Google’s Safe Browsing service, used by Chrome, Firefox, and Safari, generates 60 million monthly warnings to users about deceptive software installations. This is three times more than the number of warnings shown by the service for malware. Google and New York University (NYU) performed a study on all types of deceptive software and ads in order to better identify how to fight against them.
Over the course of a year, Google and NYU discovered that four of the largest pay-per-install (PPI) advertising networks routinely distributed unwanted ad injectors, browser settings hijackers, and scareware flagged by over 30 antivirus engines. These bundles were promoted through fake software updates, phony content lockers, and spoofed brands. All of these methods were being discussed openly on underground forums.
Google reminded us that not all software in a bundle can be classified as unwanted software. Users may want to install only one of the programs in the bundle, but they often get stuck with multiple other programs and tools on their PCs that they didn’t intend to install.
This usually happens when users try to “express install” a program, only to later realize that multiple programs and other tools suddenly appeared on their PCs. It’s only when they choose “custom installation” that they can see all the programs that will be installed as well. That’s where the users can also stop those programs from installing, by unchecking them from the list.
Google and NYU determined that there are three parties that enable the pay-per-install distribution model: advertisers, affiliate networks and publishers.
The advertisers are usually the developers of software tools. They care about having a good return on their advertising investment, and bundling provides such returns. The cost per install ranges from $0.10 in South America to $1.50 in the United States. When they can’t recover their investment, they take advantage of practices such as ad injection, selling search traffic, or levying subscription fees. Google identified 1,211 such advertisers paying for installs.
The affiliate networks are the middlemen between the advertisers and the publishers willing to bundle their software with other programs. The affiliate networks provide the tracking technology to check how many installs were performed, but also the tools to avoid Google’s Safe Browsing and anti-virus detection. The researchers found at least 50 such affiliate networks.
The publishers are the ones who make the bundles available and promote them on download portals, through organic page traffic, or even through deceptive ads. The study found 2,518 publishers distributing through 191,372 web pages.
For a year, the researchers monitored four of the top pay-per-install affiliate networks and collected 446K offers related to 843 unique software packages. The most commonly bundled software in those packages was unwanted ad injectors, browser settings hijackers, and scareware that asked users for $30-$40 to fix urgent issues in their machines.
The researchers found that 59% of the pay-per-install bundled offers were flagged by at least one antivirus as potentially unwanted software. The publishers of such bundled software have also resorted to password-protecting their files so Google’s Safe Browsing can’t detect what type of files are in the archives.
Other Safe Browsing-avoiding tactics include fake video codecs, software updates and misrepresented brands.
Google has been constantly improving the Safe Browsing service, which is one of the reasons why Mozilla is adopting its protections against unwanted software. It also has an aggressive policy against advertisers that try to mislead users into downloading unwanted software.
Beyond that, the company is also trying to work with other stakeholders in the industry, including anti-virus companies and bundling platforms, to distribute “clean software.” The initiative aims to create industry-wide standards that give users clear choices when installing software, while at the same time blocking deceptive ads.