If a program costs something on a trusted site but is free somewhere else, there’s something suspicious going on
Have you ever downloaded a program you needed, only to realize that it’s actually something else? And then had your antivirus software flag it? It can be confusing and upsetting to fall for a deceptive installer — and the Avast Threat Labs can help you learn how to avoid them.
When you fall for a deceptive installer, you get malware or software you didn’t expect, instead of what you thought you were getting. Fortunately, in addition to the protections that Avast provides you, there are ways you can spot deceptive installers and prevent this from happening altogether. Here are tips from our researchers based on what we’ve seen.
Let’s walk through the process with this example of a game that’s available on a well-known, global gaming site for three Euro (a little over three dollars).
However, if you go to an unofficial download site, they’re offering you that same game for free, as shown below.
This should be your first clue that there is something fishy on this download portal: As a rule if a game or program costs something on a well-known, trusted site but is free somewhere else, it’s likely not really free. There’s something suspicious going on.
In this example, if you click on the download button you’re taken to a download page, like below, with the game in question (along with other games) available for “free” download.
Here comes another clue to help you spot fakes: the file names of the downloads follow a pattern of: <name_of_the_program>_number.exe.
It’s highly unusual for legitimate games or programs to use filenames like this. Specifically, most legitimate games or programs won’t have “_number” in their file names.
In fact, when we looked at all the files on this page:
Pimp My Car GTA San Andreas_86021.exe
GTA IV Parche_30429.exe
Death and the Fly_72819.exe
Death From Above_52193.exe
We found that they were all actually the same file by using a tool to digitally check the actual file contents. This tool generates a “hash” which is essentially a fingerprint of the file and, as you can see below, all of these files have the same hash. The only thing different is the file name.
d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Death Inc._25601.exe
d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Death Inc._20157.exe
d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Pimp My Car GTA San Andreas_86021.exe
d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *GTA IV Parche_30429.exe
d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Death and the Fly_72819.exe
d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Death From Above_52193.exe
The files that claim to be the game that you’re interested in is actually only a small part of the installer. When you run the installer it:
Here’s what you see as that process unfolds.
Step 1: The installer starts to run and shows a generic message because it doesn’t have information yet on what it’s going to install. Also note that this was a Spanish-language download page, but the installer is in English. This is another tip that something suspicious is going on, since the installer doesn’t match the language of the page.
By contrast, this is what the legitimate installer for this game looks like when you’re purchasing it:
Step 2: The installer has done steps 2-3 above and gotten enough information to show what game name you thought you were getting and shows it in the installer. Note also that the installer has switched back to Spanish. This is because in steps 2 - 3 above, it got information from the server indicating that you thought you were getting a Spanish-language download. This “language flip” in the installation process is another clue that something suspicious is going on.
The data from the server arrived and the installer switched back to Spanish.
After you click next, the installer starts offering you other software you didn’t ask for and tries a number of techniques to get you to install them. For example, in this one below, to not install the product, you have to unclick the miniature checkbox.
In this example, if you don’t want to install the offered software, you have to do something different — in this case, click “Decline”.
On the third offer screen that comes up, you have to to unclick another miniature checkbox.
On the fourth offer screen, to avoid the offered software you have to click a “Decline” button again. And on this screen they’ve removed the “Back” button, which makes it harder to abort the installation process.
When you’re going through this process, you’re presented with screen after screen that you have to pick your way through in order to find the right way to decline the offered software. This is by design and another clue that this isn’t what you thought it was. These screens are designed to confuse and frustrate you, making it more likely that you’ll accept the software. It also makes it hard on the last screen to end the session.
If you’ve navigated this far and move forward, it seems like you’re finally getting the game you came here for in the first place because you get a “Thank you” page.
However, the game you wanted isn’t actually installing. Instead you’re presented with yet another download link to a seemingly random and potentially malicious site.
At the end of this all, you may or may not have the software that you wanted in the first place. You may have other software that you didn’t want. And you may actually have malware on your system as well.
Avast is often able to detect these installers or the malware that may be downloaded in this process as malicious and raise an alert. That can be confusing to people because they think they’re getting something legitimate but, like we’ve seen, they’re not. In this case the alert is correct because our technology has detected the hidden scam.
You can avoid the dangers these kinds of deceptive installers by looking for the clues and following the tips I’ve outlined in this posting:
If you understand how these installers work, you can better protect yourself from the nasty surprises of unwanted software and malware that they can leave for you. If you look for the clues and follow the tips I’ve outlined, that can help you ensure that you’ve only got the applications and games you want and expect on your system.
Avast researchers have discovered fleeceware apps with over a billion downloads and over $400 million in revenue on the Apple App Store and Google Play Store. Learn about the mechanics of these scams as well as how to prevent falling victim to them.
Avast Threat Labs researchers have looked into OnionCrypter, a crypter that uses techniques to make it harder for researchers and security software to read the information that it protects.