Ad2Store redirections: the latest annoyance for mobile users

February 10, 2014 | BY

Online ads can be very aggressive and disruptive, not to mention they often carry malicious payloads aka malvertising.

You may have come across some strange situation on your smart phone or tablet where as you were browsing the web, the App Store or Play Store automatically popped up or even initiated a download for some random app.

It turns out this technique is not actually new per se (early reports from 2012 mention a similar behaviour which essentially hijacked your web session to trick you into installing unwanted apps).

More recently, Sarah Perez from TechCrunch wrote a nice article showing that many users were frustrated with such annoying ads and yet Apple or Google had yet to respond or comment on this subject.

What is most troubling about this is the fact that a specially crafted online advert is responsible for automatically switching the browser to a different program (the App/Play Store) with absolutely no user interaction required.

Case in point, when we visited Reddit and clicked on a thread. It opened up imgur, the picture hosting website where an ad loaded and then launched the App Store on its own, literally shoving the “Clash of Clans” app in our face.

 (Video best viewed in HD, full screen)

You are more likely to encounter such disruptive ads if you browse dodgy sites. But due to the nature of online advertising it may also happen on high-profile sites and blogs such as the ones mentioned in the TechCrunch article.

On iOS, this issue exists both in its native browser (Safari) as well as third-party browsers such as Google Chrome.


Figure 1: From browser to App Store: advert pushes install for an App.

For information, I am using the default security settings with Pop-up blocker enabled.


Figure 2: iOS settings for Safari.

In order to understand how this happened, I routed my smartphone through a proxy (Fiddler) and recorded the traffic:


Figure 3: Traffic capture reveals the culprit.

hastrk2[dot]com sends a 302 HTTP response with a specially crafted URL (itms-appss:// that results in the App Store popping up.

On Android, the process is quite similar, albeit with a different URL format:


Here is a general overview of what takes place (all other non related URLs were removed for clarity) showing the many bounces involved in this campaign:


Figure 4: Each URL is linked to the abusive Ad in a very long chain.

The slideshow below reveals how each web session from Figure 4 is tied to the next one:

This slideshow requires JavaScript.

The domain hastrk2[dot].com has been flagged by several people (spam leading to App Store) and is hosted by Amazon Web Services (IP: and could certainly be blocked if you wanted to prevent these unwanted redirections.

However, it would make more sense for Apple (in the name of ‘user experience’) to block all non user initiated requests to launch the App Store (or at least prompt the user before) and the same goes for Google with its Play Store.

Many layers of redirections make it harder to pinpoint which Ad network is directly responsible. But at the same time, aren’t all ad networks involved by not policing their third-party resellers well enough?

Greedy advertisers are pushing the envelope while there is no solution to stop this problem.

The app developers themselves may also turn a blind eye. They ought to know about those practices since they would be paying commissions for these affiliates. Or are they OK with that business model? For the record, our emails went unanswered.

It doesn’t appear anybody has found a name for this type of advertising/redirection, so I decided to come up with my own: Ad2Store.

As I was writing this article I came across another popular news site popping up the App Store on me again, showing that if we don’t put a stop on this soon it will quickly become widespread.

I’d like to thank my friend JP Taggart for helping me out with this project/video.

Update (Feb 18):  I have contacted Amazon for them to review hastrk2[dot]com, the one site known for these unwanted redirections. Since they are hosting it, I believe they ought to check whether it violates any of their guidelines. I am still waiting for their reponse and will update this post when I hear back from them.

In the meantime, I came across one of the apps being pushed and reading the reviews made it quite clear why this practice is a major problem for end users:

I had to download this app to stop the constant hijacking from websites to its page on the App Store.


People are so desperate they are actually installing the apps in the hope that the relentless redirections stop.

Update 2 (Feb 20): Amazon has replied to our request but is not going to take any action:

After looking into this and consulting with our legal department we do not consider this a violation of our Acceptable Use Policy.

This is somewhat disappointing but we do appreciate Amazon taking the time to review this and getting back to us with a response.

Our inquiry with the domain registrar for (GoDaddy) has been unanswered thus far.

Jérôme Segura @jeromesegura

  • Clayton Johnson

    Doesn’t happen on my Rooted Galaxy S4, but then of course with a custom rom and root you can install block lists. I’m sure it doesn’t happen because of said list I install. I have some advantages being a web host and being fully competent on the use of Linux and hosts files, but ANYONE who can read can learn how to do it off one of many sites.

  • korhal

    I think the point is that people shouldn’t HAVE to do that. Ad2Store redirects shouldn’t be happening in the first place.

  • jean alex

    i agree but I got galaxy s4 and I get pop ups all the time and it made me wanna get rid of my phone cause of it

  • buchacho

    Thank you for explaining this issue. It is very annoying and should be taken care of at the browser level.

  • Vishan Persaud

    Unfortunately they also seem to beat the iframes most sites have in place. As far as I know it looks like there is no way for a website to stop these.

  • Coldwind494

    Glad I finally found someone to explain this frankly creepy phone behaviour. The depths advertisers will sink to continually amaze me – and I speak as someone who’s willing to accept the ‘advertising pays for my free stuff’ tradeoff.

    But like many people, I’m only willing to accept it to the extent that it isn’t significantly disruptive. This practice most certainly is – not to mention exceptionally arrogant.

    The ‘solution’ being employed by people in downloading the guilty apps so they can leave negative feedback, while very tempting, is self-defeating, since the advertisers are working solely on the metric of download numbers. This response is only proving to them that this aggressive and high-handed approach does work.
    Perhaps Google and Apple could consider some sort of blacklist facility so that users can block individual apps’ pages from appearing? Apps might also show a public counter to show how many people have blacklisted an app? Of course such a system would immediately be exploited by advertisers to encourage blacklisting of competitor apps, but this would at least pit developers and the stores against the advertisers, instead of leaving the user to fight the battle. It might encourage some measure of restraint in advertising methods, at least around legitimate apps.

  • Jérôme Segura

    Thanks for your comment. I was shocked to see this happening and yet nobody really seemed to care. I certainly expect more from Apple to save the user from a terrible browsing experience.
    To be clear if I manually clicked the ad, then opening the App Store would be OK. But not without my consent…
    But it’s not just Apple… Amazon did not seem to think there was anything wrong with a server whose sole purpose was to serve traffic that would do this exact behaviour.
    There’s a lot of money at stake and advertisers are getting overwhelmingly aggressive. Not only is this annoying but it could also have serious security consequences!

  • Jérôme Segura

    I agree. This is a browser based behaviour that can be stopped. In fact, if another browser (other than the default Safari) on iOS was capable of doing that, I would bet many people would switch to it.


    Isn’t the fact they are hijacking our phones in itself a federal and hacking offence? Are they not using a website to violate our privacy? Apple installed U2 album on my phone without consent or my knowledge, what else are they doing without my knowledge or consent? If you or i did such things to other peoples phones we would be arrested and charged, why are these companies allowed to get away with it?

  • Bello Russo

    Huffpost and many other media now also has this virus behavior. Google having it’s way with us any each way it wants. FU, Google!

  • manofredearth

    The apps themselves shouldn’t be targeted for repercussions (yet) as a devious coder can easily just write code directing phone browsers to apps they wish to undermine. The services redirecting traffic should be warned then dealt with.

    I’ve been searching for answers around this issue for a year now, and this is as good as it gets unfortunately. It’s like no one cares, but it’s completely insidious.

  • Rich Horsfall

    So far I’ve been able to block the re-directs by restricting the APP Store in settings. The App Store disappears completely from the home screen. If this continues to work I’ll selectively turn on the App Store when I need something and restrict it again.

  • Tom

    I get this issue when visiting ign and polygon dot com. It started to happen recently. I sometimes see a giant sized ad blocking the entrance of these sites. After closing the window I can enter. The app store pop up redirect happens a lot. Sometimes it happens on any web page. I thought it was malware as no ads are shown on the web site that I am visiting. Sometimes the page I visit doesn’t redirect me if I return to it but does on the 1st visit. Any news on finding a solution? I feel like wiping out my phone. Note I hear it could be a bad cookie that has infected many websites. Clear the cache on safari and chrome to fix.

  • Isabella Rosselinni

    I was so annoyed with this Ad2Store websites, if I want to look at the webpage, I’ll save the url and open it in my laptop which has AdBlock and AdBlock Plus, that will allow me to browse peacefully.

    Btw I used to be disturbed by WeChat Ad2Store ads, and downloaded it and giving it a 1 rating, but I still keep getting the Ad2Stores, so I suppose it is not an effective way of stopping the annoying ads.

  • Jon Skarda

    Any possible way to find out companies/organizations responsible, post their contact information and then advertise a date on which all of us ****** off targets can flood them with phone calls and emails nonstop for a 24 hr period? It’d be at least a taste of the revenge that I’m craving?

  • dirgas

    Apparently opera(chrome)://flags/#disable-compositing-for-transition will do the trick most of the time as workaround. AFAIK compositing-for-transition may interact badly with serviceworkers.js and since transition flag was removed in Chrome41 then the last browser version should be installed over older one and will keep the flag settings.

  • Alexander van Rossum

    Apple didn’t “install” an album without your consent, they simply added the album to your library.

    In the cloud.

    It was your choice to download – or even play – it. It’s really not much different than spotify adding a new album.

  • Leisureguy

    When this happens to you download the game you are directed to then immediately rate that game (trash it as much as possible) give it zero stars if possible and make up horror stories about the damage it did to your device. Hopefully a few thousand reviews like that will send the message that this type of strong armed advertising might not be too enjoyable to potential customers. After you’re done trashing the app uninstall it. If possible leave a review without downloading it.

  • Nicholas DeShane

    I have a solution. Find the individuals personally responsible for writing the code and publicly burn them alive, better yet they may better learn their lesson via castration by acid and the icing is you do not even have the feel bad I mean it is not like these deplorable vile creatures are even people not really.

  • Dan Mckinley