The Daily Swig Web security digest

Named and shamed: AppEsteem marks a new chapter in the fight against deceptive software

James Walker | 14 March 2018 at 10:34

After forcing a sharp reduction in the number of utility apps that exist to deceive consumers, AppEsteem has now set its sights on software bundlers.

Life is about to get much more difficult for unethical software bundlers who try to sneak additional apps onto users’ devices, as AppEsteem prepares to expand its successful Deceptor program.

Founded in 2016 and led by a team of infosec industry veterans, AppEsteem identifies apps and services that may harm consumers by applying a stringent set of ‘Deceptor’ requirements. These check, for example, whether an app presents too many confusing ‘offers’ during the download process, installs unrelated (and often unwanted) components, or otherwise deceives users.

The company developed these requirements with input from some of the world’s leading cybersecurity companies, software vendors, consumer groups, and regulators, to help ensure that consumers fully consent to what happens on their devices, aren’t unpleasantly surprised, and don’t feel cheated.

In addition to combing the internet on its own for Deceptor candidates, AppEsteem learns of potential Deceptors through apps submitted by cybersecurity companies, software vendors, and the broader public, who can submit details of misleading software directly.

In a further effort to help boost transparency in the app space, vendors can also whitelist their software through AppEsteem’s certification program.

Bundlers beware

Since March 2017, the Bellevue, Washington-based company has identified more than 300 Deceptors – many of which came from the notorious ‘system optimizer’ or ‘registry cleaner’ stable of software utilities.

According to AppEsteem, a quarter of these software applications have now cleaned up their act, and many others have stopped distributing altogether.

Following its successful push against underhand utility software developers, AppEsteem is now turning its focus to another subsector of the app space that’s notorious for unethical and aggressive practices: software bundlers.

Beginning in April, the company will publicly disclose a list of bundlers it believes are Deceptors, including details about the alleged violations, on its website. The information will also be fed through to antivirus companies, which will flag the listed apps and remove them from users’ devices.

According to AppEsteem CEO Dennis Batchelder, the app distribution market is worth hundreds of millions of dollars each year. And in an effort to maximize the fees paid from advertisers, devious bundlers have been relying on “trickery and deceit” to induce more installs.

“No matter how much you read the fine print, you still end up with extra crap on your device,” Batchelder told The Daily Swig. “We’ve all been there. That’s the next battle we’re fighting.

“There’s a lot of money in it for those companies to get extra software on the box. Ad vendors all pay to get their software onto users’ devices.”

Ahead of the launch of its software bundler initiative, AppEsteem has been working with the world’s leading antivirus software vendors, who have agreed to take part in the project.

“We’ve got the AVs aligned,” said Batchelder. “We’ve served up notice to all these bundlers that April 1 is the big day, and if they don’t clean up their act they are going to get labelled as Deceptors and they are going to get moved off devices.”

Bad apples

Batchelder and AppEsteem COO David Finn are both former Microsoft staffers, drawn from a pedigree of infosec experts tasked with solving the age-old problem of apps that distribute junkware and malware to users’ devices.

“There’s not full transparency,” Finn told The Daily Swig. “There’s been this invidious deception of people that’s gone on for years and years. Our effort is to expose this and solve the problem for consumers in a new way.”

AppEsteem isn’t alone in the fight against deceptive software. Earlier this month Microsoft implemented new changes to its anti-malware evaluation criteria, which will force the removal of PC cleaner and optimizer programs that use underhand tactics to pressurize customers into buying premium versions of their software.

But why has it taken so long for the industry to address this problem?

“The reason why all of these Deceptor apps exist is because AVs are traditionally tuned to fighting the worst wrongdoers – the really bad guys who are distributing malware, viruses, and worms,” said Batchelder.

“However, when you get into this ‘unwanted’ space, this grey area, you have a bunch of lawyers, and you have real companies with real brands who are just being super aggressive.

“The AVs aren’t equipped to stop them, so they need a company like us who unites them and who will take the brunt of the pushback.”

Consumer haven

AppEsteem was created under a vision of a world in which consumers can install and use apps without fear. According to Finn, that world can only exist if Deceptor bundlers are held accountable for the harm they cause.

It might have taken a while to get here, but the rollout of AppEsteem’s latest initiative on April 1 will no doubt put incredible pressure on publishers, who now risk having their app distribution channels blocked.

“By giving fair warning to bundlers, we hope they will all take a hard look at what they are doing, and those who need to will clean up now – for the sake of all consumers,” said Finn. “But if they continue to put profits ahead of consumers, we won’t hesitate to call them out.”