{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:01:23Z","timestamp":1777806083593,"version":"3.51.4"},"reference-count":35,"publisher":"SAGE Publications","issue":"4","license":[{"start":{"date-parts":[[2019,6,14]],"date-time":"2019-06-14T00:00:00Z","timestamp":1560470400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2019,7,18]]},"abstract":"Advertisements are the fuel that runs many online services such as websites or mobile apps, but also adversaries started to abuse ads for financial gains. Nowadays, online advertising companies track users all over the web in order to create successful online ads campaigns specifically tailored for a target audience. A popular phenomenon on the Internet, so-called adware, abuses online advertisements by maliciously injecting or replacing ads on websites. As many consider ads to be quite privacy intrusive, much work has gone into studying the effects of online advertisements on users\u2019 privacy. However, only little work has been done so far into analyzing the privacy implications of adware.<\/jats:p>\n In this work, we shed light on the capabilities, mainly concerning tracking and personal data exfiltrating, of adware and potentially unwanted programs (PUPs), at scale. To this end, we capture the communication of adware\/PUPs in the Firefox browser on the application level to circumvent lower-level encryption (e.g., TLS). Using this framework for capturing the network traffic, we dynamically analyze the communication of over 16,000 adware or potentially unwanted program samples. We find that around 37% of requests issued by the analyzed samples contain some kind of personal information. Furthermore, we identify the services used by adversaries and provide insights on the used tracking techniques.<\/jats:p>","DOI":"10.3233\/jcs-191287","type":"journal-article","created":{"date-parts":[[2019,6,14]],"date-time":"2019-06-14T15:46:15Z","timestamp":1560527175000},"page":"459-481","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":1,"title":["Analyzing leakage of personal information by malware"],"prefix":"10.1177","volume":"27","author":[{"given":"Tobias","family":"Urban","sequence":"first","affiliation":[{"name":"Institute for Internet Security, Westphalian University of Applied Sciences, NRW, Germany. E-mails:\u00a0,\u00a0"},{"name":"Horst G\u00f6rtz Institute for IT Security, Ruhr-University Bochum, NRW, Germany. E-mails:\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dennis","family":"Tatang","sequence":"additional","affiliation":[{"name":"Horst G\u00f6rtz Institute for IT Security, Ruhr-University Bochum, NRW, Germany. E-mails:\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Thorsten","family":"Holz","sequence":"additional","affiliation":[{"name":"Horst G\u00f6rtz Institute for IT Security, Ruhr-University Bochum, NRW, Germany. E-mails:\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Norbert","family":"Pohlmann","sequence":"additional","affiliation":[{"name":"Institute for Internet Security, Westphalian University of Applied Sciences, NRW, Germany. E-mails:\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"179","published-online":{"date-parts":[[2019,6,14]]},"reference":[{"key":"ref001","doi-asserted-by":"crossref","unstructured":"G.\u00a0Acar, C.\u00a0Eubank, S.\u00a0Englehardt, M.\u00a0Juarez, A.\u00a0Narayanan and C.\u00a0Diaz, The web never forgets: Persistent tracking mechanisms in the wild, in: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS \u201914, ACM, New York, NY, USA, 2014, pp.\u00a0674\u2013689, http:\/\/doi.acm.org\/10.1145\/2660267.2660347. ISBN 978-1-4503-2957-6.","DOI":"10.1145\/2660267.2660347"},{"key":"#cr-split#-ref002.1","doi-asserted-by":"crossref","unstructured":"G.\u00a0Acar, M.\u00a0Juarez, N.\u00a0Nikiforakis, C.\u00a0Diaz, S.\u00a0G\u00fcrses, F.\u00a0Piessens and B.\u00a0Preneel, FPDetective: Dusting the web for fingerprinters, in: Proceedings of the 2013 ACM SIGSAC Conference on Computer &","DOI":"10.1145\/2508859.2516674"},{"key":"#cr-split#-ref002.2","unstructured":"Communications Security, CCS '13, ACM, New York, NY, USA, 2013, pp.\u00a01129-1140, http:\/\/doi.acm.org\/10.1145\/2508859.2516674. ISBN 978-1-4503-2477-9."},{"key":"ref003","unstructured":"Inc.\u00a0Alexa Internet, Top 500 Global Sites, http:\/\/www.alexa.com\/topsites, 2017."},{"key":"ref004","doi-asserted-by":"crossref","unstructured":"S.\u00a0Arshad, A.\u00a0Kharraz and W.\u00a0Robertson, Identifying extension-based ad injection via fine-grained web content provenance, in: Research in Attacks, Intrusions, and Defenses: 19th International Symposium, RAID 2016, Paris, France, September 19\u201321, 2016, Proceedings, F.\u00a0Monrose, M.\u00a0Dacier, G.\u00a0Blanc and J.\u00a0Garcia-Alfaro, eds, Springer International Publishing, Cham, 2016, pp.\u00a0415\u2013436, https:\/\/doi.org\/10.1007\/978-3-319-45719-2_19. ISBN 978-3-319-45719-2.","DOI":"10.1007\/978-3-319-45719-2_19"},{"key":"ref005","doi-asserted-by":"crossref","unstructured":"K.\u00a0Boda, \u00c1.M.\u00a0F\u00f6ldes, G.G.\u00a0Guly\u00e1s and S.\u00a0Imre, User tracking on the web via cross-browser fingerprinting, in: Proceedings of the 16th Nordic Conference on Information Security Technology for Applications, NordSec\u201911, Springer-Verlag, Berlin, Heidelberg, 2012, pp.\u00a031\u201346, http:\/\/dx.doi.org\/10.1007\/978-3-642-29615-4_4. ISBN 978-3-642-29614-7.","DOI":"10.1007\/978-3-642-29615-4_4"},{"key":"ref006","unstructured":"D.\u00a0Bonderud, WoT privacy breach: Trust tanks as browser add-on caught selling user data, https:\/\/securityintelligence.com\/news\/wot-privacy-breach-trust-tanks-as-browser-add-on-caught-selling-user-data, 2017, Accessed: 2017-10-31."},{"key":"ref007","doi-asserted-by":"publisher","DOI":"10.1509\/jmkr.40.3.249.19241"},{"key":"ref008","unstructured":"Check Point, Charger malware calls and raises the risk on Google Play, 2017, https:\/\/blog.checkpoint.com\/2017\/01\/24\/charger-malware\/."},{"key":"ref009","unstructured":"DomainState, Domain tools, stats, news, forum and directory, https:\/\/www.domainstate.com\/registrar-stats.html, 2017, Accessed: 2017-08-09."},{"key":"ref010","unstructured":"P.\u00a0Eckersley, How unique is your web browser? in: Proceedings of the 10th International Conference on Privacy Enhancing Technologies, PETS\u201910, Springer-Verlag, Berlin, Heidelberg, 2010, pp.\u00a01\u201318, http:\/\/dl.acm.org\/citation.cfm?id=1881151.1881152. ISBN 3-642-14526-4, 978-3-642-14526-1."},{"key":"ref011","doi-asserted-by":"crossref","unstructured":"S.\u00a0Englehardt and A.\u00a0Narayanan, Online tracking: A 1-million-site measurement and analysis, in: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS \u201916, ACM, New York, NY, USA, 2016, pp.\u00a01388\u20131401, http:\/\/doi.acm.org\/10.1145\/2976749.2978313. ISBN 978-1-4503-4139-4.","DOI":"10.1145\/2976749.2978313"},{"key":"ref012","unstructured":"M.\u00a0Foundation, Add-ons for Firefox, https:\/\/addons.mozilla.org\/, 2017, Accessed: 2017-07-05."},{"key":"ref013","unstructured":"G.\u00a0Inc., Google safe browsing APIs (v4), https:\/\/developers.google.com\/safe-browsing\/, 2017, Accessed: 2017-08-04."},{"key":"ref014","unstructured":"GreatFire, Blocked sites in China\u00a0\u2013 Bringing transparency to the great firewall of China, https:\/\/en.greatfire.org\/search\/blocked, 2017."},{"key":"ref015","doi-asserted-by":"crossref","unstructured":"T.\u00a0Hupperich, D.\u00a0Maiorca, M.\u00a0K\u00fchrer, T.\u00a0Holz and G.\u00a0Giacinto, On the robustness of mobile device fingerprinting: Can mobile users escape modern web-tracking mechanisms? in: Proceedings of the 31st Annual Computer Security Applications Conference, ACSAC 2015, ACM, New York, NY, USA, 2015, pp.\u00a0191\u2013200, http:\/\/doi.acm.org\/10.1145\/2818000.2818032. ISBN 978-1-4503-3682-6. doi:10.1145\/2818000.2818032.","DOI":"10.1145\/2818000.2818032"},{"key":"ref016","doi-asserted-by":"crossref","unstructured":"T.\u00a0Hupperich, D.\u00a0Tatang, N.\u00a0Wilkop and T.\u00a0Holz, An empirical study on online price differentiation, in: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, CODASPY \u201918, ACM, New York, NY, USA, 2018, pp.\u00a076\u201383, http:\/\/doi.acm.org\/10.1145\/3176258.3176338. ISBN 978-1-4503-5632-9.","DOI":"10.1145\/3176258.3176338"},{"key":"ref017","unstructured":"N.\u00a0Jagpal, E.\u00a0Dingle, J.P.\u00a0Gravel, P.\u00a0Mavrommatis, N.\u00a0Provos, M.A.\u00a0Rajab and K.\u00a0Thomas, Trends and lessons from three years fighting malicious extensions, in: Proceedings of the 24th USENIX Conference on Security Symposium, SEC\u201915, USENIX Association, Berkeley, CA, USA, 2015, pp.\u00a0579\u2013593, http:\/\/dl.acm.org\/citation.cfm?id=2831143.2831180. ISBN 978-1-931971-232."},{"key":"ref018","unstructured":"A.\u00a0Kapravelos, C.\u00a0Grier, N.\u00a0Chachra, C.\u00a0Kruegel, G.\u00a0Vigna and V.\u00a0Paxson, Hulk: Eliciting malicious behavior in browser extensions, in: Proceedings of the 23rd USENIX Conference on Security Symposium, SEC\u201914, USENIX Association, Berkeley, CA, USA, 2014, pp.\u00a0641\u2013654, http:\/\/dl.acm.org\/citation.cfm?id=2671225.2671266. ISBN 978-1-931971-15-7."},{"key":"ref019","unstructured":"P.\u00a0Kotzias, L.\u00a0Bilge and J.\u00a0Caballero, Measuring PUP prevalence and PUP distribution through pay-per-install services, in: 25th USENIX Security Symposium (USENIX Security 16), USENIX Association, Austin, TX, 2016, pp.\u00a0739\u2013756, https:\/\/www.usenix.org\/conference\/usenixsecurity16\/technical-sessions\/presentation\/kotzias. ISBN 978-1-931971-32-4."},{"key":"ref020","doi-asserted-by":"crossref","unstructured":"A.\u00a0Kurtz, H.\u00a0Gascon, T.\u00a0Becker, K.\u00a0Rieck and F.C.\u00a0Freiling, Fingerprinting mobile devices using personalized configurations, in: Proceedings on Privacy Enhancing Technologies (PoPETs) 2016(1) 2016, pp.\u00a04\u201319, http:\/\/www.degruyter.com\/view\/j\/popets.2016.2016.issue-1\/popets-2015-0027\/popets-2015-0027.xml.","DOI":"10.1515\/popets-2015-0027"},{"key":"ref021","unstructured":"W.S.\u00a0LLC, WOT API | WOT (Web of Trust), https:\/\/www.mywot.com\/en\/api, 2017, Accessed: 2017-10-31."},{"key":"ref022","unstructured":"K.\u00a0Mowery and H.\u00a0Shacham, Pixel perfect: Fingerprinting canvas in HTML5, in: Proceedings of the Web 2.0 Security & Privacy Workshop (W2SP), M.\u00a0Fredriksonn, ed. IEEE Computer Society, New York, NY, USA, 2012, pp.\u00a01\u201312."},{"key":"ref023","doi-asserted-by":"crossref","unstructured":"N.\u00a0Nikiforakis, A.\u00a0Kapravelos, W.\u00a0Joosen, C.\u00a0Kruegel, F.\u00a0Piessens and G.\u00a0Vigna, Cookieless monster: Exploring the ecosystem of web-based device fingerprinting, in: Proceedings of the 2013 IEEE Symposium on Security and Privacy, SP \u201913, IEEE Computer Society, Washington, DC, USA, 2013, pp.\u00a0541\u2013555. ISBN 978-0-7695-4977-4. doi:10.1109\/SP.2013.43.","DOI":"10.1109\/SP.2013.43"},{"key":"ref024","doi-asserted-by":"crossref","unstructured":"L.\u00a0Olejnik, G.\u00a0Acar, C.\u00a0Castelluccia and C.\u00a0Diaz, The leaking battery, in: Revised Selected Papers of the 10th International Workshop on Data Privacy Management, and Security Assurance, Vol.\u00a09481, Springer-Verlag, New York, 2016, pp.\u00a0254\u2013263, http:\/\/dx.doi.org\/10.1007\/978-3-319-29883-2_18. ISBN 978-3-319-29882-5.","DOI":"10.1007\/978-3-319-29883-2_18"},{"key":"ref025","unstructured":"E.\u00a0Parliament and the Council, Directive 2009\/136\/EC, 2009."},{"key":"ref026","unstructured":"R.M.\u00a0Smith,\n The web bug faq\n , Nov 11 (1999), 4."},{"key":"ref027","unstructured":"A.\u00a0Soltani, S.\u00a0Canty, Q.\u00a0Mayo, L.\u00a0Thomas and C.J.\u00a0Hoofnagle, Flash cookies and privacy, in: AAAI Spring Symposium: Intelligent Information Privacy Management, Association for the Advancement of Artificial Intelligence, Palo Alto, CA, USA, 2010, pp.\u00a01\u20136, http:\/\/dblp.uni-trier.de\/db\/conf\/aaaiss\/aaaiss2010-5.html#SoltaniCMTH10."},{"key":"ref028","doi-asserted-by":"crossref","unstructured":"O.\u00a0Starov and N.\u00a0Nikiforakis, Extended tracking powers: Measuring the privacy diffusion enabled by browser extensions, in: Proceedings of the 26th International Conference on World Wide Web, WWW \u201917, International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 2017, pp.\u00a01481\u20131490. ISBN 978-1-4503-4913-0. doi:10.1145\/3038912.3052596.","DOI":"10.1145\/3038912.3052596"},{"key":"ref029","unstructured":"StatCounter, GlobalStats browser market share, http:\/\/gs.statcounter.com\/, 2017, Accessed: 2017-08-09."},{"key":"ref030","doi-asserted-by":"crossref","unstructured":"K.\u00a0Thomas, E.\u00a0Bursztein, C.\u00a0Grier, G.\u00a0Ho, N.\u00a0Jagpal, A.\u00a0Kapravelos, D.\u00a0Mccoy, A.\u00a0Nappa, V.\u00a0Paxson, P.\u00a0Pearce, N.\u00a0Provos and M.A.\u00a0Rajab, Ad injection at scale: Assessing deceptive advertisement modifications, in: Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP \u201915, IEEE Computer Society, Washington, DC, USA, 2015, pp.\u00a0151\u2013167. ISBN 978-1-4673-6949-7. doi:10.1109\/SP.2015.17.","DOI":"10.1109\/SP.2015.17"},{"key":"ref031","unstructured":"K.\u00a0Thomas, J.A.E.\u00a0Crespo, R.\u00a0Rasti, J.M.\u00a0Picod, C.\u00a0Phillips, M.A.\u00a0Decoste, C.\u00a0Sharp, F.\u00a0Tirelo, A.\u00a0Tofigh, M.A.\u00a0Courteau, L.\u00a0Ballard, R.\u00a0Shield, N.\u00a0Jagpal, M.A.\u00a0Rajab, P.\u00a0Mavrommatis, N.\u00a0Provos, E.\u00a0Bursztein and D.\u00a0McCoy, Investigating commercial pay-per-install and the distribution of unwanted software, in: 25th USENIX Security Symposium (USENIX Security 16), USENIX Association, Austin, TX, 2016, pp.\u00a0721\u2013739, https:\/\/www.usenix.org\/conference\/usenixsecurity16\/technical-sessions\/presentation\/thomas. ISBN 978-1-931971-32-4."},{"key":"ref032","doi-asserted-by":"crossref","unstructured":"T.\u00a0Urban, D.\u00a0Tatang, T.\u00a0Holz and N.\u00a0Pohlmann, Towards understanding privacy implications of adware and potentially unwanted programs, in: Computer Security, J.\u00a0Lopez, J.\u00a0Zhou and M.\u00a0Soriano, eds, Springer International Publishing, Cham, 2018, pp.\u00a0449\u2013469. ISBN 978-3-319-99073-6. doi:10.1007\/978-3-319-99073-6_22.","DOI":"10.1007\/978-3-319-99073-6_22"},{"key":"ref033","unstructured":"VirusTotal, Free online virus, malware and URL scanner, https:\/\/virustotal.com\/, 2017, Accessed: 2017-07-24."},{"key":"ref034","doi-asserted-by":"crossref","unstructured":"M.\u00a0Weissbacher, E.\u00a0Mariconti, G.\u00a0Suarez-Tangil, G.\u00a0Stringhini, W.\u00a0Robertson and E.\u00a0Kirda, Ex-ray: Detection of history-leaking browser extensions, in: Proceedings of the 33st Annual Computer Security Applications Conference, ACM, New York, NY, USA, 2017, pp.\u00a01\u201313, ACM publishing.","DOI":"10.1145\/3134600.3134632"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191287","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-191287","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191287","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:18Z","timestamp":1777495518000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-191287"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,6,14]]},"references-count":35,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2019,7,18]]}},"alternative-id":["10.3233\/JCS-191287"],"URL":"https:\/\/doi.org\/10.3233\/jcs-191287","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,6,14]]}}}