SoundCloud Downloader: Always Read the EULA(s)

SoundCloud Downloader: Always Read the EULA(s)

Uh oh

Up above, you can see a (sanitised) screenshot of a web-browser shortly after installing a “SoundCloud Downloader”.

The non-sanitised version has the words “spank me” written across the middle, and the mouse moves a hand – no, really – until you perform said task and are directed to what appears to be a porn / adult dating sign-up page.

Warning!

And that’s before we get to the really wild stuff. Be advised that if you go looking for tunes, you may be in need of a tune-up.

How did all of this come about?

downloadsoundcloud(dot)net

says it is the “easiest way to download songs directly to your computer….you can download any song on Soundcloud”.

Music time
Download time

At first it seems like a fairly standard install, with the usual assortment of programs that end-users may or may not want (probably “not”, given all they want to do is download music. But there’s always a trade-off…)

Some extras...

InstallPath Install Manager takes care of the “download and installation process of this file”, and additional software comes in the form of Surftastic, Mobogenie and Awesomehp.

Worth noting that if you read all of the listed EULAs and policy pages, you’re looking at something like 18,000 words to plough through. I say “something like”, because one of the pages isn’t text you can tally up – it’s one gigantic screenshot of text instead. Here’s the zoomed out version of the image:

text screenshot

I have to admit, that’s a new one on me.

Anyway, back to the install. This is where things took an unusual turn:

Well, okay...

“…we would like to install on your machine the following program that uses your CPU for virtual currency mining and other computational activities when it is idle / standby, this program does not interfere with normal operations of the processor while you are working on the machine”

Well, that sounds straightforward enough. But should you click the EULA, you may find yourself feeling a little…uncomfortable?

Er....wait, what?

1) “…not approved for use and may not be used within the countries of Canada, the United States of America, Spain, France, England, Ireland, Scotland, Germany, Italy”.

It doesn’t say why, but apparently the program won’t work if located in those countries and you need to both remove and delete all copies of the software. Here’s the bit that made me sit up and take notice:

2) “…may do but not limited to the following actions to your personal computer: utilize all computing processing unit and graphics processing unit, power, random access memory, virtual memory…network capacity and bandwidth and any other resources it sees fit, activate all fans and generate an unlimited amount of heat, and utilize an unlimited amount of electricity (outlet and battery). This may damage and cause irreparable harm to your computer”

That sound you hear is the ever increasing distance of my footsteps, breaking into a mad dash for freedom.

Elsewhere, I spotted some text I thought I’d seen somewhere before:

Deja Vu

COMPUTER CALCULATIONS, SECURITY: as part of downloading the PCDataApp software, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by PCDataApp or our affiliates are the sole property of PCDataApp and our affiliates.

Compare and contrast with the EULA information from a blog about toolbars we covered in November.

On the one hand, the people behind this bundle are being surprisingly upfront about the system stressing possibilities of a miner (assuming you click the links in the installer, otherwise you’re going to miss it). On the other hand, who would read all of the above and think “Yes please, sign me up”?

It’s very peculiar.

The VirusTotal score for the initial installer is 12 / 50, and Malwarebytes Anti-Malware detect it as PUP.Optional.Amonetize.A. Here are some of the more unique additional names being used by the executable, courtesy of the VirusTotal Additional Information tab:

DownloadSetup__2299_i465318329_il3.exe The Palestine Israel Conflict Downloader__3687_i465117495_il3646208.exe DownloadSetup__2299_i465318327_il3.exe Canli.Mac.izle.ve.Ucretsiz.Yetiskin.Kanalla__2299_il33.exe Free.Premium.Download__2299_i465610277_il306.exe Launcher__3687_il3714493.exe Launcher__2299_i466083271_il245.exe Grave Robber from quot Repo the Genetic Opera quot Zydrate Anatomy__3055_il3228117.exe DownloadSetup__2299_i465318272_il3.exe Grave Robber from quot Repo the Genetic Opera quot Zydrate Anatomy__3055_il3228561.exe Launcher__2299_il8540.exe Launcher__3818_il3191792.exe Launcher__2299_i465596167_il245.exe DownloadSetup__2299_i465318357_il3.exe Launcher__3931_il3711053.exe Launcher__2299_i465613587_il245.exe WinActivarorKMS__2299_i465809060_il1736715.exe GPUMonitor__2348_i465306654_il1444.exe

You may also want to take a look at the Malwr.com sandbox analysis.

The mining EULA from this particular install is certainly a little eyebrow raising, and then there’s the issue of your web browser displaying an amazingly overt “this has nothing to do with me” advert sitting in the middle of the page (good luck explaining that one to whichever random relative happens to be in the room at the time).

If you want to listen to music on Soundcloud, you’re probably better off just streaming it like everybody else.

Christopher Boyd (Thanks to Jerome and Adam for additional information)

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.