Adware.

Adware injects advertisements into the user experience — pop-ups, banners, search-result hijacks, or redirects — typically to generate revenue for its operator. It is often bundled with free utilities, browser extensions or pirated software, and frequently includes tracking components that report browsing habits. While not always malicious in the strict sense, aggressive adware degrades performance, undermines privacy, and can serve as a stepping stone for more harmful payloads.

The Superfish incident shows how dangerous "just ads" can be. From late 2014, Lenovo pre-installed Superfish VisualDiscovery on consumer laptops to inject shopping ads. To insert ads into encrypted pages, it installed a self-signed root CA certificate and ran a local TLS proxy — a deliberate man-in-the-middle on the user's own HTTPS traffic. Because the proxy (built on Komodia's SDK) shipped the same private key on every machine and that key's password was trivially cracked, any attacker on the same network could impersonate any HTTPS site without warnings. CISA issued alert TA15-051A in February 2015, and Lenovo released removal tools. Fireball (Check Point, 2017) similarly turned browsers into ad-revenue zombies at scale.

Defences include installing only from reputable sources, reviewing browser-extension permissions, ad/script blockers, anti-PUP scanners, removing unnecessary bundled software, and auditing the system trust store for unexpected root certificates.

flowchart TD
  A[Free utility / bundled installer /<br/>pre-installed OEM software] --> B[Adware installed]
  B --> C[Inject ads: pop-ups,<br/>banners, search hijack]
  B --> D[Track browsing habits]
  B --> E[Install rogue root CA<br/>+ local TLS proxy]
  E --> F[Decrypt HTTPS to inject ads<br/>= man-in-the-middle]
  F --> G[Shared key → anyone can<br/>spoof any site e.g. Superfish]
  C --> H[Defences: anti-PUP scan, ad blocker,<br/>extension review, audit trust store]
  E --> H