Home > Cyber News > The Pay-Per-Install Affiliate Business – Making Millions out of Adware

The Pay-Per-Install Affiliate Business – Making Millions out of Adware


There’s hardly an active online user who doesn’t know what a PUP is (mostly from first-hand experience). At best, potentially unwanted programs provide little to no benefit, and at worst, they can be quite harmful to your system. In addition to taking up space on your hard drive, they also slow down your computer, flood you with intrusive ads, and often change the settings of your browsers without your knowledge or permission. Unwanted software often comes along with adware and/or spyware bundled inside the installation package.

Related: The Thin Red Line between PUPs and Malware

Adware Continues to Be Malicious

A new research conducted in May 2019 confirms the malicious nature of adware and PUPs. Researchers Xavier de Carné de Carnavalet and Mohammad Mannan analyzed a well-known player in the adware business known as Wajam. The researchers investigated the evolution of Wajam in the course of nearly six years. As of 2016, revealed by the Office of the Privacy Commissioner of Canada, Wajam had “hundreds of millions of installations” and collected 400TB of private information from users, the report said.

Wajam has been around since 2013. In the past, it was advertised as a social search browser add-on that allows users to find what information has been searched online or shared by their friends on social platforms like Twitter and Facebook. As this is an ad-supported browser plug-in, Wajam is known to display various advertisements that some users find quite annoying. What turns Wajam into a potentially unwanted application is the risk of various infections involved with the pop-up, banner and in-text ads, which may lead the user to unverified and unsafe webpages.

In other words, Wajam has been known to inject ads into browser traffic, using techniques that malware operators use, such as man-in-the-browser (browser process injection) attacks seen in Zeus operations. Other examples include anti-analysis and evasion techniques, security policy downgrading and data leakage. Read more about the Wajam investigation.

How does the pay-per-install scheme work? As pointed out by Kevin Stevens in a report, Security Researcher at SecureWorks Counter Threat Unit, the Pay-Per-Install business model has been around for many years. When it first started, it was primarily used to distribute ads, whereas today it is mainly used to deliver spyware and malware threats.

The business is initiated by an affiliate interested in creating a network of infected computers. The said affiliate then signs up to a PPI site and receives a file from the PPI provider, which originally used to be a variant of an adware program. Then, the affiliate bundles the PPI-provided file with another program that could be hosted on their site. This is also known as a binder program that can combine the adware provided by the PPI site with a known program. The end goal is a victim downloading the program and getting the adware installed on their computer. When this happens, the said affiliate is paid per install.

If you have downloaded software, mostly freeware, you have definitely experienced adware, or the unexpected, intrusive pop-up advertisements that come out uninvited on your screen. PUPs are annoying and that’s a fact no one can deny, especially when there is a specific research to further illustrate the potential damage of these programs. According to this particular research we are about to engulf, unwanted software is part of highly profitable global industry, protected by layers of deniability. No wonder the bundle business is so successful!

The research we are talking about is described in a paper, “Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software“, and is carried out by researchers from Google, New York University, International Computer Science Institute. Researchers “explore the ecosystem of commercial pay-per-install (PPI) and the role it plays in the proliferation of unwanted software“.

What Is Commercial Pay-Per-Install (PPI)?

  • Developers of these families pay $0.10–$1.50 per install—upfront costs that they recuperate by monetizing users without their consent or by charging exorbitant subscription fees. Based on Google Safe Browsing telemetry, we estimate that PPI networks drive over 60 million download attempts every week—nearly three times that of malware. While anti-virus and browsers have rolled out defenses to protect users from unwanted software, we find evidence that PPI networks actively interfere with or evade detection.
  • As you can see, there’s a strong connection between pay-per-install practices and the spread of unwanted applications. Symantec researchers have previously dubbed pay-per-install “the new malware distribution network“, stressing on the fact that in the foreseeable past malware (like worms) was self-propagating with the help of server-side vulnerabilities. The research results also depict the deceptive practices of some commercial PPI operators that currently persevere, and will likely continue to do so in the future.

    Later the attack focus moved to client-side attacks and social engineering techniques (like phishing). In these attacks, user interaction is required – the potential victim needs to visit a compromised website, open an email attachment, etc. Even though these techniques definitely give results, they will not propagate malware or unwanted software on a larger scale.

    This is how the pay-per-install distribution model enters the market. The fact that it’s a grey area makes things quite complicated to deal with.

    The pay-per-install distribution model is based on revenue sharing and commission. Malware authors do not have the resources or bandwidth to spread their malware on a large scale. Instead they rely on a network of affiliates, who distribute the malware, and in return get paid a commission for every install. [via Symantec report]

    Needless to say, commercial PPI is a very effective monetization scheme where third-party programs are bundled with legitimate software. Besides the software the user initially wanted to install, he will also get a bonus – a piece of unwanted piece of code that will affect the performance of his system. The worst case scenario here is getting a piece of nasty malware. The best case scenario is the sudden appearance of ads or pop-up warnings regarding a detected threat (the well-known tech-support, rogue AV and scareware scams).

    However, those ads and pop-ups may later link to a compromised website loaded with exploits, which usually ends with ransomware distribution. Or sensitive information may be collected from users, which may later be exploited in further attacks, or can be sold on the black market. So any case scenario is bad enough for you to want to avoid it!

    During their research, the experts from Google, New York University, and the International Computer Science Institute focused on four PPI affiliates (Amonetize, InstallMonetizer, OpenCandy, and Outbrowse) and regularly downloaded software packages for various analyses. What surprised them most was the extent to which downloads are personalized to maximize the chances of their payload being delivered.

    What Are the Longest Running PPI Campaigns?

    Ad Injectors

    Ad injectors are designed to modify a user’s browsing experience and replace or insert additional advertisements that otherwise would not appear on a website. Most PPI networks have been observed to participate in the distribution of ad injectors.

    Browser Settings Hijackers

    These are threats designed to specifically alter the browser’s settings in a way to be persistent and difficult to remove.

    System Utilities

    These include scareware approaches designed to scare the victim into purchasing a rogue product. This category includes various speedup utilities and rogue security products.

    Why the Average User Should Care about the PPI Industry

    Did you know that PPI networks generally offer advertisers the option to pre-check whether an antivirus engine is present on the system prior to showing the advertiser’s offer? Sneaky, right? This pre-check is based on a blacklist of registry keys, file paths, and registry strings specified by the particular advertiser. The researchers made a list of 58 common anti-virus tokens that appear in a random sample of pre-check requirements, together with the names of the AV companies participating in VirusTotal.

    Then, they scanned all offer installation requirements for those tokens. What they concluded based on their dataset is that 20% take advantage of PPI downloader capabilities that prevent installs from happening on systems equipped with an AV solution. When an AV check is present, advertisers target an average of 3.6 AV families. What the researchers believe is that PPI networks support unwanted software developers as first-class business partners.

    What Can Be Done to Neutralize the Damage of PPI Campaigns?

    In a nutshell, the study reveals that PPI affiliate networks support and spread unwanted software such as:

    • Ad injectors
    • Browser settings hijackers
    • System utilities

    One method users often rely on to clean up their browsers is the Chrome Cleanup Tool. Prior to needing to use such a tool, you may want to consider a service like Google Safe Browsing. The service lets client applications check URLs against Google’s frequently updated lists of unsafe web resources. (Additional safety tips are available below the article).

    The unwanted installations are definitely more than imaginable – in total, the PPI ecosystem contributed to over 60 million weekly download attempts. The success is partially due to the fact that commercial PPI networks evolve in accordance with the AV market.

    Even though many AV solutions and browsers have started integrating signatures of unwanted software, the networks continuously attempt to evade these protections. However, the sole fact that an advertiser would cease an install when an AV is present on a system speaks volumes. Never underestimate the power of your antivirus program! And keep your ad-blocker on!

    Additional Security Tips against Unwanted Software and Malware

    • Use additional firewall protection. Downloading a second firewall is an excellent solution for any potential intrusions.
    • Your programs should have less administrative power over what they read and write on your computer. Make them prompt you admin access before starting.
    • Use stronger passwords. Stronger passwords (preferably ones that are not words) are harder to crack by several methods, including brute forcing since it includes pass lists with relevant words.
    • Turn off AutoPlay. This protects your computer from malicious executable files on USB sticks or other external memory carriers that are immediately inserted into it.
    • Disable File Sharing – recommended if you need file sharing between your computer to password protect it to restrict the threat only to yourself if infected.
    • Switch off any remote services – this can be devastating for business networks since it can cause a lot of damage on a massive scale.
    • Consider disabling or removing Adobe Flash Player (depending on the browser).
    • Configure your mail server to block out and delete suspicious file attachment containing emails.
    • Never miss an update for your OS and software.
    • Turn off Infrared ports or Bluetooth.
    • If you have a compromised computer in your network, make sure to isolate immediately it by powering it off and disconnecting it by hand from the network.
    • Employ a powerful anti-malware solution to protect yourself from any future threats automatically.

    Milena Dimitrova

    An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

    More Posts

    Follow Me:

    Leave a Comment

    Your email address will not be published. Required fields are marked *

    This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
    I Agree