Google Research Reveals Depth of Deceptive Software Problem

Written by: Mike Yang

LAS VEGAS–After a year-long study of affiliate networks running pay-per-install programs, which often include shareware, ad-injectors, and other unwanted software, Google and NYU found that nearly 60 percent of offers bundled with these programs are flagged as unwanted and that the networks drive about 60 million download attempts every week.
PPI networks are large, complex affiliate organizations that will bundle several developers’ apps with their own and then receive a payment for each successful install. In many cases, these networks rely on deceptive or confusing dialog boxes and installation instructions in order to push users into installing the apps. Many of the apps installed through these networks are classified as potentially unwanted software, a broad term that can include things such as ad-injectors, toolbars, shareware, and useless computer utilities.
“In recent years, unwanted software has risen to the forefront of threats facing users. Prominent strains include ad injectors that laden a victim’s browser with advertisements, browser settings hijackers that sell search traffic, and user trackers that silently monitor a victim’s browsing behavior,” the new report from Google and the NYU School of Engineering says.
“Estimates of the incident rate of unwanted software installs on desktop systems are just emerging: prior studies suggest that ad injection affects as many as 5% of browsers [34] and that deceptive extensions escaping detection in the Chrome Web Store affect over 50 million users.”

“There are a multitude of deceptive behaviors currently pervasive to software bundling.”

During the year that they studied the affiliate networks, the researchers came across more than 50 affiliate networks that are pushing PPI unwanted software and tools that help defeat antimalware detection. The researchers focused on four networks in particular, and collected 446,000 PPI offers of 883 different apps. There was a lot of scareware and ad-injectors in that sample set, as well as browser hijackers.

“Taken as a whole, we found 59% of weekly offers bundled by pay-per-install affiliate networks were flagged by at least one anti-virus engine as potentially unwanted. In response, software bundles will first fingerprint a user’s machine prior to installation to detect the presence of “hostile” anti-virus engines,” Kurt Thomas, a research scientist, and Juan A. Elices Crespo, a software engineer, at Google said in a post on the research.

“Furthermore, in response to protections provide by Google Safe Browsing, publishers have resorted to increasingly convoluted tactics to try and avoid detection, like the defunct technique…of password protecting compressed binaries.”
The software-bundling behavior used in these affiliate networks is at the heart of their programs, and is one of the things that makes it difficult for users to determine whether they should install a given app.

“Paired with deceptive promotional tools like fake video codecs, software updates, or misrepresented brands, there are a multitude of deceptive behaviors currently pervasive to software bundling,” the Google post says.

Google held an event recently to work on setting guidelines for clean software and bundling and the company said there is work going on in the software industry to make things clearer for users.

“Together, we laid the groundwork for an industry-wide initiative to provide users with clear choices when installing software and to block deceptive actors pushing unwanted installs,” Thomas and Crespo said.