Threat Research

Can you spot a deceptive installer?

Christopher Budd, 22 April 2021

If a program costs something on a trusted site but is free somewhere else, there’s something suspicious going on

Have you ever downloaded a program you needed, only to realize that it’s actually something else? And then had your antivirus software flag it? It can be confusing and upsetting to fall for a deceptive installer and the Avast Threat Labs can help you learn how to avoid them.

When you fall for a deceptive installer, you get malware or software you didn’t expect, instead of what you thought you were getting. Fortunately, in addition to the protections that Avast provides you, there are ways you can spot deceptive installers and prevent this from happening altogether. Here are tips from our researchers based on what we’ve seen.

Let’s walk through the process with this example of a game that’s available on a well-known, global gaming site for three Euro (a little over three dollars).

However, if you go to an unofficial download site, they’re offering you that same game for free, as shown below.

This should be your first clue that there is something fishy on this download portal. As a rule, if a game or program costs something on a well-known, trusted site but is free somewhere else, it’s likely not really free. There’s something suspicious going on.

In this example, if you click on the download button you’re taken to a download page, like below, with the game in question (along with other games) available for “free” download.

Here comes another clue to help you spot fakes: the file names of the downloads all follow the pattern <name_of_the_program>_number.exe.

It’s highly unusual for legitimate games or programs to use filenames like this. Specifically, most legitimate games or programs won’t have “_number” in their file names.

In fact, when we looked at all the files on this page: 

DeathSpank_03761.exe

Death Inc._20157.exe

Pimp My Car GTA San Andreas_86021.exe

GTA IV Parche_30429.exe

Death and the Fly_72819.exe

Death From Above_52193.exe

We found that they were all actually the same file by using a tool that checks the actual file contents. This tool generates a “hash”, which is essentially a fingerprint of the file, and, as you can see below, all of these files have the same hash. The only thing that differs is the file name.

d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *DeathSpank_03761.exe

d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Death Inc._25601.exe

d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Death Inc._20157.exe

d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Pimp My Car GTA San Andreas_86021.exe

d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *GTA IV Parche_30429.exe

d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Death and the Fly_72819.exe

d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Death From Above_52193.exe

The file that claims to be the game you’re interested in is actually only a small part of the installer. When you run the installer, it:

  1. Looks at its own filename, for example DeathSpank_03761.exe.

  2. Extracts the trailing number (03761) and sends it to a server along with some information about the computer.

  3. The server then looks up the number in its database and sends back a download link along with offers to install more software.

  4. The installer runs, using various techniques to convince you to install additional software that you didn’t know you’d be getting.

  5. In the end, the installer only shows a link to a questionable site, and it does not install what you expected.
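The two clues above, the <name>_number.exe naming pattern and identical hashes behind different file names, can be checked automatically when triaging a folder of downloads. The script below is an added example for this post, not Avast’s tooling; the sample files and their contents are constructed inline, and the five-digit suffix rule is an assumption based on the names seen on this portal.

```python
import hashlib
import re
from collections import defaultdict

# Names of the form <name_of_the_program>_<number>.exe. The portal described
# above used five-digit suffixes, so that is what this heuristic looks for.
SUFFIX_RE = re.compile(r"^(?P<name>.+)_(?P<id>\d{5})\.exe$", re.IGNORECASE)


def parse_stub_name(filename):
    """Return (program_name, trailing_number) if the name fits the pattern, else None."""
    m = SUFFIX_RE.match(filename)
    if not m:
        return None
    return m.group("name"), m.group("id")


def sha256_hex(data):
    """Fingerprint of the file contents, the same check the post describes."""
    return hashlib.sha256(data).hexdigest()


def find_renamed_stubs(files):
    """files: iterable of (filename, bytes).
    Returns {sha256: [filenames]} for every hash shared by differently named files."""
    by_hash = defaultdict(list)
    for name, data in files:
        by_hash[sha256_hex(data)].append(name)
    return {h: names for h, names in by_hash.items() if len(set(names)) > 1}


def triage(files):
    """Flag files whose name fits the pattern AND whose contents also appear
    under another name. Returns [(filename, trailing_number, sha256), ...]."""
    shared = find_renamed_stubs(files)
    flagged = []
    for name, data in files:
        parsed = parse_stub_name(name)
        digest = sha256_hex(data)
        if parsed and digest in shared:
            flagged.append((name, parsed[1], digest))
    return flagged


# Constructed sample input: one fake stub body offered under several game
# names, plus an unrelated file that should not be flagged. Not real PE files.
STUB = b"MZ" + b"\x00" * 62 + b"constructed stub body"
OTHER = b"MZ" + b"\x00" * 62 + b"some other program"
SAMPLE_FILES = [
    ("DeathSpank_03761.exe", STUB),
    ("Death Inc._20157.exe", STUB),
    ("GTA IV Parche_30429.exe", STUB),
    ("Death From Above_52193.exe", STUB),
    ("setup.exe", OTHER),
]

if __name__ == "__main__":
    for name, number, digest in triage(SAMPLE_FILES):
        print(f"{name}: suffix={number} sha256={digest[:16]}...")
```

Version-like suffixes can also match the name rule on their own, which is why a file is only flagged when the hash check agrees.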

Here’s what you see as that process unfolds.

Step 1: The installer starts to run and shows a generic message because it doesn’t yet have information on what it’s going to install. Also note that this was a Spanish-language download page, but the installer is in English. This is another sign that something suspicious is going on, since the installer doesn’t match the language of the page.

By contrast, this is what the legitimate installer for this game looks like when you’re purchasing it:

Step 2: The installer has completed steps 2 and 3 above and now has enough information to show the name of the game you thought you were getting. Note also that the installer has switched back to Spanish. This is because in steps 2 and 3 it received information from the server indicating that you thought you were getting a Spanish-language download. This “language flip” in the installation process is another clue that something suspicious is going on.

The data from the server arrived and the installer switched back to Spanish.

After you click next, the installer starts offering you other software you didn’t ask for and tries a number of techniques to get you to install it. For example, on the first offer screen below, to avoid installing the product you have to untick a miniature checkbox.

On the next offer screen, if you don’t want the offered software, you have to do something different: click “Decline”.

On the third offer screen, you have to untick another miniature checkbox.

On the fourth offer screen, to avoid the offered software you have to click a “Decline” button again. And on this screen they’ve removed the “Back” button, which makes it harder to abort the installation process.

When you’re going through this process, you’re presented with screen after screen that you have to pick your way through in order to find the right way to decline the offered software. This is by design and is another clue that this isn’t what you thought it was. These screens are designed to confuse and frustrate you, making it more likely that you’ll accept the software. They also make it hard to end the session on the last screen.

If you’ve navigated this far and move forward, it seems like you’re finally getting the game you came here for in the first place because you get a “Thank you” page.

However, the game you wanted isn’t actually installing. Instead you’re presented with yet another download link to a seemingly random and potentially malicious site.

At the end of this all, you may or may not have the software that you wanted in the first place. You may have other software that you didn’t want. And you may actually have malware on your system as well.

Avast is often able to detect these installers, or the malware that may be downloaded in this process, as malicious and raise an alert. That can be confusing to people because they think they’re getting something legitimate but, as we’ve seen, they’re not. In this case the alert is correct because our technology has detected the hidden scam.

You can avoid the dangers of these kinds of deceptive installers by looking for the clues and following the tips I’ve outlined in this posting:

  1. If an offer is too good to be true, like a game or software for free that’s normally not free, be suspicious.

  2. If a program you want is being offered on a website outside of an official app store or the program maker’s website, be suspicious.

  3. If you begin to install something and the language of the installer changes, be suspicious.

  4. If the installer is offering you multiple applications that you didn’t want or didn’t expect, be suspicious.

  5. If the installer ends without actually installing what you expected it to install, be very suspicious.

  6. If you’re suspicious about an installer, end it immediately. If you can’t find an exit button for it (they sometimes don’t have one) you can always hit CTRL-ALT-DEL and bring up the list of running programs, highlight the installer and click “End Task” on Microsoft Windows.

  7. If your security software raises a warning about what you’re installing, trust it and let it help protect you and your computer.

  8. If you get to the end of an installer like this and realize that it’s not what you want, go ahead and uninstall everything that was installed and run a full scan of your system using Avast (or whichever security software you use).

If you understand how these installers work, you can better protect yourself from the nasty surprises of unwanted software and malware that they can leave for you. If you look for the clues and follow the tips I’ve outlined, that can help you ensure that you’ve only got the applications and games you want and expect on your system.