One name that frequently crops up as a PUP (potentially unwanted program) is OpenCandy, although its makers strongly deny that it’s malware. David Crookes takes a closer look.
What is it?
OpenCandy (opencandy.com) is an advertising plug-in that many software developers now include within their installers. It allows them to recommend other developers’ tools during the installation process, and give users the option of accepting or declining the additional software. If a user decides a recommended product looks interesting and accepts it, the extra program is then automatically installed.
Who is behind OpenCandy?
The idea came to life in 2008 when the team behind Stage6, a video-sharing website owned and operated by DivX (www.divx.com), noticed that the DivX player gave users the option of installing the Yahoo Toolbar. In the first nine months, this generated 250 million downloads and netted DivX $15.7 million (£10.6 million). Eight of the Stage6 team decided this would be a good basis for a business and went on to set up OpenCandy.
Who uses the OpenCandy platform?
Some of the biggest names in computing. Wikipedia lists more than 60 programs that have integrated OpenCandy into their installers, including lots of popular and respectable applications ranging from AOL Instant Messenger and CutePDF to Winamp and uTorrent. On its website, OpenCandy also highlights several high-profile names that advertise via its service, such as Microsoft, Opera, AVG and PasswordBox. Microsoft, for example, has used OpenCandy to advertise Skype, giving users the option to quickly download and install the software when they install another program. Opera, meanwhile, has used OpenCandy to increase take-up of its browser.
Why do companies use OpenCandy?
Quite simply, to make money, because more and more people appear reluctant to buy software. OpenCandy is akin to an advertising network and developers pay a small fee every time someone installs their software via a recommendation. This cash is then split between OpenCandy and the developer who allowed the program to be advertised with the installer of their product.
Do people actually accept its offers?
OpenCandy spans more than 180 countries and it claims its advertising model leads to up to 50 times higher payouts than display advertising. It also says that 95 per cent of software installers are now monetised, and that it achieves “100 million installs per month” (opencandy.com/monetize).
So why do some people think OpenCandy is a problem?
The main complaint is that OpenCandy is attempting to capitalise on users who don’t pay attention when they install software. Rather than read every word on the screen, a great many of us skip over a program’s terms and conditions, agree to everything and click Next from window to window until the program finishes installing. This is potentially dangerous because you might unwittingly accept the installation of extra items you would otherwise never have considered. You’ll only realise these unwanted tools are on your PC when they start making changes to your system.
What are the consequences of this?
If you’re not paying attention, you could end up with all kinds of unwanted software cluttering up your hard drive. Your browser’s search engine may also be changed, which can scare you into believing that your machine has been infected by malware, when it’s actually something you accidentally agreed to.
Is OpenCandy illegal, then?
No, because it doesn’t install anything on your computer without asking for your express permission. If you’re eagle-eyed and decline all the offers, OpenCandy won’t install anything apart from the program you originally set out to install.
But isn't OpenCandy morally wrong?
That is open to debate and is certainly controversial. Officially, OpenCandy says in its FAQs: “we do not play clever games or trick users into installing software”, but those who have experienced it say otherwise. The ‘Accept Offer’ options on recommendation pages are sometimes in exactly the same position as the Next button on other pages, making it look like they are a fundamental part of the installation. Certainly, in most cases, the acceptance options are pre-ticked. More sneakily, an OpenCandy End User License Agreement can also be bundled with the EULA of the program you’re downloading so that when you accept it, you are in fact granting OpenCandy permission, too. This is why it’s so important to be on your guard.
Isn't this some sort of malware?
This is where things become murky again. As we've already explained, OpenCandy is asking for permission even though many people may not notice it. However, once it has a hold of your computer, it does seek to install products. The programs it recommends are based to a degree upon the software you already have on your computer, so it stands to reason that the only way it could possibly work this out is by scanning your machine.
If nothing else, OpenCandy is adware. Indeed, some security companies, including Malwarebytes and ESET, actually flag it as such and let you remove it as you would other threats. The company behind OpenCandy says that the only reason it is detected as a threat by some security tools is because an unscrupulous company once bundled it with their software without including the EULA.
Does OpenCandy gather any information?
Yes. It sends anonymous statistics about installations to developers but it promises that it doesn’t gather or share any personally identifiable information. It collects your time zone, language settings and details of the software installed on your system, including the operating system and the default browser. OpenCandy says it also records the IP address of a computer during the installation (and uninstallation) process for geographical information. It says this data is used to make better recommendations.
Are computers being put in danger?
It would appear not. OpenCandy says that every program it recommends through its service is carefully vetted so that only programs which are entirely safe are let through. But, for many users, that misses the point. Ultimately, if you’re not carefully noting each stage of an installation, OpenCandy is a potential nuisance, putting programs on your computer that you then have to go to the trouble of uninstalling. As we say in our cover feature, people should be able to simply download the programs they want without any hidden surprises.
HOW CAN I AVOID INSTALLING OPENCANDY?
There are a few tricks you can try to completely avoid installing any unwanted programs via OpenCandy, all of which the company is very open about:
• Disconnect your computer from the internet while you’re installing any software. OpenCandy is a cloud-based service that accesses the web for current recommendations; if you don’t have an internet connection, it shouldn’t bother you.
• When you install a program on your PC, use Ninite (ninite.com). This generates its own installer, which unticks any unwanted extras, so there’s no chance of you unwittingly accepting an unwanted offer.
• Run the program installer from the command line with the /NOCANDY switch.
• Delve into your firewall and add a domain block for ‘*.opencandy.com’ to stop the program accessing the web.
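To check that a ‘*.opencandy.com’ block covers what you expect, the added example below (not code from OpenCandy or from any firewall product) applies the rule to DNS query log lines and lists the PCs that tried to reach the service. The log format, hostnames and addresses are constructed for illustration, and treating the bare domain opencandy.com as blocked is an assumption you can switch off.

```python
import re

BLOCKED_SUFFIX = "opencandy.com"  # from the article's '*.opencandy.com' rule

# Constructed DNS query log lines (hypothetical format, hostnames and clients).
SAMPLE_LOG = """\
2024-05-01T10:00:01 client=192.168.1.20 query=api.opencandy.com. type=A
2024-05-01T10:00:02 client=192.168.1.20 query=CDN.OpenCandy.com type=A
2024-05-01T10:00:03 client=192.168.1.21 query=notopencandy.com type=A
2024-05-01T10:00:04 client=192.168.1.21 query=opencandy.com.example.net type=A
2024-05-01T10:00:05 client=192.168.1.22 query=opencandy.com type=AAAA
2024-05-01T10:00:06 client=192.168.1.22 query=ninite.com type=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<host>\S+)\s+type=\S+$"
)


def normalise(host):
    """Lower-case the name and drop the trailing root dot some logs include."""
    return host.strip().rstrip(".").lower()


def is_blocked(host, suffix=BLOCKED_SUFFIX, include_apex=True):
    """True if host falls under '*.suffix'; the apex itself is optional."""
    host = normalise(host)
    if host == suffix:
        return include_apex
    # Require a label boundary: a plain endswith(suffix) would also match
    # look-alikes such as 'notopencandy.com'.
    return host.endswith("." + suffix)


def flag_queries(log_text, include_apex=True):
    """Return (timestamp, client, host) for every query the rule would block."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and is_blocked(m["host"], include_apex=include_apex):
            hits.append((m["ts"], m["client"], normalise(m["host"])))
    return hits


def clients_to_review(log_text):
    """PCs that queried a blocked name, i.e. likely ran a bundled installer."""
    return sorted({client for _, client, _ in flag_queries(log_text)})


if __name__ == "__main__":
    for hit in flag_queries(SAMPLE_LOG):
        print(*hit)
```

A strict wildcard covers subdomains only, so if your firewall follows that reading, add a second entry for the bare domain.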