Perpetrators are deliberately evading protections, say researchers from Google and NYU If you’ve ever downloaded software, chances are you’ve experienced an all-too-common surprise: ads or other unwanted programs that tagged along for the ride, only to pop up on your PC uninvited. Turns out there’s a highly lucrative global industry making it happen, with “layers of deniability” to protect those involved. That’s according to researchers from Google and New York University’s Tandon School of Engineering, who will present this week what they say is the first analysis of the link between so-called “pay-per-install” (PPI) practices and the distribution of unwanted software. Commercial PPI is a monetization scheme whereby third-party applications are surreptitiously bundled with legitimate ones. When users install the package they requested, they also get a stream of unwanted programs riding stowaway. They may find a barrage of ads overrunning the screen, for example, or a flashing pop-up warning of malware and peddling fake antivirus software. Alternatively, the system’s default browser may be hijacked so as to redirect to ad-laden pages. Making all this happen are networks of affiliates — brokers who forge the deals that bundle the extra software with popular applications and place download offers on well-trafficked websites. They get paid by PPI businesses directly, sometimes as much as $2 per install, the researchers found. Legitimate developers often don’t even know their products are being bundled with extra stuff. As part of their study, the researchers focused on four PPI affiliates, routinely downloading their software packages and analyzing the components. Most striking, they said, was the degree to which downloads are personalized to maximize the chances that their payload will be delivered. When an installer runs, the user’s computer is first “fingerprinted” to determine which adware is compatible. The downloader also searches for antivirus protection and factors those results into its approach. “They do their best to bypass antivirus, so the program will intentionally inject those elements — whether it’s adware or scareware — that are likeliest to evade whichever antivirus program is running,” said Damon McCoy, an assistant professor of computer science and engineering at NYU Tandon. Google has long tracked web pages known to harbor unwanted software offers and updates the Safe Browsing protection in its Chrome browser to warn users when they visit such pages. But PPI affiliates are constantly adjusting their tactics to avoid user protections while intentionally delivering unwanted software, the researchers said. Part of the problem is what the researchers call the “thin veil of consent” that users grant inadvertently when they download the software they want. “If you’ve ever downloaded a screen saver or other similar feature for your laptop, you’ve seen a ‘terms and conditions’ page pop up where you consent to the installation,” said McCoy. “Buried in the text that nobody reads is information about the bundle of unwanted software programs in the package you’re about to download.” The presence of a consent form allows these “stowaway software” businesses to operate legally, but what they thrust on users treads a fine line between unwanted software and malware, McCoy said. “We’re hoping to expose these business practices so people are less likely to get duped into flooding their computers with programs they never wanted.” The researchers’ paper, titled “Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software,” will be presented at the USENIX Security Symposium in Austin, Texas, later this week. Related content opinion Can your cloud backup provider fail? Cloud backup providers aren’t infallible. Be sure to ask hard questions of providers about their storage redundancy, geo-replication, data integrity measures, and disaster recovery capabilities. By Curtis Preston Apr 19, 2024 7 mins Backup and Recovery Cloud Computing Data Center news Cisco marries AI and security with cloud-based data center offering Cisco announces AI-based Hypershield, a self-upgrading security fabric that's designed to protect distributed applications, devices and data. By Michael Cooney Apr 18, 2024 5 mins Network Security Data Center how-to Shredding files on Linux with the shred command The shred command is a good option for removing files from a Linux system in a way that makes them virtually impossible to recover. By Sandra Henry-Stocker Apr 18, 2024 4 mins Linux news Intel announces edge AI processors New edge-optimized processors and FPGAs will power AI-enabled devices in vertical industries including retail, industrial and healthcare. By Andy Patrizio Apr 18, 2024 3 mins CPUs and Processors Edge Computing PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe