Crafty downloads: they had you at 'free'

Security researchers from Google have published the results of a year-long investigation into the practice of pay-per-install software bundling - and they aren't impressed.

So-called free software can end up delivering PUPs to the victim.
So-called free software can end up delivering PUPs to the victim.

You find some free software on the internet and think, I'll give this a try – maybe it will do that thing I've always wanted my computer to do. Two clicks and it's downloading, a few more quick clicks to authorise it to be installed and, voilà, you're done.

Only problem is that you've been “done” as well. If you aren't careful, in your haste to download that ‘free' software you wanted, you'll also have downloaded and authorised potentially unwanted programs (PUPs) which can range from useful and mostly-harmless to annoying and malicious.

Why is it that people's brains switch off and their defences fall at the first mention of the word “free”?

Age-old problem 

The problem has been around almost as long as the internet itself, but the techniques are getting more pernicious and the organisations behind the distribution of these PUPs becoming more sophisticated.

The commoditisation of third-party software downloads is known as pay-per-install (PPI) and like that other famous PPI scandal, the goal is to get consumers to take things that they didn't really want.

This prompted a team of 18 researchers from Google, New York University and the International Computer Science Institute to look into the issue of PPI and together they studied the market for over a year to tease out how it works.

They concluded that deceptive distribution practices are being employed by the pushers of pay per install software and this is leading to an epidemic of computers infected with unwanted software.

In their research paper, “Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software”, they said that PUPs – including ad injectors, browser hijackers and users trackers – are a leading threat facing computer users today.

Even seemingly innocuous software packages will consume system resources and lead to ever-decreasing performance as they accumulate in the system.

The researchers said the incidence of unwanted software installations is three times greater than malware. Ad injection is thought to plague five percent of users while deceptive browser add-ons in the Google Chrome Store may have affected 50 million users.

Unwanted software could, of course, be taken to include malware but the researchers concentrated on commercial pay-per-install (PPI) that relies on users giving permission – either willingly or as a result of trickery – for the software to be installed.

Scott Pendlebury, lead threat intelligence analyst for UK and Ireland at Fujitsu, agrees that PPI is a shady practice. “That is clear from not only the generally poor quality of software that comes with that which the user intended to install, but also in how the installers of these programs use trickery and subversion to fool a user into installing the bloat, too,” he said.

Nonetheless, commercial PPI is a well-established process for monetising the downloading of free software. It involves software developers, often giving away free software, accepting payments to bundle third-party software as part of the installation process.

Mixed pedigree

As David Navin, corporate security specialist at Smoothwall, pointed out, even Google has used it to promote the installation of its Chrome toolbar. “When used effectively, it can offer added value for the software provider, but as always these kind of things get abused and as we can see, it has now been commoditised which is the cause of the problem,” he said.

The commodisation of PPI is being driven by the development of PPI affiliate networks. Like advertising networks, they make it easier for third-party software developers to find distributors for their product more easily. PPI affiliate networks signup developers and distributors and then act as brokers to match the two and facilitate the bundling of the PUPs with the distributor's software.

For this service they can be paid between $0.10 and $1.50 (7p to £1) per successful install. The software developers are looking for customers who may then pay for an upgrade to their software once they've gotten a taste of what it can do.

Exponents of PPI point to its usage by legitimate software developers and say it can help support the “free” software industry. Even if you go to download a free copy of Java, you will find it automatically offers to set your search engine to Yahoo! for free. You can be sure that Oracle, the owner of Java, isn't doing that out of the goodness of its heart.

The problem occurs when third parties use it to effectively smuggle their software onto users' computers – by giving consent to install the software that they do want, the user unwittingly authorises the installation of unwanted software as well.

“Unfortunately, this all too common user experience is the profit vehicle for a collection of private and publicly companies that commoditise software bundling,” the researchers wrote.

One company involved in software bundling earned $US 460 million (£320m), according to a 2014 report in the Wall Street Journal.

Software bundling has become so slick that companies operate affiliation networks to facilitate distribution, and in the paper, the researchers identified 15 networks, choosing four of the largest to investigate in more depth. These were Amonetize, InstallMonetizer, OpenCandy (developed by SweetLabs) and Outbrowse.

We attempted to contact each company for this article. InstallMonetizer which had a message on its website announcing that after five-and-a-half years in business, it had ceased trading. None of the other three companies responded.

A family affair 

Following these four companies over the course of 2015, the researchers said they discovered that commercial PPI distributes around 160 software families per week, 59 percent of which could be classified as unwanted – unwanted being defined for the purposes of the research as being flagged on VirusTotal by one or more anti-virus companies as “unwanted”.

The researchers claimed that PPI networks actively work to identify vulnerable computers and users, describing the networks as “first-class partners” of the third-party software developers. They found that the networks will “actively fingerprint a victim's machine”, seeking out anti-virus software and virtualised environments and selecting offers that are most likely to go undetected.

Software developers pay between $0.10 (£0.06) and $1.50 (£1.00) for successful installations, with prices varying according to the location of the target machine.

The researchers claimed that their paper represents the first investigation of commercial PPI internal operations and how they facilitate the distribution of unwanted software. They have also shown, they said, that in addition to deceiving users, “commercial PPI installers and distributors knowingly attempt to evade user protections”.

Security experts agree there is little that can be done to reverse the tide of PPI.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SC, "Software bundling is almost as old (or probably even older) than spam.” Like with spam and ransomware, PPI is not so much a technical as economic problem. “You cannot really do anything about this, as you cannot change the fundamental laws of economy and human behaviour. By technical means you can significantly reduce the problem, but you cannot stop it,” he said.

David Navin at Smoothwall told SC, “Unfortunately, unless legal action is taken against the companies facilitating these transactions, the way to control it is with the end users. A good method is to ensure that administrators have to approve the installation of any new software to avoid unknowing staff members installing unwanted software.”

The researchers' claim that PPI companies were deliberately circumventing security software drew nods of recognition from our commentators:

David Navin: “It wouldn't be a surprise if the PPI distributors are trying to circumvent security software, as it's a barrier to entry for them and so of course they would try overcome that. However, security companies have to be aware of the risk and ensure there are appropriate measures in place to stop this.”

Pendlebury: “Although the bundled software is considered 'unwanted' and may not necessarily enact traditional malicious activity, the methods used to ensure the evasion of AV detection mirror that of more malicious software. Additionally, the toolbars, ad injectors, clean-up utilities and so on have a negative effect on the user experience by slowing systems down, interrupting and invading their session and communicating private information back to the distributors.”

He added: “As with any business, the primary focus is on growing its bottom line, so at the forefront of any PPI distributor's mind is how to ensure that AV vendors do not pick up their installers as malicious. To have AV solutions raise an alarm on a user's system after a file download would have the effect of the user not re-visiting the site to download further software, ultimately decreasing their profits.”

Kolochenko observed: “Speaking about circumventing the security software – such practice exists, however some cyber-security companies use software bundling themselves to promote their own products."

Ultimately it's down to the vigilance of the consumer to prevent these downloads.

Pendlebury said: “End-user education is key to keep systems from falling foul of unwanted software being present on their machines. Crucially, any piece of software should be downloaded from its source. In other words, if the latest version of Adobe Flash is to be downloaded it should be retrieved from Adobe's website.

“As well as this, if a piece of software has been downloaded from a file distributor, users must be very careful with the installation process. A favourite trick of PPI installers is to hide the additional software within the ‘advanced options' menu. Most users will not check within this part of the installer which allows the bloat to be installed without making any mention of it to the user.”

Further proof, if it was needed, that the internet is the modern day Wild West, filled with thieves, ne'er-do-wells and snake oil salesmen just waiting to take advantage of the naive.   

You must be a registered member of SC Magazine to post a comment.

RECENT COMMENTS

Sign up to our newsletters

FOLLOW US