Adware turns a tidy profit for those who sneak it into downloads

Perpetrators are deliberately evading protections, say researchers from Google and NYU

If you've ever downloaded software, chances are you've experienced an all-too-common surprise: ads or other unwanted programs that tagged along for the ride, only to pop up on your PC uninvited. Turns out there's a highly lucrative global industry making it happen, with "layers of deniability" to protect those involved.

That's according to researchers from Google and New York University's Tandon School of Engineering, who will present this week what they say is the first analysis of the link between so-called "pay-per-install" (PPI) practices and the distribution of unwanted software.

Commercial PPI is a monetization scheme whereby third-party applications are surreptitiously bundled with legitimate ones. When users install the package they requested, they also get a stream of unwanted programs riding stowaway. They may find a barrage of ads overrunning the screen, for example, or a flashing pop-up warning of malware and peddling fake antivirus software. Alternatively, the system's default browser may be hijacked so as to redirect to ad-laden pages.

Making all this happen are networks of affiliates -- brokers who forge the deals that bundle the extra software with popular applications and place download offers on well-trafficked websites. They get paid by PPI businesses directly, sometimes as much as $2 per install, the researchers found. Legitimate developers often don't even know their products are being bundled with extra stuff.

As part of their study, the researchers focused on four PPI affiliates, routinely downloading their software packages and analyzing the components. Most striking, they said, was the degree to which downloads are personalized to maximize the chances that their payload will be delivered.

When an installer runs, the user's computer is first "fingerprinted" to determine which adware is compatible. The downloader also searches for antivirus protection and factors those results into its approach.

"They do their best to bypass antivirus, so the program will intentionally inject those elements -- whether it's adware or scareware -- that are likeliest to evade whichever antivirus program is running," said Damon McCoy, an assistant professor of computer science and engineering at NYU Tandon.

Google has long tracked web pages known to harbor unwanted software offers and updates the Safe Browsing protection in its Chrome browser to warn users when they visit such pages. But PPI affiliates are constantly adjusting their tactics to avoid user protections while intentionally delivering unwanted software, the researchers said.

Part of the problem is what the researchers call the "thin veil of consent" that users grant inadvertently when they download the software they want.

"If you've ever downloaded a screen saver or other similar feature for your laptop, you've seen a 'terms and conditions' page pop up where you consent to the installation," said McCoy. "Buried in the text that nobody reads is information about the bundle of unwanted software programs in the package you're about to download."

The presence of a consent form allows these "stowaway software" businesses to operate legally, but what they thrust on users treads a fine line between unwanted software and malware, McCoy said. "We're hoping to expose these business practices so people are less likely to get duped into flooding their computers with programs they never wanted."

The researchers' paper, titled "Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software," will be presented at the USENIX Security Symposium in Austin, Texas, later this week.

Join the CSO newsletter!

Error: Please check your email address.

More about GoogleYork University

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Katherine Noyes

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place