
Three times as bad as malware: Google shines light on pay-per-install

New paper from academics and ad giant highlights size of problem

At some point you have probably downloaded a "free" piece of software only to find it has come with a whole host of other unwanted friends that go on to redirect your browser search bar or inject ads where there weren't any before.

This is the world of pay-per-install (PPI) and Google, along with New York University and the International Computer Science Institute, spent a year digging into the little-understood market, publishing their results in a paper [PDF] this week.

What they found over the course of 12 months makes for sobering reading: the issue of PPI is three times greater than malware, with no fewer than 60 million download attempts every week. That's something that the authors say represents "a major security threat". They estimate as many as five per cent of all browsers have been affected.

Why is it such a big problem? Two reasons: first, it is not illegal. Companies that want their software on millions of people's systems pay publishers to bundle it with legit software that the user then actively chooses to download and install.

That pushes the law right to its very boundaries but the fact that a number of big name companies, including Skype and Opera, are using this method to distribute their software is testament to the fact it is not a crime.

The second big reason that PPI is so widespread is, of course, money. The authors note that one of the four large PPI outlets that they looked at took in $460m in revenue in 2014. With money like that, you can expect interest.


And sophistication. The paper notes that the download bundles come with a good degree of technical know-how. Variations in software to account for different operating systems and browsers are automatically installed. PPI publishers store between five and 50 different offers/bundles and provide whichever is most effective for your particular machine.

Some software builds in a 20-day delay before waking up so users don't immediately associate it with the free download they just installed. Some check the computer's registry for anti-virus software and to confirm that they are not already installed.

The team found a total of 15 PPI affiliate networks dotted around the globe providing a total of 160 software families. And it dug into pricing: the price you pay to have your software installed comes as a per-install cost and varies according to region and network. For one network, the cheapest cost was $0.06 or six cents for Vietnam, up to $1.50 per install for North America. The United States was persistently the most expensive market, followed next by the UK.

Despite efforts to block the installations from occurring, the PPI networks have a wide variety of ways to bypass those efforts. The paper's authors found that affiliates jump between domain names every seven hours in order to constantly stay ahead of blocking efforts. They incorporate technology to get past filters and virus scans.

Despite the team noting that 59 per cent of the software they discovered was flagged by anti-virus as "unwanted", that still means more than 40 per cent of it was getting past – and that's for systems with antivirus on.


As for where you can pick these delightful pieces of software up from: the greatest percentage of bundles came through freeware and shareware websites (11.8 per cent) but there was a wide range of other outlets: websites offering video games, file sharing, online video, operating systems, hacked and cracked software, and so on.

In short, if you are trying to download something for free that you know you should really be buying, chances are it will come with some unwanted extras that your system will not notice.

"PPI networks operated with impunity towards the interests of users, relying on a user consent dialogue to justify their actions," the report notes. "We hope that by documenting these behaviors the security community will recognize unwanted software as a major threat."

In a related blog post, Google noted that it was constantly improving and updating its "safe browsing" notices in order to flag up sites that include this sort of software, and its Cleanup Tool that helps prevent their installation. It is also a part of the Clean Software Alliance, which is building an industry-wide approach to blocking these sorts of downloads. ®
