Automated analysis of freeware installers promoted by download portals

Alberto Geniola, Markku Antikainen*, Tuomas Aura

*Corresponding author for this work

Research output: Contribution to journalReview Articlepeer-review

1 Citation (Scopus)
422 Downloads (Pure)


We present an analysis system for studying Windows application installers. The analysis system is fully automated from installer download to execution and data collection. The system emulates the behavior of a lazy user who wants to finish the installation dialogs with the default options and with as few clicks as possible. The UI automation makes use of image recognition techniques and heuristics. During the installation, the system collects data about the system modification and network access. The analysis system is scalable and can run on bare-metal hosts as well as in a data center. We use the system to analyze 792 freeware application installers obtained from popular download portals. In particular, we measure how many of them drop potentially unwanted programs (PUP) such as browser plugins or make other unwanted system modifications. We discover that most installers that download executable files over the network are vulnerable to man-in-the-middle attacks. We also find, that while popular download portals are not used for blatant malware distribution, nearly 10% of the analyzed installers come with a third-party browser or a browser extension.

Original languageEnglish
Pages (from-to)209-225
Number of pages17
JournalComputers and Security
Publication statusPublished - 1 Aug 2018
MoE publication typeA2 Review article, Literature review, Systematic review


  • Man-in-the-middle Malware
  • Pay-per-install
  • Potentially-unwanted program
  • UI-automation


Dive into the research topics of 'Automated analysis of freeware installers promoted by download portals'. Together they form a unique fingerprint.

Cite this