Three times as bad as malware: Google shines light on pay-per-install

New paper from academics and ad giant highlight size of problem

As some point you have probably downloaded a "free" piece of software only to find it has come with a whole host of other unwanted friends that go on to redirect your browser search bar or inject ads where there weren't any before.

This is the world of pay-per-install (PPI) and Google, along with New York University and the International Computer Science Institute, spent a year digging into the little-understood market, publishing their results in a paper [PDF] this week.

What they found over the course of 12 months makes for sobering reading: the issue of PPI is three times greater than malware: no less than 60 million download attempts every week. That's something that the authors say represents "a major security threat". They estimate as many as five per cent of all browsers have been affected.

Why is it such a big problem? Two reasons: first, it is not illegal. Companies that want their software on millions of people's system pay publishers to bundle it with legit software that the user then actively chooses to download and install.

That pushes the law right to its very boundaries but the fact that a number of big name companies, including Skype and Opera, are using this method to disburse their software is testament to the fact it is not a crime.

The second big reason that PPI is a so widespread is, of course, money. The authors note that one of the four large PPI outlets that they looked at took in $460m in revenue in 2014. With money like that, you can expect interest.


And sophistication. The paper notes that the download bundles come with a good degree of technical know-how. Variations in software to account for different operating systems and browsers are automatically installed. PPI publishers store between five and 50 different offers/bundles and provide whichever is most effective for your particular machine.

Some software builds in a 20-day delay before waking up so users don't immediately associate it with the free download they just installed. Some check in the computer's registry for anti-virus and that they're not already installed.

The team found a total of 15 PPI affiliate networks dotted around the globe providing a total of 160 software families. And it dug into pricing: the price you pay to have your software installed comes as a per-install cost and varies according to region and network. For one network, the cheapest cost was $0.06 or six cents for Vietnam, up to $1.50 per install for North America. The United States was persistently the most expensive market, followed next by the UK.

Despite efforts to block the installations from occurring, the PPI networks have a wide variety of ways to bypass their efforts. The paper's authors found that affiliates jump between domain names every seven hours in order to constantly stay ahead of blocking efforts. They incorporate technology to get past filters and virus scans.

Despite the team noting that 59 per cent of the software they discovered was flagged by anti-virus as "unwanted", that still means more than 40 per cent of it was getting past – and that's for systems with antivirus on.


As for where you can pick these delightful pieces of software up from: the greatest percentage of bundles came through freeware and shareware websites (11.8 per cent) but there were a wide range of other outlets: websites offering video games, file sharing, online video, operating systems, hacked and cracked software, and so on.

In short, if you are trying to download something for free that you know you should really be buying, chances are it will come with some unwanted extras that your system will not notice.

"PPI networks operated with impunity towards the interests of users, relying on a user consent dialogue to justify their actions," the report notes. "We hope that by documenting these behaviors the security community will recognize unwanted software as a major threat."

In a related blog post, Google noted that it was constantly improving and updating its "safe browsing" notices in order to flag up sites that includes this sort of software, and its Cleanup Tool that helps prevent their installation. It is also a part of the Clean Software Alliance which is building an industry-wide approach to blocking these sorts of downloads. ®

Similar topics

Other stories you might like

  • Think your phone is snooping on you? Hold my beer, says basic physics

    Information wants to be free, and it's making its escape

    Opinion Forget the Singularity. That modern myth where AI learns to improve itself in an exponential feedback loop towards evil godhood ain't gonna happen. Spacetime itself sets hard limits on how fast information can be gathered and processed, no matter how clever you are.

    What we should expect in its place is the robot panopticon, a relatively dumb system with near-divine powers of perception. That's something the same laws of physics that prevent the Godbot practically guarantee. The latest foreshadowing of mankind's fate? The Ethernet cable.

    By itself, last week's story of a researcher picking up and decoding the unintended wireless emissions of an Ethernet cable is mildly interesting. It was the most labby of lab-based demos, with every possible tweak applied to maximise the chances of it working. It's not even as if it's a new discovery. The effect and its security implications have been known since the Second World War, when Bell Labs demonstrated to the US Army that a wired teleprinter encoder called SIGTOT was vulnerable. It could be monitored at a distance and the unencrypted messages extracted by the radio pulses it gave off in operation.

    Continue reading
  • What do you mean you gave the boss THAT version of the report? Oh, ****ing ****balls

    Say what you mean

    NSFW Who, Me? Ever written that angry email and accidentally hit send instead of delete? Take a trip back to the 1990s equivalent with a slightly NSFW Who, Me?

    Our story, from "Matt", flings us back the best part of 30 years to an era when mobile telephones were the preserve of the young, upwardly mobile professionals and fixed lines ruled the roost for more than just your senior relatives.

    Back then, Matt was working for a UK-based fixed-line telephone operator. He was dealing with a telephone exchange which served a relatively large town. "I ran a reasonably ordinary, read-only command to interrogate a specific setting," he told us.

    Continue reading
  • Chinese tech minister says he's 'dealt with' 73,000 websites that breached the law

    Ongoing crackdown saw apps 1.83 million apps tested, 4,200 told to clean up their act, pop-up ads popped

    China's Minister of Industry and Information Technology, Xiao Yaqing, has given a rare interview in which he signalled the nation's crackdown on the internet and predatory companies will continue.

    The interview, reported in state-controlled organ Xinhua, reveals that China's recent crackdowns on inappropriate content and companies with monopolistic tendencies have both bitten – hard.

    The nation investigated 1.83 million apps to ensure they don't infringe users' rights. Some 4,200 illegal apps found to require "rectification".

    Continue reading

Biting the hand that feeds IT © 1998–2021