• by Laurie Sullivan  @lauriesullivan, August 8, 2016

Google researchers worked with experts at New York University (NYU) to analyze deceptive installation practices of unwanted ad injectors that insert ads into Web pages, and browser setting hijackers that change search settings without the content of the user.

The one-year study by Google and NYU Tandon School of Engineering of affiliate networks running pay-per-install programs (PPI) found that nearly 60% of offers bundled with these programs are flagged as unwanted, and that in aggregate drove 60 million weekly download attempts with tens of millions of installs detected in the last year. These sites can run ad injectors.

The study shows that about 50 PPI affiliate networks support and distribute unwanted software that includes ad injectors, browser-setting hijackers, and system utilities. The study estimates that about 2,518 publishers are in the ecosystem, and some may participate unwillingly or unknowingly in multiple PPI networks distributing through 191,372 Web pages.

The browser-setting hijackers modify a victim’s default browser behavior, typically to change the default tab or search engine to a property controlled by the hijacker. They sell the traffic to search engines and potentially track user behavior. The study points to Conduit Search, which came pre-installed on Lenovo machines in 2014, but also says that some hijackers profit by doubling as ad injectors.

The ad injectors modify a user’s browser to replace or insert additional advertisements that otherwise would not appear on a Web site. Every PPI network monitored participates in the distribution of ad injectors. The study identifies Wajam, Canada; Eorezo, France; and Crossrider, Israel. These ad injectors recoup costs by using display ads until searchers finally click on the link.

The findings suggest that users searching for freeware, video games, torrents, cracks, and anti-virus software are highly likely to encounter PPI downloaders. About 58% of the sites cater to English-speaking audiences, followed by 10% from Russian-speaking audiences. The top five include: Freeware and Shareware at 11.8% share, followed by video games at 10.6%; file sharing and hosting at 7.3%; online video at 7%; and operating systems with 4.3%. The remainder of the list can be found here.