It is extraordinarily rare for a company of AppLovin’s size to be caught placing software on users’ devices without their consent. The closest parallel is the 2005 revelation of Sony installing DRM software onto users’ computers without notice, without a EULA, and even when users pressed Cancel. That misconduct triggered enforcement by multiple state attorneys general, private lawsuits, seven-figure settlements, recall of affected CDs, and lasting reputational damage for Sony.
A similar trajectory is plausible for AppLovin. If others come to share my view that AppLovin installed apps without user permission, the company will be a pariah in online advertising. Trust in AppLovin’s auctions, privacy practices, and overall integrity would collapse. Some advertisers currently pay AppLovin both to sell them ad placements and to measure the effectiveness of those ads—which would suddenly seem ill-advised. Allegations in investors’ spring 2025 critiques—previously dismissed as speculation—would become more credible. If critics were right about AppLovin’s install practices, allegations about misbehavior in ad targeting, bid handling, and auction integrity are plausible too.
Google may also react strongly. AppLovin’s tactics circumvent Android security and Play Store protections—similar to other abuses Google previously punished (e.g. its 2018 removal of Cheetah Mobile apps). Google could respond by disabling or removing apps that connect to AppHub, by disabling or removing apps that were installed by AppHub, or by alerting users. Imagine a pop-up: “Your carrier preloaded your device with an install helper that lets third parties install apps without your consent. Google has detected 7 such apps on your device. Would you like to disable the helper and remove those apps?” The impact on AppLovin would be severe. In fact user complaints specifically ask Google to take action: “I believe this is illegal and am going to report it to Google as well.” (Rachel H), “This is nefarious and should be deplatformed by Google” (Colleen Ember), “Google needs to know about this” (Johnson David), “This should be banned from the Google Play store!” (Philip Mecham). With AppLovin intruding onto users’ devices—not “just” draining advertisers’ budgets—there is a strong case for Google to act.
Reading a draft of this article, some people asked about the revenue and profit implications. Rough calculations say the numbers are material:
Android holds >70% global market share, but high-value users skew toward iPhone. Suppose Android accounts for ~40% of value-weighted usage.
Of Android devices, AppLovin’s manufacturer and carrier deals may cover ~40%, giving ~16% of devices where installs could occur without consent.
AppLovin claims an audience >1 billion devices. If AppLovin placed just two unwanted apps on each device each year, that would be ~300 million installs per year.
At $1 per install (a fraction of AppLovin’s estimated average), that’s $300 million of revenue annually. With no payment to carriers, manufactures, or source apps, this revenue drops straight to the bottom line, yielding about 20% of AppLovin’s 2024 net profit.
The true impact could be larger. Legal fees, settlements, and regulatory penalties will weigh on earnings. Distrust among advertisers and partners could impede future business. Device manufacturers and carriers may have been prepared to look the other way, but are unlikely to let AppLovin continue once these problems come to the fore. And if Google disables AppHub or warns users, AppLovin risks losing not just future revenue but also its installed base.
I gathered 208 distinct complaints centered around the same problem: while a user played one game, another game was installed without consent. Representative examples:
“Instead of giving people the option to download the games when tapping on advertisements, the games automatically download to the device when the ads are tapped.” (PanPizz, October 31, 2023, emphasis added)
“I was watching ads on the webtoons app and it seems that rather than prompting a download through the play store. The advertisements for wordscape and tower war are basically auto downloading themselves to my phone. (Merlin2v, January 23, 2024, emphasis added)
“whenever I get an advertisement on IbisPaint, that app automatically downloads onto my phone” (BlackberriedGoat, September 4, 2023, emphasis added)
“you click anywhere and it automatically installs, doesn’t go through Google Play” (Punkminkis, January 5, 2024, emphasis added)
“I accidentally click on an ad when trying to click the x or skip button and the next thing I know I’m getting a notification that says tap to launch game.” (Disastrous-Jury4328, January 16, 2024, emphasis added)
“Multiple times after watching an ad in Hero wars: Alliance I’ve found a new game installed on my phone when I DID NOT touch anything to download and install.” (GreggAlan, March 16, 2024, emphasis added)
“Accidentally touch the screen during ad play and the game being advertised will be automatically installed without your consent.” (Lukas Landing, December 19, 2023, emphasis added)
“Optional ads also install other games WITHOUT PERMISSION. I’ve had to uninstall spam games over and over.” (Graham Curnew, August 9, 2024, emphasis added)
“Three times now I’ve gotten that ad for Tower War and any 30 seconds after the ad is over I get a push notification that Tower War has finished installing and is ready to play.” (JetJaguardYouthClub, August 24, 2023, emphasis added)
Some complaints specifically attribute unwanted installations to AppLovin or AppHub:
“It somehow installed apps from AppHub. How do I access AppHub to remove unwanted apps?” (Pomonian, May 25, 2025)
“Partnered with AppLovin, which if you misclick on their ads it automatically installs the game for you unless you notice and manually stop it” (Doom Clasher, July 3, 2024)
“Try deleting the app “apphub” … I noticed a notification saying it automatically downloaded apps” (Fadelsart, December 23, 2023)
Others users attribute the installs to install helpers such as Content Manager, Device Manager, or AppSelector that device manufacturers and carriers allow AppLovin to use for installs. (Details from code analysis.) It is logical that users attribute the installations to install helpers. For one, Android notifications routinely announce that an app has been installed, and give the name of the responsible install helper. Two, if a user checks Android Settings > Apps, the section “App details” will reference the name of the install helper. Three, the app that triggers the install helper is present neither in the notification nor in Settings > Apps > … > App details, making it less likely that users will reference AppHub except on those devices where AppHub itself has installation permissions and does not use a separate install helper.
Credibility of user complaints
The user complaints are credible based on both consistency and level of detail. A few users might be mistaken—for example, by tapping “install” and later forgetting. But the volume and similarity of complaints, from hundreds of independent users, reveals a broader pattern.
More than merely discuss unwanted installations, many of the complaints give details consistent with my code analysis. For example, users overwhelmingly report that installations occur when they receive ads (see the top bulleted list above), which exactly matches what my code analysis indicates.
Some complaints address alternative explanations such as a user accidentally approving an installation. Complaints deny that with specific details that make their denials credible:
“Happened to me with royal match. I clicked the x. Yet it downloaded the game. Yes I would know if I clicked install or not.” (Sunfish1988, February 13, 2024, emphasis added)
“I sorted thru my apps shortly before downloading Wordscapes last month, so I know I had no unwanted games on my phone at that time. Since then I’ve deleted 4 new games that I did not consent to download or even realize were downloaded.” (Jadiegirl, January 24, 2024, emphasis added)
“I noticed that whenever the game had a trial and I touched the screen it would slash to the screen that looked like Google Play and the Install Button would have the word “Cancel” on it as though I’d initiated the download (which I didn’t).” (Thotiana777, April 25, 2024, emphasis added)
“the ads for other games are very predatory and self install without permission if you miss the ‘x’ to close them by a milimeter” (Thin Richard, April 23, 2025, emphasis added)
Complaint with screenshot attributing installations to AppHub
A few complaints are include screenshots showing the problem. For example, Reddit user Guilty_Astronaut5344 preserved a post-install notification attributing three unwanted installs to AppHub.
Complaints reporting countdown timer, and showing the countdown in video and screenshot
Other complaints are particularly credible because they match even more specific details from the AppLovin code. For example, three users reported countdowns leading to automatic install:
“Just today I’ve seen them implement a 5-second “countdown” to the program installing the game, but stopping the countdown STILL INSTALLS THE GAME WITHOUT YOUR CONSENT.” (PanPizz, October 31, 2023)
“I’ve come across some really shitty ad tactics that will auto install the app they’re pushing if you click anywhere on the screen before the timeout. Even if you just back out, if you don’t actually hit cancel install then you’ll get some stupid questionable games installed …” (dontthink19, January 7, 2024)
“Mobile game ads can now just install themselves without you tapping Install, wish is now replaced by ‘Install now’ if you want the game 5 seconds sooner. Hitting the X instead of Cancel still installs the game” (nascarsteve, December 10, 2023)
Not only does the general concept of a countdown-to-install match what I found in AppLovin code, the first and third comments also mention the duration of the countdown, from 5 seconds. This matches the “AutoInstallDelay” default countdown duration listed in AppLovin code. (The code sets a duration of 5e3, meaning 5×103=5000 milliseconds, matching the complaints.) Remarkably, user dontthink19 faced the countdown-to-install ads often enough, and predictably enough, that he was able to capture one such installation on video – showing an ad, then the countdown to install, then the app installed, then him uninstalling it, all in a single continuous video file. Key screenshots from dontthink19’s video:
0:03 Start of advertisement promoting Weapon Master0:19 Conclusion of advertisement promoting Weapon Master0:20 “X Install Screen” for Weapon Master, which opened automatically, and says it will “Install in 5s”0:31 Confirmation of Weapon Master installed. Small text at center reads “Weapon Master” “Tap now here to launch!”0:39 Weapon Master is indeed installed, albeit available for uninstall
The countdown videos and screenshots also match yet other details from AppLovin code. In the countdown-to-install screen, notice the unusual label “Install in 5s” (using the abbreviation “s” for seconds, with no space between the number and the letter s). This exactly matches the pattern in AppLovin code I found—further confirming that AppLovin is responsible for this installation.
Complaints about installation upon clicking x
Numerous users report that clicking an x, or trying to click an x, nonetheless causes an app to install. Combining source code and user complaints, two types of complaints are at risk of being combined:
Users who received what I call the X Install Screen (step 3 in the Weapon Master sequence above), and who tapped the X in that screen (which is an installation pathway in the IsOneClickInstallOnCloseEnabled JavaScript logic).
“Mobile game ads can now just install themselves without you tapping Install, wish is now replaced by ‘Install now’ if you want the game 5 seconds sooner. Hitting the X instead of Cancel still installs the game” (nascarstevebob – December 10, 2023, emphasis added)
“Even if you just back out, if you don’t actually hit cancel install then you’ll get some stupid questionable games installed …” (dontthink19, January 7, 2024, emphasis added)
“It definitely auto-installs. I’ve tested it because I was wondering where tf all these random shitty game apps were coming from in my phone. I don’t click anything, and if you don’t select “cancel” when it starts installing, the game will install. If you try to exit out, it does not count and will still install the game.” ([deleted] – January 22, 2024, emphasis added)
Many others, such as the following, could be either type 1 or type 2 above—but either way, indicate users’ dissatisfaction at installations occurring when users try to exit and decline.
“There are now ads that autoinstall other apps on your phone! They look like interactive/minigame ads, but touching ANYTHING – the close button, trying to pull up the phone navigation bar to exit WS – will trigger these apps to start installing.” (Star Donovan – February 2, 2024 on Google Play, emphasis added)
“the straw that broke the camel’s back was how exiting the ads forces you to download them. I’ve deleted 5 apps I did mot want to download.” (Casey Kristin Frye – December 23, 2023 on Google Play, emphasis added)
“They run adds on other games, you click to close out the automatic install, surprise you’ve downloaded the game for the 59th time!” (Luke Williams – September 17, 2024 on Google Play, emphasis added)
“Game installed itself by me trying to exit an add on another game” (Ian Kelley – June 23, 2024 on Google Play, emphasis added)
“It installed itself into my phone when I tried to exit an app that was showing an ad for this. This is super shady on their part and should be looked into” (Parker Abegg – December 14, 2023 on Google Play, emphasis added)
Scores of similar complaints
The following list presents 208 relevant complaints from Play Store, Reddit, and other online discussions. Some complaints are excerpted to the relevant section, but spelling and punctuation are unchanged.
I had this problem too and managed to Google some suggestions that seem to have prevented this from happening again. I don’t recall the instructions exactly but the short version is that my phone manufacturer (in my case, Motorola) had some pre-installed app(s) that allow auto installation from ads. I couldn’t uninstall the apps but I disabled all the suspicious ones/likely suspects based on my Google-fu, and that seems to have done the trick.
I was playing a game when an ad popped up and it showed one of those scam “free” money ads and it somehow installed itself without me pressing anything. I didnt accidentally click on the ad or anything, it just automatically installed when the ad started playing.
I’ve had that happen and I’m sure I didn’t install it by mistake. I checked the app that installed the adware and it was my Telco provider app that installed the ads, and they installed all at the same time, it’s annoying as shit.
I was having the similar problem with ads showing Klondike Farm Adventures. Without even touching the screen it would automatically download and it was downloading not through Google Play Store but through Samsung game store.
This game (or its ads) can illegally download and install games onto your device without your consent or knowledge. These games (all from different developers) suddenly appear on my phone on the very last screen. They’re nothing I’d ever play. I’ve never even heard of “Tiledom” or “2248 Numbers Merge,” by Funvent Studios or Play Simple Games. This is the 3rd time this game has done this. I don’t know how, but I’m sure it’s this game.
Recent update just pumped it onto my phone and without me allowing it, it’s going through and installing dozens of pos mobile games. It’s invisible to the user and cannot be disabled or uninstalled.
Ads pop up and install games without being prompted. Pop up ads are frustrating. They open without being clicked and navigate away from the game. Sometimes installing new games without being prompted…very frustrating
My phone just started installing random apps to my secure folder. It is called ‘AppHub’ but I can not see the any app called ‘AppHub’ both main stetting -> App and secure folder setting app. Do anyone facing the same problem? I m sure these app were malicious and asked the root permission :/
My phone just started installing random apps to my secure folder. It is called ‘AppHub’ but I can not see the any app called ‘AppHub’ both main setting -> App and secure folder setting app.
It installs other apps from the ads it shows you. AUTOMATICALLY WITHOUT MY PERMISSION!
Note: Game developer did not deny forced installations: “Hey! We’re not huge fans of ads either, but we can’t keep our game free without them. They help us develop new features, maintain the app, and release updates. We’d love it if you changed your mind. Come back soon!”
Wrong. It definitely auto-installs. The little “X” pops up, but when you click it – you just clicked on the ad (NOT an “install” button) and it installs. I’ve just now had to uninstall two crappy games from my phone, Merge Mansion and some other crap. This is infuriating and should not be legal as it is bypassing my security settings and installing things without my permission.
Your ads are auto installing apps in the background… You stopped it for a while now it started again. This needs to stop!!! update, ads are getting worse.. false X seem to be the standard..
BEWARE OF OTHER APPS BEING INSTALLED WITHOUT YOUR PERMISSION… written by people who use full screen ads to install various other apps [MOB CONTROL game app] ****** when you try to click the [x] button to close the pop up ad it vanishes (w/ split second timing) and is replaced by an OK button
i keep getting ads for this game with a fake x. When i click the x, it automatically installs this game without my permission. I’ve had to uninstal it 5 times now
Caution: this game’s ads will automatically download games without your permission. It did this to me with 4 apps that played as ads. I had to manually go in and uninstall.
somehow the games in the ads install themselves. When I try to click on “x” to close the add, it connects to a website or play store and even before I can close them, voila, those games are installed on your phone. Be very careful!!
Partnered with AppLovin, which if you misclick on their ads it automatically installs the game for you unless you notice and manually stop it, inflating their download count. I did not knowingly download this “game.” I did not click “install.” How is this even legal?
Careful with this game. If you even try to stop an ad between gameplay, it will automatically install other games on your phone without asking. I had about a dozen games in my phone without even realizing it. I uninstalled those as well as this game. Never again.
I get this a lot. If I don’t click anything, the app installs itself on my phone. If I click the ‘x’, the app auto installs on my phone. The only way I can make it stop is to press the cancel button.
this application have so much control on device that it automatically installs other games on device without permission. This is sheer violation of privacy and recommended not to be installed.
Help! Device Manager is auto-iinstalling apps from ads. Some games from google play have ads that auto download applications. I traced it back toT-Mobile’s Device Manager allowing malicious ads to auto install applications. That’s right, just watching the ad downloads an app. T-mobile has made it impossible to disable this app. I am fearful of this massive security hole. I am scared of malicious apps being downloaded. I have seen other complaints over the last few months. What can I do fix this major security hole? … All I know is that the malware ads come from something called applovin. … It is just too much of a security risk that that T-Mobile has created with their Device Manager allowing allowing 3rd parties to automatically download and install of potential malware.
Then I noticed that whenever the game had a trial and I touched the screen it would slash to the screen that looked like Google Play and the Install Button would have the word “Cancel” on it as though I’d initiated the download (which I didn’t). When I tried to hit cancel it would go back to the trial play thing and back and forth until I just X’ed out of it.
They utilize ads in other games to AUTOMATICALLY INSTALL this trash on your phone. Absolute slimiest tactic to get me to play your garbage game I’ve ever seen.
If you accidentally touch an ad, it automatically installs an app on your phone.
Note: Game developer did not deny forced installations: “Thank you for reporting this problem with our tower war tactical game. We will try to fix it as soon as possible so that you can continue to enjoy it.”
I can’t leave reviews of the apps that are auto download in fact when I look at app info they say the apps are downloaded by device manager and not google play.
I found an app called Content Manager on my Samsung S24 that I bought through T-Mobile. There was an option there that says “Allow Install of New Apps” and I turned it off, and the ad installs stopped. I think it’s seriously f-ed up that things like this are allowed.
I accidentally downloaded this just by clicking on an AD. JUST BY CLICKING ON IT. Not to be confused with accidentally pressing the download button on the AD. These advertisements are getting scummier and shadier by the day. What’s next? Are you going to turn wordscapes into a self reinstalling virus? We live in the lamest dystopia possible.
I watched an ad for Wordscapes for a different game I play and they INSTALLED this app WITHOUT my PERMISSION!! I didn’t click on anything and even if I accidentally did (I didn’t), Wordscapes doesn’t have the right to download their app onto my phone without my permission!!! I believe this is illegal and am going to report it to Google as well. **I deleted it when I saw it was downloaded onto my phone, but had to reinstall it to make this review**
Multiple times after watching an ad in Hero wars: Alliance I’ve found a new game installed on my phone when I DID NOT touch anything to download and install.
It’s been happening to me constantly and I’m so tired of it. Can’t figure out how to kill that function or at least make the damn thing wait for a prompt so I can say no. I’m on a Samsung Android with all of my security settings as recommended (apps only from Play or Samsung Store, ask permission before downloading or updating apps on any network, etc.). I’ve filed a few customer support requests with Snowprint, who have always been helpful and offer apologies but don’t seem to have solved the issue. Block Blast, Merge Mansion, Overmortal, Wordscapes… The list goes on.
It’s not coool, nor should it be legal for your ads to automatically install games on my phone.
Note: Game developer did not deny forced installations: “Thank you for reporting this problem with our tower war tactical game. We will try to fix it as soon as possible so that you can continue to enjoy it.”
I freaking hate this BS. I have searched every setting possible and can not figure out how to turn it off or prevent it. I have noticed that it only does it through Galaxy Store. Not Play. If anyone has figured out how to stop it, lmk.
An ad played for this game and without any input on my end, INSTALLED ITSELF ON MY PHONE. This is ridiculous how dare you install your product on my phone without my permission. The ad played. I did not touch it didn’t even touch my phone screen and still it’s on my phone. This is neither legal nor ethical and it is extremely concerning as to what this game is. If this happens again I will be seeking legal action against your company. Absolutely ridiculous.
I get this app as an ad, and when I try to close the ad and I fail, it doesn’t just take me to the play store to download it, it actually force installs on my phone without me giving permission to download app or install. I don’t like the fact this app is force installing on my phone from ads and not from the play store. I would give this game a try if it didn’t force me to install it and actually gave me a choice instead. Absolutely unacceptable, acting like a virus rather than an app.
One of many games that have taken the ad program where it will install itself on your device when you close the ad. If it weren’t for that it would be a good game. But just auto installing itself on your device is something that defines what a Virus is.
This ap has installed itself without my permission after seeing an ad in another game. This is nefarious and should be deplatformed by Google for this behavior.
Installed without my consent. It was installed during an ad from another app with no way to cancel or even see it installing. I didn’t even notice until my phone said, “Moving to game hub.” If their ads install the app without consent, what else will this completely untrustworthy company will install while app is installed? No thank you.
YES. I sorted thru my apps shortly before downloading Wordscapes last month, so I know I had no unwanted games on my phone at that time. Since then I’ve deleted 4 new games that I did not consent to download or even realize were downloaded. Very sketchy. I’ll be watching my apps closely from now on. I obviously like Wordscapes, but if this continues to happen, I’ll probably delete it.
Disappointed has started those auto install adds where it starts installing and you have to cancel and ended up with 2 unwanted games so just Uninstalled this app after playing for a long time.
Hello, so I was watching ads on the webtoons app and it seems that rather than prompting a download through the play store. The advertisements for wordscape and tower war are basically auto downloading themselves to my phone. When I checked to see what store installed it, it says it was installed by Device manager.
Does anyone else seem to have apps downloaded to their device after playing Wordscapes? I seem to have some of the apps on my phone now that appear in the ads, but did not download them.
It happens to me on the mobile games I play. I accidentally click on an ad when trying to click the x or skip button and the next thing I know I’m getting a notification that says tap to launch game. I get it so many times with fishdom and I just got it with tile match.
WARNING THIS APP IS MALWARE IT AUTO-INSTALLED ON MY DEVICE THEY USE A SPECIFIC AD THAT AUTO-INSTALLS ON YOUR DEVICE IT IS NOT AN ACCIDENT AVOID THIS APP
I’ve come across some really shitty ad tactics that will auto install the app they’re pushing if you click anywhere on the screen before the timeout. Even if you just back out, if you don’t actually hit cancel install then you’ll get some stupid questionable games installed … It’s happened to me 3 times now. I’m looking for new games to play and when ads are served in that manner, I’ve had to go back and uninstall them. They don’t magically install themselves. You misclick on the ad and it opens up to a timer you have to cancel or it’ll get installed
Note: With video at https://imgur.com/a/YzXCWzV showing 5-second countdown followed by auto-install. Countdown narrative and 5 second threshold match AutoInstallDelay in code.
Game is decent. However, last night one of the adds turned out to be self installing malware. It took me 20 mins to remove the malware and everything it installed.
I’ve seen the ads OP is talking about. It’s got a quick download or something, you click anywhere and it automatically installs, doesn’t go through Google Play.
One of your ads was installing this game without my permission, and when it was done, it booted up in front of my phone game. Stop doing this. This is outrightfully idiotic.
Ads that download an app on to my device if I click anywhere are offensive and dangerous. Having 30+ second, phased, unskippable ads, that download apps on to my device is downright insulting.
Wordscapes currently has an AD going around on other apps that will FORCE INSTALL THE GAME DURING THE AD AND IT CANNOT BE CANCELLED. These predatory ADs were found in a game called Water Sort. Wordscapes forced installed their app on my device without permission multiple times and they should be FINED.
I was playing another game and this ad showed up i tried to click the x it took me to the download and started it automatically I then hit cancel thinking nothing of it then later check my phone and it was installed against my consent
I’ve had this happen to me with the tower war playable ad about a dozen times. They updated their ad a couple weeks ago and it stopped, but a couple days ago they changed the ad back and it is happening again.
Installed itself. While playing a different game, I got an ad for this game and thought I closed it. A couple minutes later I got a notification that it was done installing.
I got an ad for it and then a long lasting black screen with an install button. The x mark is so small that you are likely to miss it. Turns out the WHOLE SCREEN is an install button and it automatically installs, even if you hit cancel. Very shady.
Try deleting the app “apphub” (i had to search it in the settings of the phone to actually find the app) I noticed a notification saying it automatically downloaded apps (this was a notification from the phone itself on the day of purchase) and saw this “apphub” app that says it “provides a friction free download service for in-game ad choices” and it immediately set off a red flag for this issue we’ve been having. So far it seems to have worked but I will update if it happens again. The worst part about it is that I have parental controls set up on my child’s phone and it was bypassing them to auto-download these ads despite my approval being necessary to download anything.
DONT HAVE YOUR GARBAGE “GAME” 1-TAP INSTALL WHEN ALL I’M TRYING TO DO IS X PAST YOUR AD. I DONT WANT YOUR GARBAGE, STOP INSTALLING YOUR TRASH ON MY PHONE.
This thing keeps getting installed on my phone without my knowledge. I have to uninstall it regularly. It’s got ads on my other apps and somehow gets installed by itself! Google needs to know about this.
He’s right, I’ve had three games auto install. It happens on the ads that play extra long credits. Typically, you won’t be awarded for the completion of the add and another add will play. This literally happened to me today for the third time.
Yeah this is a thing I’ve been having happen recently. The apps install themselves. Even if you don’t click the X to end the ad, the still install themselves. … they fully go and install themselves at the end of the video. It’ll show the download bar at the top and the app will be with all the other apps.
Mobile game ads can now just install themselves without you tapping Install, wish is now replaced by ‘Install now’ if you want the game 5 seconds sooner. Hitting the X instead of Cancel still installs the game
I’ve had idk how many game ads lately send me to the app store when I tried closing them. In fact, I KNOW I didn’t download anything, and recently found 2 apps on my phone that had gotten downloaded. Had to have happened in the past couple days. Never opened them, promptly deleted them. Just annoyances. Especially when they’re things I’d NEVER use like insta or tiktok.
Instead of giving people the option to download the games when tapping on advertisements, the games automatically download to the device when the ads are tapped. No consent is given to the users when it comes to when they want to download the games or not, as soon as you tap on the ad it downloads for you. … AppLovin are now essentially baiting you with a demo and then forcing the full game down your throats. Just today I’ve seen them implement a 5-second “countdown” to the program installing the game, but stopping the countdown STILL INSTALLS THE GAME WITHOUT YOUR CONSENT. …
Security threat! Automatically installs from ads without permission or consent, then starts sending push notifications. uninxstalled immediately without launching. No means no!
Game was good and fun for a while until I noticed that if you clicked the ad accidentally, you run the risk of having some of the apps automatically installed. Ended up with 2 games that I did not want on my phone. BS practice.
Why does the game download apps whenever I watch an ad?” “This only started to happen recently. I would have my phone on the side and watch the dragon TV ads and whenever I was done, there would be an app installed.
this stupid game keeps getting automatically installed by ads in other games. I do not want to play this game and your disgusting tactics of forcing a download that I DO NOT WANT ON MY PHONE border on criminal.
An ad for this app keeps popping up on my phone. When I try to close it, the app installs. Please do something about this glitch. No that doesn’t help. If I don’t want an app and I’m trying to close an ad, I would expect that it not automatically download on my phone regardless.
This app keeps installing itself every time I watch an ad for it. Even if I do not touch my screen at all throughout the whole ad, it still installs itself after playing. I’ve deleted this app both too many and not enough times. I will continue deleting it.
I will never use this app. The developers push deceptive ads in other applications that automatically install Wordscapes on your phone when you try to close the ad. This is deceptive behavior and I’ve reported this to the Play store.
Ad automatically installed an app? … So it’s as the title says. I played an ad in the game, and it automatically installed an app (It was bricks and balls) I never left the AR app and I only realized it happened because I got a notification that said “click to launch the bricks and balls app. … So I went and checked and…yep it had been installed.
Ad for this game appeared and while trying to x out of it, accidentally clicked the ad. A minute later i receive a notification that Wordscapes installed. Never clicked on an install button. Shady practices.
This game literally installed itself while I was trying to make an ad go away in Brotato. No redirect to the play store. No confirmation on the install. you miss the x on the corner and now you have a new game installed that you never asked for. absolute scumbag design. 0 out of 10.
Game itself is fun, you ruin it with ads for apps that auto install on your device. I can deal with ads you can close but not ones that install themselves and you have to close your game to go uninstall the unwanted app.
The problem that I am seeing now is that when you encounter an ad, it automatically installs the game listed in the ad. This is happening every time I play the game. I am ready to delete the game at this point. The frustration of having to uninxstall the latest game you force download is too much.
Disabled on both our phones the day we got home with them. But woke up a few days ago with screen like OP posted (both phones). Somehow the app selector got turned back on without our knowledge.
You can disable AppSelector and you’ll never see those again (at least I’ve been through a few updates now and I haven’t seen it). I always recommend people uninstall or disable AppHub and AppSelector. One of those apps will also just straight up install apps on your behalf without your knowledge, so if you don’t get rid of those two apps and you see random apps mysteriously appear, that’s why. They’re T-Mobile malware that gets preinstalled on carrier versions of android devices that T-Mobile sells. AT&T and Verizon do the same thing unfortunately.
Hello, for the past two or three days, whenever I get an advertisement on IbisPaint, that app automatically downloads onto my phone. Does anyone have this issue / know how to fix this?
Three times now I’ve gotten that ad for Tower War and any 30 seconds after the ad is over I get a push notification that Tower War has finished installing and is ready to play. Sure enough, there’s the game, loaded onto my phone without my permission. The only thing I clicked on was the “x” to close the ad once it was done. Kinda creeps me out that an ad can bypass the store and just install unwanted crap on your phone
several Game ads will auto-install the games, no input or knowledge of it happening from you, you simply have several new “games” in you menu. Spyware/virus/predatory behavior.
Nope, T-Mobile does for a fact install it automatically as does every other carrier with their own version. I set up my own S23 Ultra. I’m always very careful with every prompt that pops up, I read it carefully, uncheck anything opting me into spying or other malware features, etc. Yet after setup I was finding random apps being installed on my device and the App Hub, AppSelector, and AppManager were all culprits that I did NOT opt in to.
HATE THE AUTO INSTALL ADS! YOU DO NOT HAVE PERMISSION TO INSTALL APPS ON MY PHONE! AS I TRY TO CLOSE THE ADS, IT WILL AUTO INSTALL APPS TO MY PHONE. GET RID OF THOSE ADS!
Every time an ad plays for this game, while I’m playing a game that I enjoy, it is automatically installed on my device. If this continues, I am willing to start a class action lawsuit. It isn’t legal to use these practices, and I consider it harassment
This ad if accidentally clicked doesn’t even take you to the store to ask if you wanted to download. It just installs. That’s crazy invasive to your device, like a bug. Or a parasite. Once again, marketing work being done by ignorant sales kids who don’t understand law.
Fun game but ads are extremely intrusive. If you try to exit the ad, other games are autoinstalled which can open your device to viruses or other bad actors.
They use other apps to install RM without permission to boost their numbers. I now uninstalled this app at least 7 times – all ads from other apps that unethically installed without permission.
There are now ads that autoinstall other apps on your phone! They look like interactive/minigame ads, but touching ANYTHING – the close button, trying to pull up the phone navigation bar to exit WS – will trigger these apps to start installing. Sometimes you can cancel w/i 1 second, other times there is no cancel so you have to remove these malicious installations later.
I did not choose to install this on my device. The mobile ad for this would not allow me to exit and then this installed without my permission. I understand advertising is important but do not trust an app this invasive.
It definitely auto-installs. I’ve tested it because I was wondering where tf all these random shitty game apps were coming from in my phone. I don’t click anything, and if you don’t select “cancel” when it starts installing, the game will install. If you try to exit out, it does not count and will still install the game.
Ads, I understand. I draw the line at forced installations. I had this app for so long and it was one of the more peaceful ones. They sadly introduced ads, which is annoying but understandable. Now the ads have gotten so intrusive I get more ads than game time. However the straw that broke the camel’s back was how exiting the ads forces you to download them. I’ve deleted 5 apps I did mot want to download.
Note: Game developer did not deny forced installations: “Our team hears you and we’re working to improve the ad experience for you. For now, you may consider getting the premium version to enjoy an ad-free version of the game.”
It installed itself into my phone when I tried to exit an app that was showing an ad for this. This is super shady on their part and should be looked into
Had an advertisment of wordscapes and after it finished it installed itself when I was trying to exit the advertisment. Very sketchy that it installed itself this way
Everytime one of their Royal Match advertisements come up while I’m playing a different game, it force-installs Royal Match game app on my Samsung phone without my consent! I don’t know how to block it from installing! Negative 5 stars! This should be banned from the Google Play store!
Royal Match keeps downloading itself to my phone – without my permission. I play Uno and they have ads for it. And for the past week, it has been automatically downloading itself to my phone.
Keeps installing on my phone every time I see an ad for it. I’ve never wanted this game and I’ve never played it. Just sick as hell of deleting it from my phone.
DO NOT INSTALL- Lately it has become difficult to exit out of the ads, which I had no problems with before. The issue now is that when I exit the ads, it begins to install the app for those ads immediately instead of simply bringing up the playstore where I have the OPTION to install. Frankly these ads that automatically download different apps make me feel that this game is UNSAFE to continue playing. What a dissapointment. This isn’t a fluke either as many friends of mine faced the same issue.
Somehow ended up on my phone,so I thought I’d leave a little insight as to how predatory the way-too-long ads are for this game. I believe it installed itself after a misclick on the ‘X’ to close the ad. A bit scary.
Culper 1 also presents correlation between AppLovin deals with OEMs and carriers in certain regions, spikes in installs in these regions, and spikes in user complaints. The most natural explanation is that the OEM and carrier relationships made it possible for AppLovin to install numerous apps onto users’ phones in affected regions – causing both a spike in installations, and a spike in user complaints. Notably the OEM and carrier deals pertained to Android only, not iPhone, and the installation spike similarly appeared for Android only.
Ordinarily, if app A wants to install app B, it must send the user to Google Play—where installation only proceeds if the user taps the prominent green Install button. At Google Play, accidental installs are rare, and nonconsensual installs are effectively unheard of.
If installations occur outside Google Play, the first question is technical feasibility. It is not enough that source code appears to support this behavior (as shown in my execution path analysis); the Android security model must also allow it. A close review of security settings in the relevant manifests shows that such installs are indeed possible—and in fact, the unusual settings documented on this page are difficult to explain any other way.
Save The Girl manifest indicates authorization to invoke AppHub
The Android game “Save The Girl” includes the following entry in its manifest:
Ordinarily, apps do not need this line to receive ads from AppLovin. So why does this game—and dozens of others—request permission to invoke AppHub? What legitimate purpose does this serve?
AppHub manifest indicates authorization to invoke T-Mobile packages with elevated permissions
The AppHub manifest includes permission to interact with a T-mobile installer helper:
One plausible explanation is that AppHub uses a T-Mobile install helper to complete out-of-box (OOBE) installations. But that only raises a further question: Why would third-party games need to connect to the same privileged middleware?
Com.tmobile.dm.cm has elevated permissions including installing other apps
The com.tmobile.dm.cm package has the critical permission necessary to install other apps.
Some AppLovin APKs seek permission to install apps themselves, without a manufacturer/carrier install helper
In some cases, AppHub does not rely on a manufacturer or carrier install helper. Certain AppLovin APKs instead request install permissions directly. For example, the Adapt v3.40.2 manifest includes:
AppLovin’s public statements are consistent with AppLovin sometimes receiving this permission. From AppLovin’s Array Terms:
To provide the Array Services to you, we may need access to the “INSTALL_PACKAGES” and “QUERY_ALL_PACKAGES” Android device permissions. We receive these permissions through your carrier or mobile phone original equipment manufacturer, and we use them to provide you with the Array Services, including presenting Direct Download screen to you and facilitating the on-device installation of mobile applications at your election (where Array acts as the technical installer, not your carrier).
This paragraph — including phone manufacturer or carrier preinstalling AppLovin code and presetting these permissions — matches what I observed. Of course the “at your election” claim is contrary to my analysis of the execution path, and my tabulation of user complaints, indicating nonconsensual installations.
Flipping through AppLovin APKs, it is easy to find labels and strings that appear to indicate nonconsensual installations. Examples are below.
These labels must be interpreted with care. Ultimately these are labels, not directly indicating actual application functionality. Anyone could name a function FlyToMoon(), but that doesn’t mean he has a rocket or a launchpad.
Furthermore, there could be proper reasons for certain silent installs. Consider the out-of-box experience, when it is routine for manufacturers and carriers to place apps on a user’s device. Consider installations in which user consent is obtained in some earlier part of the process.
Overall, I consider the execution path a more reliable method of determining what AppLovin’s code does. On the other hand, the execution path is complicated—requiring parsing thousands of lines of code to follow the flow, and requiring substantial technical skills to understand the code. In contrast, reviewing strings can be as easy as Edit-Find and dictionary meaning.
Labels and strings in Java code
AppLovin’s code includes various labels that indicate or reference nonconsensual installations. A representative example: com.applovin.array.apphub.tmobile includes a class called TmobileSilentInstallManager. The literal meaning of a “silent install” is one without user consent.
Elsewhere in AppLovin code, there are hundreds of references to “Install”, “Installer”, “installing”, “startInstall”, and the like, including more precise labels such as “andr_app_installing_start”, “an.ui.ntfn.installing_progress.enabled”, and “package_installing_successfully_finished_notification_id”. AppLovin logging also includes status messages like “Failed to start install”, “Failed to start installing”. These labels and strings leave no doubt that AppLovin can install apps—but they do not prove that installations are silent, automatic, or nonconsensual. Other labels, like “DirectInstallOrDownload”, indicate a nonstandard installation (not via Google Play) and suggest the install has few steps (calling into question what disclosure is provided and what consent obtained), but again are less than complete proof.
Labels in JavaScript code
The AppHub APK embeds a resource file, index-BFfWBgBF.js, which contains labels indicating non-consensual “auto” installations. The file merits close examination (see my execution path analysis), but even its labels reveal its purpose. For example:
A JavaScript “Breadcrumb” message logger even records a possible event, “Installation on ‘X’ button click”. Yet clicking an X is ordinarily understood as rejection, not consent. Similarly, an error handler describes “Failed to set installation on dismiss enabled”—implying that, when working correctly, the code can indeed install on dismiss. But what user thinks “dismiss[ing]” an ad is basis for an installation? Code snippets below.
catch(a => {
pe.reportError(new Error("Failed to set installation on dismiss enabled", {
pe.leaveBreadcrumb({
message: 'Installation on "X" button click', ...
Taken together, these labels describe scenarios where installations proceed without a user being asked to install or without the user agreeing to install.
Possible settings screen entries consistent with automatic installations
The resource file index-BFfWBgBF.js also includes a potential settings screen with the following labels:
zu = "Enable Direct Download",
Gu = "Download apps with a single click", ...
Ra = { EnableDirectDownload: zu,
EnableDirectDownload_Description: Gu, ...
From the resource file alone, it is unclear whether this screen is ever presented to users, and if so, under what conditions or with what default setting. Yet users consistently report unexpected app installations, suggesting that the option may be enabled by default—or hidden in a screen users do not ordinarily open.
My personal experience reinforces doubt about such a screen being shown to users. In spring 2025, I purchased a new T-Mobile phone directly from the carrier. On first boot, the out-of-box setup prominently displayed AppLovin screens urging me to download apps. At no point did I see any option to “Enable Direct Download” or to “Download apps with a single click.”
User complaints confirm that no such screen is shown. In reviewing complaints, I found no screenshots of such a screen being proactively shown. One user noted:
I found an app called Content Manager on my Samsung S24 that I bought through T-Mobile. There was an option there that says “Allow Install of New Apps” and I turned it off, and the ad installs stopped. (Skybreak, April 6, 2024)
This complaint reinforces the problem: a user would have no reason to hunt through a Content Manager settings screen to disable unwanted installs. Nor does failing to disable a buried option constitute consent for arbitrary app installations.
A reliable way to understand what software does is to examine its source code and trace the execution path. This is rarely possible for compiled code, but AppLovin is largely Java, which can be decompiled using tools such as JADX. I reviewed decompiled source code alongside the full app manifests and relevant resource files embedded within APKs. Together, these materials reveal both what the apps are permitted to do (via permissions), how execution proceeds from function to function, and, ultimately, what occurs.
Let me remark on three key challenges in interpreting the decompiled code. First, length. After decompilation using JADX, the AppHub APK totals a remarkable 626,053 lines of code. Then there’s more in the AppLovin SDK, in install helpers, in manifests, and in JavaScript. Of course most of the code is irrelevant to app installs. In the excerpts linked below, I focus on what I found to be relevant. But the execution path remains lengthy even after excerpting.
Second, both decompilation and deliberate obfuscation by AppLovin make parts of the code difficult to read. Decompilation recovers some labels (function names and variable names), but others are lost and must be generated by JADX – yielding labels that are difficult to interpret (such as AbstractC1838d0) and not the labels actually used in AppLovin’s source code. Meanwhile, AppLovin intentionally obfuscated (minified) its JavaScript—not unexpected, because they have no reason to help anyone read it, but still an impediment to understanding.
Third, Android’s architecture—including coroutine continuation functions for multithreading—adds further complexity. This code is not the simple a() calls b() calls c() taught in introductory programming classes.
Nonetheless, with knowledge of Java syntax and Android architecture, and with determination and grit, the execution flow is apparent. I worked on understanding this code on-and-off from February to September 2025, and I now feel I have a good understanding. My remarks below are my best effort under important constraints, including both the size of the task and AppLovin’s intentional obfuscation. I cannot guarantee perfection. See my disclosures.
In the index below, I present code in the sequence in which it operates. Where a function name is less than self-explanatory, I remark on its purpose. In the linked pages, I introduce each block of code with a short narrative about key steps, and I use red text to mark the flow from one step to the next. Occasional comments, marked with the prefix // , are added by me to explain selected areas.
showDirectDownloadAppDetailsWithExtra() with service method AbstractC1838d0.m3826C(),delegate C2823r(), and Kotlin coroutine continuation with entry point mo410()
setupAppDetailsFragment() and coroutine continuation class C3359j1 with continuation entry point mo410r()
DirectDownloadMainFragment C3374l2 and onViewCreated mo1147B() with coroutines C3339g2, C3332f2, and C3325e2, plus coroutine continuation orchestrator M5734P and URL builder m5748L
AbstractC3404p4.mo1147B() with C3334f4 and C3320d4 (WebView loader)
DirectDownloadMainFragment continuation entry point mo410r()
My work follows six prior critiques in which others questioned AppLovin practices, both as to app installations and beyond. I organize those critiques here, in chronological order, to assist those who wish to reread them. I emphasize those reports and sections that, like my post today, consider nonconsensual installations.
Compared with prior reports, I provide a more detailed technical analysis. For example Solon’s report of SEC inquiry does not provide any source code, screenshots, packet logs, or other direct evidence of data collection violations. I also provide greater proof relative to prior reports of nonconsensual installations. For example, the prior reports about nonconsensual installs present snippets of code, whereas I trace the full execution chain from ad delivery all the way to installation. Similarly, prior reports offer a few complaints about nonconsensual installations, but I offer hundreds, plus I explore patterns of complaints across devices and situations, and I cross-check complaints against details in decompiled AppLovin code.
In January 2025, I was engaged by an investment firm that was skeptical of AppLovin. They asked me to investigate a range of concerns, including installation practices. That engagement continued until June 2025. My agreement with that firm disallows me from revealing its name, but allows me to share all information I figured out from public sources. Since then, I have had no paid relationship with that firm—or any other investment firm—regarding AppLovin.
As part of my research for this post, I spoke with a range of experts concerned about AppLovin’s practices, including security researchers, journalists, industry analysts, attorneys, and competing adtech firms. No money changed hands in any of these discussions. As my post indicates, my primary methodology was forensic: I reviewed AppLovin source code and tested the product first-hand, plus examined user complaints.
From my extended analysis, I became convinced that AppLovin engaged in serious misconduct. The accompanying report details the methods and evidence supporting this conclusion.
Consistent with my practice whenever contractually permitted, I am releasing this report publicly for anyone to use. To the best of my knowledge, the information herein is accurate and based on sources and methods I consider reliable. Nonetheless, all content is provided strictly “as is,” without any warranty—express or implied. I make no representations as to the accuracy, timeliness, completeness, or likely results of using this information. My research necessarily contains inferences, estimates, and opinions which may prove inaccurate and are subject to risks and uncertainties beyond my control.
This report is not investment advice. I make no representation or warranty regarding its completeness or the future performance of AppLovin’s securities. Readers must conduct their own research and due diligence, including consulting with financial advisors, before making investment decisions.
I hold a financial interest in which I profit if AppLovin’s stock price declines. I opened this financial interest after completing research, based on my serious concern at what I found. I may change, reduce, or close this position at any time, without notice. I do not undertake to update this report to reflect changes in my views or positions. However, if I conclude that I am mistaken about AppLovin’s technology, I will correct the record publicly.
***
Update, October 16, 2025: I no longer have a financial interest relating to AppLovin.
In public statements, IronSource promises to "empower software" through "faster" downloads, "smoother" installations, and increased "user trust." It sounds like a reasonable business — free software for users in exchange for advertising.
Yet a closer look at IronSource installations reveals ample cause for concern. Far from facilitating "user trust," IronSource installations are often strikingly deceptive: they promise to provide software IronSource and its partners have no legal right to redistribute (indeed, specifically contrary to applicable license agreements); they bundle all manner of adware that users have no reason to expect with genuine software; they bombard users with popup ads, injected banner ads, extra toolbars, and other intrusions. It’s the very opposite of mainstream legitimate advertising. We are surprised to see such deceptive tactics from a large firm that is, by all indications, backed by distinguished investors and top-tier bankers.
In the following sections, we present two representative IronSource bundles, then offer broader assessments and recommendations.
An IronSource-Brokered "Chrome Browser"
Install a "Chrome Browser" and you wouldn’t expect a bundle of adware. But that’s exactly what we found when we tested an IronSource bundle by that name.
IronSource snares users who are searching for Google Chrome
IronSource landing page repeatedly presents Google’s Chrome trademark and logo, giving little indication that users have reached an independent installer.
Installer also lacks any branding of its own, giving little indication that users have reached an independent installer.
IronSource’s installer presents a series of screens like this, each touting a separate bundled adware program. Eventually a user might notice something amiss — but no "cancel" button lets a user reverse the entire process.
In testing on October 31, 2014, we began with a Google search for "download google chrome." A large ad promised "Download Google Chrome – Downloadb.net" (title) with details "New Google Chrome(R) 35 Version. Google Chrome 2014. Install Today! Chrome is still fast and loaded with new standard support. -PC Mag". Sublinks below the ad elaborated: "Download the New Version – Get the Latest Chrome(R) – 100% Free Installation". Thus, nothing in the text of the ad gives any suggestion that the ad would take a user to a third party rather than to genuine Google software. The display URL, "google-chrome-install.downloadb.net", might alert sophisticated users — but "downloadb.net" is generic enough that the warning is minimal, and bold type focuses attention on "google-chrome" (matching the user’s search terms).
The resulting landing page did not show anything amiss either. The landing page uses Google’s distinctive Chrome icon twice, as well as the large-type label "Google Chrome." On our standard 1024×768 test PC, no on-screen text offered any logo, any company name, or any product name other than Google Chrome.
We clicked the "Download Free" button to proceed, then run the resulting installer. After a perfunctory first screen (still without any affirmative indication that the software is not a genuine Google offering), the installer began to tout third party software. The installation solicitation was strikingly deceptive. First, the window’s two headings were "Google Chrome" and "Make your selection to continue", plus it repeated the distinctive Google Chrome icon at top-left. Notably, no large type indicated that the software is anything other than genuine Google software. Furthermore, the large scroll box on the right offered the bold-type heading "END USER LICENSE AGREEMENT" — more naturally understood to be a EULA for Chrome, the software the user requested and the software the user expected to receive. Small type at top-left mentioned "Astromedia new-tab add-on," but this could easily be overlooked in light of user expectations, prior statements, window headings, icon, and the EULA box heading. Nor did the bottom disclosure cure the problem: The bottom text mentioned Astromedia only in the second line of a disclosure where it is more likely to be overlooked. In addition, the disclosure’s links (to a EULA and privacy policy the user purportedly certifies having read and accepted) lacked any distinctive color or underline, so users are unlikely to recognize them as links. As a result, users have no reason to know that they are (purportedly) accepting lengthy external documents.
Next, the installer pushed another program, "Framed Display." The screen followed the same template critiqued in the prior paragraph, including deceptive headings, deficient disclosures, and unlabeled links. Moreover, the program name "Framed Display" is itself deceptive — a generic name, a combination of two standard words without secondary meaning, which gives no serious indication of the program’s function, origin, or even the fact that it is third-party software unrelated to Chrome.
The installer then touted two further programs, RegClean Pro and DriverSupport. These at least appeared with logos in the top-left, which might help some users realize that they are being asked to install third-party software. But like the prior screens, these both linked to (and asked users to agree to) contracts presented only via links not formatted as such. Both offers still appeared within a window entitled "Google Chrome," continuing the false suggestion that these programs are affiliated with or endorsed by Google.
Seeing the logos for RegClean and DriverSupport, some users might realize that they have received something other than Google Chrome. But the installer lacked a "Back" button to let a user return to prior screens and revoke the acceptances previously (purportedly) granted.
The install video shows the full install sequence, culminating in various popups, new programs, changed browser settings, and other interruptions. The computer becomes noticeably slower, and most users would find the computer much less useful. In fact we found 2,478 new files created as well as 2,465 registry values created — quite an onslaught. Among the most urgent problems is that, as best we can tell, a user cannot remove the DriverSupport’s window from the screen except by killing the process with Task Manager.
In a remarkable twist, the installer pushes the user to install additional software even after the main installation is complete. In particular, after the user receives the four offers described above, the installer runs a 30+ second download of the various programs to be installed. (In the video, this is 1:16 to 1:50.) The user then sees a "Finish" button. But far from ending the installation solicitations, "Finish" brings a solicitation for yet other adware, MyPCBackup. At the conclusion of an installation and after pushing a button labeled Finish, users naturally and reasonably expect only perfunctory final tasks, not requests to install more unrelated advertising software. Furthermore, the on-screen disclosures say nothing of adware, pop-up ads, or tracking of users’ browsing; and the links to EULA and privacy policy again lack any labeling to alert users that they are clickable. On the whole, users are poorly positioned to evaluate this offer, understand what they are asked to accept, or provide meaningful acceptance. Nor is this installer alone in presenting other solicitations after installation; we’ve seen other IronSource installers try the same scheme.
This bundle constitutes both software counterfeiting and trademark infringement. Contrary to the title of the initial ad and the large-type heading in every screen of the installer, this is not the genuine "Google Chrome" installer that Google provides; rather, it’s a wrapper with all manner of other software from third parties unaffiliated with Google. At every step, the installer features Google’s distinctive "Chrome" brand name and logo with no statement that Google authorized their use. And the installer redistributes Chrome despite a clear admonition, within the standard Chrome Terms of Service, that "You may not … distribute … this Content [Chrome] (either in whole or in part) unless you have been specifically told that you may do so by Google… in a separate agreement." The installer offers no suggestion, and certainly no affirmative statement, that Google has provide any such permission. Indeed, in a telling twist, we found that the installer never even showed the Chrome Terms of Service, contrary to Google’s standard requirement (implemented in all genuine Chrome installers) that users accept the ToS before receiving Chrome.
This bundle is also an objectively bad deal for consumers. A consumer seeking Chrome can easily obtain that exact program, on a standalone basis, without any bundled adware, toolbars, popups, injections, or other extra advertising or tacking. The installer adds nothing of genuine value to users; it delivers only the software that its adware partners pay it to deliver, and the partners pay to have their software delivered to users only because they correctly anticipate that users would not seek to install adware if it were not foisted upon them.
Although the IronSource company name appears nowhere in the installer’s on-screen displays, numerous factors indicate that this is indeed an IronSource installation. For example, installation temporary files include multiple references to "IC", and registry keys were created within the hierarchy HKEY_USERSSIDSoftwareInstallCore. (InstallCore is the IronSource service that provides adware bundling and adware installation.) Other temporary files were created within folders with prefix "ish******", "is**********", and "is*******", best understood as abbreviations for IronSource. Furthermore, while each installer connected to different hosts to obtain installation components, each installer’s hosts included at least one with an IP address used by IronSource (according to standard IP-WHOIS). Host names followed a pattern matching longstanding IronSource practice (as previously reported by, e.g., Sophos), including hosts called cdneu and cdnus, exactly as Sophos reported.
Moreover, it seems that some of the bundled adware is itself made by IronSource. For example, the Astromenda browser plug-in stores its settings in a Windows Registry section entitled SoftwareInstallCore — a fact most logically explained by Astromenda being made by IronSource’s InstallCore.
The Nonexistent "Snapchat Windows" App that Delivers Only Adware
Snapchat fans often wish for a Windows client. No such software exists, but that doesn’t stop an IronSource bundle from claiming to offer one, and thereby bombarding interested users with a variety of adware.
IronSource snares users who are searching for Snapchat.
IronSource landing page repeatedly presents Snapchat’s trademark and logo, giving little indication that users have reached an independent installer. In fact there exists no genuine "Snapchat for PC" software, and IronSource’s bundle is most notable for delivering adware.
In testing, we searched for "Snapchat Windows" and clicked an ad claiming to provide the "Latest 2014 PC version" of "Snapchat." The resulting landing page correctly describes Snapchat but says nothing of any bundled adware. Meanwhile, a prominent "McAfee SECURE" Logo purports to certify the trustworthiness of the site, notwithstanding the problems that follow. (We discuss McAfee’s strange role, both flagging this installation and simultaneously certifying it, at the end of this article.)
We clicked "DOWNLOAD NOW" and proceeded to the installer. The first install screen said nothing of any bundled adware. The subsequent screens (second, third, fourth, fifth, sixth) had the same problems detailed above, including lacking distinctive branding for the unrelated third-party software that’s touted, lacking distinctive format on links to contracts users purportedly accept, and lacking back buttons to serve users who realize something is amiss and want to change their mind. Additional shortcomings in this installation:
As we repeatedly demonstrated in the install video (1:35 to 1:47, 2:34, 2:47, 3:01), even if a user does click to activate the license, the installer remains superimposed always-on-top in the foreground, thereby blocking a user’s effort to read the document the user is purportedly accepting.
For one bundled program (video at 2:19 and 2:29), the agreements are hosted on an inoperational server, which completely prevents any attempt to read them.
The text of the installation disclosures is illogical. For example, the disclosure for MyPCBackup adware advises the user to "Click ‘Play’ on the video to see what MyPCBackup can do for you" — but no video or play button is shown.
This installer bundles even more software than the fake Chrome installer detailed above. We found the fake Snapchat bundling Astromenda, Framed Display, RegClean Pro, MyPCBackup, and Weatherbug.
As far as we can tell, the installer never actually provides Snapchat software. Rather, the installer provides unrelated software called BlueStacks (a program which lets users "install" and use Android apps on Windows PC). It’s no surprise that the installer doesn’t provide a Snapchat Windows app, since none exists. Yet this omission undermines the entire value proposition promised to the user. Notably, BlueStacks is itself freely available, without bundled adware.
Similar Installations
We have seen numerous similar installations. These installs share many factors:
They grab the attention of users searching leading search engines for common software including popular commercial applications like Adobe Reader, Chrome, Firefox, Flash, Internet Explorer, and Java as well as open source software such as 7zip, GIMP, and OpenOffice.
Often, the installations significantly overstate the need for the installation or the benefits it can provide. For example, some installation solicitations falsely claim that a media player is out of date or, as in the Snapchat example above, even promise software that does not actually exist.
They use generic domain names (our examples of downloadb.net and downloadape.org are typical) with no affirmative indication that they are not the official distributors of the specified software. Quite the contrary, their text, images, and layout suggest that they are the authoritative sources for the software they promise.
They fail to disclose the presence of bundled adware until midway through the download process, and they almost always lack "back" buttons to let a user reverse course once the bundled adware becomes apparent.
They fail to disclose the true identity of the companies behind the installs, including using domains with limited or no contact information, as well as domain Whois with privacy protection.
Ultimately, these bundled installations provide users with nothing of genuine value beyond the adware-free installs easily available from the original developers. They are a source of widespread user complaints on software discussion forums, as users with so much adware systematically report that their computers are slow and unreliable.
IronSource’s Responsibility
By all indications, IronSource has the right and ability to control these installations. Installation code is obtained from IronSource servers; the installer EXE acts as a bootstrap, downloading configuration and components at runtime. Indeed, the IronSource installer architecture entails all "creative" materials (such as installation text and images) hosted on IronSource servers, letting IronSource easily accept or reject configuration details.
IronSource is likely to blame third party "partners" for most or all of the defects we have listed, but our analysis indicates that IronSource is importantly responsible. First, IronSource’s servers and systems create the installation bundle; IronSource can easily refuse to create deceptive installations, including refusing to create bundles with names matching well-known software such as "Chrome." Moreover, by IronSource’s own admission, its systems select and optimize the offers presented to users: "InstallCore improves install completion rates by about 32%" with "customized installers [that] reinforce branding and user trust," optimized through "the installer A/B testing tool to continuously improve results." IronSource even indicates that its own staff design installations: "Every branded installer is backed by dedicated graphic designers and a team of UI/UX specialists [who] adjust and continually make improvements that drive more installs." And IronSource itself brokers the relationships between "premium advertisers" (making adware) and software publishers using IronSource installers.
Meanwhile, the apps at issue entail self-evident counterfeiting. It is widely known that Google does not allow third parties to bundle its Chrome browser with adware, and that there is no such thing as a Snapchat Windows app. Even the barest of examinations by IronSource staff would have revealed these implausible titles for the respective installers — red flags that the installations are not what they claim to be.
IronSource’s installers are "bootstraps" that check with an IronSource server before beginning an installation. (IronSource explains that its "installation client downloads in real-time a list of offers" to present to a given user.) By removing or modifying installer configuration files on an IronSource server, IronSource can disable any installer it determines to be deceptive or otherwise improper — even months after that installer was created. Thus, IronSource can easily block further installs using the deceptive practices we have flagged here, as well as similar practices by other installers.
Notably, IronSource’s involvement meets the common law tests for both contributory and vicarious liability, wherein a company is liable for the actions of its partners. Contributory liability arises when a company knows of illicit acts and when it assists in those acts. Here, IronSource surely knows of illicit conduct (including counterfeiting) both because it is obvious and because consumers and rights-holders have complained. IronSource’s knowledge of deceptive installation disclosures is even clearer because by all indications IronSource systems optimized or even designed the installation disclosures. As to IronSource’s assistance, note that IronSource helps partners by entering into agreements with adware providers to be paid to install their software, bundling adware into installers, and designing and optimizing installers. IronSource thus satisfies the tests for contributory liability. Meanwhile, vicarious liability arises when a company has the power to prevent illicit acts and when it benefits from those acts. Here, IronSource can stop the deceptive installations because each installation checks with IronSource servers to obtain adware to be presented to users, which gives IronSource with an easy opportunity to disable an installer. IronSource benefits from the installations because it retains a portion of the payment from adware vendors. IronSource thus also satisfies the test for vicarious liability. In addition, of course, IronSource might itself be directly liable for those acts that it does itself, e.g. designing or optimizing deceptive installations.
TRUSTe Trusted Download Violations
IronSource has sought and obtained TRUSTe Trusted Download certification, which claims to assure that software is "safe" so that users "feel more secure" and proceed with installations. Trusted Download requires compliance with numerous rules, and our inspection reveals that IronSource falls short.
For one, TRUSTe Trusted Download rules specifically prohibit "induc[ing] the User to install, download or execute software by misrepresenting the identity or authority of the person or entity providing the software." See rule 14.g. IronSource might argue that if any such misrepresentation occurred, it was made by an IronSource distributor, publisher, or other partner, but not by IronSource itself. But rule 14.j disallows certified software from being included in any bundle with software engaging in violations of any portion of rule 14. So even if it was IronSource’s partners who violated rule 14.g, their violation put IronSource in violation of rule 14.j.
Furthermore, TRUSTe Trusted Download requires disclosures that go well beyond what these installs actually provide. For example, rule 3.a.i.2 requires "prominent link[s]" to all reference notices providing full terms and conditions, whereas the examples above show links not labeled as such (without distinctive color or underlining), and thereby prevent users from recognizing the links as such. We also question whether IronSource partners’ changes of user browser configuration (home page, toolbars, etc.) satisfy the requirement of 3.a.i.1.A-D.
Here too, IronSource might argue that its distributors, publishers, or other partners are responsible for these violations. But Trusted Download rules specifically speak to a company’s responsibility for its partners’ disclosures. See rule 9. Under rule 9.a, IronSource is required to establish contractual provisions in agreements with partners to assure compliance with TRUSTe’s rules. Under 9.d, IronSource must demonstrate to TRUSTe that it has an effective process for assuring compliance. Under 9.e, IronSource must itself monitor compliance and report any known noncompliance to TRUSTe; failure to report is itself a violation.
A further violation comes from IronSource’s detection of virtualization environments where its software may be tested. Trusted Download rule 2.c.viii requires that certified software be compatible with virtualization tools such as VMware to facilitate testing. In contrast, IronSource systematically declines to show adware offers — its raison d’être — when running in virtualization environments. If TRUSTe tested IronSource using VMware, TRUSTe staff would see none of IronSource’s deceptive installation solicitations, and they would reach a mistaken assessment of IronSource’s purpose and effect.
We have forwarded these violations to TRUSTe and urged TRUSTe to revoke the certification of IronSource. Given the nature and scope of the violations, we suggest revocation without permission to reapply. TRUSTe’s distinguished members and Trusted Download founding supporters (including AOL, Verizon, and Yahoo) wouldn’t want to be associated with a company engaged in software counterfeiting, trademark infringement, adware bundling, and the other practices we have presented.
Violations of Other Industry Rules for Software Practices
Beyond TRUSTe, several key firms and industry groups offer standards for software practices. IronSource installations systematically fall short.
For example, Google’s Software Principles require "upfront disclosure" of the programs to be installed and their effects, whereas these IronSource installations disclose the programs one at a time — the very opposite of "upfront." Furthermore, Google’s "keeping good company" principle disallows bundling an app with others that violate Google’s principles and simultaneously blocking any IronSource attempt to deflect responsibility to others. Meanwhile, Google’s AdWords Counterfeit Goods policy prohibits any attempt to "pass [something] off as a genuine product of [a] brand owner," thereby disallowing IronSource installations that claim to be Google, Snapchat, or the like. Google’s AdWords Misrepresentation policy requires that an advertiser "first provid[e] all relevant information and obtain… the user’s explicit consent" (emphasis added) before prompting users to begin a download, whereas these IronSource installations include no such disclosures on landing pages and disclose bundled apps one by one during the installer. Other Google requirements ban deceptive domain names and display domains as well as unauthorized distribution of copyrighted content, which also occur here. We see strong arguments that IronSource installs fall short of each of these requirements.
Microsoft’s Bing has similar Editorial Guidelines, which these installations similarly violate. For example, Microsoft’s intellectual property guidelines disallow promoting counterfeit goods and further disallow copyright infringements (such as redistribution of another company’s software without its permission). Microsoft’s misleading content guidelines prohibit deceptive suggestions about a site’s relationship with a product provided by others and requires an explicit disclosure of that fact. Microsoft further limits use of brands and logos which tend to give a false sense of authorization. Microsoft’s software guidelines add special rules for installations including requirements for the timing and substance of disclosures, and Microsoft specifically bans adding additional software to a package produced by someone else. We see strong arguments that IronSource installs fall short of each of these requirements.
Facing these and other requirements, it’s hard to see how IronSource could claim to comply. In response, Google and Microsoft should ban IronSource from advertising through their respective search engines. They should enforce that ban both through diligent checks and through "cease and desist" orders advising IronSource and its partners and affiliates not to attempt to buy advertising through intermediaries or other company names.
The Role and Responsibility of Investors
IronSource’s efforts to date have relied on significant support from investors. Specific investors apparently decline to be listed (perhaps anticipating unwanted scrutiny like this article). But the Wall Street Journal reports that JP Morgan and Morgan Stanley are serving as bankers and raised $80 to $100 million in August 2014. IronSource reportedly plans an IPO for 2015 with anticipated valuation of $1.5 billion.
We wonder whether investors fully understand IronSource’s activities, users’ distaste for adware, and the lurking risks if users, software rights-holders, search engines, and others seek to block IronSource’s activities. Suppose, for example, that Google banned all IronSource installations from advertising in AdWords — a reasonable decision based on the deceptive installations flagged here. A few large losses like this could put a major crimp in IronSource’s plans.
Interest from investors also opens IronSource to new forms of vulnerability and accountability. A decade ago, notorious adware vendor Direct Revenue succeeded in raising significant funds from investors, some of whom later found their computers running Direct Revenue adware. In a notable email, Barry Osherow of TICC sought personal assistance from Direct Revenue CEO Joshua Abram in removing unwanted Direct Revenue adware. In another, a consumer complained to Insight Partners about their funding of Direct Revenue. Insight’s Ben Levin passed the message on to managing director Deven Parekh who instructed that Insight be removed from Direct Revenue’s web site. Deven specifically worried that “all I need is Bob Rubin getting this email,” referring to the former Secretary of the Treasury who later became a special limited partner at Insight. (These emails and hundreds of others became publicly available when the New York Attorney General sued Direct Revenue and released selected business records.) In my view, these investors were correct to worry that their adware would attract unwanted public scrutiny, and that risk remains for current adware investors.
Co-author Edelman has updated his Investors Supporting Spyware page to list IronSource and known information about its investors and bankers.
Next Steps
IronSource boasts that its installation service "installs better" in that it "improves install completion rates by about 32%." IronSource attributes increased installations to solving technical problems. But another plausible reason for more installs is that IronSource and its partners resort to exceptional deception including disguising their software as coming from others, presenting disclosures that are at best incomplete, and otherwise pushing the limits in foisting advertising software few users would willingly accept. In that context, a higher installation rate is nothing to celebrate; more installs just mean more users infected with unwanted adware.
To bring an end to these practices, a natural first step is to enforce existing rules for advertising standards and practices. Having established Trusted Download to check for this kind of misbehavior, TRUSTe is particularly well positioned to take action based on the violations detailed above. TRUSTe should at least revoke its erroneously-granted certification and perhaps also post an affirmative statement of noncompliance. Google and Microsoft should similarly ban these IronSource installations from their respective search engines.
Computer security companies appear to have at best partial success at detecting both IronSource and the additional programs that IronSource bundlers install. For example, on December 15, 2014, Mozilla blocked the Astromenda Search Addon (included in both bundles presented above) from being installed into any Firefox browsers, reporting that "This add-on is silently installed and is considered malware, in violation of the Add-on Guidelines." That said, IronSource quickly moved to pushing new toolbar, this time labeled Vosteran, with similar functionality. As of the posting of this article, Vosteran has not been blocked by Mozilla. For a broader assessment of security companies’ assessment of IronSource software, we used VirusTotal to check detections of the fake Snapchat installer described above. VirusTotal reported just 14 of 54 security programs detecting it as unesirable software. For example, McAfee detected it, but Microsoft and Symantec did not.
We are particularly struck by McAfee’s inconsistent approach to IronSource software. On one hand, as we note above, McAfee was one of a minority of security vendors that detected IronSource’s fake Snapchat app, so if a McAfee user attempts to install the app, a warning will protect the user. That said, McAfee SiteAdvisor’s online safety tool inexplicably fails to detect downloadape.org, the site hosting the installer. (Disclosure: co-author Edelman previously served as an advisor to SiteAdvisor, but has had no connection to the product or McAfee since 2010.) In addition, as we note above, the fake Snapchat landing page features a prominent "McAfee SECURE" logo which purports to certify the trustworthiness of the site. Once McAfee’s software flagged the app as untrustworthy — correctly, in our view — we think SiteAdvisor’s page should have been updated and any McAfee SECURE certification should have been rescinded.
We and others have been fighting adware for more than a decade. But with capable and well-funded adversaries like IronSource pushing adware through new and creative tactics, there’s ample work left to do.
* – Pat participated as an equal coauthor but prefers to be listed only with his first name.
My January 2014 “Darker Side of Blinkx” explored Blinkx’s adware business and other controversial practices. The posting prompted significant interest, but unexpectedly much of the subsequent discussion focused on why I did the work rather than Blinkx’s actual practices. With this piece, I further examine of Blinkx’s adware, deceptive installations, and other tactics that harm both users and advertisers.
Softdlspro claims to offer a “Flappy Birds Game Download.” The bundle provides myriad adware including Blinkx adware, but no Flappy Birds.
Deceptive Fast Media Converter installation solicitation pretends to be a Flash Player update. It installs Blinkx adware (and more).
Deceptive Super Backup installation puts the Next button above disclosures, and makes no mention of any popups or any advertising at all.
A decade after the dawn of adware, one might ask why users agree to install programs that slow their computers, reduce their privacy, and bombard them with pop-up ads. A close look at Blinkx installs is instructive: Often, users aren’t fairly told what they’re getting. Though FTC rules call for clear disclosure of key effects, in prominent text outside a license agreement, Blinkx and its partners often omit these statements. That omission isn’t just an occasional error — it’s a common characteristic of many Blinkx installations. Yet the omission is no great surprise: If Blinkx and its partners fairly told users what they’d be getting, most users would decline. The following sections show installations with this problem (among others).
On February 10, 2014, Flappy Bird creator Dong Nguyen withdrew his popular game from Apple and Google’s app stores. In response, users went to search engines to try to get the game. Users searching on Google often saw ads that promoted a Softdlspro page that purported to offer “Flappy Bird Game Downloads” but actually had no such thing. Through this process, unfortunate users received Blinkx adware.
In the top screenshot at right and in a first video, I demonstrate that a search for “flappy birds” took users to a Softdlspro download page. In a second video, I then show that this Softdlspro bundle bombards users with an onslaught of adware. In my testing, a user who attempts to install this game is asked to install Fast Media Converter adware (video at 2:42), Program Starter (3:51), Yahoo Toolbar (3:55), Gamevance/Trafficvance ArcadeParlor adware, “Clean Water Action Reminder” from We-Care (a browser plug-in that monitors users’ browsing and claims affiliate commission on users’ purchases) (4:02), SLOW-PCfighter (which purports to offer computer repair) (4:03), and Super Backup (4:08).
Second, Softdlspro’s “Flappy Bird” touts Super Backup which is also monetized by Blinkx. Super Backup more readily discloses the link to Blinkx: Its Privacy Policy (visible in the video at 4:17) describes the program’s advertising component as “LeadImpact Software,” and its Terms of Use say the same thing. Furthermore, LeadImpact’s privacy policy says LeadImpact comes from Pinball Corp, and LeadImpact’s DNS servers are also within pinballcorp.com. Notably, Blinkx’s 2010 annual reportlists Pinball as a wholly-owned subsidiary. LinkedIn statements are in accord: Tony Gozzo describes his employer as “the Leadimpact division” of Blinkx, and Ramon Navarro says he works for “Leadimpact – a division of Blinkx.”
The Softdlspro “Flappy Bird” bundle is deceptive for multiple reasons. For one, it never provides the game the user requested and the offer purports to provide. Any associated “consent” to receive adware is therefore ill-gotten; as Softdlspro didn’t hold up its end of the bargain.
Furthermore, the Softdlspro offers are less than forthright. Consider the Fast Media Converter solicitation that appears in the video at 2:42 and in the second screenshot at right. (In general this is a freestanding offer — it appears on its own web page, separate from the Softdlspro install window, so users can and do receive this offer from other sources. That said, the Softdlspro installer systematically opens this web page, so users in the fake Flappy Birds install sequence are bound to see this pitch too.) The FMC offer reads “An update to Adobe Flash Player is available,” prominently references “Adobe Flash Player 12”, and uses the distinctive Adobe logo. But the software at issue is not provided by, or in any way affiliated with, Adobe. Indeed, Fast Media Converter has no genuine connection to Adobe Flash Player, and FMC uses the Adobe name, logo, and trademark only to appear familiar and legitimate. Users may be induced to install software because they are told it will “update” software they genuinely want on their computers. But when Blinkx and its distributors falsely claim to provide updates to unrelated software, any user’s “agreement” is ill-gotten and invalid.
FMC’s disclosures are also cause for concern. FMC mentions advertisements in a single clause midway through its installation disclosure (third paragraph, next-to-last sentence) — a place where users are unlikely to notice. Furthermore, the disclosure is vague: FMC “is ad-supported software and displays advertisements during your web browsing experience.” Missing from this disclosure are the two key facts FMC needs to convey to users before asking them to accept the adware: First, that ads appear in pop-ups, a format users are known to dislike. Second, that the adware tracks users’ browsing in detail and at all times. Such disclosures are required to alert users to the material consequences of the installation, and such disclosures are specifically required under longstanding FTC rules. See analysis below.
In some respects, the Super Backup installation is even more deceptive. For the on-screen display, see the video at 4:08 and the third screenshot at right. Prominent on-screen disclosures are placed above the oversized green “Next” button. But these disclosures only mention innocuous features about a program launcher. (These features are associated with Program Starter, a bundler that solicits a series of further installations.)
Blinkx’s Super Backup is mentioned in a format that invites users to overlook what they are purportedly accepting. The disclosure is in grey type on a grey background (text color RGB 128 128 128 against 224 224 224, whereas black on white would be the higher-contrast 0 0 0 on 255 255 255).
The disclosure is at the far bottom of the window, outside the natural flow of a user’s review from top to bottom. Indeed, a user reading the window from top to bottom would have already have reached (and perhaps clicked) the Next button before reaching the disclosure.
The Next button does not solicit a clear manifestation of assent. To obtain meaningful permission to install, Biinkx and its partners would need a label like “I accept” or “I agree.”
Worst of all, the disclosure says nothing at all about advertising. It only mentions backup functions: “makes backup easy with intelligent system scans…” A user reading this description would conclude that Super Backup provides backup with no advertising at all. But in fact Super Backup uses the ex-Zango adware engine to present users with popup ads.
These Super Backup practices fall short of legal requirements, including the duty to disclose material effects outside the license agreement. See analysis below.
Soft1d claims to offer a Snapchat download. The bundle actually provides myriad adware including Blinkx adware, but no Snapchat app.
In February 2014, I used Google to search for a Snapchat app from a Windows PC. Sophisticated users may know that there is no such app — Snapchat is for phones only. But in my testing (preserved in video), my request yielded a Soft1d page ad touting an app purportedly entitled “Snapchat.” I clicked Download Now (0:10), ran the resulting installer, and ultimately received no Snapchat app — but I did receive numerous adware including adware funded by Blinkx ads. Specifically, the bundle included Program Starter (1:40), a deceptive Fast Media Converter “Update to Adobe Flash Player” solicitation (1:49), Yahoo Toolbar (3:40), Savings Bull (3:42), Gamevance/Trafficvance Arcade Parlor adware (3:43), “Clean Water Action Reminder” from We-Care (3:48), and SLOW-PCfighter (3:50).
These installations are deceptive for the same reasons detailed in the preceding section.
Chris Boyd of ThreatTrack Labs critiqued this same installation in a posting dated November 19, 2013. Yet the same practices continued three months later in February 2014. To my knowledge, these practices are ongoing.
Blinkx might like to write off these practices as rogue affiliates or subaffiliates. Such a response would be ironic after Blinkx attributed Zango’s downfall to “lax oversight of rogue partners.” Most importantly, these installations are the norm and not the exception: When I find a distributor asking users to install Blinkx adware, the distribution has defects like these as often as not.
Blinkx says users who receive its adware are “getting utility for free in exchange for being served ads.” Blinkx further claims “the user experience is explicit and clear” and “the installation process is unambiguous.” Blinkx even touts a “25 point evaluation check list” for every app it considers as a distributor for its adware. But the installations speak for themselve; whatever Blinkx is doing, it’s not enough. The fact is, Blinkx’s distributors are pushing its adware through deception — claiming to be “Update to Adobe Flash,” promising apps like Flappy Bird and Snapchat that they don’t even provide, and failing to disclose key effects in the way the FTC requires.
Relevant FTC Requirements
The FTC Act bans “unfair or deceptive acts or practices in or affecting commerce” (15 USC 45). Cases interpret the prohibition on “deceptive” practices to disallow conduct that is “likely to mislead” (Gill , 71 F.Supp.2d at 1037, citing Southwest Sunsites, Inc. v. FTC, 785 F.2d 1431, 1436 (9th Cir. 1986)). In litigation evaluating a FTC complaint, a court examines a defendant’s representation to determine whether the “net impression” is likely to mislead reasonable consumers. See FTC v. Cyberspace.com, LLC , 453 F.3d 1196, 1200 (9th Cir. 2006). Notably, it is not a sufficient defense for a defendant merely to disclose the truth somewhere. FTC. v Cyberspace.com is on point: “A solicitation may be likely to mislead by virtue of the net impression it creates even though the solicitation also contains truthful disclosures” (emphasis added). See also Removatron Int’l Corp., 884 F.2d at 1497 (examining the “common-sense net impression” of an allegedly deceptive advertisement).
Caselaw on “unfair” advertising takes an equally dim view of Blinkx’s tactics. The FTC’s Policy Statement on Unfairness disallows behavior that causes or is likely to cause substantial consumer injury that a consumer could not reasonably avoid, and is not outweighed by the benefit to consumers. Blinkx might argue that users can avoid its adware by declining installation solicitations. But the vague, unclear, and otherwise-deceptive installation disclosures make it difficult for a reasonable user to understand what they are asked to accept and to recognize the importance of declining. Meanwhile, in the examples I presented, Blinkx adware fails to offer a single benefit to consumers. Indeed, Blinkx and its partners never provide the promised benefits (e.g. the Flappy Birds game or Snapchat app), so users receive only the detriment of extra advertising and tracking, without the promised benefit. The failure to provide the promised benefit is an exceptionally clear case of lack of countervailing benefit.
Squarely on point, the FTC has long held that adware may only be installed after providing a clear and conspicuous notice of key effects. For example, in 2008 testimony, Eileen Harrington (FTC Deputy Director of the Bureau of Consumer Protection) described the FTC’s view of appropriate practices for adware vendors. Specifically, Harrington stated that “buried disclosures … are not sufficient.” She continued: “burying material information in an End User License Agreement will not shield [an adware] purveyor from Section 5 liability.”
Despite Director Harrington’s statement of applicable requirements, these examples indicate that Blinkx and its distributors are disclosing key practices at most in license agreements, not in prominent on-screen text. In this crucial respect, Blinkx’s practices are exactly contrary to Harrington’s statement of the FTC’s longstanding generally-applicable requirements for adware.
Critiquing Blinkx’s Response to Deceptive Installations
In its response to my January article, Blinkx argues that “Ad supported … options are valid, recognized and accepted alternatives for packaging and distributing premium content.” Blinkx goes on to compare its adware to the Google Chrome web browser, noting that both show ads and that there is nothing inherently wrong with showing ads. (“Chrome is itself ad-supported software distributed by Google.”) Blinkx even compares itself to “mainstream publishers, such as MSNBC.com and People.com,” which also show advertising and sometimes popups. But this misses the concern completely. Google Chrome shows ads in the program window, when it is in use, and at no other times. MSNBC shows ads when a user visits its site, but at no other time. Blinkx adware is quite different: It runs at all times; it tracks users’ browsing and sends users’ activities to Blinkx servers; and it shows frequent popup ads. This could hardly be more different than mainstream web advertising. Moreover, my piece did not criticize ad-supported software in general. Rather, I criticized deficient disclosures that give users no clear statement of what they are (purportedly) accepting. The absence of informative disclosures leads users to “accept” software that, unbeknownst to them, is actually adware they would never have agreed to receive, had they been aware of its true effects.
Blinkx then argues that whatever installation problems occurred, they are not its responsibility. For example, I presented an unauthorized Google Chrome package that (contrary to Google’s Chrome Terms of Service) included Youdownloaders code which installed Desktop Weather Alerts which is Blinkx adware. To this, Blinkx argued that “Youdownloaders is a third party distributor and is neither blinkx nor a blinkx affiliate.” But I never claimed Youdownloaders had a direct relationship with Blinkx. The best description of Youdownloaders is a Blinkx subaffiliate: By all indications, Blinkx pays Desktop Weather Alerts to place Blinkx adware on users’ computers, and then Desktop Weather Alerts in turn pays Youdownloaders. But this chain of relationships in no way relieves Blinkx of responsibility for the underlying installation practices. Indeed, in 2006 litigation against Zango (the very company that created the adware here at issue), the FTC noted that Zango acted “through affiliates and sub-affiliates.” Reinforcing the importance of this business structure, the FTC repeated that phrase six separate times in five paragraphs. Similarly, the FTC’s 2007 order specifically indicated that its obligations apply both to Zango and to any intermediaries Zango chooses to use: In five separate paragraphs, the order repeats that its obligations apply to Zango directly and also to acts “through any person, corporation, subsidiary, division, affiliate, or other device.” Moreover, the FTC further noted that, at best, Zango had failed to adequately supervise its affiliates and their subaffiliates when acting on Zango’s behalf: “Respondents knew or should have known that there was widespread failure by their affiliates and sub-affiliates to provide adequate notice of their adware and obtain consumer consent to its installation.” In such circumstances, the FTC found that Zango was liable for the actions of its affiliates and subaffiliates. The same principle applies to Blinkx.
Relatedly, Blinkx argues that even the conduct of Weather Alerts is not Blinkx’s responsibility because “blinkx does not own Weather Notifications.” But Blinkx admits two sentences later that it “does maintain a commercial relationship with Weather Notifications, where the Company provides the monetization engine for this application and others like it.” Indeed, link Zango, Blinkx has numerous distributors who place its adware onto users’ computers. Zango has historically arranged its partnerships so that its affiliates all used the same name — all installing, at one time, “Zango” adware. Blinkx has now structured its affairs somewhat differently — causing affiliate Weather Notifications to distribute adware with one set of names (including Desktop Weather Alerts) while other affiliates distribute Blinkx adware under other names (such as Fast Media Converter and various others). But the chosen names are irrelevant. Notice Blinkx’s crucial roles: Like Zango, Blinkx provides the adware engine that monitors users’ behavior, targets ads, and displays ads. Furthermore, like Zango, Blinkx sells the ad inventory to advertisers, including receiving advertisers’ requests about which popups to show when users visit which pages and search for which keywords. Consistent with prior litigation and longstanding principles of agency, these efforts make Blinkx responsible for the associated adware. Introducing more product names serves primarily to reduce accountability by making it harder for users to figure out whose adware they are actually running, what company made the adware engine, or who to complain to. But multiple product names do not reduce Blinkx’s responsibility for the underlying practices.
Blinkx and its defenders took issue with a portion of my January article that said certain adware “is part of Blinkx” when the adware is distributed by a third party. But under the FTC’s articulated standards and caselaw, Blinkx is responsible when adware shows ads sold by Blinkx, when Blinkx makes the adware engine that presents the ad, and indeed when the entire advertising delivery system uses Blinkx (ex-Zango) code. In each of the examples I presented previously and above, Blinkx plays these roles. That Blinkx chooses to label its software with the names of third parties such as Weather Alerts and others, rather than under its own name, is of little import to users. Notably, these distinctions are also of no consequence to the FTC, as discussed above.
Blinkx further suggests that Google may even have authorized Youdownloaders to redistribute Chrome and to bundle Chrome with multiple adware programs: “It is quite likely that Youdownloaders may have a commercial relationship with Google” allowing the redistribution I flagged. I emphatically disagree. For one, Google’s Software Principles rules confirm that Google takes a dim view of deceptive bundling: Google requires “upfront disclosure” including “clearly and conspicuously” explaining key functions and advertising, which is missing in the examples above. Google also requires “keeping good company” which requires “not allow[ing] products to be bundled with applications that do not meet these guidelines.” But the bundles at issue include numerous deceptive adware programs. Furthermore, I know of no instance where Google has ever allowed Chrome or any other Google software to be bundled with any adware or other software showing popup ads. Blinkx says it is “quite likely” that Google authorized the installation I flagged. I believe it’s far more likely that Youdownloaders acted without authorization and, indeed, contrary to the Terms of Service that bind every copy of Chrome.
Blinkx consultant E.J. Hilbert purports to have evaluated Blinkx’s practices in search of improprieties. But in describing his methodology, Hilbert says “I have spoken with the Blinkx” staff and managers. Interviews are unlikely to uncover the problems I flagged previously and above. Specifically, Blinkx staff and managers have every reason not to know — and not to want to know — how their affiliates and subaffiliates are getting Blinkx adware onto users’ computers. Nor are Blinkx business records likely to reveal the actions of affiliates and, especially, subaffiliates. The better methodology for investigating such installations is to test live installations on the web, as I did in preparing the installation videos previously and above. Hilbert’s statement gives no indication that he did so.
Hilbert then says that Blinkx’s risk is reduced because “A lot of what blinkx does is … revenue sharing” which he says “takes that ability to hide out of the practice.” I disagree that revenue sharing offers important benefits for the practices at issue. Even if Blinkx pays its distributors and affiliates through revenue sharing, and even if affiliates pay subaffiliates by revenue sharing, the affiliates and subaffiliates still have every incentive to place Blinkx adware on users’ computers without proper disclosure and consent. Revenue sharing in no way dulls the incentive for deceptive installations.
The Applicability and Importance of Zango’s 2007 FTC Consent Order
Blinkx argues at length that Zango’s 2007 FTC consent order does not bind Blinkx. Broadly, Blinkx contends that it “purchase[d] select ex-Zango assets” and that the FTC settlement obligations did not flow with that purchase. A Blinkx attorney even contacted the FTC to seek the FTC’s view. Based on the facts the attorney provided, the attorney reported that an FTC representative stated that he “believes that the Zango consent order might no longer be active or enforceable [on Blinkx] in light on Zango’s bankruptcy.”
I see three reasons why these FTC staff remarks offer Blinkx limited protection. First, as discussed above, the FTC has long held that “buried disclosures” are not sufficient. Zango settlement or not, Blinkx is bound by generally-applicable law, and Blinkx and its partners are using exactly the “buried disclosures” that the FTC has criticized, disallowed, and even brought suit to prevent.
Second, there is good reason to doubt that Blinkx only acquired “select assets” from Zango. In 2009, Zango then-CTO Ken Smith was surprised to see news articles saying that Blinkx acquired “only ten percent” of Zango’s assets, which prompted him to write a piece unambiguously entitled “Blinkx acquired 100% of Zango’s assets.” Smith continued: “[T]he banks have nothing left of Zango’s which they can sell. Blinkx owns it all.” Indeed, Blinkx clearly received the ex-Zango client-side software (adware), the server-side software (receiving information about users’ browsing and selecting and sending ads), the mechanism used to sell the ads (including receiving advertisers’ requests and offers, and collecting payment), Zango’s contractual relationships with advertisers, and Zango’s installed base (computers with Zango adware, which continued showing ads for years). Blinkx’s admittedly “hired select ex-Zango staff.” Blinkx also retainedZango’s headquarters at 136th Place SE Bellevue WA. Apropos of Smith’s message, one might ask: What assets of Zango did Blinkx not acquire? If in fact Blinkx acquired the entire Zango adware business, or substantially all of it, the FTC consent order may well follow the acquisition — as the FTC has repeatedly and successfully argued in other matters.
Third, as Blinkx’s attorney explains in detail, FTC staff specifically refused to offer any official or binding endorsement of Blinkx’s practices — making their informal oral comments non-binding and by all indications not intended for reproduction or redistribution. That’s entirely appropriate, as the FTC is in no position to judge Blinkx’s practices based solely on supposed facts provided by Blinkx; any evaluation would require that the FTC perform its own investigation of Blinkx’s practices and Blinkx’s relationship to Zango. Pending such an evaluation, it’s too soon to say how the FTC would view Blinkx’s activities.
In a further attempt to distance itself from Zango and Zango’s consent order, Blinkx argues that “current practices bear no relation to the ex-Zango practices that led to FTC action in 2006.” In this regard, I urge rereading the FTC’s complaint. In relevant part (emphasis added):
10. In numerous instances, Respondents, through affiliates and sub-affiliates acting on behalf and for the benefit of Respondents, bundled Respondents’ adware with purportedly free software programs (hereinafter “lureware”), including without limitation Internet browser upgrades, utilities, screen savers, games, peer-to-peer file sharing, and/or entertainment content. Respondents, through affiliates and sub-affiliates, generally represented the lureware as being free.
11. When installing the lureware, consumers often have been unaware that Respondents’ adware would also be installed because that fact was not adequately disclosed to them. In some instances, no reference to Respondents’ adware was made on the website offering the lureware or in the install windows. In other instances, information regarding Respondents’ adware was available only by clicking on inconspicuous hyperlinks contained in the install windows or in lengthy terms and conditions regarding the lureware. Because the lureware often was bundled with several different programs , the existence and information about the effects of Respondents’ adware could only be ascertained, if at all, by clicking through multiple inconspicuous hyperlinks. …
13. Respondents knew or should have known that there was widespread failure by their affiliates and sub-affiliates to provide adequate notice of their adware and obtain consumer consent to its installation. …
The preceding examples demonstrate substantially the same problems — “lureware” distributed “through affiliates and subaffiliates acting on behalf and for the benefit of” Blinkx, with “information regarding [Blinkx’s] adware available only by clicking on inconspicuous hyperlinks.” Though seven years old, the FTC’s complaint remains a fine summary of the installation practices at issue. Even if the 2007 consent order does not bind Blinkx, the same concerns — and the FTC’s generally-applicable principles — make Blinkx’s current practices deficient.
Monitoring and Retransmitting Users’ Otherwise-Secure Activities
Blinkx adware observes users’ browsing on all web sites, including sites that employ HTTPS encryption to protect users’ activities from outside examination and interference. Because Blinkx adware runs on users’ computers, HTTPS over-the-wire encryption offers no protection against Blinkx adware examining users’ behavior.
In addition, Blinkx retransmits portions of users’ behavior in cleartext. For one, as users browse, Blinkx sends messages to its control server — obfuscated but by all indications unencrypted. In the excerpted packet log below, see the transmission highlighted in blue, showing the HTTP POST parameter with name epostdata. (Historically, Zango transmitted user activity in clear text in an otherwise-similar method. Example with the relevant transmission marked in yellow.)
Blinkx then also often sends users’ activity details to advertisers. At this stage, the information is neither encrypted nor obfuscated.
For example, in February 2014, I logged in to Google (activating Google’s encryption of all communications between my computer and google.com), then ran a Google search for “cheap flights.” A moment later, Blinkx adware opened a popunder to an advertiser, sending the advertiser the HTTP querystring parameter “FpSub=cheap*flights” (red highlighting below). That transmission exactly revealed the term I had specified in my Google search just seconds earlier, even though my communications with Google were encrypted by HTTPS. See a screen-capture video (confirming the search and encryption) and the unexcerpted packet log (showing the excerpt in context).
GET /?FpAffiliate=Zango&FpSub=cheap*flights HTTP/1.1 …
Host: www.cheapoair.com
HTTP/1.1 200 OK …
Google goes to great lengths to keep users’ searches confidential, including devoting additional server capacity and electricity to the required encryption. Blinkx defeats those efforts by interceding at the user’s computer and retransmitting a portion of users’ search terms unencrypted, in plaintext. Blinkx’s interception and retransmission allows users’ activities to be observed by anyone along the way, including by other users of the same wifi hotspot.
The FTC has previously filed suit against companies whose desktop software revealed communications through broadly similar design flaws. In 2010, I reported college savings service Upromise transmitting users’ activity in cleartext, even when sites used HTTPS to attempt to keep that information confidential. In response, the FTC brought a complaint against Upromise. In count 1, the FTC expressed concern that Upromise collected “information consumers provided in secure sessions when interacting with third-party websites.” To my knowledge, Blinkx’s data collection is a notch less aggressive than Upromise: Upromise collected credit card numbers, social security numbers, and more, whereas in my testing Blinkx largely collects and retransmits search terms and domain names. But the same principle holds, and the plain language of the FTC’s complaint indicates well-justified concern at client-side software collecting (and insecurely retransmitting) information that users had transmitted with the benefit of encryption.
Incidentally, the green highlighting above shows that when Cheapoair receives traffic from Blinkx, it labels the traffic as coming from “Zango.” Consistent with my longstanding experience, this indicates that Cheapoair, an ex-Zango advertiser, was automatically transferred to Blinkx.
Deceptive Popup Ads
Blinkx adware presents a deceptive ad falsely claiming “You have been personally selected for todays annual anonymous survey” (s.i.c.).
Blinkx adware presents a deceptive ad falsely claiming a user’s browser needs updating.
Once installed, Blinkx adware shows deceptive ads. For example, in testing on March 10, 2014, Desktop Weather Alerts used the Blinkx adware engine to present a Consumerslifestyledaily .com popup claiming “You have been personally selected for todays annual anonymous survey” (s.i.c.). See top screenshot at right. Because Blinkx told Consumerslifestyledaily .com the domain name of the site I had been viewing, the popup mentioned the name of that site — making the popup look more like a genuine part of the site, even though the site had nothing to do with the popup and indeed is a victim of the popup’s ability to divert and distract its users. Moreover, far from conducting a bona fide survey, the questions actually lead only to a page that attempts to sell the user skincare products and electronic cigarettes — claiming “Your price: $0.00” but adding significant shipping charges.
Similarly, in testing on March 9, Blinkx adware delivered a N9dj.info popup claiming “Outdated Browser Detected” (screenshots: 1, 2). The popup used the distinctive Internet Explorer logo and even delivered an installer called Internet_Explorer_Setup.exe. Despite the “Internet Explorer” label, the popup attempted to install an adware bundle, not Internet Explorer. Moreover, the popup falsely claimed “You are currently using Internet Explorer 7 which is now outdated,” when in fact I was browsing using Windows 8 which came with Internet Explorer 10.
Only because of Blinkx are these advertisers able to interrupt users’ browsing to display their deceptive offers. Consider: I received these popups while browsing well-known trusted sites that would never accept such deceptive advertising. But Blinkx has no such standards.
Defrauding Affiliate Merchants (this section co-authored with Wesley Brandi)
Blinkx and a rogue affiliate charge Hotels.com for traffic it would otherwise receive for free.
My January posting flagged Blinkx defrauding affiliate merchants by loading popups that promote the very merchants users are already visiting — thereby claiming commission on users that the merchants had already reached via other methods. I noted that these practices can be difficult for merchants to detect: Standard measurement systems report a high volume of sales, hence seemingly-effective ad campaigns, and the measurement systems fail to alert merchants that this is traffic they would otherwise receive without charge.
To demonstrate the scope of the problem, Wesley and I today post ten more examples showing widespread affiliate fraud.
These incidents weren’t hard to find: Wesley and I built automation that runs many adware programs (not just Blinkx) to protect our advertiser and ad network clients. Our automation found all these examples (and plenty more) in one 12-hour run. Indeed, in the course of a typical month, we regularly alert our clients to a dozen rogue affiliates using Blinkx adware, making Blinkx adware among the most frequent sources of prohibited affiliate traffic draining our clients’ budgets.
In response to my evidence of Blinkx and an affiliate improperly claiming commission on traffic Walmart would otherwise receive for free, Blinkx responded that it “specifically prohibits the kind of activity” I presented. But a contract provision is only the beginning. Whatever prohibition may be written in Blinkx’s contracts, we see no sign of Blinkx taking steps to enforce that rule. It would be easy for Blinkx to check whether a Blinkx advertiser is in fact an affiliate and, if so, what network the affiliate is using and what merchant the affiliate is promoting — it could simply load the advertiser’s ad and check for any affiliate link(s). If the affiliate is using a network that has banned adware popups, or promoting a network that has banned adware popups, Blinkx could immediately eject that advertiser. Blinkx could also ban any advertiser that is promoting the same merchant the user is already viewing. Blinkx says it is “always possib[le for an affiliate to] circumvent[] any technical measures that may be put in place” — but there’s no sign that Blinkx has actually established these or other suitable measures. My first article about Zango (then “180solutions”) in 2004 focused on exactly these affiliate frauds, and these practices have continued apace ever since.
Breaking Google’s Rules by Displaying Ads in Popups
Google rules specifically disallow placing Google ads into adware and pop-ups. For example, Google’s AdSense rules specifically disallow “[a]ds in a software application” and “[p]lacing ads in pop-up windows.” I understand that Google’s rules for other search syndicators are broadly similar, although those agreements are not ordinarily available to the public.
Contrary to Google’s rules, Blinkx and its advertisers often load Google advertisements in popup ads. These popups cover other companies’ sites and interrupt users’ browsing. The effects on advertisers are particularly negative: Advertisers pay full price for a Google click that is supposed to be top-quality, but they receive the inferior quality and brand tarnishment of placement in a pop-up ad.
The money trail – how funds flow from advertisers to Google to Blinkx adware.
For example, in testing last month, other adware (installed in a bundle along with Blinkx) opened a popup that presented a supposed survey from Websurveypanel.org. (This page was deceptive for other reasons that I won’t explore here.) Blinkx noticed that traffic and opened a popup to Eboom.com with a supposed user search term (“q=”) parameter referencing “websurvey.” Eboom then presented a page of Google ads, with four oversized Google ads and no other content visible in the window. I clicked the first ad and was taken through a Google pay-per-click link to the advertiser, Snapsurveys.com. By all indications, Snapsurveys paid a pay-per-click advertising fee for my visit. Screen-capture video and packet log.
One might ask why Google would allow a partner like Eboom, which buys traffic from adware like Blinkx. But Google does not work with Eboom directly. Rather, the packet log reveals Eboom using Blucora/InfoSpace (an aggregator of subsyndicators) to access Google’s advertising network. I’ve repeatedly flagged tainted InfoSpace traffic, including deceptive toolbars and multiple adware applications. In 2010, I summarized and consolidated my prior findings about InfoSpace, concluding that “InfoSpace hardly appears a sensible partner for Google and the advertisers who entrust Google to manage their spending.” I stand by that conclusion. Indeed, I’ve recently collected ample additional evidence, including proof of InfoSpace sending Google various traffic from other adware beyond Blinkx and through numerous brokers beyond Eboom. (I’ll post other examples when time permits.)
The complexity of the relationship — traffic flowing from Blinkx to Eboom to InfoSpace to Google to advertisers — reveals why advertisers and even Google struggle to put an end to these practices. Yet the complexity is of Google’s own creation, resulting from Google’s decision to let InfoSpace subsyndicate Google’s ads to other partners Google fails to rigorously supervise. Importantly, Google engineers could detect such placements through suitable automation. By 2005, I had already built a crawler to inventory Zango (then 180solutions) advertisements and to determine the ad networks funding Zango. With a similar crawler today, Google could readily identify sites that impermissibly buy traffic from Blinkx — then eject all such sites from the Google syndication network.
Next Steps
I previously suggested that Blinkx disclose its revenue from adware, as distinguished from its other lines of business. My rationale: Of the adware vendors known (from their statements and investor statements) to have received venture capital funding, many or most have ceased operations, and in several instances publicly-available documents indicate that investors received little or no return of capital (not to mention profit). Meanwhile, industry experts widely report that Blinkx is importantly reliant on adware: For example, in a blog comment in March 2014, Zango ex-CTO Ken Smith remarked that “It was my understanding that for a while, the majority of their money was being made off the Zango technology and audience.” (Smith also noted that only “recently” did Blinkx disable the last of the Zango adware clients — entirely consistent with the test installations in my lab.)
In a particularly spirited section of its reply, Blinkx declined to provide the revenue apportionment I suggested. Rather, Blinkx said it “places equal importance on all of its product lines and acquisitions.” I credit Blinkx’s argument that it “is under no obligation to expend resources and energy to detail information beyond its regulatory requirements.” Yet my suggestion has an undeniable appeal. If adware is in fact small, then Blinkx could address investors’ concerns by showing the size of this business. Conversely, failure to provide such proof reinforces my suspicion — and Ken’s! — that adware is and has been a significant revenue source for Blinkx. Meanwhile, Blinkx’s approach also strengthens the inference that adware is significant: If adware were not important to Blinkx, shrewd managers would have elected to discard this controversial business years ago.
Meanwhile, I’ve gotten back in touch with other computer security researchers who have found other deceptive installations of Blinkx adware. We used to write articles about adware weekly, but we’ve subsequently largely moved on to other things, and it takes a while to resuscitate the prior spirit of testing and exposition. Nonetheless, I expect more reports from others in due course.
Looking at Blinkx’s practices as a while, it is striking to see Blinkx paying distributors to put its adware on users’ computers without the hard-fought protections the FTC previously demanded of Zango. Seven years ago, Zango promised to cease these practices, and it paid a multi-million dollar fine to disgorge a portion of its ill-gotten gains. Facing equally brazen conduct continuing after that consent order, the FTC should demand even more far-reaching remedies here.
My testing of Blinkx ex-Zango adware began in 2004 with unpaid writing on my web site, and has grown to include paid and unpaid work for advertisers, ad networks, publishers, investors, and regulators. However, none of these requested or funded this article or any portion of the research presented in this article.
Video and advertising conglomerate Blinkx tells investors its “strong performance” results from “strategic initiatives” and “expanding demand, content, and audiences.” Indeed, Blinkx recently climbed past a $1.2 billion valuation. At first glance, it sounds like a great business. But looking more carefully, I see reason for grave doubts.
My concerns result in large part from the longstanding practices of two of Blinkx’s key acquisitions, Zango and AdOn. But concerns extend even to Blinkx’s namesake video site. In the following sections, I address each in turn. Specifically, I show ex-Zango adware still sneaking onto users’ computers and still defrauding advertisers. I show the ex-AdOn traffic broker still sending invisible, popup, and other tainted traffic. I show Blinkx’ namesake site, Blinkx.com, leading users through a maze of low-content pages, while charging advertisers for video ads systematically not visible to users.
Few users would affirmatively request adware that shows extra pop-ups, so Blinkx and its distributors use deceptive tactics to sneak adware onto users’ computers. In a representative example, I ran a Google search for “Chrome” (Google’s well-known web browser), clicked an ad, and ended up at Youdownloaders.com — a site that bundles Chrome with third-party advertising software. (The Youdownloaders footer states “The installers are compliant with the original software manufacturer’s policies and terms & conditions” though it seems this claim is untrue: Chrome Terms of Service section 5.3 disallows copying and redistributing Chrome; 8.6 disallows use of Google’s trademarks in a way that is likely to cause confusion; 9.3 disallows transfer of rights in Chrome.) In my testing, the Youdownloaders installer presented offers for five different adware programs and other third-party applications, among them Weather Alerts from desktopweatheralerts.com. Installation video.
I consider the Youdownloaders installation deceptive for at least four reasons: 1) A user’s request for free Chrome software is not a proper circumstance to tout adware. The user gets absolutely nothing in exchange for supposed “agreement” to receive the adware; Chrome is easily and widely available for free, without adware. It is particularly one-sided to install five separate adware apps — taking advantage of users who do not understand what they are asked to accept (including kids, non-native speakers, and those in a hurry). 2) On the Weather Alerts page of the installation, on-screen statements mention nothing of pop-up ads or, indeed, any advertising at all. In contrast, the FTC’s settlement with Zango requires that disclosure of advertising practices be “clear and prominent,” “unavoidable,” and separate from any license agreement — requirements not satisfied here. 3) The Youdownloaders user interface leads users to think that the bundled installations are compulsory. For example, the “decline” button (which lets a user reject each adware app) appears without the distinctive shape, outline, color, or font of an ordinary Windows button. 4) Users are asked to accept an objectively unreasonable volume of agreements and contracts, which in my testing include at least 14 different documents totaling 37,564 words (8.5 times the length of the US Constitution).
Tellingly, Blinkx takes considerable steps to distance itself from these deceptive practices. For example, nothing on Blinkx’s site indicates that Weather Alerts is a Blinkx app or shows Blinkx ads. The Desktopweatheralerts.com site offers no name or address, even on its Contact Us form. Weather Alerts comes from a company called Local Weather LLC, an alter ego of Weather Notifications LLC, both of Minneapolis MN, with no stated affiliation with Blinkx. Weather Notifications’ listed address is a one-bedroom one-bathroom apartment — hardly a standard corporate office. Nonetheless, multiple factors indicate to me that Desktop Weather Alerts isdelivers a version of Zango adware. For one, Desktop Weather Alerts popups use the distinctive format long associated with Zango, including the distinctive browser buttons at top-left, as well as distinctive format of the advertisement label at bottom-left. Similarly, many sections of the license agreement and privacy policy are copied verbatim from longstanding Zango terms. Within the Weather Alerts EXE, strings reference 180search Assistant (a prior Zango product name) as well as 180client and various control systems long associated with Zango’s ad-targeting system. Similarly, when Weather Alerts delivers ads, its ad-delivery communications use a distinctive proprietary HTTP syntax both for request (to showme.aspx, with a HTTP POST parameter of epostdata= providing encoded ad context) and response (a series of HTML FORM elements, most importantly an INPUT NAME=ad_url to indicate the popup to open). I have seen this syntax (and its predecessors) in Zango apps for roughly a decade, but I have never seen this syntax used by any advertising delivered by other adware vendors or other companies. Moreover, when a Blinkx contractor previously contacted a security vendor to request whitelist treatment of its adware, the Blinkx representative said “The client is Blinkx … Your engine … was flagging their installer package SWA as SevereWeatherAlerts…” (emphasis added). Notice the Blinkx representative indicating that SWA (another Local Weather program, virtually identical save for domain name and product name) is “their” app, necessarily referring to Blinkx. Finally, in a February 2014 presentation, Blinkx CEO Brian Mukherjee included the distinctive Local Weather icon (present throughout the LW app and in LW’s installation solicitations) as part of the “Blinkx Ecosystem” — further confirming the link between LW and Blinkx. Taken together, these factors give good reason to conclude that Local Weather isapplications are powered by Blinkx and part of the Blinkx network. Furthermore, in my testing Blinkx is the sole source of advertising for Weather Alerts — meaning that Blinkx’s payments are Weather Alerts’ primary source of revenue and primary reason for existence. (Additions made February 13, 2014, shown in grey highlighting.)
Blinkx/Zango software continues to defraud affiliate merchants.
Meanwhile, Zango-delivered advertising remains a major cause of concern. Zango’s core advertising product remains the browser popup — a disruptive form of advertising unpopular with most users and also unpopular with most mainstream advertisers. Notably, Zango’s popups perpetrate various advertising fraud, most notably ‘lead stealing” affiliate windows that cover merchant sites with their own affiliate links. If the user purchases through either window, the Zango advertiser gets paid a commission — despite doing nothing to genuinely cause or encourage the user’s purchase. (Indeed, the popup interrupts the user and thereby somewhat discourages a purchase.) At right, I show a current example: In testing of January 19, 2014, Blinkx/Zango sees a user browsing Walmart, then opens a popup to Blinkx/LeadImpact (server lipixeltrack) which redirects to LinkShare affiliate ORsWWZomRM8 and on to Walmart. Packet log proof. Thus, Walmart ends up having to pay an affiliate commission on traffic it already had — a breach of Walmart’s affiliate rules and broadly the same as the practice for which two eBay affiliates last year pled guilty. I’ve reported Zango software used for this same scheme since June 2004. As shown at right and in other recent examples, Zango remains distinctively useful to rogue affiliates perpetrating these schemes. These rogue affiliates pay Blinkx to show the popups that set the scheme in motion — and I see no sign that Blinkx has done anything to block this practice.
Rather than put a stop to these practices, Blinkx largely attempts to distance itself from Zango’s legacy business. For one, Blinkx is less than forthright as to what exactly it purchased. In Blinkx’s 2010 financial report, the first formal investor statement to discuss the acquisition, Blinkx never uses the word “Zango” or otherwise indicates the specific company or assets that Blinkx acquired. Rather, Blinkx describes the purchase as “certain net assets from a consortium of financial institutions to facilitate the growth of the video search and advertising businesses.” If a reader didn’t already know what Blinkx had bought, this vague statement would do nothing to assist.
Even when Blinkx discusses the Zango acquisition, it is less than forthcoming. UK news publication The Register quotes an unnamed Blinkx spokeswoman saying that Blinkx “purchased some technical assets from the bank [that foreclosed on Zango] including some IP and hardware, which constituted about 10 per cent of Zango’s total assets.” Here too, readers are left to wonder what assets are actually at issue. A natural interpretation of the quote is that Blinkx purchased trademarks, domain names, or patents plus general-purpose servers — all consistent with shutting the controversial Zango business. But in fact my testing reveals the opposite: Blinkx continues to run key aspects of Zango’s business: legacy Zango installations continue to function as usual and continue to show ads, and Blinkx continues to solicit new installations via the same methods, programs, and partners that Zango previously used. Furthermore, key Zango staff joined Blinkx, facilitating the continuation of the Zango business. Consider Val Sanford, previously a Vice President at Zango; her LinkedIn profile confirms that she stayed with Blinkx for three years after the acquisition. I struggle to reconcile these observations with the claim that Blinkx only purchased 10% of Zango or that the purchase was limited to “IP and hardware.” Furthermore, ex-Zango CTO Ken Smith contemporaneously disputed the 10% claim, insisting that “Blinkx acquired fully 100% of Zango’s assets.”
Blinkx has been equally circumspect as to the size of the ex-Zango business. In Blinkx’ 2010 financial report, Blinkx nowhere tells investors the revenue or profit resulting from Zango’s business. Rather, Blinkx insists “It is not practical to determine the financial effect of the purchased net assets…. The Group’s core products and those purchased have been integrated and the operations merged such that it is not practical to determine the portion of the result that specifically relates to these assets.” I find this statement puzzling. The ex-Zango business is logically freestanding — for example, separate relationships with the partners who install the adware on users’ computers. I see no proper reason why the results of the ex-Zango business could not be reported separately. Investors might reasonably want to know how much of Blinkx’s business comes from the controversial ex-Zango activities.
Indeed, Blinkx’s investor statements make no mention whatsoever of Zango, adware, pop-ups, or browser plug-ins of any kind in any annual reports, presentations, or other public disclosures. (I downloaded all such documents from Blinkx’ Financial Results page and ran full-text search, finding no matches.) As best I can tell, Blinkx also failed to mention these endeavors in conference calls or other official public communications. In a December 2013 conference call, Jefferies analyst David Reynolds asked Blinkx about its top sources of traffic/supply, and management refused to answer — in sharp contrast to other firms that disclose their largest and most significant relationships.
In March-April 2012, many ex-Zango staff left Blinkx en masse. Many ended up at Verti Technology Group, a company specializing in adware distribution. Myriad factors indicate that Blinkx controls Verti: 1) According to LinkedIn, Verti has eight current employees of which five are former employees of Zango, Pinball, and/or Blinkx. Other recent Verti employees include Val Sanford, who moved from Zango to Blinkx to Verti. 2) Blinkx’s Twitter account: Blinkx follows just nineteen users including Blinkx’s founder, various of its acquisitions (including Prime Visibility / AdOn and Rhythm New Media), and several of their staff. Blinkx follows Verti’s primary account as well as the personal account of a Verti manager. 3) Washington Secretaty of State filings indicate that Verti’s president is Colm Doyle (then Directory of Technology at Blinkx, though he subsequently returned to HP Autonomy) and secretary, treasurer, and chairman is Erin Laye (Director of Project Management at Blinkx). Doyle and Laye’s links to Blinkx were suppressed somewhat in that both, at formation, specified their home addresses instead of their Blinkx office. 4) Whois links several Verti domains to Blinkx nameservers. (Details on file.) Taken together, these facts suggest that Blinkx attempted to move a controversial business line to a subsidiary which the public is less likely to recognize as part of Blinkx.
The Legacy AdOn Business
In November 2011, Blinkx acquired Prime Visibility Media Group, best known for the business previously known as AdOn Network and MyGeek. I have critiqued AdOn’s traffic repeatedly: AdOn first caught my eye when it boasted of relationships with 180solutions/Zango and Direct Revenue. New York Attorney General litigation documents later revealed that AdOn distributed more than 130,000 copies of notorious Direct Revenue spyware. I later repeatedly reported AdOn facilitating affiliate fraud, inflating sites’ traffic stats, showing unrequested sexually-explicit images, and intermediating traffic that led to Google click fraud.
Similar problems continue. For example, in a February 2013 report for a client, I found a botnet sending click fraud traffic through AdOn’s ad-feeds.com server en route to advertisers. In an August 2013 report for a different client, I found invisible IFRAMEs sending traffic to AdOn’s bing-usa.com and xmladfeed.com servers, again en route to advertisers. Note also the deceptive use of Microsoft’s Bing trademark — falsely suggesting that this tainted traffic is in some way authorized by or affiliated with Bing, when in fact the traffic comes from AdOn’s partners. Moreover, the traffic was entirely random and untargeted — keywords suggested literally at random, entirely unrelated to any aspect of user interests. In other instances, I found AdOn receiving traffic directly from Zango adware. All told, I reported 20+ distinct sequences of tainted AdOn traffic to clients during 2013. AdOn’s low-quality traffic is ongoing: Advertisers buying from AdOn receive invisible traffic, adware/malware-originating traffic, and other tainted traffic that sophisticated advertisers do not want.
An AdOn staff member touts multiple incriminating characteristics of AdOn traffic.
Industry sources confirm my concern. For example, a June 2013 Ad Week article quotes one publisher calling AdOn “just about the worst” at providing low-quality traffic, while another flags “crazy traffic patterns.” In subsequent finger-pointing as to tainted traffic to OneScreen sites, OneScreen blamed a partner, Touchstorm, for working with AdOn — wasting no words to explain why buying from AdOn is undesirable. Even intentional AdOn customers report disappointing quality: In comments on a posting by Gauher Chaudhry, AdOn advertisers call AdOn “the reason I stopped doing any PPV [pay-per-view] … this is bot traffic”, “junk”, and “really smell[s] like fake traffic.” Of 31 comments in this thread, not one praised AdOn traffic quality.
Recent statements from AdOn employees confirm undesirable characteristics of AdOn traffic. Matthew Papke’s LinkedIn page lists him as Director of Contextual Ads at AdOn. But his page previously described AdOn’s offering as “pop traffic” — admitting undesirable non-user-requested pop-up inventory. His page called the traffic “install based” — indicating that the traffic comes not from genuine web pages, but from adware installed on users’ computers. See screenshot at right. All of these statements have been removed from the current version of Matthew’s page.
Problems at Blinkx.com: Low-Quality Traffic, Low-Quality Content, and Invisible Ads
Alexa reports a sharp jump in Blinkx traffic in late 2013.
Zango adware caused my computer to display this page from the Blinkx site, full-screen and without standard window controls.
Blinkx’s namesake service is the video site Blinkx.com. Historically, this site has been a bit of an also-ran — it’s certainly no YouTube! But Alexa reports a striking jump in Blinkx popularity as of late 2013: Blinkx’s traffic jumped from rank of roughly 15,000 worldwide to, at peak, rank of approximately 3,000. What could explain such a sudden jump?
In my automated and manual testing of Zango adware, I’ve recently begun to see Zango forcing users to visit the Blinkx site. The screenshot at right gives an example. My test computer displayed Blinkx full-screen, without title bar, address bar, or standard window buttons to close or minimize. See also a partial packet log, wherein the Blinkx site attributes this traffic to Mossysky (“domain=mossysky”), one of the Zango brand names. It’s a strikingly intrusive display — no wonder users are complaining, about their computers being unusable due to Blinkx’s unwanted intrusion. See e.g. a December 2013 Mozilla forum post reporting “my computer has been taken over by malware, half the links are inaccessible because of hovering links to Blinkx,” and a critique and screenshot showing an example of these hovering links. On a Microsoft support forum, one user reports Internet Explorer automatically “opening … numerous BLINKX websites” — as many as “20 websites open at one time, all Blinkx related.”
Moreover, Alexa’s analysis of Blinkx visitor origins confirms the anomalies in this traffic. Of the top ten sites sending traffic to Blinkx, according to Alexa, six are Blinkx servers, largely used to forward and redirect traffic (networksad.com, advertisermarkets.com, networksads.com, advertiserdigital.com, blinkxcore.com, and networksmarkets.com). See Alexa’s Site Info for Blinkx.com at heading “Where do Blinkx.com’s visitors come from?”
Strikingly, Zango began sending traffic to Blinkx during the winter 2013 holiday season — a time of year when ad prices are unusually high. Zango’s popups of Blinkx seem to have ended as suddenly as they began — consistent with Blinkx wanting extra traffic and ad revenue when ad prices are high, but concluding that continuing this practice at length risks excessive scrutiny from both consumers and advertisers.
Meanwhile, examining Blinkx.com, I’m struck by the lack of useful content. I used the Google search site:blinkx.com to find the parts of the Blinkx site that, according to Google, are most popular. I was directed to tv.blinkx.com, where the page title says users can “Watch full episodes of TV shows online.” I clicked “60 Minutes” and received a page correctly profiling the excellence of that show (“the granddaddy of news magazines”). But when I clicked to watch one of the listed episodes, I found nothing of the kind: Requesting “The Death and Life of Asheboro, Stealing History, The Face of the Franchise,” I was told to “click here to watch on cbs.com” — but the link actually took me to a 1:33 minute home video of a dog lying on the floor, “Husky Says No to Kennel”, syndicated from YouTube, entirely unrelated to the top-quality 60 Minutes content I had requested. (Screen-capture video.) It was a poor experience — not the kind of content likely to cause users to favor Blinkx’s service. I tried several other shows supposedly available — The Colbert Report, The Daily Show with Jon Stewart, Family Guy, and more — and never received any of the listed content.
In parallel, the Blinkx site simultaneously perpetrated a remarkable scheme against advertisers: On the video index page for each TV show, video advertising was triggered to play as I exited each page by clicking to view the supposed video content. Because the supposed content opened in a new tab, the prior tab remained active and could still host a video player with advertising. Of course the prior tab was necessarily out of visibility: Blinkx’s code had just commanded the opening of a new tab showing the new destination. But the video still played, and video advertisers were still billed. Screen-capture video.
Industry sources confirm concerns about Blinkx ad visibility. For example, a December 15, 2013 Ad Week piece reported Vindico analysis finding just 23% of Blinkx videos viewable (defined as just 50% of pixels visible for just one second). By Vindico’s analysis, an advertiser buying video ads from Blinkx suffers three ads entirely invisible for every ad visible even by that low standard — a remarkably poor rate of visibility. In contrast, mainstream video sites like CBS and MSN enjoyed viewability rates two to four times higher.
Putting the Pieces Together
Q3 ’13 Headcount
’13 Revenue ($mm)
revenue / headcount ($k)
Tremor
287
$148
$517
YuMe
357*
$157
$440
RocketFuel
552
$240
$434
Criteo
452
$240
$532
Blinkx
265**
$246***
$927
* Q3 ’13 headcount not available. 357 is 2012 year-end. S&M spend up ~50% in 2013. Adjusted revenue/headcount is $293k
** Q3 ’13 headcount not available. 265 is 2012 year-end. S&M spend up ~15% in 2013. Adjusted revenue/headcount is $803k.
*** 2013 revenue estimate based on Bloomberg consensus estimates
Comparing Blinkx’s revenues to competitors, I am struck by Blinkx’s apparent outsized success. See the table at right, finding Blinkx producing roughly twice as much revenue per employee as online video/display ad networks and advertising technology companies which have recently made public offerings. Looking at Blinkx’s sites and services, one doesn’t get the sense that Blinkx’s service is twice as good, or its employees twice as productive, as the other companies listed. So why does Blinkx earn twice as much revenue per employee? One natural hypothesis is that Blinkx is in a significantly different business. While other services make significant payments to publishers for use of their video content, my browsing of Blinkx.com revealed no distinctive content obviously licensed from high-quality high-cost publishers. I would not be surprised to see outsized short-term profits in adware, forced-visit traffic, and other black-hat practices of the sort used by some of the companies Blinkx has acquired. But neither are these practices likely to be sustainable in the long run.
Reviewing Blinkx’s statements to investors, I was struck by the opacity. How exactly does Blinkx make money? How much comes from the legacy Zango and AdOn businesses that consumers and advertisers pointedly disfavor? Why are so many of Blinkx’s metrics out of line with competitors? The investor statements raise many questions but offer few answers. I submit that Blinkx is carefully withholding this information because the company has much to hide. If I traded in the companies I write about (I don’t!), I’d be short Blinkx.
This article draws in part on research I prepared for a client that sought to know more about Blinkx’s historic and current practices. At my request, the client agreed to let me include portions of that research in this publicly-available posting. My work for that client yielded a portion of the research presented in this article, though I also conducted significant additional research and drew on prior work dating back to 2004. My agreement with the client did not oblige me to circulate my findings as an article or in any other way; to my knowledge, the client’s primary interest was in learning more about Blinkx ‘s business, not in assuring that I tell others. By agreement with the client, I am not permitted to reveal its name, but I can indicate that the client is two US investment firms and that I performed the research during December 2013 to January 2014. The client tells me that it did not change its position on Blinkx after reading my article. (Disclosure updated and expanded on February 4-5, 2014.)
I thank Eric Howes, Principal Lab Researcher at ThreatTrack Security, and Matthew Mesa, Threat Researcher at ThreatTrack Security, for insight on current Blinkx installations.
viewers
Alexa reports a sharp jump in Blinkx traffic in late 2013.
