Investigating commercial pay-per-install and the distribution of unwanted software

Slides for the USENIX Security 2016 talk on commercial pay-per-install (PPI).

In this work, we explore the ecosystem of commercial pay-per-install (PPI) and the role it plays in the proliferation of unwanted software. Commercial PPI enables companies to bundle their applications with more popular software in return for a fee, effectively commoditizing access to user devices. We develop an analysis pipeline to track the business relationships underpinning four of the largest commercial PPI networks and classify the software families bundled. In turn, we measure their impact on end users and enumerate the distribution techniques involved. We find that unwanted ad injectors, browser settings hijackers, and “cleanup” utilities dominate the software families buying installs. Developers of these families pay $0.10–$1.50 per install—upfront costs that they recuperate by monetizing users without their consent or by charging exorbitant subscription fees. Based on Google Safe Browsing telemetry, we estimate that PPI networks drive over 60 million download attempts every week—nearly three times that of malware. While anti-virus and browsers have rolled out defenses to protect users from unwanted software, we find evidence that PPI networks actively interfere with or evade detection. Our results illustrate the deceptive practices of some commercial PPI operators that persist today.


  1. INVESTIGATING COMMERCIAL PAY-PER-INSTALL. Kurt Thomas, Juan A. Elices Crespo, Ryan Rasti, Jean-Michel Picod, Cait Phillips, Marc-André Decoste, Chris Sharp, Fabio Tirelo, Ali Tofigh, Marc-Antoine Courteau, Lucas Ballard, Robert Shield, Nav Jagpal, Moheeb Abu Rajab, Panos Mavrommatis, Niels Provos, Elie Bursztein, Damon McCoy
  2. Security, Privacy, and Abuse Research. Unwanted software: millions of users show symptoms of unwanted software. How was it installed?
  3. Commercial pay-per-install: the practice of bundling several additional applications with a software install.
  4. Deceptive promotions: users are deceived into unintentionally installing unrelated software.
  5. Our work: a year-long investigation into businesses profiting from bundling, covering their relationships with unwanted software, their deceptive promotional tools, the negative impact on users, and getting the community on board to tackle unwanted software.
  6. Part 1: BEHIND THE SCENES
  7. Pay-per-install affiliate model. Advertisers: software developers willing to buy installs.
  8. Pay-per-install affiliate model. PPI affiliate network: the middle-man that creates the download manager; advertisers pay the network ($$$).
  9. Pay-per-install affiliate model. Publishers: popular software developers or websites that distribute bundles for a fee; the network pays publishers ($$) out of what advertisers pay it ($$$).
  10. PPI bundle generator
  11. Pay-per-install affiliate model. Decentralized distribution can lend itself to abuse.
  12. Part 2: MONITORING PPI NETWORKS
  13. Over 50 PPI programs in operation; the four monitored here are Outbrowse, Open Candy, Amonetize and Install Monetizer.
  14. Crawl pricing data
  15. Upon launching a PPI bundle: fingerprint the system and request offers from the C&C domain; report successful installs; optional splash screen post-install.
  16. Device fingerprinting. Collect system details for targeting and fraud detection: Browser, OS, Is Admin?, MAC Addr, Machine ID, IP. Example request (a single query string; line breaks from the slide removed):
      Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.5.50709&OSversion=NT6.1SP1&Slv=5.1.30514.0&Sysid=CEAEEBCAA03CB3EC62DC488C72EBF446&X64=N&admin=Y&browser=ChromeHTML&cavp=&chver=47.0.2526.80&cmdl=OYUN0152part1rar__11652_i1815985212_il1207335.exe&dprod=CC83E1275C52718800E7B151A55F92&dprod4=8DCC9AFDA6C9A3D6202D6D292AA245&exe=OYUN0152part1rar__11652_i1815985212_il1207335&ffver=&lang_DfltUser=0409&mac=MDAyMzQ1Njc4OTAyMDAwMAA%3D&machg=YzExMTBlZGQtZmQxZS00ZTIwLTg0NzctMmJjMjg2YmQ1ODNiAA%3D%3D&name=Sk9ITi1QQwA%3D&netfs=0&ts=1452339517&ver=1.1.5.26
  17. Building milkers: build milkers that simulate requests from Chrome and IE on a Windows 7 system.
  18. Building milkers: build milkers that simulate requests from Chrome and IE on a Windows 7 system. Each offer returned carries an executable URL and do-not-install criteria.
  19. Analysis pipeline
  20. Dataset
      PPI Network         Milking Period                 Offers     Unique
      Outbrowse           Jan 8, 2015 -- Jan 7, 2016     107,595    584
      Amonetize           Jan 8, 2015 -- Jan 7, 2016     231,327    356
      InstallMonetizer    Jan 11, 2015 -- Jan 7, 2016    30,349     137
      OpenCandy           Jan 9, 2015 -- Jan 7, 2016     77,581     134
      Total               Jan 8, 2015 -- Jan 7, 2016     446,852    1,211
  21. Part 3: ANALYSIS
  22. Distinct advertisers per week: 160 software families each week.
  23. Most frequent advertisers
      Category                     Brand            PPI Networks    Days Active
      Ad Injectors                 Wajam            4               365
      Ad Injectors                 Vopackage        3               365
      Ad Injectors                 Youtube Dwnldr   3               365
      Ad Injectors                 Eorezo           2               365
      Browser Settings Hijackers   Browsefox        4               363
      Browser Settings Hijackers   Conduit          3               327
      Browser Settings Hijackers   CouponMarvel     1               300
      Browser Settings Hijackers   Smartbar         3               294
      Cleanup Utilities            Speedchecker     2               365
      Cleanup Utilities            Uniblue          4               327
      Cleanup Utilities            OptimizerPro     4               302
      Cleanup Utilities            Systweak         3               249
  24. Other advertisers
      Category             Brand           PPI Networks    Days Active
      Anti-virus           AVG Toolbar     2               333
      Anti-virus           LavaSoft        1               305
      Anti-virus           Comodo          4               153
      Anti-virus           Qihoo 360       2               144
      Brandname Software   Opera           4               340
      Brandname Software   Skype           2               176
      Brandname Software   Yahoo Toolbar   1               27
      Brandname Software   AOL Toolbar     1               25
  25. VirusTotal labels: 59% of weekly offers are flagged by at least 1 AV.
  26. Anti-virus detection. 20% of advertisers use some AV/VM detection; advertiser-specified installation criteria avoid hostile AV, for example (registry path separators restored):
      (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\Avast')!=0)
      (g_ami.CheckRegKey(g_hkcu, 'SOFTWARE\Avast')!=0)
      (g_ami.CheckRegKey(g_hklmg_hk64, 'Software\AVAST Software')!=0)
      (g_ami.CheckRegKey(g_hkcu, 'Software\AVAST Software')!=0)
      (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\Avira')!=0)
      (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\Classes\avast')!=0)
      (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\ESET')!=0)
      (g_ami.CheckRegKey(g_hklmg_hk64, 'AppEvents\Schemes\Apps\Avast')!=0)
      (g_ami.CheckRegKey(g_hklmg_hk64, 'SYSTEM\CurrentControlSet\Services\avast! Antivirus')!=0)
      (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avast')!=0)
      (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\{C1856559-BA5C-41B7-961C-677E89A2C490}')!=0)
      (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\{0D40F91C-41DE-4E06-8B14-ABCCF7A51495}')!=0)
      (g_ami.CheckRegKey(g_hklmg_hk64, 'SOFTWARE\{8B261394-6C7D-4CFC-A767-E02F34A60D8B}')!=0)
      HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN
      HKEY_LOCAL_MACHINE\SOFTWARE\VMware,*Inc.
      HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox
  27. Price per install: prices range from $0.10 to $1.50.
  28. Part 4: USER IMPACT
  29. Unwanted software warnings
  30. Weekly user warnings: 60M warnings every week.
  31. Compared to other threats: 3x more warnings than malware.
  32. Existing installs: tens of millions of detected unwanted installs.
  33. Existing installs. Of the tens of millions of installs, the top 10 programs detected on user machines:
      Family          Fraction of installs    PPI advertiser?
      Conduit         20.9%                   Y
      Elex            13.4%                   Y
      Multiplug       5.1%                    Y
      Crossrider      4.6%                    Y
      Browsefox       3.8%                    Y
      My PC Backup    2.8%                    Y
      Systweak        2.8%                    Y
      Mobogenie       2.4%                    Y
      Smartbar        2.2%                    Y
      Wajam           1.8%                    Y
  34. Part 5: DECEPTIVE DISTRIBUTION
  35. Promotional tools
  36. Domain cycling: distribution sites cycle every 1-7 hours.
  37. Safe Browsing evasion
  38. Takeaways. Unwanted software is a massive commercial ecosystem: tens of millions of users affected; pay-per-install is the primary distribution vector; incentives are misaligned for advertisers and publishers.
  39. THANKS! kurtthomas@google.com
  40. Top regions impacted
      Country          Fraction of warnings
      India            8.2%
      Brazil           7.2%
      Vietnam          6.4%
      United States    6.2%
      Turkey           5.1%
      Thailand         3.3%
      Pakistan         3.2%
      Mexico           2.6%
      Indonesia        2.5%
      Philippines      2.5%
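An added example for slide 16 (device fingerprinting); it is not code from the talk, the paper or any PPI network. It parses the beacon query string shown on that slide so a defender triaging a bundle's network traffic can see what is reported to the C&C domain before offers are served. The only assumptions are the ones the slide's annotations suggest: mac, machg and name carry base64-encoded strings, admin and X64 are Y/N flags, and ts is a Unix timestamp; the field labels used below (MAC address, machine GUID, hostname, system id) are inferred, not documented by the network.

```python
import base64
import binascii
from datetime import datetime, timezone
from urllib.parse import parse_qsl

# The beacon query string from slide 16 (line breaks introduced by the slide removed).
SAMPLE_BEACON = (
    "Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.5.50709&OSversion=NT6.1SP1&Slv=5.1.30514.0"
    "&Sysid=CEAEEBCAA03CB3EC62DC488C72EBF446&X64=N&admin=Y&browser=ChromeHTML&cavp="
    "&chver=47.0.2526.80&cmdl=OYUN0152part1rar__11652_i1815985212_il1207335.exe"
    "&dprod=CC83E1275C52718800E7B151A55F92&dprod4=8DCC9AFDA6C9A3D6202D6D292AA245"
    "&exe=OYUN0152part1rar__11652_i1815985212_il1207335&ffver=&lang_DfltUser=0409"
    "&mac=MDAyMzQ1Njc4OTAyMDAwMAA%3D"
    "&machg=YzExMTBlZGQtZmQxZS00ZTIwLTg0NzctMmJjMjg2YmQ1ODNiAA%3D%3D"
    "&name=Sk9ITi1QQwA%3D&netfs=0&ts=1452339517&ver=1.1.5.26"
)

# Fields that carry base64-encoded, NUL-terminated strings in the observed beacon (assumption).
BASE64_FIELDS = {"mac", "machg", "name"}

# Fields that identify the device or user across sessions. The labels are inferred from the
# slide's annotations (MAC Addr, Machine ID) and from the decoded values; they are not documented.
IDENTIFIER_FIELDS = {
    "mac": "MAC address",
    "machg": "machine GUID",
    "name": "hostname",
    "Sysid": "system id",
}


def decode_field(key, value):
    """Return the plaintext of one field, base64-decoding the fields known to be encoded."""
    if key in BASE64_FIELDS and value:
        try:
            raw = base64.b64decode(value)
        except binascii.Error:
            return value  # not valid base64: keep the raw value for the analyst
        return raw.rstrip(b"\x00").decode("ascii", errors="replace")
    return value


def parse_beacon(query):
    """Parse a fingerprint beacon query string into a dict of decoded fields.

    keep_blank_values=True keeps fields like 'ffver=' so the analyst can see what was probed
    even when the bundle found nothing (here: no Firefox installed).
    """
    return {k: decode_field(k, v) for k, v in parse_qsl(query, keep_blank_values=True)}


def summarize(fields):
    """Condense the beacon into the facts worth recording in a triage note."""
    ts_raw = fields.get("ts", "")
    ts = int(ts_raw) if ts_raw.isdigit() else None
    return {
        "os": fields.get("OSversion"),
        "browser": fields.get("browser"),
        "chrome_version": fields.get("chver") or None,
        "is_admin": fields.get("admin") == "Y",
        "is_64bit": fields.get("X64") == "Y",
        "dropper": fields.get("cmdl"),  # the bundle executable that sent the beacon
        "beacon_date": datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat() if ts else None,
        "identifiers": {label: fields[key] for key, label in IDENTIFIER_FIELDS.items() if fields.get(key)},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_beacon(SAMPLE_BEACON)).items():
        print(f"{key:>15}: {value}")
```

Running it on the slide's beacon shows why the slide lists these fields as identifiers: name decodes to the hostname "JOHN-PC", machg to a GUID-shaped machine id, and admin=Y tells the network the bundle runs with administrative rights, while ts places the beacon on 2016-01-09, inside the milking period of slide 20.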
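An added example for slides 18 and 26 (do-not-install criteria and the "20% of advertisers use some AV/VM detection" measurement); it is not code from the talk or the paper. It parses criteria expressions of the CheckRegKey form shown on slide 26, labels each registry path by the product it names, and computes the fraction of advertisers whose criteria check for anti-virus or virtualization software. The advertiser names and the per-advertiser grouping are constructed, the registry path separators are restored, and the marker lists are an assumption (the slide's vendors plus a few well-known ones).

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of per-advertiser do-not-install criteria, modelled on the expressions
# shown on slide 26. Advertiser names are hypothetical; path separators are restored.
SAMPLE_CRITERIA: Dict[str, List[str]] = {
    "advertiser-A": [
        "(g_ami.CheckRegKey(g_hklm, 'SOFTWARE\\Avast')!=0)",
        "(g_ami.CheckRegKey(g_hkcu, 'Software\\AVAST Software')!=0)",
        "(g_ami.CheckRegKey(g_hklm, 'SOFTWARE\\ESET')!=0)",
    ],
    "advertiser-B": [
        "(g_ami.CheckRegKey(g_hklm, 'SOFTWARE\\VMware, Inc.')!=0)",
        "(g_ami.CheckRegKey(g_hklm, 'SOFTWARE\\Oracle\\VirtualBox')!=0)",
        "(g_ami.CheckRegKey(g_hklm, 'SOFTWARE\\OpenVPN')!=0)",
    ],
    "advertiser-C": [
        # A registry check that names neither AV nor VM software must not count as evasion.
        "(g_ami.CheckRegKey(g_hklm, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ExampleApp')!=0)",
    ],
    "advertiser-D": [],  # no installation criteria at all
}

# One CheckRegKey(hive, 'path') call; the path is single-quoted in the observed criteria.
CHECK_RE = re.compile(r"CheckRegKey\(\s*(?P<hive>\w+)\s*,\s*'(?P<path>[^']*)'\s*\)")

# Product markers (assumption). AV names are those on slide 26 plus common vendors; the VM list
# mirrors the slide's VMware and VirtualBox keys, with OpenVPN grouped alongside them as on the slide.
AV_MARKERS = ("avast", "avira", "eset", "avg", "kaspersky", "mcafee", "norton", "bitdefender")
VM_MARKERS = ("vmware", "virtualbox", "openvpn")


def extract_reg_keys(expr: str) -> List[Tuple[str, str]]:
    """Pull every (hive, path) pair out of one criteria expression."""
    return [(m.group("hive"), m.group("path")) for m in CHECK_RE.finditer(expr)]


def classify_path(path: str) -> str:
    """Label a registry path as 'av', 'vm' or 'other' by the product it names."""
    lowered = path.lower()
    if any(marker in lowered for marker in AV_MARKERS):
        return "av"
    if any(marker in lowered for marker in VM_MARKERS):
        return "vm"
    return "other"


def evasion_categories(criteria: Iterable[str]) -> Set[str]:
    """Set of detection categories ('av', 'vm') that an advertiser's criteria express."""
    categories: Set[str] = set()
    for expr in criteria:
        for _hive, path in extract_reg_keys(expr):
            category = classify_path(path)
            if category != "other":
                categories.add(category)
    return categories


def evasion_fraction(all_criteria: Dict[str, List[str]]) -> float:
    """Fraction of advertisers whose criteria check for any AV or VM product."""
    if not all_criteria:
        return 0.0
    evaders = sum(1 for criteria in all_criteria.values() if evasion_categories(criteria))
    return evaders / len(all_criteria)


if __name__ == "__main__":
    for advertiser, criteria in SAMPLE_CRITERIA.items():
        print(f"{advertiser}: {sorted(evasion_categories(criteria)) or '-'}")
    print(f"advertisers using AV/VM detection: {evasion_fraction(SAMPLE_CRITERIA):.0%}")
```

The classifier is deliberately per-path rather than per-expression: advertiser-C's check of an uninstall key is a legitimate "already installed?" test and must not inflate the evasion count, which is the distinction the slide's 20% figure depends on.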
