The Pay-Per-Install Affiliate Business - Making Millions out of Adware


There’s hardly an active online user who doesn’t know what a PUP is (mostly from first-hand experience). At best, potentially unwanted programs provide little to no benefit, and at worst, they can be quite harmful to your system. In addition to taking up space on your hard drive, they also slow down your computer, flood you with intrusive ads, and often change the settings of your browsers without your knowledge or permission. Unwanted software often comes along with adware and/or spyware bundled inside the installation package.

Related: The Thin Red Line between PUPs and Malware

If you have downloaded software, mostly freeware, you have definitely experienced adware, or the unexpected, intrusive pop-up advertisements that appear uninvited on your screen. PUPs are annoying and that’s a fact no one can deny, especially when there is specific research to further illustrate the potential damage of these programs. According to the research we are about to delve into, unwanted software is part of a highly profitable global industry, protected by layers of deniability. No wonder the bundle business is so successful!

The research we are talking about is described in a paper, “Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software”, and was carried out by researchers from Google, New York University and the International Computer Science Institute. The researchers “explore the ecosystem of commercial pay-per-install (PPI) and the role it plays in the proliferation of unwanted software”.

What Is Commercial PPI?

  • Commercial PPI enables companies to bundle their applications with more popular software in return for a fee, effectively commoditizing access to user devices. We [the researchers] develop an analysis pipeline to track the business relationships underpinning four of the largest commercial PPI networks and classify the software families bundled. In turn, we measure their impact on end users and enumerate the distribution techniques involved.
  • Developers of these families pay $0.10–$1.50 per install—upfront costs that they recuperate by monetizing users without their consent or by charging exorbitant subscription fees. Based on Google Safe Browsing telemetry, we estimate that PPI networks drive over 60 million download attempts every week—nearly three times that of malware. While anti-virus and browsers have rolled out defenses to protect users from unwanted software, we find evidence that PPI networks actively interfere with or evade detection.

As you can see, there’s a strong connection between pay-per-install practices and the spread of unwanted applications. Symantec researchers have previously dubbed pay-per-install “the new malware distribution network”, stressing the fact that in the not-so-distant past malware (like worms) was self-propagating with the help of server-side vulnerabilities. The research results also depict the deceptive practices of some commercial PPI operators that currently persist, and will likely continue to do so in the future.

Related: Here’s How Ransomware Is Evolving in 2016

Later the attack focus moved to client-side attacks and social engineering techniques (like phishing). In these attacks, user interaction is required – the potential victim needs to visit a compromised website, open an email attachment, etc. Even though these techniques are certainly effective, they will not propagate malware or unwanted software on a larger scale.

Related: Vishing, Smishing and Phishing

This is how the pay-per-install distribution model enters the market. The fact that it’s a grey area makes things quite complicated to deal with.

The pay-per-install distribution model is based on revenue sharing and commission. Malware authors do not have the resources or bandwidth to spread their malware on a large scale. Instead they rely on a network of affiliates, who distribute the malware, and in return get paid a commission for every install. [via Symantec report]

Needless to say, commercial PPI is a very effective monetization scheme in which third-party programs are bundled with legitimate software. Besides the software the user initially wanted to install, he will also get a bonus – an unwanted piece of code that will affect the performance of his system. The worst case scenario here is getting a piece of nasty malware. The best case scenario is the sudden appearance of ads or pop-up warnings about a supposedly detected threat (the well-known tech-support, rogue AV and scareware scams).

Related: How to Identify Rogue AV in 2016

However, those ads and pop-ups may later link to a compromised website loaded with exploits, which usually ends with ransomware distribution. Or sensitive information may be collected from users, which may later be exploited in further attacks, or can be sold on the black market. So any case scenario is bad enough for you to want to avoid it!

Related: Click-Ad-Fraud Kovter Malware

During their research, the experts from Google, New York University, and the International Computer Science Institute focused on four PPI affiliates (Amonetize, InstallMonetizer, OpenCandy, and Outbrowse) and regularly downloaded software packages for various analyses. What surprised them most was the extent to which downloads are personalized to maximize the chances of their payload being delivered.

Related: How to Remove Amonetize Adware

What Are the Longest Running PPI Campaigns?

Ad Injectors

Ad injectors modify a user’s browsing experience to replace or insert additional advertisements that otherwise would not appear on a website. Every PPI network we monitor participates in the distribution of ad injectors.

Browser Settings Hijackers

Settings hijackers modify a victim’s default browser behavior, typically to change the default tab or search engine to a property controlled by the hijacker.[…] Examples include Conduit Search (e.g., Search Protect) which came preinstalled on Lenovo machines in 2014.

System Utilities

System utilities attempt to upsell users using potentially deceptive practices, with some meeting anti-virus definitions of scareware. This category includes “speedup” utilities like Speedchecker and Uniblue that present nebulous claims such as “Attention! 2203 items are slowing down your PC” or “your system registry health status is dangerous.”

Anti-Virus Software

Four anti-virus products are distributed via the PPI ecosystem: AVG, LavaSoft, Comodo, and Qihoo. We cannot determine whether these companies directly purchase installs from commercial PPI affiliate networks.

Major Brands

A small number of major software brands including Opera, Skype, and browser toolbars are distributed via PPI. Based on the affiliate codes embedded in the download URLs for Opera, it appears that Opera directly interacts with PPI operators to purchase installs rather than relying on intermediate affiliates.

Why the Average User Should Care about the PPI Industry

Did you know that PPI networks generally offer advertisers the option to pre-check whether an antivirus engine is present on the system prior to showing the advertiser’s offer? Sneaky, right? This pre-check is based on a blacklist of registry keys, file paths, and registry strings specified by the particular advertiser. The researchers made a list of 58 common anti-virus tokens that appear in a random sample of pre-check requirements, together with the names of the AV companies participating in VirusTotal.

Then, they scanned all offer installation requirements for those tokens. What they concluded based on their dataset is that 20% of offers take advantage of PPI downloader capabilities that prevent installs from happening on systems equipped with an AV solution. When an AV check is present, advertisers target an average of 3.6 AV families. The researchers believe that PPI networks support unwanted software developers as first-class business partners.
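As an added illustration of the token scan described above (example code written for this article, not the paper's analysis pipeline), the following Python walks a constructed set of offer pre-check requirements, matches them against AV-name tokens, and reports the share of offers that test for an AV product and the mean number of AV families each such offer targets. The offers and the token list are constructed stand-ins for the researchers' data and their 58-token list.

```python
"""Miniature replica of the AV pre-check token scan (constructed data throughout).

Each PPI offer carries a blacklist of registry keys, file paths and registry
strings that the downloader checks before showing the offer; we look for
AV-name tokens inside those strings, as the researchers did."""
from statistics import mean

# Constructed token -> AV family map (stand-in for the paper's 58-token list).
AV_TOKENS = {
    "avg": "AVG", "avast": "Avast", "kaspersky": "Kaspersky", "mcafee": "McAfee",
    "norton": "Symantec", "symantec": "Symantec", "bitdefender": "Bitdefender",
    "eset": "ESET", "malwarebytes": "Malwarebytes", "qihoo": "Qihoo", "360safe": "Qihoo",
}

# Constructed sample offers: the requirement strings an advertiser asks the
# PPI downloader to check before presenting the offer.
SAMPLE_OFFERS = {
    "offer-A": [r"HKLM\SOFTWARE\AVG", r"C:\Program Files\AVAST Software\Avast",
                r"HKLM\SOFTWARE\KasperskyLab"],
    "offer-B": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SomeToolbar"],
    "offer-C": [r"C:\Program Files\Norton Security", r"HKLM\SOFTWARE\Symantec",
                r"HKLM\SOFTWARE\ESET\ESET Security", r"C:\Program Files\Malwarebytes",
                r"HKLM\SOFTWARE\360Safe"],
    "offer-D": [],
    "offer-E": [r"C:\Program Files\Qihoo\360TotalSecurity"],
}


def av_families(requirements):
    """Return the set of AV families named anywhere in an offer's pre-check strings."""
    found = set()
    for req in requirements:
        low = req.lower()
        for token, family in AV_TOKENS.items():
            # Case-insensitive substring match, mirroring a simple token scan.
            if token in low:
                found.add(family)
    return found


def summarize(offers):
    """Share of offers with an AV pre-check, mean AV families per such offer,
    and the per-offer family sets for the offers that do check."""
    with_check = {name: av_families(reqs) for name, reqs in offers.items()
                  if av_families(reqs)}
    share = len(with_check) / len(offers) if offers else 0.0
    avg_families = mean(len(f) for f in with_check.values()) if with_check else 0.0
    return share, avg_families, with_check


if __name__ == "__main__":
    share, avg_families, detail = summarize(SAMPLE_OFFERS)
    print(f"offers with AV check: {share:.0%}, mean AV families: {avg_families:.1f}")
```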

What Can Be Done to Neutralize the Damage of PPI Campaigns?

In a nutshell, the study reveals that PPI affiliate networks support and spread unwanted software such as:

  • Ad injectors
  • Browser settings hijackers
  • System utilities

One method users often rely on to clean up their browsers is the Chrome Cleanup Tool. Prior to needing to use such a tool, you may want to consider a service like Google Safe Browsing. The service lets client applications check URLs against Google’s frequently updated lists of unsafe web resources. (Additional safety tips are available below the article).

The number of unwanted installations is far larger than one might imagine – in total, the PPI ecosystem contributed to over 60 million weekly download attempts. The success is partially due to the fact that commercial PPI networks evolve in step with the AV market.

Even though many AV solutions and browsers have started integrating signatures of unwanted software, the networks continuously attempt to evade these protections. However, the sole fact that an advertiser would cease an install when an AV is present on a system speaks volumes. Never underestimate the power of your antivirus program! And keep your ad-blocker on!

Additional Security Tips against Unwanted Software and Malware

  • Use additional firewall protection. Installing a second firewall is an excellent defense against potential intrusions.
  • Your programs should have less administrative power over what they read and write on your computer. Make them prompt you for admin access before starting.
  • Use stronger passwords. Stronger passwords (preferably ones that are not dictionary words) are harder to crack by several methods, including brute forcing, which relies on password lists built from common words.
  • Turn off AutoPlay. This protects your computer from malicious executable files on USB sticks or other external storage media as soon as they are inserted.
  • Disable file sharing. If you do need to share files between your own computers, password-protect the share so that an infection stays confined to your own machine.
  • Switch off any remote services – this can be devastating for business networks since it can cause a lot of damage on a massive scale.
  • Consider disabling or removing Adobe Flash Player (depending on the browser).
  • Configure your mail server to block and delete emails containing suspicious file attachments.
  • Never miss an update for your OS and software.
  • Turn off infrared ports or Bluetooth.
  • If you have a compromised computer in your network, make sure to isolate it immediately by powering it off and disconnecting it by hand from the network.
  • Employ a powerful anti-malware solution to protect yourself from any future threats automatically.


Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
