Google Researchers Find PPI Affects 3X More Users Than Malware

An academic research project between Google and NYU documented the world of commercial pay-per-install and found a security issue larger than malware.

pay per install

Pay-per-install (PPI) software may be the new bane of the security world.

Seventeen Google engineers, along with Damon McCoy, an assistant professor at the New York University Tandon School of Engineering and member of the International Computer Science Institute, studied the issue and have published an 18-page paper that they'll present at the USENIX Security Symposium Aug. 11.

The PPI problem works like this: You want a piece a software and download it from Company X; but unknown to you, a number of other actors have paid Company X to let them hop in the trunk and sneak a ride inside on their download.

The paper's authors tracked four of the largest commercial PPI networks, classified the software families they bundled together, looked at the distribution techniques they use and measured the impact on end users.

"While anti-virus and browsers have rolled out defenses to protect users from unwanted software, we find evidence that PPI networks actively interfere with or evade detection," they wrote in their abstract, estimating that PPI networks drive more than 60 million download attempts each week.

Put another way, PPI hurts three times as many users as malware does.

The unwanted software includes, they wrote, "ad injectors that laden a victim's browser with advertisements, browser settings hijackers that sell search traffic, and user trackers that silently monitor a victim's browsing behavior."

Earlier studies estimate that these extensions affect more than 50 million users.

Rather than blackmarket PPI, the report authors believe commercial PPI companies may be to blame, incentivized by the additional revenue. One of the largest PPI outfits, said the paper, reported $460 million in revenue in 2014.

The World of PPI

In this world, there are so-called advertisers, which own software that they pay third parties to distribute, and publishers, which create or distribute the software applications. When an install is successful, the publisher receives a fraction of the bid the advertiser paid to be included.

There are also PPI affiliate networks, which are the bridges between the advertisers and the publishers, handling payments but also determining—once inside a system—what exactly to install.

"This entails fingerprinting an end user's system to determine any risk associated with anti-virus as well as to support geo-targeted installations," the report explains. "Similarly, the PPI network dictates the level of user consent when it installs an advertiser's binary, where consent forms a spectrum between silent installs to opt-out dialogues. In some cases, Advertisers can customize the installation dialogue and thus play a role in user consent."

There are also resellers: PPI affiliate networks that aggregate publishers' install traffic and resell it to larger affiliate networks. These help to simplify a process where the victim isn't "primed to download a bundle," the paper explains, by providing things like banner ads and "butter bars"—for example, a "Your Flash player is out of date" button.

While the researchers' investigation was extensive, they did face limitations. For example, because they work exclusively with U.S. IP addresses, it biased their perspective on non-U.S. traffic and offers. Also, because they weren't participating directly, they weren't privy to exact per-install pricing details, though they found the range to run from $0.02 to $1.50, with U.S. installs fetching the highest rates.

Between June 1, 2014, and Jan. 7, 2016, Safe Browsing warnings occurred an average of 35 million times a week and displayed 28 million interstitial web pages (ads that are displayed before the desired content page).

The five countries receiving the most Safe Browsing warnings were India (8.2 percent), Brazil (7.2), Vietnam (6.4) the United States (6.2) and Turkey (5.1).

The largest offender by far, as detected by the Chrome Cleanup Tool on Windows, was the browser settings hijacker Conduit, which accounted for 20.9 percent of unwanted software installs. It was followed by Elex (13.4 percent) and ad injector Multiplug (5.1 percent).

"As anti-virus and browsers move to integrate signatures of unwanted software into their malware removal tools and warning systems, we showed evidence that commercial PPI networks actively attempted to evade user protections in order to sustain their business model," the authors wrote in conclusion. "These practices demonstrate that 14 PPI affiliate networks operated with impunity towards the interests of users, relying on a user consent dialogue to justify their actions—though their behaviors may have changed since the conclusion of our study. We hope that by documenting these behaviors the security community will recognize unwanted software as a major threat."

In an Aug. 4 post on the Google Security Blog, Research Scientist Kurt Thomas and Software Engineer Juan A. Elices Crespo noted that on June 14, Google hosted a Clean Software Summit that brought together members of the antivirus industry, bundling platforms and the Clean Software Alliance, a group consisting of members of the antivirus industry, software platforms and parties that profit from PPI.

Together, they "laid the groundwork for an industry-wide initiative" to provide users with clear, safe choices when installing software.

They added, "We continue to advocate on behalf of users to ensure they remain safe while downloading software online."

The USENIX conference will begin Aug. 10 in Austin, Texas.