Google Investigation: Ad Injection Is Infesting Millions of Devices


Ad Injection Robs Publishers of Revenue, Can Place Ads on Websites That Don't Have Any
Google released a disturbing report Thursday detailing the deceptive practices of so-called commercial pay-per-install companies, which it says are responsible for shoehorning unwanted ads into a user's browser.
Much of the report focuses on ad injection, which is often delivered through software installation or browser extensions. Ad injection is unsanctioned media that can damage both the advertiser's and publisher's reputation. The practice is capable of delivering ads on any website even if it does not run ads, and can rob publishers of revenue by removing their ads and replacing them with bottom of the barrel creatives.
The practice of distributing ad injectors is relentless, too, as Google says pay-per-install (PPI) networks drove more than three billion download attempts during the search giant's year-long investigation. The 18-page report says that despite its efforts to warn users, shady PPI networks successfully installed "tens of millions" of downloads during its investigation.
"Estimates of the incident rate of unwanted software installs on desktop systems are just emerging," the report says. "Prior studies suggest that ad injection affects as many as 5% of browsers and that detection in the Chrome Web Store affects over 50 million users."
"Prominent strains include ad injectors that laden a victim's browser with advertisements, browser setting hijackers that sell search traffic, and user trackers that silently monitor a victim's browsing behavior," according to the report.
Still, not all PPI companies are bad, and some do drive legitimate downloads of software consumers want.
For Google's investigation, however, the company zeroed in on four PPI companies it considered to be the worst: Amonetize, InstallMonetizer, OpenCandy and Outbrowse. PPI networks manage all business relationships with software owners who pay them to distribute unwanted software, among other things.
nstallMonetizer has since closed its doors. Amonetize, which is based in the Isle of Man, did not respond for comment. Its website says its "technology also supports browser changes, including changing the user's homepage, search provider and adding extensions or plugins. Campaigns can also include customized popups and dialog boxes."
Both OpenCandy and Outbrowse could not be reached for comment.
"The major takeaway from our perspective is that sometimes there is a misaligned incentive in the PPI model, where [distributors] are solely focused on trying to drive installs because they get upwards of a $1.50 for a successful install," said Kurt Thomas, a research scientist at Google. "And [software owners] are basically incentivised to recuperate that cost through whatever means possible. The consequence is nobody is looking out for the user in the middle of this because no one has to deal with the fallout of the user's system being bloated with unwanted software."
These software developers pay PPI networks for bundling their software into popular utilities that "cleanup" a user's computer or video players such as VLC, for example. The cost per install ranges anywhere from $.10 in South America to $1.50 in the U.S., the report said. These developers will then recuperate the initial sunk cost of installs by monetizing users via display ads and shopping helpers until a victim finally uninstalls the injector, should they succeed, the report said.
The report found major brands including Opera, Skype and Yahoo being associated with the worst four PPI networks. Opera, for example, is said to do business with all of the PPI networks investigated in the report, while Skype is said to have worked with OpenCandy and Outbrowse. Yahoo, meanwhile, was named for working with Outbrowse to drive installs of its search toolbar, the report said.
Both Skype and Yahoo did not respond to request for comment.
The study was done in partnership with New York University and the International Computer Science Institute.