What Is Adware? How It Works, Detection, and Removal
Adware is software that displays, injects, or redirects to unwanted advertisements and tracks browsing to target them for revenue, usually arriving bundled with free software.
A user's browser homepage changes on its own. Every search now routes through a domain nobody recognizes, the new-tab page is stuffed with ads, and a toolbar appeared that no one installed. Nothing on the endpoint has been encrypted, no data-loss alarm has fired, and the user can still work. The triage instinct says low priority. That instinct is half right, and knowing which half is the difference between closing a ticket and missing a foothold.
That behavior is adware: software that exists to put advertisements in front of a user without their real consent, and to make money from the views, clicks, and tracking data it generates. It is the noisiest, most visible class of unwanted software, which is exactly why it gets dismissed. The same "free installer" that bundled the toolbar often bundled several other things.
This guide covers what adware is and how it differs from legitimate ad-supported software, from spyware, and from a potentially unwanted program; how it gets onto a host; what it does once it runs; the families worth knowing; and how a defender detects, removes, and prevents it. It is written for blue teamers: SOC analysts triaging the alert, and DFIR responders deciding whether a browser hijack is the whole story or the first artifact.
What is adware?
Adware is software that displays, injects, or redirects to advertisements the user did not ask for, usually while tracking browsing behavior to target those ads and earn revenue per impression, click, or install. The name is a contraction of "advertising-supported software." Its purpose is commercial, not destructive: it monetizes attention and data, not extortion or sabotage.
Most security vendors do not file adware under "virus." They file it under PUP or PUA, for potentially unwanted program or potentially unwanted application. This is a real industry category, not a hedge. Microsoft Defender flags it as PUA, Malwarebytes as PUP, and Kaspersky, F-Secure, and others maintain dedicated adware detection families. The classification matters operationally: a PUA detection carries lower confidence of malicious intent than a trojan hit, which is why these alerts often land in a separate, lower-priority queue. The most common form of PUP is adware.
The reason it sits in a gray zone is consent. The line between adware and a legitimate, ad-supported program is whether the user knowingly agreed to the ads in exchange for free software. A free mobile game that shows ads you accepted in a clear prompt is ad-supported software. The same ads, installed silently alongside a video converter with no disclosure and no clean uninstall path, are adware. The behavior can be identical. What changes the label is consent, transparency, and how hard the thing is to remove.
That gray zone is why adware survives: it is profitable, usually not illegal, and just useful-looking enough that a user clicks through the install. For a defender, the useful frame is not "is this technically malware" but "did the user consent, and what else came with it."
Adware vs. spyware vs. PUP
Three terms get used interchangeably and should not be. They overlap, but the distinction is about primary intent, and intent drives how you treat the alert.
| | Adware | Spyware | PUP / PUA |
|---|---|---|---|
| Primary goal | Show ads, earn ad revenue | Covert surveillance and data theft | Umbrella term for unwanted-but-not-clearly-hostile software |
| Visibility | Loud: pop-ups, injected ads, hijacked browser | Silent by design; hides its presence | Varies; often quietly bundled |
| Data it takes | Browsing habits, search terms, for ad targeting | Credentials, keystrokes, files, screens | Depends on the program |
| User consent | Usually none or buried in a bundle | None | Often a buried or deceptive opt-in |
| How a SOC sees it | Visible symptoms, PUA detections | Behavioral or network detection | PUA/PUP detections, low default priority |
| Typical classification | PUP/PUA, sometimes malware | Malware | Category, not a single thing |
The clean separation: adware wants your eyeballs and your browsing profile so it can sell ads. Spyware wants your secrets. PUP is the bucket both fall into when the hostile intent is not clear-cut.
It gets messy in practice, and that is the part to internalize. Adware that aggressively tracks browsing, fingerprints the device, and exfiltrates a detailed behavioral profile has crossed into spyware territory regardless of the label. The Fireball case below is exactly this: classed as adware because it monetized search, but built to run arbitrary code and download further payloads, which is malware behavior by any definition. Treat the label as a starting hypothesis. What the sample actually does on the host decides how you handle it.
How adware gets onto a device
Adware almost never arrives as a standalone download a user chose. It rides in on something else. The vectors, in rough order of how often a SOC sees them:
- Software bundling. The dominant vector. It is packaged inside the installer for a free program the user actually wanted: a media player, a PDF tool, a converter, a "driver updater." The installer offers the bundled component pre-checked, often behind a "recommended" or "express" path that hides the opt-out. This is the pay-per-install economy, where the freeware author gets paid for each bundled install they push through.
- Malvertising. Malicious or poisoned advertisements on otherwise legitimate sites redirect the user to a fake download or trigger a drive-by. The ad network is abused to deliver the very thing it pretends to be selling.
- Fake and cracked installers. Trojanized copies of popular software, cracks, keygens, and "free" versions of paid tools, distributed through search results, torrents, and fake download portals. The crack works just enough to look legitimate while the adware installs alongside it. This is a primary delivery path for macOS adware in particular.
- Browser extensions. An extension that promises coupons, a better new-tab page, or "ad blocking" while injecting its own ads, redirecting searches, and harvesting browsing data. These spread through extension stores and through bundling.
- Mobile app stores. On Android, adware ships inside apps that work as advertised but display aggressive out-of-app ads, sometimes when the screen is off. Google has repeatedly removed batches of such apps from the Play Store, including 600 apps pulled for disruptive ads and a separate group of 85 adware apps with more than eight million combined installs.
The common thread is consent laundering. The user agreed to install something, so the install looks authorized, and the adware hides inside that authorization. The same mechanism that makes adware "not technically malware" is the one that gets it onto the host.
What adware does once it runs
Behavior splits into two jobs: show ads and gather the data that makes those ads pay. The visible symptoms map to the first job; the quiet ones map to the second.
- Ad injection. It inserts advertisements into web pages that did not contain them, so a clean site renders with extra banners and in-text ad links that the site owner never placed.
- Pop-ups and pop-unders. Unsolicited ad windows, including ones that open behind the active window to dodge immediate notice.
- Browser hijacking. It changes the homepage, the default search engine, and the new-tab page to attacker-controlled or revenue-generating destinations. This is the single most reliable artifact of an adware infection and the one users report.
- Search redirection. Queries are routed through an intermediary search provider that injects sponsored results and skims the click revenue, then forwards to a real engine so the user often does not notice.
- Unwanted toolbars and extensions. New browser toolbars or extensions appear without the user installing them, each one another surface for ads and tracking.
- Tracking and profiling. It records browsing history, search terms, and sometimes device identifiers, building a behavioral profile to target ads and to sell. This is where adware reaches toward spyware.
- Resource and performance cost. Constant ad rendering and background tracking slow the device, drain battery on mobile, and on metered connections drive up data usage.
For the defender, the behaviors that matter most are not the pop-ups. They are the persistence (the hijack survives a browser restart and often a reboot) and the network activity (the host now talks to ad and tracking infrastructure on a schedule). Those are the same artifact classes you hunt for any malware, which is why a real adware investigation is more than "uninstall the toolbar."
Adware families worth knowing
Naming a few real families makes the category concrete and shows how wide the "just ads" label stretches.
Fireball. Check Point reported in 2017 that Fireball had infected an estimated 250 million computers worldwide and was present on roughly one in five corporate networks it sampled. It hijacked browsers, swapped the default search engine for fake search pages, and tracked web traffic to generate ad revenue. It was operated by Rafotech, a large digital marketing agency based in Beijing, and spread by bundling with Rafotech freeware such as Deal Wifi and Mustang Browser. The detail that matters: Fireball could also run arbitrary code and download further malware on the infected host. It was filed as adware because that was its business model, but it carried full malware capability. That gap between label and capability is the whole reason a SOC should not auto-close the alert.
Gator / GAIN. One of the earliest large-scale adware operations. Gator, released in 1999 by the Gator Corporation (renamed Claria Corporation in 2003), ran the Gator Advertising Information Network, which displayed pop-up ads and tracked browsing to target them. At its peak it was installed on tens of millions of machines and drew a wave of lawsuits from publishers whose sites it covered with competing ads. Gator is the template the bundled-adware industry copied.
macOS adware (Adload, Bundlore, Shlayer). Adware is not a Windows-only problem. On macOS, Adload and Bundlore are long-running adware families that inject ads and hijack search, frequently arriving through fake installers and cracked software. Shlayer is the related dropper: a trojan that poses as a Flash Player update and installs adware payloads like those two. The distinction matters because the dropper and the payload are detected and remediated as separate things.
The pattern across all of these: "adware" describes a revenue model, not a capability ceiling. Some adware is a nuisance toolbar. Some, like Fireball, is malware with an ad business attached.
How to detect adware
Detection runs on two levels: the obvious user-reported symptoms, and the artifacts a defender confirms.
User-visible signs are the cheap tell: a changed homepage or default search engine, a flood of pop-ups, a new toolbar or extension nobody installed, search results that redirect through an unfamiliar provider, a noticeably slower device, and on mobile, fast battery drain and unexplained data usage. These are enough to suspect an infection, not enough to scope it.
What a defender actually checks:
- EDR and antivirus detections. It shows up as PUA or PUP detections, or under named adware families. The trap is that these land in a low-priority queue and get bulk-closed. Read what the detection names, because a PUA hit on a host that also has an unexplained scheduled task is not just an ad nuisance.
- Browser extension and setting audits. Enumerate installed extensions and the homepage, search, and new-tab settings across browsers on the host. This is where it lives, and the unauthorized extension is the clearest indicator of compromise.
- Installed programs and persistence. Check recently installed programs, browser-helper objects, scheduled tasks, services, and run keys. It persists like any other software, and the persistence artifact tells you when it landed and what else landed with it.
- Network telemetry. Beaconing to ad and tracking domains, search traffic routed through an unexpected intermediary, and DNS to known ad-fraud infrastructure. This separates an active infection from a stale, dead toolbar.
- Sample triage. When the host matters or the family is unknown, pull the binary or extension and run malware analysis on it. Static and sandbox analysis answer the question that decides triage: is this an ad nuisance, or does it download and execute other code like Fireball did?
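The browser extension and setting audit above is the step that can be automated on every host. The script below is an added example written for this article, not tooling from the original page or from any vendor named in it. It parses the JSON that Chrome and Chromium keep in the profile's Preferences file (the key names used here, such as homepage, session.startup_urls, default_search_provider_data.template_url_data and extensions.settings, follow Chrome's layout) and compares homepage, startup URLs, default search provider and installed extensions against a baseline the analyst supplies. The hijacked profile, the baseline hosts and the 32-character extension IDs are all constructed placeholders.

```python
"""Audit a Chrome/Chromium Preferences file for adware-style browser hijacks.

Added example, not part of the original article. The sample profile is
constructed; key names follow Chrome's Preferences layout; extension IDs,
hostnames and the baseline are placeholders an analyst would replace.
"""
import json
import sys
from urllib.parse import urlparse

# Constructed sample of a hijacked profile: homepage, startup URL and default
# search all point at an unfamiliar "search" host, and a sideloaded toolbar
# sits next to the one corporate-approved extension.
SAMPLE_PREFERENCES = json.dumps({
    "homepage": "http://search.example-hijack.test/?src=hp",
    "homepage_is_newtabpage": False,
    "session": {
        "restore_on_startup": 4,
        "startup_urls": ["http://search.example-hijack.test/"],
    },
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Quick Search Pro",
        "keyword": "example-hijack.test",
        "url": "http://search.example-hijack.test/?q={searchTerms}",
    }},
    "extensions": {"settings": {
        # placeholder ID: approved corporate extension
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "manifest": {"name": "Corp Password Manager"},
            "from_webstore": True, "location": 1,
        },
        # placeholder ID: toolbar dropped by a bundled installer
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "manifest": {"name": "Super Coupons Toolbar"},
            "from_webstore": False, "location": 3,
        },
    }},
})

# Baseline the analyst maintains (placeholder values). The empty string stands
# for "no URL set", which is what a default profile has.
BASELINE = {
    "allowed_homepage_hosts": {"intranet.corp.example", ""},
    "allowed_search_hosts": {"www.google.com", "www.bing.com", "duckduckgo.com"},
    "allowed_extension_ids": {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
}


def _host(url):
    """Hostname of a URL, or '' when the value is empty or unparsable."""
    return urlparse(url).hostname or ""


def audit_preferences(prefs_json, baseline):
    """Return (kind, detail) findings for every setting outside the baseline."""
    prefs = json.loads(prefs_json)
    findings = []

    # Homepage: only meaningful when it is not the built-in new-tab page.
    home = prefs.get("homepage", "")
    if not prefs.get("homepage_is_newtabpage", False):
        if _host(home) not in baseline["allowed_homepage_hosts"]:
            findings.append(("homepage", home))

    # Startup URLs: a hijack often pins the same redirect host here too.
    for url in prefs.get("session", {}).get("startup_urls", []):
        if _host(url) not in baseline["allowed_homepage_hosts"]:
            findings.append(("startup_url", url))

    # Default search provider: the search-redirection artifact.
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_url = tpl.get("url", "")
    if search_url and _host(search_url) not in baseline["allowed_search_hosts"]:
        findings.append(("default_search", search_url))

    # Extensions: anything not on the allowlist, with its install origin.
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        if ext_id in baseline["allowed_extension_ids"]:
            continue
        name = entry.get("manifest", {}).get("name", "<unknown>")
        origin = "webstore" if entry.get("from_webstore") else "sideloaded"
        findings.append(("extension", f"{ext_id} ({name}, {origin})"))
    return findings


if __name__ == "__main__":
    # Pass a real Preferences path as argv[1]; otherwise audit the sample.
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PREFERENCES
    for kind, detail in audit_preferences(data, BASELINE):
        print(f"[{kind}] {detail}")
```

On Linux the file lives at ~/.config/google-chrome/Default/Preferences and on Windows under %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences; current Chrome builds keep the extension and search-provider entries in the sibling Secure Preferences file, which has the same structure and can be fed to the same function. Running it across a fleet and diffing against the baseline turns the user-reported "my homepage changed" into a list of hosts with the same hijack, which is the scoping question the triage step needs answered.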
The investigative point: treat the detection as a thread to pull, not a verdict to file. The questions are how it got installed, what it was bundled with, and whether it can do more than show ads. The last answer decides whether this is a closed ticket or an open incident.
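The network telemetry item above (scheduled beaconing to ad and tracking infrastructure, plus DNS to known ad-fraud domains) is the check that separates a live infection from a dead toolbar. The following is an added example for this article, not code from the original page: it parses a handful of constructed DNS resolver log lines, flags host/domain pairs that are queried at a near-constant interval, and matches names against a small indicator list. The log format, hostnames, domains and thresholds are all assumptions for the demo.

```python
"""Find beaconing and indicator hits in DNS resolver logs.

Added example, not part of the original article. Log lines, hostnames,
domains and the indicator list are constructed; the "key=value" log
format is an assumption, as are the thresholds.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log: WS-0421 resolves an ad-network CDN every ~5 minutes
# (the tracking beacon), searches normally a few times, and once resolves the
# redirect host seen in the browser hijack. WS-0077 is a clean host.
SAMPLE_LOG = """\
2024-05-02T09:00:00 host=WS-0421 qname=cdn.example-adnet.test
2024-05-02T09:00:30 host=WS-0421 qname=www.google.com
2024-05-02T09:01:10 host=WS-0421 qname=search.example-hijack.test
2024-05-02T09:02:00 host=WS-0421 qname=www.google.com
2024-05-02T09:03:15 host=WS-0077 qname=intranet.corp.example
2024-05-02T09:05:01 host=WS-0421 qname=cdn.example-adnet.test
2024-05-02T09:10:00 host=WS-0421 qname=cdn.example-adnet.test
2024-05-02T09:11:45 host=WS-0421 qname=www.google.com
2024-05-02T09:15:02 host=WS-0421 qname=cdn.example-adnet.test
2024-05-02T09:19:59 host=WS-0421 qname=cdn.example-adnet.test
"""

# Constructed indicator list (domains the defender has already attributed).
IOC_DOMAINS = {"example-hijack.test", "example-adfraud.test"}


def parse_dns_lines(text):
    """Return (timestamp, host, qname) tuples; lines that do not fit are skipped."""
    records = []
    for line in text.splitlines():
        fields = dict(part.split("=", 1) for part in line.split()[1:] if "=" in part)
        try:
            ts = datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%S")
            records.append((ts, fields["host"], fields["qname"].lower()))
        except (ValueError, KeyError, IndexError):
            continue
    return records


def find_beacons(records, min_queries=4, max_cv=0.2):
    """Flag (host, qname) pairs whose query gaps are regular enough to be a timer.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive queries; human browsing has a high cv, a scheduled
    tracker's check-in has a low one.
    """
    by_pair = defaultdict(list)
    for ts, host, qname in records:
        by_pair[(host, qname)].append(ts)

    beacons = []
    for (host, qname), stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            beacons.append({"host": host, "qname": qname, "count": len(stamps),
                            "mean_interval": avg, "cv": cv})
    return beacons


def match_iocs(records, ioc_domains):
    """Return (host, qname) pairs where the name is an indicator or a subdomain of one."""
    hits = []
    for _, host, qname in records:
        if any(qname == d or qname.endswith("." + d) for d in ioc_domains):
            hits.append((host, qname))
    return hits


if __name__ == "__main__":
    recs = parse_dns_lines(SAMPLE_LOG)
    for b in find_beacons(recs):
        print(f"beacon: {b['host']} -> {b['qname']} every ~{b['mean_interval']:.0f}s "
              f"({b['count']} queries, cv={b['cv']:.3f})")
    for host, qname in match_iocs(recs, IOC_DOMAINS):
        print(f"ioc hit: {host} -> {qname}")
```

The beacon check deliberately ignores what the domain is called; it catches a tracker the indicator list has not seen yet, while the indicator match ties the traffic back to the hijack already found on the browser. A host that shows both is talking to the infrastructure on a schedule, which is the "active infection" signal the text describes, not a leftover toolbar that no longer runs.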
How to remove adware
Removal is straightforward for a commodity nuisance and an incident-response problem for anything with deeper capability. Match the response to what detection found.
For a confirmed nuisance infection:
- Uninstall the program. Remove the bundled application through the OS add/remove programs interface. Note what else was installed in the same window; bundles rarely drop one thing.
- Remove malicious browser extensions. Delete the unauthorized extensions and toolbars from every browser on the host.
- Reset browser settings. Restore the homepage, default search engine, and new-tab page, and clear the settings that were changed. A full browser reset is faster than chasing each hijacked setting when several were touched.
- Run an anti-malware scan. Use EDR or a reputable anti-malware tool to catch components the manual steps missed and to confirm the host is clean.
When triage shows the sample could run code, download payloads, or arrived alongside other detections, escalate to incident response: isolate the host, scope what else was installed in the same session using the indicators, and reimage rather than clean if the capability or the bundle is unclear. The cost of being wrong about an "it's just adware" call is treating a foothold as a cleanup.
How to prevent adware
Prevention targets the install path, because the whole strategy is riding in on a consented install.
- Control software sources. Restrict installs to vetted sources and an internal software catalog. Most bundled adware comes from free downloads off the open web and from cracked software, so cutting that path removes the dominant vector.
- Application allowlisting and least privilege. Users without local admin cannot complete most of these installs. Allowlisting stops unapproved installers outright.
- Manage browser extensions. Enforce an extension allowlist or block sideloaded extensions through browser management policy. The extension surface is where a lot of it lives.
- Email and web filtering. Block known adware and malvertising infrastructure at the proxy and DNS layer, and filter the phishing lures and fake-download pages that deliver it.
- EDR with PUA detection enabled. Keep potentially-unwanted-application detection turned on rather than suppressed, and review the queue instead of bulk-closing it.
- User awareness. Teach users to decline bundled "optional" offers, to use custom rather than express installs, and to avoid cracked software. The pre-checked bundle box is defeated by a user who reads the install screen.
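The extension-management and browser-hardening items above translate directly into a managed browser policy. The script below is an added example for this article, not configuration from the original page or from any product it names. It emits a Chrome enterprise policy file that blocks every extension except an allowlist, refuses extensions sideloaded by other installers, and pins the homepage and default search provider, and it includes a checker that reports the weak settings a bundled installer relies on. The policy names (ExtensionInstallBlocklist, ExtensionInstallAllowlist, BlockExternalExtensions, HomepageLocation, DefaultSearchProviderSearchURL and the others used) are Chrome's documented enterprise policies; the extension ID, intranet hostname, search provider and the Linux output path are placeholders and assumptions.

```python
"""Generate and check a Chrome managed policy that closes the adware install path.

Added example, not part of the original article. Policy names are Chrome's
enterprise policies; the extension ID, hostnames and output path are
placeholders an administrator would replace.
"""
import json
import os
import sys

# Placeholder allowlist: the one extension the organisation has approved.
APPROVED_EXTENSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}


def build_chrome_policy(allowed_extension_ids, homepage, search_name, search_url):
    """Return the policy dict for a locked-down browser profile."""
    return {
        # Deny every extension, then allow only the reviewed ones; "*" is the
        # wildcard Chrome accepts in the blocklist.
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(allowed_extension_ids),
        # Refuse extensions that other software drops into the profile.
        "BlockExternalExtensions": True,
        # Pin homepage and startup page so a hijack cannot stick.
        "HomepageLocation": homepage,
        "HomepageIsNewTabPage": False,
        "RestoreOnStartup": 4,            # 4 = open the URLs listed below
        "RestoreOnStartupURLs": [homepage],
        # Pin the default search provider so search cannot be rerouted.
        "DefaultSearchProviderEnabled": True,
        "DefaultSearchProviderName": search_name,
        "DefaultSearchProviderSearchURL": search_url,
    }


def policy_gaps(policy):
    """List the settings, if any, that leave the bundled-install path open."""
    gaps = []
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        gaps.append("ExtensionInstallBlocklist lacks '*': users can install any extension")
    if not policy.get("BlockExternalExtensions"):
        gaps.append("BlockExternalExtensions is off: installers can sideload extensions")
    search_url = policy.get("DefaultSearchProviderSearchURL", "")
    if not policy.get("DefaultSearchProviderEnabled") or "{searchTerms}" not in search_url:
        gaps.append("default search provider not enforced: bundles can redirect search")
    if not policy.get("HomepageLocation"):
        gaps.append("HomepageLocation not set: a homepage hijack would persist")
    return gaps


# Constructed "before" policy: a homepage is set, but nothing stops an
# installer from adding an extension or swapping the search engine.
WEAK_POLICY = {
    "ExtensionInstallBlocklist": [],
    "HomepageLocation": "https://intranet.corp.example/",
}

HARDENED_POLICY = build_chrome_policy(
    APPROVED_EXTENSIONS,
    homepage="https://intranet.corp.example/",
    search_name="Corporate Search",                       # placeholder
    search_url="https://www.google.com/search?q={searchTerms}",
)

if __name__ == "__main__":
    # Linux drop location for Chrome managed policy; Windows uses the
    # HKLM\Software\Policies\Google\Chrome registry branch or GPO instead.
    out = sys.argv[1] if len(sys.argv) > 1 else "/etc/opt/chrome/policies/managed/adware_controls.json"
    for gap in policy_gaps(WEAK_POLICY):
        print("weak policy:", gap)
    os.makedirs(os.path.dirname(out), exist_ok=True)
    with open(out, "w", encoding="utf-8") as fh:
        json.dump(HARDENED_POLICY, fh, indent=2)
    print("wrote", out, "gaps:", policy_gaps(HARDENED_POLICY) or "none")
```

The allowlist plus wildcard blocklist is what makes the "manage browser extensions" item enforceable rather than advisory: a bundled toolbar that tries to register itself is refused at install time instead of being found in the next audit. On macOS the same keys ship in a configuration profile; the checker is useful in any of these cases for confirming that a policy someone edited by hand still closes all four doors.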
The theme is the same as in detection: adware exploits consent, so prevention is about removing the chances to consent to something hidden.
The bottom line
Adware is software that pushes unwanted ads and tracks browsing to monetize them, riding onto hosts through bundled installers, malvertising, fake software, and rogue extensions. Most vendors file it as a PUP or PUA, a step below outright malware, and most of the time the symptoms are loud and the impact is a nuisance plus a privacy cost.
The mistake is letting that low-priority label make the decision for you. Adware uses the same delivery channels as serious malware, comes bundled with whatever else the installer carried, and in cases like Fireball ships with the ability to run arbitrary code. The label describes a business model, not a capability limit. For a blue teamer, the discipline is to treat an adware detection as a set of questions (how did it get installed, what came with it, and can it do more than show ads) and to scope the host before closing the ticket.
Frequently asked questions
Adware is software that shows you advertisements you did not ask for, usually pop-ups, injected ads, or a hijacked browser, and earns money from those ads while often tracking your browsing to target them. It is short for "advertising-supported software." Most of it arrives bundled with free programs rather than as something you chose to install.

No. A virus spreads by attaching to files and replicating; adware does not self-replicate. Most security vendors classify adware as a potentially unwanted program (PUP) or potentially unwanted application (PUA) rather than a virus. That said, some adware ships with malware capabilities like downloading and running other code, so "not a virus" does not mean "harmless."

Adware's primary goal is showing ads and earning ad revenue, and it is usually loud and visible. Spyware's primary goal is covert surveillance: stealing credentials, keystrokes, files, or activity while staying hidden. The line blurs when adware aggressively tracks and exfiltrates browsing data, which is spyware behavior, so the safe move is to judge a sample by what it does, not by its label.

Most often through software bundling: it is packaged inside the installer for a free program and installed alongside it, frequently as a pre-checked "optional" component. Other common paths are malicious ads (malvertising), fake or cracked software installers, unwanted browser extensions, and on mobile, adware-laden apps. It rarely arrives as a download the user deliberately chose.

Uninstall the unwanted program through your operating system, remove any unauthorized browser extensions and toolbars, reset your browser's homepage and default search engine, and run an anti-malware scan to catch leftover components. If the adware could run code or arrived with other detections, treat it as an incident: isolate the host and consider reimaging rather than cleaning.

Often it is mostly annoying: slower performance, pop-ups, and a hijacked browser. The risk is twofold. First, the tracking can amount to serious privacy loss. Second, the same delivery channel and the same installers frequently carry more dangerous payloads, and some adware families, like Fireball, can download and run additional malware. For a defender, an adware detection is a signal to check what else came with it.