I guess most people are aware of OpenCandy by now. For those who are not, here is a short explanation courtesy of Wikipedia:
OpenCandy is an advertising software module consisting of a Microsoft Windows library that can be incorporated into a Windows installer. When a user installs an application that includes the OpenCandy library, there is an option to install additional software that it recommends (based on a scan of the user’s system and location).
These types of advertising modules are often included by freeware developers with their products to help generate revenue for their projects. Developers first began utilizing OpenCandy way back in late 2008, but it wasn't until more recently, after the practice had spread considerably, that OpenCandy came to prominence and under the microscope. There is little doubt that this type of installer add-in has the potential to be misused. By design it must scan the host system and collect data in order to identify which software would best suit the user, and then offer its recommendations. It's nigh on impossible for an end user to ascertain the exact nature of the data collected; we can only take the associated privacy statements at their word. So it is pretty much self-regulatory, and there is certainly an element of trust involved.
OpenCandy has recently suffered a couple of hiccups which, according to them, were caused by software developers ignoring mandatory requirements in the distribution agreement. But OpenCandy itself is now generally considered to be benign and trustworthy… that's certainly my opinion.
So how can we assess the legitimacy, honesty and integrity of any new similar service offering its module to freeware developers? While such services are in their infancy, and until they actually establish a reputation, it's not easy. But we can perform a little research: check how the service is rated by reputation services and AV vendors, look at who its affiliates and partners are, and generally hunt around for any and all information which might help. You're probably not going to achieve a 100% definitive result, but you'll often gain a very good indication.
Mark Williamson, over at FreewareBB (our recommended freeware download site), has already done the legwork on two such new modules, one called Solimba and another called Somoto. I followed up with some research of my own; here are Mark's reports with my opinions appended. (I must add that I haven't yet identified any freeware which includes either the Solimba or Somoto advertising module.)
Solimba
FreewareBB classification: Adware
From the owners website:
Solimba is an advertising agency that develops solutions for monetizing online traffic, its primary focus being the software download market.
Our take on Solimba: Like most revenue-generating add-ons, Solimba would appear to be an advertising add-on, similar to OpenCandy, where developers of freeware can bundle offers of further downloads from Solimba. If an install contained Solimba, it would offer the user alternative and additional recommendations for download and, if the person installing agrees to accept the additional recommendation, it will download and install it. If the user declines the recommendation, no further details will be processed by Solimba.
Our Recommendation: We have no reason to believe, and can find little evidence, that Solimba can be harmful to your computer, although it can cause an annoyance as it isn't known what software they will promote. Although we can't consider it harmful as such, we would recommend not installing any third-party recommendations.
Jim Says: Sophos reports the recent appearance of a trojan named Solimba, as do several other well-respected AV vendors, including Emsisoft and BitDefender. Some define it as a trojan, others as adware. Not sure if it's the same 'Solimba', but it seems coincidental and definitely suspect.
Also, I checked the list of 'Partners' on Solimba's home page, six in total. All but one are rated negatively by WOT; for the sixth I could not locate the site. Of the five I was able to locate, three are rated Red (high risk) and two Amber. This does not sound like the type of partners a responsible/honest organization would go looking for or want to be associated with. In my opinion, highly dubious.
Somoto
FreewareBB classification: Adware/malware
From the owners website:
Somoto was founded by experienced web and shareware industry entrepreneurs who recognized that freeware and shareware developers are in a constant quest to improve software functionality, revenue and distribution. We have made it our mission to provide freeware and shareware developers with a straightforward and simple method to monetize, enhance and distribute their offerings.
What will Somoto do?: It is thought that Somoto not only offers publishers the opportunity to monetize their installers by offering additional downloads, but may also provide the opportunity for developers to push "trial" versions and monetize on aggressive marketing for users to purchase the full versions.
It's also been suggested on more than one website (based on user experience) that Somoto can and does hijack browsers and can cause drive-by downloads. Whether this is via their own methods or due to the software they recommend for download we're not sure, but either way, users report these issues after noticing Somoto.
Our take on Somoto: Initially, it would appear Somoto is nothing more than an OpenCandy alternative, pushing recommendations, although on further investigation across the web it would appear that some users are highlighting this distributor as malicious, suspicious and questionable.
Our Recommendation: Personally, if I noticed Somoto appearing in any download on our site, I’d prefer to remove the listing and remove the potential for damage.
Jim Says: Evidence to date indicates Somoto may well be high risk. The Somoto site is rated Red by WOT, with the lowest ratings possible (all ones). And there are enough user reports of malicious behavior to at least suggest that Somoto should be avoided.
Identifying and avoiding these new installer add-ins depends largely on what requirements the distribution agreement enforces on participating developers. Transparency is key: if the companies behind Solimba and Somoto follow OpenCandy's example and insist on full disclosure, meaning the bundled offer is clearly presented during installation, requires the user's consent, and installs nothing when declined, it shouldn't be a problem. If, on the other hand, no such conditions are imposed… big problem! Bear in mind, too, that an agreement only protects users when developers honor it; OpenCandy's own hiccups were put down to developers ignoring its mandatory requirements.
We published an article some time back which includes advice on how you might avoid these types of installer add-ins: Freeware and the bundling of extras.
No freeware download site can offer a 100% guarantee, but if you stick with a source known to make every effort to identify and/or eliminate products which include unwanted or malicious add-ins, that is certainly a huge step in the right direction. That's one of the reasons DCT recommends FreewareBB.
Thanks to Mark for the legwork and excellent appraisals.