NYU, Google researchers hack business model of adware, scareware, other unwanted software

August 04, 2016

BROOKLYN, New York - A team of researchers from Google and the New York University Tandon School of Engineering next week will offer the first public view into shady practices that deliver unwanted advertising and software bundled with legitimate downloads - a problem that occurs far more often than malware attempts. Their research suggests that some of the affiliates that distribute such software may be complicit in the scheme, which provides layers of deniability that they are installing unwanted software.

Few computer users have been spared the nuisance of unwanted software: Following what appears to be a legitimate software update or download, a barrage of advertisements overruns the screen, or a flashing pop-up warns of the presence of malware, demanding the purchase of what is often fraudulent antivirus software. On other occasions, the system's default browser is hijacked, redirecting to ad-laden pages.

Despite the prevalence of such unwanted software -- Google tracks more than 60 million attempted installs per week, three times the number of malware attempts -- the source of these installs and the business model underlying the practice were not well understood. The researchers from Google and New York University Tandon School of Engineering conducted the first analysis of the link between commercial pay-per-install (PPI) practices and the distribution of unwanted software.  

Kurt Thomas, a research scientist at Google, and Damon McCoy, an assistant professor of computer science and engineering at NYU Tandon, led a team of researchers from Safe Browsing and Chrome Security to investigate commercial PPI schemes as a main vehicle for moving unwanted software from developers to unwitting installers. Their paper, Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software, will be presented at the USENIX Security Symposium, a top computer security conference, in Austin, Texas, next week.

Commercial PPI is a monetization scheme wherein third-party applications -- often consisting of unwanted software such as adware, scareware, and browser hijacking programs -- are bundled with legitimate applications in exchange for payment to the legitimate software company. When users install the package, they get the desired piece of software as well as a stream of unwanted programs riding stowaway. Thomas, McCoy, and their colleagues cite reports indicating that commercial PPI is a highly lucrative global business, with one outfit reporting $460 million in revenue in 2014 alone. It should be noted that this revenue reflects a mix of both legitimate as well as unwanted software downloads.

"If you've ever downloaded a screen saver or other similar feature for your laptop, you've seen a 'terms and conditions' page pop up where you consent to the installation," McCoy explained. "Buried in the text that nobody reads is information about the bundle of unwanted software programs in the package you're about to download." The presence of a consent form allows businesses to operate legally, but McCoy classifies the extra applications as "treading a fine line between malware and unwanted software."

The report explains that PPI businesses operate through a network of affiliates -- brokers who forge the deals that bundle advertisements (often unwanted software) with popular software applications, then place download offers on well-trafficked sites where they're likely to be clicked on. Parties are paid separately -- meaning some legitimate developers do not know their products are being bundled with unwanted software -- and they are paid as much as two dollars per install.

To better understand the install process, the researchers gained access to four PPI affiliates by routinely downloading the software packages and analyzing the components. Among their more important discoveries was the degree to which such downloaders are personalized to maximize the chances that their payload will be delivered.

When an installer runs, the user's computer is "fingerprinted" to determine which adware is available to run on that particular machine. Additionally, the downloader searches for antivirus protection, factoring in the presence or absence of such protections in its approach. "They do their best to bypass antivirus, so the program will intentionally inject those elements -- whether it's adware or scareware -- that are likeliest to evade whichever antivirus program is running," McCoy said.

Google has long tracked web pages known to harbor unwanted software offers and continuously updates the Safe Browsing protection in its Chrome browser to warn users when they visit such pages. Yet research shows that PPI affiliates are also adjusting their tactics in an attempt to dodge Safe Browsing detection.

The researchers emphasize that these actions imply that PPI affiliates are directly catering to the unwanted software market, avoiding user protections while intentionally delivering unwanted software under a "thin veil of consent," as McCoy deems it. "We're hoping to expose these business practices so people are less likely to get duped into flooding their computers with programs they never wanted," he said.

The NYU Tandon School of Engineering dates to 1854, when the NYU School of Civil Engineering and Architecture as well as the Brooklyn Collegiate and Polytechnic Institute (widely known as Brooklyn Poly) were founded. Their successor institutions merged in January 2014 to create a comprehensive school of education and research in engineering and applied sciences, rooted in a tradition of invention, innovation and entrepreneurship. In addition to programs at its main campus in downtown Brooklyn, it is closely connected to engineering programs in NYU Abu Dhabi and NYU Shanghai, and it operates business incubators in downtown Manhattan and Brooklyn.
-end-


NYU Tandon School of Engineering