TY - GEN
T1 - Investigating commercial pay-per-install and the distribution of unwanted software
AU - Thomas, Kurt
AU - Elices Crespo, Juan A.
AU - Rasti, Ryan
AU - Picod, Jean Michel
AU - Phillips, Cait
AU - Decoste, Marc André
AU - Sharp, Chris
AU - Tirelo, Fabio
AU - Tofigh, Ali
AU - Courteau, Marc Antoine
AU - Ballard, Lucas
AU - Shield, Robert
AU - Jagpal, Nav
AU - Rajab, Moheeb Abu
AU - Mavrommatis, Panayiotis
AU - Provos, Niels
AU - Bursztein, Elie
AU - McCoy, Damon
PY - 2016/1/1
Y1 - 2016/1/1
AB - In this work, we explore the ecosystem of commercial pay-per-install (PPI) and the role it plays in the proliferation of unwanted software. Commercial PPI enables companies to bundle their applications with more popular software in return for a fee, effectively commoditizing access to user devices. We develop an analysis pipeline to track the business relationships underpinning four of the largest commercial PPI networks and classify the software families bundled. In turn, we measure their impact on end users and enumerate the distribution techniques involved. We find that unwanted ad injectors, browser settings hijackers, and “cleanup” utilities dominate the software families buying installs. Developers of these families pay $0.10–$1.50 per install—upfront costs that they recuperate by monetizing users without their consent or by charging exorbitant subscription fees. Based on Google Safe Browsing telemetry, we estimate that PPI networks drive over 60 million download attempts every week—nearly three times that of malware. While anti-virus and browsers have rolled out defenses to protect users from unwanted software, we find evidence that PPI networks actively interfere with or evade detection. Our results illustrate the deceptive practices of some commercial PPI operators that persist today.
UR - http://www.scopus.com/inward/record.url?scp=85076460715&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85076460715&partnerID=8YFLogxK
M3 - Conference contribution
T3 - Proceedings of the 25th USENIX Security Symposium
SP - 721
EP - 738
BT - Proceedings of the 25th USENIX Security Symposium
PB - USENIX Association
T2 - 25th USENIX Security Symposium
Y2 - 10 August 2016 through 12 August 2016
ER -