There’s a type of software Google finds so sleazy that the company refers to it internally as “ooze.” That’s the pronunciation of the acronym at least: UwS, short for “unwanted software.” (Ooze, hereafter.)
Though malware garners outsized attention among security folk, regular people encounter ooze—a grayer cousin to outright malicious code—three times more often online, the search giant found in a study that it previewed exclusively with Fortune. According to Google’s (GOOG) data, people bump into 60 million browser warnings for download attempts of unwanted software at unsafe webpages every week.
Get Data Sheet, Fortune’s technology newsletter.
“From a threat space perspective, it’s a really big problem that a lot of the rest of the community hasn’t gotten on board to tackle yet,” Kurt Thomas, a research scientist on Google’s security team, told Fortune on a call.
What qualifies as ooze? Generally, any software that deceives people into downloading it. Ooze can include ad injectors that cram unwanted ads onto webpages, browser setting hijackers that change the defaults on a person’s web browser (for instance, by making a hijacker’s preferred search engine the standard), or “scareware” that urges a person to install it to “clean up” his or her computer.
In the shadier parts of what’s known as the “pay per install” economy, software developers make money by bundling applications with other objectionable software, leading to the ooze epidemic, the researchers note. The incentives reward deception aimed at maximizing downloads, regardless of the consumer experience or outcome. (What separates this from the “blackmarket” variety is that it asks for user consent, albeit often underhandedly.)
“These PPI companies are profiting by catering to unwanted software and assisting them in evading detection,” said Damon McCoy, assistant professor of computer science and engineering at New York University, which collaborated with Google on the study. “They legitimize this by including a thin veil of consent skirting the fine line between malware and unwanted software.”
For more on Google security, watch:
Of the 160 families of software identified as being distributed through the commercial “pay per install” ecosystem every week, the researchers found that 59% gets flagged as unwanted on VirusTotal, a Google-owned antivirus search engine. As more security tools have moved to block the junk, the developers have gotten creative, designing the ooze to juke—slyly morphing its signatures or fingerprints—to evade detection by Google’s “safe browsing” scanners, or antivirus engines.
The team is careful to point out that not all “pay per install” players are bad, necessarily. Several antivirus companies participate in the ecosystem for distribution, including AVG (AVG) (soon to merge with Avast), Lavasoft, Comodo, and Qihoo. Even big brands such as the Opera browser and Microsoft-owned (MSFT) Skype participate to some degree.
It’s big business. One of the largest commercial “pay per install” players—an Israeli firm called Perion Network—raked in $460 million in revenue in 2014, the researchers point out.
“One of the primary outcomes of this research is, we hope, to raise awareness from the research community at large and to focus more on techniques to help protect users,” Google Security’s Moheeb Abu Rajab told Fortune. He said he hopes the report, which the team plans to present at this year’s Usenix security symposium, will mobilize the parties involved—advertisers, publishers, affiliate networks, antivirus software firms, and web browser developers—to recognize the problem, and devise solutions.
In the meantime, people should be on watch for download portals that sucker people into bloating up their machines with sleazy software. Read the fine print: when a site recommends an “express” install option, make sure it isn’t trying to jam onto your computer a batch of other free offers, like disguised adware, spyware, or ooze.
