
What Is Adware: Types, Risks, Real Cases and How to Remove It

What adware is, types (legitimate, aggressive, malicious, mobile), real cases (Fireball, Lenovo Superfish, ad fraud) and how to remove it in enterprise.

Secra · May 10, 2026 · 11 min read

Adware is software that displays unsolicited advertising to the user and collects browsing data for advertising purposes. Some variants also redirect web traffic to advertisers controlled by the distributor. It lives on the border between nuisance software and malware: a significant share of adware isn't strictly illegal and gets labelled by antivirus tools as PUA (Potentially Unwanted Application) or PUP (Potentially Unwanted Program), while the more aggressive variants get close to spyware (a neighbouring category within types of malware) and banking malware.

This guide explains what adware specifically is, the four types appearing in investigations (declared legitimate, aggressive, malicious, mobile), the real risks both for home users and enterprise, documented cases (Fireball, Lenovo Superfish, ad fraud campaigns), how it gets detected, how to remove it step by step and why a modern antivirus blocks it before it reaches the endpoint.

What adware is

Adware is software whose primary or secondary purpose is to display advertising to the user, redirect their browsing to advertisers or collect data for advertising purposes. The four properties that identify it:

  1. Advertising monetisation as the distributor's business model.
  2. Installation frequently with dubious consent: bundled with free software, fake installers, cracks, browser extensions.
  3. Persistence in the system via typical mechanisms: browser extensions, Windows services, startup agents, default browser modification.
  4. Variable impact: from occasional pop-up ads to browser hijacking and capture of sensitive data.

What it gives the distributor:

  • Advertising revenue. Pay-per-click, pay-per-install, redirection to affiliate networks.
  • Browsing data. History, searches, shopping habits. Resold to data brokers.
  • Tracking. Tracking pixels and device fingerprinting for targeted ads.
  • Pre-installation on hardware via OEM bundles (Lenovo Superfish is the paradigmatic case).

What distinguishes it from pure malware:

  • Some variants are legally recognised as software with ambiguous consent, not criminal.
  • Doesn't always steal credentials or damage data, although aggressive variants get close.
  • The user usually signs EULAs that authorise part of the behaviour, even if they sign without reading.

Four types by severity

Declared legitimate adware

Free software financed by showing advertising and declaring it at installation. Historical examples: free versions of mobile apps, Windows downloads with opt-in ads, Spotify Free with advertising between tracks. The border with legitimate freemium is blurry but it exists.

Low risk if the user is aware. Modern platforms (Apple App Store, Google Play, Microsoft Store) impose rules on transparency and consent that have reduced abuses.

Aggressive adware (PUP/PUA)

Programs that show many more ads than expected, modify browser configuration (home page, search engine, extensions), add unwanted toolbars and persist even after apparent uninstallation.

Typical vector: bundling with free software installers. The user installs a video decoder and, without noticing, also installs three browser extensions and two Windows services. Classic families: Conduit, Babylon, MyWay, Mindspark, OpenCandy.

Modern antivirus labels them as PUP/PUA and lets the user remove them. Microsoft Defender has exposed PUA blocking as a user-visible setting since 2020, but it is not guaranteed to be on in every configuration (managed devices in particular get it from policy), so check it rather than assume it.

Malicious adware

Crosses the line into malware. Behaviours:

  • Browser hijacker: completely hijacks the browser, redirects searches to controlled sites that serve more ads or malware.
  • Click fraud: simulates clicks on ads from the victim's machine generating revenue for the distributor.
  • Browsing data capture: cookies, forms, banking credentials in some cases.
  • Additional malware distribution: the adware serves as initial payload downloading trojans or stealers.

Families: Fireball (2017), Adload (macOS), DealPly, ChromeBack, Vonteera.

Mobile adware

The fastest-growing category in 2022-2026. Mainly Android applications (iOS is more tightly controlled by the App Store), but iOS is also reachable via malicious configuration profiles or alternative stores.

Typical behaviours: push notification spam, full-screen ads on opening any app, battery drain from background threads, SMS premium subscriptions without explicit consent.

Documented families: HiddenAds, FakeAdsBlock, Joker (subscriptions), BatBat (mass Play Store campaigns 2023-2024). Google has removed thousands of apps from Play Store for aggressive adware, but the problem keeps reproducing because the entry barrier is low.

Real risks

Adware has a reputation as "annoying but harmless". In 2026 that view is obsolete.

For home users:

  • Degraded performance and consumed battery.
  • Privacy compromised by mass tracking.
  • Chain risk: adware serves as gateway for trojans or stealers.
  • Unwanted premium subscriptions on mobile.
  • Banking information capture in aggressive variants.

For enterprise:

  • Slow endpoints with issues generating IT service tickets.
  • Cookies and authenticated sessions to corporate resources potentially leaked.
  • Exposure to malvertising: malicious ads that redirect to exploit kits and drive-by downloads.
  • Reduced SOC visibility when advertising traffic noise saturates logs.
  • Reputational risk if adware comes preinstalled on corporate equipment (Lenovo Superfish case).
  • NIS2/GDPR non-compliance if the personal data the adware exfiltrates falls within regulatory scope.

Documented real cases

Cases worth keeping in mind.

Fireball (2017). Operation by Rafotech (Chinese digital marketing firm) that infected approximately 250 million machines. Distributed adware bundled with free installers. Browser hijacker functionality plus capability to download and execute arbitrary code. Check Point classified it as malware, not PUP, because of remote execution capabilities.

Lenovo Superfish (2014-2015). Visual Discovery adware preinstalled on Lenovo consumer laptops. To inject ads into HTTPS pages it shipped an SSL-interception component (Komodia) that installed its own root certificate in the Windows trust store and re-signed every site's certificate on the fly. The same root private key was present on every affected laptop and was quickly extracted once the story broke, so anyone on the same network could forge a valid-looking certificate for any HTTPS site against those machines: a mass MitM vulnerability that lasted for months. Lenovo published a removal tool (and Microsoft Defender began removing it) after public pressure and regulators. Paradigmatic case of preinstalled adware crossing into serious security risk.
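The check that follows is an added example (not part of the original article, nor Lenovo's or Superfish's code): it lists certificates in the Windows root stores that carry a private key on the endpoint, which is the Superfish pattern, or whose subject matches names from public reports. The name list and the function name are assumptions for illustration; corporate TLS-inspection CAs produce the same pattern, so triage hits by hand.

```powershell
# Added example (not from the original article or from Lenovo/Superfish).
# A genuine public CA never ships its private key to endpoints; Superfish did,
# which is what let anyone forge certificates against its victims.

function Get-SuspiciousRootCA {
    [CmdletBinding()]
    param(
        # Subject keywords from public reports (assumption: extend to taste)
        [string[]]$SubjectPatterns = @('Superfish', 'Komodia', 'PrivDog'),
        # Both root stores: machine-wide and the current user's
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            $reasons = @()
            # A trusted root whose private key is usable on this endpoint can sign
            # a certificate for any site, so the TLS lock means nothing here.
            if ($cert.HasPrivateKey) { $reasons += 'private key present on this machine' }
            foreach ($p in $SubjectPatterns) {
                if ($cert.Subject -match [regex]::Escape($p)) { $reasons += "subject matches '$p'" }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousRootCA | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the LocalMachine store is fully readable. Removing a confirmed hit is `Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"`; if the interceptor also installed into Firefox's own certificate store, that one has to be cleaned separately.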

Adload (macOS, 2017-present). Active adware family on macOS, distributed by fake Flash Player and similar installers. Persistent, capable of evading XProtect initially, requiring successive rounds of Apple updates. Its historical success is an example that macOS isn't immune.

Joker campaigns (Android, 2017-present). Apps on Play Store with hidden SMS premium subscription functionality without consent. Google has removed hundreds of applications; developers publish new variants continuously.

HiddenAds (Android, 2020-present). Apps that hide their icon after installation and show full-screen ads periodically. Millions of installs accumulated on Play Store before mass removals in 2022-2023.

Ad fraud botnets (Methbot, 3ve, Migalo). Industrial variant: infrastructure built to simulate clicks and ad views and defraud advertising networks at scale. Methbot (2016) ran on rented data-centre servers with spoofed IP space rather than infected PCs; 3ve (2018) combined that with machines infected by the Boaxxe and Kovter malware and ended in US indictments. Ad fraud as a whole is estimated to cost advertisers billions of dollars a year. Structured operators with direct monetisation.

How it gets distributed

Realistic vectors, ordered by frequency:

  • Installation bundles. The free installer of a PDF converter includes default-checked options adding toolbars and services. Vector number one on Windows desktop.
  • Fake Flash, Java, codec installers. Compromised pages showing a pop-up that "your Flash is outdated". The installer is adware or pure malware.
  • Cracks and keygens. Pirate software that arrives with embedded adware.
  • Unverified browser extensions. Chrome Web Store and Firefox Add-ons remove adware frequently, but the entry barrier is low.
  • Mobile store apps. Especially Android. iOS reduces the risk but doesn't eliminate it (configuration profiles, alternative stores).
  • Malvertising. Malicious ads served by legitimate networks that redirect to adware download pages.
  • OEM pre-installation. New hardware with manufacturer software falling into the adware category (Superfish case).

How it gets detected and removed

For isolated home users:

  1. Modern antivirus. Microsoft Defender, Bitdefender, ESET, Malwarebytes. Free versions are usually enough for commodity adware.
  2. Specific anti-malware scan. Malwarebytes Free is a classic reference for removing PUP/PUA the main antivirus doesn't touch.
  3. Browser extension review and uninstall of unrecognised ones.
  4. Browser reset to default configuration if there's active browser hijacker.
  5. Manual review of registry and services on Windows: Run keys, scheduled tasks, suspicious services. Sysinternals Autoruns helps.
  6. Clean reinstall if the problem persists after several attempts. In 2026 it's still the safest defensive answer for persistent cases.
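A worked example of steps 1 and 5, added here and not part of the original article: a read-only PowerShell audit of the persistence locations named above, run from an elevated prompt on Windows 10/11. It assumes Microsoft Defender and Chromium-based browsers (Edge/Chrome, whose policy registry keys are documented by their vendors); the function and finding names are illustrative.

```powershell
# Added example (not from the original article). Read-only: prints findings and
# returns them as objects for triage with Autoruns or the EDR console.

function Get-AdwareAuditReport {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Area, [string]$Item, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Area = $Area; Item = $Item; Detail = $Detail })
    }

    # 1. Is PUA blocking actually on? 0 = disabled, 1 = block, 2 = audit only.
    $pua = (Get-MpPreference).PUAProtection
    if ($pua -ne 1) { Add-Finding 'Defender' 'PUAProtection' "value $pua (expected 1 = Enabled)" }

    # 2. Autostart entries: Run / RunOnce for the machine and the current user.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
            $cmd = $props.$name
            # Bundled adware is typically dropped into user-writable locations
            if ($cmd -match 'AppData|Temp|ProgramData|Downloads') {
                Add-Finding 'Autorun' "$key\$name" $cmd
            }
        }
    }

    # 3. Scheduled tasks outside the Microsoft tree.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $exe = ($_.Actions | ForEach-Object { $_.Execute }) -join ' '
        Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $exe
    }

    # 4. Services whose binary lives outside Windows / Program Files.
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"?[A-Z]:\\(Windows|Program Files( \(x86\))?)\\'
    } | ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

    # 5. Extensions force-installed through browser policy: a bundler favourite,
    #    because the user cannot remove a force-installed extension from the UI.
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
        'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
        'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
    )
    foreach ($key in $policyKeys) {
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { Add-Finding 'ForcedExtension' $key $_.Value }
        }
    }

    return $findings
}

Get-AdwareAuditReport | Format-Table -AutoSize -Wrap
```

On an unmanaged home machine any hit under ForcedExtension is suspect by definition, since nobody legitimately pushed a policy; on a corporate device compare it against the baseline the IT team actually deployed. Everything this script lists is a lead, not a verdict: confirm with the file's signature and vendor before deleting.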

For corporate environment:

  1. Enterprise EDR / antivirus with PUA/PUP policies enabled. Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne include behavioural detection.
  2. Restrictive software installation policy. Standard users without admin permissions can't install most adware.
  3. Inventory and baseline of allowed browser extensions via GPO/MDM.
  4. Web filtering that blocks suspicious download categories.
  5. Threat hunting on browser hijacker patterns in DNS and proxy logs.
  6. Training for employees on free installers and cracks.
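The local-machine form of items 1 and 3 above, as an added example that is not from the original article: PowerShell that turns on Defender PUA blocking and writes the Edge/Chrome extension allowlist/blocklist policies a GPO or Intune profile would normally deploy. The extension ID is a placeholder and the function names are assumptions; on managed fleets push the same keys through your policy tooling instead of running this per host.

```powershell
# Added example (not from the original article). Requires an elevated prompt.
# Assumptions: Windows 10/11 with Microsoft Defender; Edge/Chrome as managed browsers.

function Set-EndpointAdwareBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Extension IDs permitted by the baseline (placeholder, not a recommendation)
        [string[]]$AllowedExtensionIds = @('EXTENSION_ID_PLACEHOLDER')
    )

    # 1. Defender: block PUA instead of auditing it, and keep cloud lookups on so
    #    fresh bundler variants are caught before local signatures catch up.
    if ($PSCmdlet.ShouldProcess('Microsoft Defender', 'Enable PUA blocking')) {
        Set-MpPreference -PUAProtection Enabled
        Set-MpPreference -MAPSReporting Advanced
    }

    # 2. Browser extensions: deny everything, then allow only the baseline.
    $browsers = @{
        Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
        Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    }
    foreach ($b in $browsers.GetEnumerator()) {
        $block = Join-Path $b.Value 'ExtensionInstallBlocklist'
        $allow = Join-Path $b.Value 'ExtensionInstallAllowlist'
        if (-not $PSCmdlet.ShouldProcess("$($b.Key) policy", 'Write extension allow/block lists')) { continue }
        foreach ($path in @($block, $allow)) {
            if (Test-Path $path) { Remove-Item -Path $path -Recurse -Force }
            New-Item -Path $path -Force | Out-Null
        }
        # Value "1" = "*" blocks every extension that is not explicitly allowed
        New-ItemProperty -Path $block -Name '1' -Value '*' -PropertyType String -Force | Out-Null
        $i = 1
        foreach ($id in $AllowedExtensionIds) {
            New-ItemProperty -Path $allow -Name "$i" -Value $id -PropertyType String -Force | Out-Null
            $i++
        }
    }
}

function Test-EndpointAdwareBaseline {
    # $true only when PUA blocking is on and both browsers deny unlisted extensions.
    $puaOn = (Get-MpPreference).PUAProtection -eq 1
    $blocked = foreach ($p in 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist',
                             'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallBlocklist') {
        (Test-Path $p) -and ((Get-ItemProperty -Path $p).'1' -eq '*')
    }
    return $puaOn -and ($blocked -notcontains $false)
}

Set-EndpointAdwareBaseline -WhatIf   # dry run; drop -WhatIf to apply
Test-EndpointAdwareBaseline
```

The blocklist wildcard is what makes the allowlist meaningful: without it, a bundler can still side-load an extension the user never asked for. Users without local admin rights cannot undo these HKLM policies, which is the point of combining this with item 2 above.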

Adware lives in a legal grey zone.

  • Adware with informed and proportionate consent: legal. Accepted EULAs, declared purpose, transparent monetisation model.
  • Adware with deceptive consent (buried opt-out, undisclosed bundle): GDPR infringement if it processes personal data, sanctionable by the AEPD (the Spanish data protection authority); cases of this kind are regularly closed with fines.
  • Adware without real consent: illegal. When it collects personal data it constitutes at least an offence under article 197 of the Spanish Penal Code, on top of GDPR liability.
  • Adware with browser hijacker or exfiltration: crosses into pure malware. Penalties from 6 months to 6 years.
  • Lenovo Superfish case: the US FTC reached a settlement with Lenovo in 2017 over installation without informed consent and over the MitM vulnerability it created. In the EU it would additionally have been exposed to sanction by the AEPD and equivalent authorities.

Compliance fit

Adware on corporate endpoints can materialise risks covered by current frameworks:

  • NIS2 (article 21). Malicious software protection, configuration management. Persistent adware is a sign of a weak anti-malware programme.
  • DORA (article 9). ICT risk management in financial services. Endpoints with adware expose credentials and sessions to external tracking.
  • ISO 27001:2022 (control 8.7). Malware protection. The PUA/PUP category falls within scope.
  • ENS Royal Decree 311/2022 (op.exp.6). Malicious code protection.
  • GDPR. If adware exfiltrates personal data without legal basis, a notifiable infringement.

Frequently asked questions

Is adware malware?

Depends on the variant. Declared legitimate adware isn't malware. Aggressive adware (PUP/PUA) sits in a grey zone, technically annoying but not necessarily illegal. Malicious adware (browser hijacker, data capture, click fraud) is malware in the technical and legal sense. The border gets determined by real consent and the binary's capabilities.

Should my antivirus block adware?

Modern antivirus detects PUP/PUA by default since approximately 2018-2020. If your device shows persistent ads and the antivirus doesn't alert, the PUA/PUP category is probably disabled in configuration, or the variant is new and not yet classified. Enabling PUA blocking and running a second-opinion scan (Malwarebytes) usually solves it.

How do I know if I have adware?

Classic symptoms: browser with home page or search engine changed without your intervention, frequent pop-ups even on sites that don't normally have them, unexpected redirects when clicking, general slowdown, battery lasting less. On mobile: full-screen notifications when opening apps, unauthorised premium subscriptions.

Is adware common on macOS or Linux?

macOS yes, especially the Adload family. Linux desktop is a minority platform and adware there is practically non-existent. The idea that "Apple is immune" is false: macOS has its own adware ecosystem that Apple combats with XProtect, Gatekeeper and notarisation.

How does adware differ from a normal web ad tracker?

The web tracker lives in the browser, gets served by sites you visit and gets governed by cookies, fingerprinting and the page's rules. The browser controls it (incognito mode, blockers, privacy mode). Adware lives in the operating system, persists outside the browser and operates independently of the visited page. The defence against trackers is ad blockers and privacy mode; the defence against adware is antivirus and installation policy.

Why don't antivirus programs remove all adware automatically?

For legal and false-positive reasons. Part of the adware ships with an EULA the user accepted, and the antivirus vendor can't assume the installation is unauthorised without risking false positives and disputes with the software's publisher. The PUP/PUA category therefore requires an active user or administrator decision rather than automatic removal, which is why some products ship it disabled or in audit mode.

Is Lenovo Superfish still an isolated case?

Not entirely. Similar cases have appeared later with smaller impact: HP laptops shipping a Conexant audio driver that logged keystrokes to a file (2017), several Android manufacturers with preinstalled bloatware, and specific cases involving Xiaomi and Huawei. The industry has improved, but the OEM bundle model is still present.

  • Types of malware: broader family where adware occupies its own category with a blurry border.
  • What is a trojan: aggressive adware sometimes gets delivered as a module inside trojans.
  • What is a keylogger: another software layer that can arrive embedded in aggressive bundles.
  • What is an EDR: control that detects and blocks adware on corporate endpoints.
  • What is ransomware: opposite scenario in severity, although some modern families mix adware and pure malware.
  • NIS2 in Spain: how to comply: the framework requiring operational anti-malware covering also PUA/PUP.

Adware defence at Secra

At Secra we cover adware risk as part of the anti-malware configuration audit and software policy on corporate endpoints: EDR configuration review (PUA/PUP activated, reactive or aggressive policy), privilege policy and installation restriction, baseline of allowed browser extensions via GPO/MDM, web filtering and empirical validation via Red Team that tests whether the organisation detects common PUP installers. If your organisation has endpoints with recurring performance issues, suspicions of browser hijacker on part of the staff or has never reviewed the EDR PUA/PUP policy, get in touch via contact.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
