Pay-per-install (PPI) services have been an integral part of the e-crime ecosystem for a considerable amount of time. PPI services monetize the wide dissemination of malware by providing malware operators with mass geo-targeted installs (also known as loads) in exchange for money. A malware operator provides payment, malicious payloads and targeting information, while the PPI service oversees or outsources the distribution and delivery. The accessibility and moderate cost of these services serve as another weapon in the arsenal of malware operators for rapid, bulk and geo-targeted malware infections.
Our focus in this research has been on PrivateLoader, an undocumented downloader connected to an unidentified PPI service that delivers a panoply of malware payloads to infected systems. The loader is distributed by a network of websites that allegedly offer downloads of cracked versions of popular software.