Fact-checked by Grok 2 weeks ago

installCore

InstallCore was a software installation and distribution platform developed by the Israeli company ironSource, designed to help developers bundle and deliver applications to users across desktop platforms. Launched in 2010, it facilitated the monetization of software downloads by integrating third-party offers, but became widely criticized for deceptive bundling practices that installed adware and other potentially unwanted programs (PUPs) without clear user consent. The platform operated by wrapping legitimate installers with additional payloads, often using opt-out interfaces that made it easy for users to inadvertently accept unwanted software during setup. Security vendors, including Microsoft and Malwarebytes, classified InstallCore variants as PUPs due to behaviors like process injection, browser modifications, and unauthorized file additions. By 2012, InstallCore reportedly handled over 100 million monthly installs, underscoring its scale in the software distribution ecosystem before facing mounting scrutiny. In 2020, discontinued InstallCore as part of a strategic pivot toward monetization and user acquisition tools, amid regulatory pressures and reputational damage from its adware associations. The decision aligned with the company's evolution, culminating in its 2022 merger with , which reignited debates about 's legacy of malware-like distribution tactics. Despite its shutdown, InstallCore-related detections persist in security scans, highlighting ongoing risks from legacy bundlers in software ecosystems.

Development and History

Launch and Early Years

installCore was launched in 2010 by Ltd., an Israeli software company established that year in . It emerged as the company's flagship product, serving as a desktop software installation platform specifically designed for distributing internet-based applications. The platform was introduced to streamline the delivery of and , enabling publishers to reach users efficiently through customized download processes. The initial purpose of installCore was to facilitate easy downloads and installations of legitimate software, allowing developers to monetize distributions via optional offers presented to users during the setup. This model supported a approach, where core applications could be provided for free while generating revenue from user-selected additional content or services. Key early features encompassed customizable installer interfaces to align with brand aesthetics, support for multiple languages to accommodate global users, and seamless integration with networks for enhanced distribution and earnings potential. From its launch, installCore saw rapid adoption by software developers for freeware distribution, quickly positioning itself as a leading solution in the industry with billions of successful installs managed worldwide. Early partnerships included collaborations with prominent sites and download portals, such as Download.com, which leveraged the platform to host and deliver third-party applications to their audiences. These alliances helped solidify installCore's role in the of software dissemination during its formative years.

Evolution Under ironSource

Under ironSource's management, installCore underwent significant expansion in the mid-2010s, evolving from a primarily desktop-focused installer into a comprehensive platform that integrated advanced advertising and analytics capabilities. Launched by in 2010 as its inaugural product, installCore saw operational shifts around 2014-2015, including the launch of installCore , a standalone ad server designed to deliver highly targeted third-party offers during installations. This integration enabled programmatic advertising features, allowing developers to dynamically select and present relevant bundled offers based on user data, thereby optimizing revenue streams without altering core installation mechanics. A key development was the introduction of sophisticated analytics tools, which provided real-time tracking of user installations, performance metrics, and revenue optimization from bundled offers. These (BI) features allowed clients to monitor cross-platform traffic—spanning Windows and the newly launched Mac OS installer in 2014—in a unified , facilitating data-driven decisions to maximize installation success rates. By leveraging such tools, expanded its scope to support both desktop and emerging mobile app distributions, with installCore focusing on desktop. Growth accelerated during this period for , whose platform handled over 6 million new daily installations by 2016 across desktop and mobile, contributing to a cumulative total exceeding 3.5 billion installs, with installCore playing a key role in desktop distributions. This scale underscored installCore's role in the company's revenue growth, which rose from $260 million in to a projected $350 million in , driven by enhanced from third-party integrations. However, these advancements were tempered by external challenges, including a Microsoft security warning that labeled installCore as having a "poor reputation," resulting in network blocks due to associations with unwanted behaviors like process injections and browser modifications. Internally, shifted installCore toward deeper programmatic advertising ties, incorporating algorithms like FlowAutomator in 2014 to automate offer selection and boost revenue per install by up to 30% through AI-driven . This evolution positioned installCore as a central component of 's , emphasizing scalable distribution while navigating reputational hurdles that influenced its long-term trajectory.

Acquisition by Unity Technologies

In July 2022, Unity Technologies announced a merger agreement with in an all-stock deal valued at $4.4 billion, where each ironSource share would be exchanged for 0.1089 shares of Unity . The transaction aimed to enhance Unity's and capabilities by integrating ironSource's platform expertise. The merger was completed on November 7, 2022, forming a combined entity focused on end-to-end tools for creators. installCore emerged as a significant point of contention during the acquisition process, viewed as a legacy product from ironSource's early years with a history of associations with and distribution, which had led to its by major antivirus vendors. Developers expressed widespread backlash on forums and , warning that the deal could tarnish Unity's reputation and expose users to security risks tied to installCore's past bundling practices. Unity addressed the criticisms by acknowledging that installCore's desktop platform had been abused by "bad actors," while defending ironSource's broader contributions to mobile and user acquisition as valuable to the . In the immediate aftermath of the merger, Unity committed to reviewing and mitigating legacy issues from ironSource's portfolio, resulting in installCore no longer being actively promoted or supported within the unified company structure.

Technical Functionality

Core Installation Mechanisms

installCore's installation process began with the initiation of a , typically triggered by a accessing a link or advertisement. The would a bootstrap executable file (.exe for Windows), which served as the for the installation. This bootstrapper connected to servers to retrieve dynamic configuration data, including details on the primary application and any additional components. The process supported Windows operating systems from version 7 onward and macOS through a dedicated installer adapted for Apple systems. Following download initiation, the installer presented a series of user consent screens to outline the installation steps and obtain agreement, often displaying end-user license agreements (EULAs) for the main application and bundled elements. Upon user approval, the payload extraction phase commenced, where the installer unpacked the primary application files, dependencies, and optional components from the bundled .exe archive using scripting logic. This extraction involved temporary file creation in system directories, such as those prefixed with "ish" or "is," to stage the components before final placement. During installation, installCore performed registry modifications on Windows systems to integrate the software, such as adding entries under keys like HKEY_CURRENT_USER\Software\InstallCore for and startup . The typical of the .exe bundles included the main application , required libraries and dependencies, and modular optional components, all compressed within the archive for efficient distribution. Error handling incorporated built-in mechanisms that reported installation failures or incomplete processes back to servers for analytics purposes, aiding in performance optimization and issue diagnosis without user intervention.

Software Bundling and Distribution

InstallCore employed a pay-per-install () bundling model that integrated optional third-party offers, such as toolbars, antivirus trial versions, and , into the process of primary software applications. This approach required user consent through multi-step dialogues, allowing developers to monetize distributions by partnering with advertisers who paid for successful installations of bundled content. The platform distributed software primarily through partnerships with major download portals and affiliate networks, including sites like CNET Download.com and , where installers were promoted alongside popular . Affiliates utilized these channels, along with repositories and promotional tools such as content lockers, to drive downloads and bundle additional offers during the setup flow. Monetization occurred via revenue-sharing agreements, where software developers earned commissions—typically ranging from $0.10 to $1.50 per install, with higher rates in regions like the —based on user consents for bundled software. By 2012, installCore facilitated over 100 million monthly installations, contributing significantly to ironSource's annual earnings in the millions through this model. User interface tactics included multi-step screens with pre-checked checkboxes for additional offers, often employing misleading wording to encourage opt-ins, such as labeling bundles as "recommended" or part of an "express install" option. These designs aimed to maximize acceptance rates while nominally providing choices, though they were criticized for obfuscating the full implications of selections. Analytics integration enabled real-time tracking of bundle acceptance rates and installation outcomes, allowing partners to optimize offer placements and targeting based on user demographics and behavior data. This data-driven refinement helped sustain high conversion rates, with the platform processing over 60 million weekly download attempts at its peak.

Controversies and Security Issues

Associations with Malware and Adware

InstallCore has been implicated in numerous instances of facilitating the distribution of and potentially malicious payloads through its bundling mechanisms, often disguising installations as legitimate software updates. Security researchers have documented cases where the platform's installers were exploited to deliver unwanted programs that alter , inject processes, and enable further infections. A prominent example occurred in 2016, when campaigns targeted Mac users via fake updates. These deceptive ads, often appearing in results for terms like "," redirected users to malicious download sites hosting installers such as FLVPlayer.dmg. The packages utilized variants of OSX/InstallCore to bypass protections using compromised developer certificates, ultimately installing like MacKeeper and that prompted further downloads. InstallCore's bundling practices have also enabled the spread of specific , including programs that hijack browser settings and display intrusive advertisements. For instance, it has been used to bundle toolbars and extensions that modify default search engines and homepages, such as those associated with Software, leading to persistent redirects and without user consent. These bundled applications often arrive hidden within seemingly legitimate installers for plugins like or , exploiting user trust to evade detection. Third-party developers and malicious actors have abused InstallCore by injecting custom payloads into its distribution framework, resulting in a proliferation of variants. A detailed analysis by in highlighted .Win32.InstallCore.AN, which arrives via droppers from other and deploys files like Kapocafi.exe in temporary directories, facilitating the installation of further unwanted software. The scale of these associations underscores InstallCore's widespread impact, with detections reported commonly across regions including the , , and , contributing significantly to PUP incidents through millions of bundled installations. This has led to substantial user exposure, as the platform's design allowed for stealthy deployment in a large family of installers.

Classification as Potentially Unwanted Application

Microsoft first classified installCore as a potentially unwanted application (PUA) under the designation PUA:Win32/InstallCore in March 2015, citing its potential to degrade system performance through unwanted installations and modifications. This classification includes blocking mechanisms via , which prevents the execution of installCore files based on their poor reputation scores. Other prominent security vendors have issued similar designations, reflecting widespread recognition of installCore's risks. labeled variants as .Win32.InstallCore.AN starting in June 2020, focusing on its role in unauthorized software delivery. identifies it as Win32:InstallCore for its intrusive bundling behaviors. These classifications stem from specific criteria, including deceptive bundling that hides additional software during installations, persistence achieved through registry modifications for autorun entries, and outbound network communications to servers for and content retrieval. In response, affected security tools implement automated measures such as quarantine or outright deletion of installCore components; for instance, Windows Defender defaults to blocking and removing detected instances during scans. also blocks installCore-associated browser extensions to prevent unauthorized modifications to user browsing experiences. By 2022, installCore had been blacklisted by over 50 antivirus products across platforms like , leading to broad detection rates that curtailed its effectiveness as a tool.

Legacy and Impact

Discontinuation and Aftermath

discontinued active development of installCore in late , with the product spun off to a new company called , aligning with preparations for its via a merger in 2021. This decision marked a strategic shift away from desktop toward and monetization platforms. Following the completion of 's merger with in November 2022, installCore was fully deprecated and removed from all active pipelines, with Unity emphasizing that the product had been discontinued years prior and was not integral to their . However, existing installations on user systems persisted post-discontinuation, often detected as potentially unwanted applications, necessitating manual remediation. These residual installs prompted official removal guidance from security providers; Microsoft documented steps to address PUA:Win32/InstallCore detections using Windows Defender and the Microsoft Safety Scanner tool. Similarly, Malwarebytes issued instructions for eliminating PUP.Optional.InstallCore variants, highlighting its adware-bundling behavior and recommending full scans for affected systems. The loss of installCore as a revenue source, previously a key profit driver for , accelerated the company's focus on mobile ad networks, contributing to overall in that segment exceeding 50% year-over-year by 2021. No major lawsuits directly targeted installCore's discontinuation, though its bundling mechanisms drew ongoing regulatory attention to similar practices in the industry, without specific actions against ironSource.

Broader Industry Repercussions

The association of installCore with potentially unwanted programs (PUPs) has contributed to heightened scrutiny of software bundling practices across the , prompting developers and security firms to advocate for more transparent installation processes. InstallCore, developed by , was notorious for deceptive bundling tactics that often tricked users into installing additional alongside legitimate software, leading to widespread criticism from security experts. This has influenced a broader push toward explicit user consent mechanisms in installers, aligning with regulatory frameworks like the EU's (GDPR), which emphasizes clear disclosure of and bundled components to avoid misleading opt-ins. For instance, post-2015 analyses highlighted how such bundlers exploited ambiguities in user agreements, accelerating calls for standardized transparency in to mitigate risks. The acquisition of in 2022 amplified these concerns, as installCore's legacy of malware-like behavior eroded trust among game , many of whom viewed the merger as a shift toward aggressive monetization at the expense of . expressed outrage over 's history, with prominent figures publicly considering alternatives to Unity's engine due to fears of similar bundling practices infiltrating game ecosystems. This backlash underscored a growing demand for ethical ad tech and a reevaluation of partnerships with companies linked to PUPs. While no large-scale exodus was quantified, the incident highlighted vulnerabilities in the for software tools, fostering industry-wide discussions on vetting acquisition targets for security implications. In terms of security standards, installCore cases have driven advancements in PUP detection heuristics by antivirus vendors, including Microsoft's , which classifies InstallCore variants as PUA:Win32/InstallCore and blocks them based on behavioral patterns like unauthorized process injection and registry modifications. These detections evolved in response to bundlers' prevalence in freeware downloads, with tools like expanding generic signatures to cover InstallCore families, reducing the incidence of undetected installations. Windows 11's enhanced real-time scanning and reputation-based blocking reflect this trend, incorporating lessons from high-profile PUP scandals to prioritize installer integrity over the 2020s. Market dynamics have also shifted, with installCore's fallout contributing to a decline in reliance on third-party desktop bundlers, as users and developers increasingly favor vetted platforms like the Microsoft Store and Steam for safer distribution. This transition is evident in the reduced prominence of pay-per-install models, which fueled installCore's operations, as platforms enforce stricter app review processes to curb PUP proliferation. Ongoing monitoring reveals residual InstallCore variants persisting in legacy software as of 2025, accounting for a notable portion of PUP alerts in antivirus reports, necessitating continued vigilance in updating old installations.

References

  1. [1]
    Adware.InstallCore - Malwarebytes
    Adware.InstallCore is Malwarebytes' detection name for a family of bundlersthat installs more than one application on the user's computer, usually by combining ...
  2. [2]
    InstallCore Hits New High With 100 Million Monthly Installs
    Aug 10, 2012 · Established in 2010, InstallCore has quickly become the leading installation platform for premium software publishers.
  3. [3]
    PUP.Optional.InstallCore - Malwarebytes
    PUP.Optional.InstallCore is the detection for a large family of bundlers that are known to install adware and potentially unwanted programs (PUPs) with ...
  4. [4]
    https://nordvpn.com/cybersecurity/glossary/installcore/
  5. [5]
    A Closer Look at IronSource Installation Tactics - Ben Edelman
    Feb 18, 2015 · (InstallCore is the IronSource service that provides adware bundling and adware installation.) ... IronSource's InstallCore. The Nonexistent " ...
  6. [6]
    PUA:Win32/InstallCore threat description - Microsoft
    Mar 11, 2015 · This application was stopped from running on your network because it has a poor reputation. This application can also affect the quality of your computing ...<|control11|><|separator|>
  7. [7]
    Giving up its cash cow paved ironSource's way to NYSE - Globes
    Jun 29, 2021 · ironSource's highly profitable installCore product, a survivor from Israel's notorious "Download Valley", was discontinued late last year.
  8. [8]
    Unity and IronSource have completed their merger - Game Developer
    Nov 7, 2022 · Until 2020, IronSource's core product was an adware platform called InstallCore, which Microsoft's Windows Defender program would eventually ...
  9. [9]
    Unity: IronSource malware came from “bad actors who abused the ...
    Jul 15, 2022 · ... IronSource's first product was classified as malware. InstallCore was an installation program for internet-based applications launched in ...
  10. [10]
    Win32.PUA.Installcore - Zscaler Threat Library
    Aug 10, 2025 · Win32.PUA.Installcore is a PUA that targets the Win32 platform. A PUA, Potentially Unwanted Application, is a type of application that the user ...Missing: what | Show results with:what
  11. [11]
    https://en.globes.co.il/en/article-cosmetics-and-dog-food-meet-ai-1001526021
  12. [12]
    The Most Troubling Thing About Unity's ironSource Deal
    Jul 24, 2022 · ironSource was founded in 2010. Its first product was InstallCore, an installation program for internet-based applications. InstallCore hit ...
  13. [13]
    installCore From ironSource to Introduce Super Targeting ... - PRWeb
    Jan 9, 2014 · About installCore. Established in 2010, InstallCore has quickly become the leading installation platform for premium software publishers.
  14. [14]
    InstallCore - Established in 2010 and with over 2.5 billion successful ...
    Since its inception in 2010, installCore™ has managed billions of successful installs. Its cutting-edge technologies and industry experience make ...
  15. [15]
    PUADlManager:Win32/InstallCore threat description - Microsoft
    Oct 11, 2021 · Summary. This is a detection that covers the third-party bundling of InstallCore. These are often programs that appear in search engine results ...Missing: shareware | Show results with:shareware<|control11|><|separator|>
  16. [16]
    ironSource Launches Stand Alone Ad Server: installCore Fusion
    Dec 9, 2014 · Tel Aviv, ISRAEL (PRWEB) December 09, 2014 -- ironSource, the world's leading digital delivery platform, today announced the launch of ...
  17. [17]
    ironSource's installCore launches Mac OS installer to ... - SD Times
    Nov 25, 2014 · ironSource's installCore launches Mac OS installer to offer comprehensive, cross-platform solution for developers.
  18. [18]
    2016 IPO Prospects: ironSource Strengthening its Revenue ...
    Mar 18, 2016 · Its platform has seen more than 3.5 billion installs till date and records over 6 million new installs daily. The service is accessed by more ...
  19. [19]
    IronSource Integrates Artificial Intelligence Capabilities Into ...
    Feb 27, 2014 · ironSource integrated the new FlowAutomator algorithm, which was developed in-house, with the installCore ad server. installCore General Manager ...
  20. [20]
    Unity Announces Merger Agreement with ironSource
    Jul 13, 2022 · Unity and ironSource will merge in an all-stock deal, creating an end-to-end platform. Unity will own 73.5% of the combined company. The deal ...Missing: history rebranding<|control11|><|separator|>
  21. [21]
    Unity is merging with ironSource in an all-stock deal valuing ...
    Jul 13, 2022 · ironSource is being valued at $4.4 billion in the all-stock deal. Part of the transaction will also involve Silver Lake and Sequoia, the two ...
  22. [22]
    Welcome, ironSource! - Unity
    Jul 12, 2022 · Unity announced today that it has entered into an agreement to merge with ironSource, harnessing the company's tools, platform, technology, and talent.
  23. [23]
    Unity Completes Merger with ironSource
    Nov 7, 2022 · Unity (NYSE: U) today announced that it has completed its merger with ironSource, becoming the industry's leading end-to-end platform for mobile app creators.
  24. [24]
    Unity is merging with a company who made a malware installer
    Jul 13, 2022 · In 2015 IronSource merged with Supersonic, developer of an in-app purchase platform, and pivoted from InstallCore to in-game ads. At the start ...
  25. [25]
    Unity Criticised For Merging With Known Malware Distributor
    Jul 14, 2022 · The deal has since come under fire due to Ironsource's history of malware distribution, developing a delivery system so infamous it got blacklisted by ...
  26. [26]
    Why is Unity's merger with IronSource angering developers?
    Jul 14, 2022 · The program was called InstallCore, and it was IronSource's "flagship product." Microsoft's Windows Defender program would eventually ...
  27. [27]
    Inside Unity's troubled $4.4bn IronSource merger - Mobilegamer.biz
    Oct 29, 2024 · Alleged bullying and mismanagement within Unity's adtech arm have created a toxic atmosphere and a staff exodus, we're told.Missing: installCore controversy
  28. [28]
    [PDF] Investigating Commercial Pay-Per-Install and the Distribution of ...
    Aug 10, 2016 · InstallCore. 04/2011. InstallMonetizer. 06/2010. InstallMonster. 06/2013 ... 7960/qihoo-360-launched-its-own-affiliate- network/, 2014. [38] ...
  29. [29]
    Automated analysis of freeware installers promoted by download ...
    Cloning the base image every time a guest machine is launched is time consuming as the image may be gigabytes in size. ... dll, which belongs to the InstallCore, ...
  30. [30]
    Mac Users Attacked Again by Fake Adobe Flash Update - Intego
    Apr 12, 2016 · Mac users are once again being urged to exercise caution when installing updates to Adobe Flash Player, after a fake update was discovered infecting computers.
  31. [31]
    Top Five Malvertising Attacks of 2016 - GeoEdge
    The campaign targeted Apple Mac OS X users and tricked users into downloading a malicious installer identified as 'OSX/InstallMiez' (or 'OSX/InstallCore'). The ...
  32. [32]
    Potentially Unwanted Applications (PUAs) disguised as software ...
    Mar 21, 2016 · This report presents an insight into how cyber criminals are using pop-up ads to trick users into downloading malicious software.
  33. [33]
    PUA.Win32.InstallCore.AN - Threat Encyclopedia | Trend Micro (US)
    Jun 16, 2020 · This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users ...Missing: shareware | Show results with:shareware
  34. [34]
    InstallCore adware - Easy removal steps (updated) - PCrisk.com
    Jan 4, 2022 · Here's a list of potentially unwanted applications that use Installcore download client to promote installation of additional adware.
  35. [35]
    Virus or not a virus - Win32/InstallCore = VideoConverterSetup.exe?
    Jul 15, 2012 · Is this a virus or not? I downloaded the file from a website that claims it is a video conversion utility program. as Polonus said in the post ...
  36. [36]
    PUADlmanager:Win32/InstallCore Removal – Gridinsoft Blog
    Apr 10, 2025 · Registry Modifications: Creates entries in the Windows Registry to ensure applications launch at startup, including: HKEY_CURRENT_USER ...
  37. [37]
    Adware Empire – IronSource and InstallCore - INFOSTRUCTION
    Oct 26, 2018 · The IPs and types of Adware connected back to IronSource Ltd., Babylon Software Ltd., and InstallCore – all Israeli companies that have connections to Adware.
  38. [38]
    [PDF] Measuring PUP Prevalence and PUP Distribution through Pay-Per ...
    Aug 10, 2016 · In this work we perform the first systematic study of PUP prevalence and its distribution through pay-per- install (PPI) services, which link ...
  39. [39]
    VirusTotal - File - VirusTotal
    Sep 18, 2022 · Join our Community and enjoy additional community insights and crowdsourced detections, plus an API key to automate checks. ... VBA32 Malware- ...
  40. [40]
    how do i remove Win32/InstallCore - Microsoft Q&A
    Oct 7, 2023 · how do i remove Win32/InstallCore which was on an old drive which has been removed? windows 11 pro (recently updated from 10)Missing: Delta | Show results with:Delta<|separator|>