In a year-long study in conjunction with New York University, researchers at Google found that unwanted software unwittingly downloaded as part of a bundle to be a larger problem for users than malware. Google Safe Browsing currently generates three times as many Unwanted Software (UwS) warnings than malware warnings, over 60 million per week.

The study found that the pay-per-install (PPI) scheme, whereby a company succeeds in monetizing end user access by paying $0.10 to $1.50 every time their software in installed on a new device, to be the primary source of unwanted software proliferation. To get a payout from a commercial PPI organization, companies bundle regular software with unwanted software, which is then unwittingly downloaded by the user.

Types of unwanted software (UwS, pronounced ‘ooze’) fall into five categories: ad injectors, browser settings hijackers, system utilities, anti-virus, and major brands. While estimates of UwS installs are still emerging, studies suggest that ad injection affects 5% of browsers, and that deceptive extensions in the Chrome Web store affect over 50 million users. 59% of the bundles studied were flagged by at least one anti-virus engine as potentially unwanted.

Ad injectors, browser setting hijackers, and scareware presenting as  system clean-up utilities dominate the commercial PPI landscape. Google found that the bundles were promoted through fake software updates and spoofed brands, “Techniques openly discussed on underground forums as ways to trick users into unintentionally downloading software and accepting the installation terms.”

PPI advertisers also use deceptive promotional tools to attract users to download their bundles. These include misrepresenting known brands, fake software updates, or fake video codecs, all of which can manipulate a user into a download of unwanted software.

The study also showed that commercial PPI networks actively work to evade detection in order to support their business model. One of these methods is ‘fingerprinting’ a user’s machine prior to installation. Over 20% of the PPI advertisers studied use specialized PPI downloaders that detect an environment hostile to the UwS – one where antivirus or VM detection will notify the end user that potentially dangerous software is included in their bundle.