Google scans websites for downloadable executable files or software that could negatively affect the user experience. Malicious and unwanted software are binaries that can be downloaded or applications that run on websites and affect their visitors. In the Security Issues report, you can see the list of suspicious files hosted on your site.
What is malicious software?
Noxious programming is any product or portable application that is explicitly intended to hurt clients or harm PCs, cell phones, or the product that sudden spikes in demand for them. This sort of programming performs noxious activities, like introducing destructive projects (eg infections) or programming without clients’ assent. Now and again site proprietors don’t understand that their downloadable documents are considered malware, so they may unconsciously have those pairs.
What is unwanted software?
Undesirable programming is executable records or portable applications that act in misleading or startling ways, or in any case hurt clients while perusing or utilizing their gadgets. For instance, programming that makes changes the landing page or other program settings without your solicitation, or applications that release private or individual data without informing you.
For more information on how Google protects users from unwanted software, see the Not the download you’re looking for warning post on Google’s online safety blog.
In the “Security Issues” report, the term “malicious software” refers to web software that runs without explicit user action. On the other hand, “malicious downloads” refers to, among others, malicious or unwanted programs that users download manually.
Solve the problem
Check that your site or app follows the guidelines, then request a review with the Security Issues report.
If you see warnings on your mobile app, you can file an appeal.
Check that you are not in violation of the Unwanted Software Policy and follow the guidelines in this article. The list of guidelines included is not exhaustive, but it does capture behavior that, if it occurs, may cause warnings to be displayed to users who download your app or visit your site. In the “Security Issues” report, you can see a list of suspicious files hosted on your site.
Don’t distort reality
It clearly explains to users what the software is for. Users must be able to deliberately download the software by clicking on an advertisement that clearly indicates what they are downloading. Ads that lead users to download the software must not be misleading or contain inaccurate information, such as:
- The ad only contains the words “Download” or “Play” with no information about the advertised software.
- The ad contains a “Play” button that actually triggers a download.
- The ad looks similar to the publisher’s website and indicates that it is offering content (for example, a movie), when in fact it leads to software unrelated to the ad.
- Check out information about social engineering in our online security blog.
Deliver what is advertised. You have to clearly inform about the function and intentions of the program. If your software collects user data or inserts advertisements into their browser, make this clear and do not try to hide this information as if it were something unimportant.
Explain to users clearly and explicitly what changes your software will make to the browser and to the system. Allows users to review and approve all installation options, as well as all major changes. The main user interface of the program should clearly display the components of the binary and their main functions. The binary has to offer users an easy way to skip installing bundled components. For example, hiding these options or enclosing them in barely visible text are not considered acceptable techniques.
Use third-party recommendations only if you have the appropriate authorization. Do not use logos of other companies or the Government to endorse or recommend a product if you are not authorized to do so.
Don’t scare users. False information about the status of users’ equipment should not be given through the software. For example, it should not be claimed that the system has serious security problems or is infected with viruses. Nor should it indicate that the software offers a service that it does not provide or that it cannot provide, such as increasing the speed of the computer. For example, certain computer cleaning or optimization software should not be advertised as “free” if you need to pay for the advertised services and components.
Use the Google Settings API if your program changes Chrome settings. Any changes to users’ default search settings, home page, or new tab page must be done via Chrome’s Settings Override API. To use it, a Chrome extension is required, which must be installed in compliance with the corresponding policies.
Allows browser and operating system dialog boxes to warn users. Don’t disable browser or operating system alerts, especially if they inform users that there are going to be changes to them.
We recommend that you sign your code. Although the fact that a binary is not signed is not a reason to classify it as unwanted software, we recommend that programs have a valid and verified code signature issued by a code signing authority showing verifiable information from the publisher.
Do not discount the protection and security measures offered by TLS/SSL connections. Applications should not install authority certificates or root certificates, nor intercept SSL/TLS connections, unless this operation is done by experts to debug or analyze the software. Learn more in the corresponding entry on the Google Security Blog.
Protect user data. Software, including mobile apps, should only share users’ private data with servers to the extent necessary for the apps to function. In addition, the user must be informed of these data transfers, which must always be encrypted.
Do no damage. Your binary must respect the user’s browsing experience, and not make it worse. Downloadable binaries must adhere to the following common policies:
- Do not modify the function to reset the browser. Learn more about the Chrome browser settings reset button.
- Do not circumvent or suppress operating system or browser interface controls to change settings. Your program must adequately warn users of changes to browser settings and allow them to monitor those changes. If you need to change Chrome settings, use the Settings API. Learn more in this Chromium blog post.
- Use an extension to change features of Google Chrome. Try not to modify the behavior of the browser with other programming tools. For example, your program should not insert ads into the browser using DLLs (dynamic link libraries). You should also not implement proxy servers that intercept traffic, use tiered service providers to intercept user actions, or insert a new interface into each web page by modifying the Chrome binary.
- Your product and component descriptions must not scare users or make false or misleading claims. For example, the product must not claim, if it is not true, that the system has serious security problems or that it contains viruses. Programs (such as registry cleaners) should not display alarming messages about the status of a user’s computer or device, or claim to optimize their computer.
- The uninstall process should be simple, easy to find, and not intimidating. Your program should include properly labeled instructions for recovering previous browser or system settings. The tool to uninstall your program should remove all components without dissuading users from continuing with the process. For example, if a user decides to uninstall your program, there should be no allegation of possible detrimental effects on the user’s system or privacy.
Avoid bad company. If your software includes other components, you should make sure that none of them violate the recommendations just explained.