How Annoying Adware Makes Companies Money

You might not know it, but you are consenting to a download you probably didn’t want

Illustration: R. A. Di Ieso
Aug 05, 2016 at 3:47 PM ET

It’s happened to everyone: you go to download some kind of new software, and before you do, a long list of terms and conditions in tiny font pops up. You don’t read a word and hit ‘agree.’ What you might not realize is that along with the program you think you’re getting, you’re downloading a bit of unwanted adware, too.

So what does that unwelcome guest do? Researchers from New York University and Google teamed up to figure out just how adware operates on a user’s computer. They will present a paper about their work next week at the USENIX Security Symposium in Austin, Texas.

The term adware (the combination of “advertisement” and “malware”) usually refers to advertisements that are either aggressively displayed on a screen or surreptitiously downloaded to a user’s computer. Once they’re on a computer, the adware can do things like collect a user’s information to then push more targeted ads, or bombard her with pop-ups for legitimate products. Some people don’t mind it, but others feel that the software violates the sanctity of their private data on their own computers.

But adware a little different from other types of computer viruses like spyware because adware collects a user’s data only after the user has given his or her consent. “If you’ve ever downloaded a screen saver or other similar feature for your laptop, you’ve seen a ‘terms and conditions’ page pop up where you consent to the installation,” Damon McCoy, a professor of computer science and engineering at NYU Tandon School of Engineering and one of the study authors explained in a press release. “Buried in the text that nobody reads is information about the bundle of unwanted software programs in the package you’re about to download.” That consent is what allows the businesses making the adware to operate legally, he added.

Adware shockingly common, which makes it extremely lucrative—the researchers cite reports that estimate that adware companies raked in $460 million in 2014 alone, nearly triple the income of companies that generate malware. And though for years Google has been tracking some of the sites where adware commonly lurks, they don’t know much about the companies propagating the ads.

To better understand the business model for adware companies, the researchers looked at a particular kind of adware that is bundled with real software, so users download what they wanted plus the extra adware surprise. The researchers targeted four specific adware providers by repeatedly downloading their adware then taking apart the code that came with it.

The researchers found that when the software was being installed, it would take a quick read of what’s on the computer. That would not only help it zero in on ads personalized for the user, but also to dodge any security measures that might be in place. From the perspective of the adware companies, doing this “fingerprinting” makes a lot of sense, since they get paid every time their software is downloaded. And they’re adapting their software very quickly to new security measures, evolving to skirt Google’s Safe Browsing detection, for example.

By exposing this “thin veil of consent” upon which these businesses rely in order to operate legally, the researchers hope that users can better prevent downloading unwanted adware.