Investigating commercial pay-per-install and the distribution of unwanted software

Kurt Thomas, Juan A. Elices Crespo, Ryan Rasti, Jean Michel Picod, Cait Phillips, Marc André Decoste, Chris Sharp, Fabio Tirelo, Ali Tofigh, Marc Antoine Courteau, Lucas Ballard, Robert Shield, Nav Jagpal, Moheeb Abu Rajab, Panayiotis Mavrommatis, Niels Provos, Elie Bursztein, Damon McCoy

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    In this work, we explore the ecosystem of commercial pay-per-install (PPI) and the role it plays in the proliferation of unwanted software. Commercial PPI enables companies to bundle their applications with more popular software in return for a fee, effectively commoditizing access to user devices. We develop an analysis pipeline to track the business relationships underpinning four of the largest commercial PPI networks and classify the software families bundled. In turn, we measure their impact on end users and enumerate the distribution techniques involved. We find that unwanted ad injectors, browser settings hijackers, and “cleanup” utilities dominate the software families buying installs. Developers of these families pay $0.10–$1.50 per install—upfront costs that they recuperate by monetizing users without their consent or by charging exorbitant subscription fees. Based on Google Safe Browsing telemetry, we estimate that PPI networks drive over 60 million download attempts every week—nearly three times that of malware. While anti-virus and browsers have rolled out defenses to protect users from unwanted software, we find evidence that PPI networks actively interfere with or evade detection. Our results illustrate the deceptive practices of some commercial PPI operators that persist today.

    Original language: English (US)
    Title of host publication: Proceedings of the 25th USENIX Security Symposium
    Publisher: USENIX Association
    Pages: 721-738
    Number of pages: 18
    ISBN (Electronic): 9781931971324
    State: Published - Jan 1 2016
    Event: 25th USENIX Security Symposium - Austin, United States
    Duration: Aug 10 2016 to Aug 12 2016

    Publication series

    Name: Proceedings of the 25th USENIX Security Symposium

    Conference

    Conference: 25th USENIX Security Symposium
    Country: United States
    City: Austin
    Period: 8/10/16 to 8/12/16

    Fingerprint

    Computer viruses
    Telemetering
    Ecosystems
    Industry
    Pipelines
    Costs
    Malware

    ASJC Scopus subject areas

    • Information Systems
    • Safety, Risk, Reliability and Quality
    • Computer Networks and Communications

    Cite this

    Thomas, K., Elices Crespo, J. A., Rasti, R., Picod, J. M., Phillips, C., Decoste, M. A., ... McCoy, D. (2016). Investigating commercial pay-per-install and the distribution of unwanted software. In Proceedings of the 25th USENIX Security Symposium (pp. 721-738). (Proceedings of the 25th USENIX Security Symposium). USENIX Association.
