the usage of mobile devices by end-users continues an upward trend. More people are viewing content through apps and via mobile devices than ever.
Second, the digital advertising market is shifting dramatically toward mobile. More advertisers are spending on mobile, it has surpassed desktop advertising, and the gap is continuing to grow in favor of mobile.
Third, advertising prices on mobile are often lower than on desktop. Average CPMs for interstitials on both iOS and Android are lower than the average CPM for Google AdWords, the most popular desktop ad provider.
Mobile Device & Browser Usage
Let’s also take some time to look at browser and device usage trends before looking at malvertising trends.
Some important data points to keep in mind are:
- ChromeOS holds about 70% of the mobile device operating system market share. (source)
- Chrome Mobile holds 64% of the mobile browser market share. (source)
- As of 2018 Facebook achieved a mobile browser market share of around 10 percent in many states and was on the rise. (source)
- 50.1% of the time spent on mobile is done using social media apps in 2020. (source)
- Facebook is the most popular social media application, with users spending an average of 2 hours and 24 minutes each day Facebook’s mobile app. (source)
There are a few takeaways from all of this data that are helpful as we begin to dive into the attack trends we saw in Q2 2020. The most important thing to keep in mind is where the majority of mobile users are spending their time, and it is overwhelmingly on Facebook and Chrome’s mobile browser.
Q2 Device & Browser Malvertising Attack Trends
Browser Attack Trends
Based on the data above, it comes as little surprise that Facebook’s embedded browser and Chrome Mobile were the most attacked in the ecosystem.
In Q2 the combination of Chrome Mobile and Facebook’s embedded browser accounted for 59.33% of all browser attacks.
Malvertisers, being the opportunists that they are, look for potential victims in the easiest of places, where they are spending most of their time, and for the cheapest investment.
In Q2 2020 we found that 7 of the top 10 attacked browsers were mobile, and mobile browsers overall overwhelmingly held the lead in terms of threat levels.
Given the cost of advertising in the mobile ecosystem compared to desktop pricing, it isn’t surprising to see malvertisers taking the path of least resistance. They have chosen to live where advertising is cheaper, making it easier to maintain profit margins for their activities.
Q2 Operating System Trends
In Q2 2020, bad actors focused on Android devices as their primary OS. Android OS accounted for a total 58.57% of attacks across the quarter.
Again, given the global usage of Android and Chrome devices, malvertisers are choosing to launch campaigns where there is a larger audience of potential victims.
Q2 Operating System Attack Shifts
Across the whole of Q2, we noticed that bad actors rotated efforts between chrome and iOS.
This is indicative, similar to the activity we saw with SSP threat levels across Q2, of small probing attacks followed by larger-scale campaigns. Bad actors will shift the primary focus of their activities after a period of time to avoid following the same patterns long enough to be caught.
While we see attacks across all devices, most attacks are consistently focused on mobile devices. Mobile allows access to more ads at lower price points, making it easier for malvertisers to turn a profit.
It also follows that Android accounted for 58.57% of all threats in Q2; as it is generally less expensive than iOS inventory, and more popular globally, it allows bad actors access at lower price points to turn a profit at the expense of users.
Protecting mobile is key.
Bad actors continue to focus more heavily on mobile in their attacks, so protecting user experience on mobile devices will be an important initiative.
Focus on embedded browsers.
Embedded browsers, particularly Facebook, continue to hold the highest threat vector. Finding ways to preserve user experience in embedded browsers is of utmost importance.
Ensuring user experience in-app will continue to rise in importance for app developers to keep in mind as well as multi-screen publishers.
Read the full Q2 2020 Smart Report.