If you've ever downloaded software, chances are you've experienced an all-too-common surprise: ads or other unwanted programs that tagged along for the ride, only to pop up on your PC uninvited. Turns out there's a highly lucrative global industry making it happen, with "layers of deniability" to protect those involved.
That's according to researchers from Google and New York University's Tandon School of Engineering, who will present this week what they say is the first analysis of the link between so-called "pay-per-install" (PPI) practices and the distribution of unwanted software.
Commercial PPI is a monetization scheme whereby third-party applications are surreptitiously bundled with legitimate ones. When users install the package they requested, they also get a stream of unwanted programs riding stowaway. They may find a barrage of ads overrunning the screen, for example, or a flashing pop-up warning of malware and peddling fake antivirus software. Alternatively, the system's default browser may be hijacked so as to redirect to ad-laden pages.
Making all this happen are networks of affiliates -- brokers who forge the deals that bundle the extra software with popular applications and place download offers on well-trafficked websites. They get paid by PPI businesses directly, sometimes as much as $2 per install, the researchers found. Legitimate developers often don't even know their products are being bundled with extra stuff.
As part of their study, the researchers focused on four PPI affiliates, routinely downloading their software packages and analyzing the components. Most striking, they said, was the degree to which downloads are personalized to maximize the chances that their payload will be delivered.
When an installer runs, the user's computer is first "fingerprinted" to determine which adware is compatible. The downloader also searches for antivirus protection and factors those results into its approach.
"They do their best to bypass antivirus, so the program will intentionally inject those elements -- whether it's adware or scareware -- that are likeliest to evade whichever antivirus program is running," said Damon McCoy, an assistant professor of computer science and engineering at NYU Tandon.
Google has long tracked web pages known to harbor unwanted software offers and updates the Safe Browsing protection in its Chrome browser to warn users when they visit such pages. But PPI affiliates are constantly adjusting their tactics to avoid user protections while intentionally delivering unwanted software, the researchers said.
Part of the problem is what the researchers call the "thin veil of consent" that users grant inadvertently when they download the software they want.
"If you've ever downloaded a screen saver or other similar feature for your laptop, you've seen a 'terms and conditions' page pop up where you consent to the installation," said McCoy. "Buried in the text that nobody reads is information about the bundle of unwanted software programs in the package you're about to download."
The presence of a consent form allows these "stowaway software" businesses to operate legally, but what they thrust on users treads a fine line between unwanted software and malware, McCoy said. "We're hoping to expose these business practices so people are less likely to get duped into flooding their computers with programs they never wanted."
The researchers' paper(PDF), titled "Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software," will be presented at the USENIX Security Symposium in Austin, Texas, later this week.