Controversial Advertising Program Now Being Embedded in More Software


OpenCandy (OC) is an advertising product that some software developers are bundling with their programs. It can now be found in the installers of dozens of popular programs.

OpenCandy employs some controversial techniques in its operation and this has created some heated discussions in Internet forums and blogs. Some say it is adware or spyware while others say it is just another legitimate form of advertising. Either way, you need to be aware of this product and its potential pitfalls.

How OpenCandy Works

OC makes software recommendations to users during the program installation process. That is, while you are installing one product you get an invitation to install others. Users can accept or reject these download recommendations from OC; it is their call. Here's an example of how it works when you install a program.

At the start of an installation process you are presented with the licensing agreement which clearly flags OpenCandy as a separate agreement.


And here's what the agreement says:

 

If you agree to this you get offered other products to install before installing the program you need. The products offered depend on what you already have installed on your PC - OpenCandy scans your PC to find that out.

Not all implementations of OC work the same way. Sometimes the "install" or "yes" option is preselected. That means that users who just mindlessly click through the installation of the product they want to install will also end up downloading and installing additional products. How OC is configured depends on the software vendor.

Harmless Advertising or a New Form of Spyware

Now to some readers all this may sound harmless enough but there is more to it:

  • The recommendations made by OC are partly based on the products you already have installed on your PC. OpenCandy determines this by secretly scanning your PC without ever asking your permission.
  • While you can elect not to download any of the programs suggested by OC you cannot opt out from installing OC itself; it is fully embedded in the installation process. The situation is made worse by the fact that some software vendors don’t even mention in their End User Licensing Agreement (EULA) that OC is included as part of the installation process for their product.
  • If you accept any of the software recommendations made by OC then not only will that software be downloaded and installed but OC will also permanently install itself on your PC as well.
  • Regardless of whether you accept or reject OC’s software recommendations OC will transmit information about your PC back to the OpenCandy Corporation.
  • Some anti-malware programs including Microsoft Security Essentials and the excellent freeware Avira flag some products containing OpenCandy as adware.

The makers of OpenCandy have published some credible counter-arguments. They claim:

  • Many installers from reputable companies scan your PC during the installation process to check for old versions, the existence of essential components and more.
  • They also claim that OC installs nothing permanently on your computer should you choose not to accept any OC download recommendations.
  • They state that any data about your PC sent back to OC is the kind of general information collected when you visit a website and contains no personally identifiable information.

They also put forward an argument that OC is not adware as it does not conform with the Wikipedia definition of adware as programs that display ads during program operation or usage. Using definitions to deflect the argument is ridiculous. OpenCandy is without doubt adware. Yes, it displays ads during product installation rather than product operation but the effect is the same. To claim otherwise is fatuous.

But there is nothing particularly wrong with adware. Many reputable products like the free version of Avira AntiVir and AVG Antivirus are adware. The product ads are the price that many users are prepared to accept in order to get the product for free.

Is OC spyware? There is little evidence to suggest this; rather, it seems to be just another form of adware. However, it does worry us that the distribution model OC uses could potentially be used to turn the product into spyware.

In fact that’s the aspect of OpenCandy we find most disturbing. With the product now installed on a huge number of computers the current or future owners of the product could be tempted at some time in the future to more aggressively utilize the huge installed base. Can the OpenCandy Corporation or its successor be trusted not to exploit this opportunity? Will a hacker break into their system and create a huge botnet? Who knows; nobody can know but the possibility itself is disquieting.

The Gizmo’s Freeware Policy on OpenCandy

We thought seriously about banning any product containing OpenCandy from our website but have decided against that on two grounds:

First, we have no evidence that OpenCandy is a malicious product or spyware. It is simply an adware program. Yes it is a product that makes us feel uncomfortable in the way it pushes privacy limits and even more uncomfortable with the potential for the model to be exploited but these are ultimately soft objections.

Second, to ban products containing OC would deprive our users of the right to make their own choices as to the products they wish to use. Some of the programs that contain OC are of outstanding quality. If users wish to use these products knowing that they contain OC then we need to respect that choice.

We have however decided to attach some strong conditions to products that contain OpenCandy:

  • Gizmo’s Freeware will not list any program that contains OpenCandy in its installer and does not clearly state this fact in its End User Licensing Agreement (EULA).
  • Gizmo’s Freeware will not list any program that contains OpenCandy that does not provide users with the ability to opt out of all recommended downloads.
  • The presence of OpenCandy will be treated by our editors as a negative when preparing our lists of recommended programs. It will be left to individual editors whether a program’s features and other strengths are sufficient to offset the inclusion of OpenCandy.
  • Where we do list programs which we know contain OpenCandy, we will clearly alert our readers to this fact.

This policy is now in place but it will take some time** for us to check every product and decide whether we will continue to recommend it. If you are aware of any product we recommend that contains OpenCandy then please leave a comment at the bottom of the program review.

Now I know some people will consider these initiatives to be an over-reaction while others feel we have not gone far enough. What we have tried to do is balance the right of our readers to make their own informed choices about the products they use against the concerns we have about the OpenCandy marketing model.

What I can say is that we will keep the situation under ongoing review. Should the OpenCandy company show any indications they are moving their product in a direction that is not in the interest of our users then we will immediately ban all products containing OpenCandy from this site.

** To the best of our knowledge, all products listed here which contain OpenCandy have now been identified and an appropriate advisory added to the text. The situation is fluid though as some authors will no doubt remove it and others will begin bundling it with new software. If you discover an instance of OpenCandy within a product listed here which is not marked as such, please inform us by leaving a comment on the appropriate page, or by contacting one of the mod team directly.

 

Gizmo

 


Comments

I wonder how naive we are in thinking OpenCandy doesn't get installed regardless of us saying "YES" or "NO" during installation of software

I recently did a Malwarebytes scan of my computer, and it found a few remnant "OpenCandy" titled files
I do test a lot of programs, and I am well aware of spyware, malware, viruses etc
During testing, I deliberately avoid some freeware sites that insist on you installing programs using a third party installer
I am also meticulous when installing programs and watching for toolbars etc

I pretend to myself that I am safe, using a firewall that detects outward traffic, but maybe I am naive that this stops spyware sending my information from my computer

OpenCandy new? I think not!
I've just been in touch with the developer of this program and checked the current agreement and there is NO mention anywhere of OpenCandy, which he claims has been dropped altogether for some time.
This is a very useful article if it were current, but it really needs updating to reflect the true position of this software.
I've been using FreeFileSync for many years and it's one of the very best out there.

Many thanks for your kind feedback boristhemoggy. We've now updated the article with a general example.

FreeFileSync is merely an example for OpenCandy, which is what this article is about.

But why use FreeFileSync as an example when it doesn't have OpenCandy? Why not use a program that DOES have OpenCandy? That's just plain silly.
It prompted me to contact the developer with concerns because you don't say it's an example and they don't have OpenCandy. You risk spoiling the reputation of a great free program for no discernible reason?
It doesn't make any sense and it certainly goes against the high standards we usually see on TSA.

If this is the case then the Wiki also needs updating.
https://en.wikipedia.org/wiki/FreeFileSync
Fact is, many developers shuffle from one wrapped installer to another as users get annoyed with it and then often back again after a few months. Maybe if anyone here has time this article can be re-written to illustrate a current container of OpenCandy but likely that will then go out of date too. Across the site, it is impossible for editors to keep up with these changes which is why we now include a general installer warning with product details where appropriate. In the meantime, this article continues to provide a valid example of what users might encounter during a software install. MC - Site Manager.

Site manager...with your responsibility, don't you think that as a valid means of giving an example to people of an installation of OpenCandy, you ought to use an anonymous example if the current software doesn't use it?
I take your point that FFS may have had OpenCandy in the past, although in all the years I've used FFS I've never found it during an installation, but then I usually use it portably so that might explain why.
Nonetheless we depend on the site to give accurate info too, and again that's something I've done for years so when I see a great piece of software that does NOT have OpenCandy, I wonder why it's used as an example?
If there is a current piece of software that uses OpenCandy I would be more than happy to rewrite this article for you to keep it up to date. I think people respect the site too much to be happy with articles from here that are incorrect and it's unfair to label great pieces of software incorrectly.

Thank you for offering to help which is greatly appreciated. Please complete the form at this link so we can process your application. MC - Site Manager.
http://www.techsupportalert.com/content/id-become-editor-gizmos-freeware...

The article clearly says .. Here's an example of how OpenCandy works... while giving the example of FreeFileSync.

But yes, got your point that since FreeFileSync doesn't contain OpenCandy now... the article needs to be updated.

Still, even if FreeFileSync doesn't contain OpenCandy, it still shows a screen for installing third party software, during installation. Just saying.

I personally do use FreeFileSync, and agree that it is great software.

Will request for this article to be updated.

Gizmo's new policy towards software with bundled Open Candy is a step in the right direction although does not go far enough in my opinion however there is a discernible ever growing user push back against software which contain this crapware and the companies that produce it.
Social media and sites like yours can quickly alert consumers to this insidious practice and hopefully it will eventually lead to a user boycott of these odious programs.

Excellent coverage of an incendiary topic. I firmly believe that there is no such thing as privacy as long as we have computers in our life. The fact that they have become so embedded in our lifestyles is dangerous in itself, but will not change. The only anonymity left to us is to stay in the center of the herd and be quiet about it.

Has this article recently been updated????

I can't see anything in the first screenshot to indicate that "At the start of the FreeFileSync installation process you are presented with the licensing agreement which clearly flags OpenCandy as a separate agreement." Sorry, but nothing's clear to me from that; OC doesn't appear there at all. Or maybe I need some new glasses????

This article is the epitome of what consumers look for. Thank you very much.
p.s. There was a time when "news" media primarily had this type of content, which sadly, is no longer the case. Gizmo's wording to delineate specifically to include a time base for taking its own recommendation take committed resources to 'do' what one 'says'. applause, applause.

Being a tech-challenged senior I really appreciate articles like this one. I had read about OpenCandy on this site before and have since classified it as junkware, but hadn't known how to actually stop it other than reading an awful lot of Fine, very fine, print and hoping I didn't miss the info somehow.. I also appreciate the info on how to stop all of those OpenCandy offers.

I did have unchecky at one time but it caused me some problems in doing surveys so uninstalled it. This would be one of the areas the tech-challenged came in to play since I didn't know what to do when encountering problems such as those, except to uninstall...have had to do that with a few things. Do have AdBlock Plus and Ghostery on both my Firefox and IE9 browsers and they have helped avoid more than a few advertising pushers.

Gizmo has helped me ID new freeware and all of the commenters have helped me many times avoiding bad, or sticky, problems with that freeware. Kudos to everyone, with a big Thank You All...

I would also suggest that you add 'Web of Trust' to that list of security measures. It has saved my bacon several times.

Thank you for your kind words classicggma65. :) MC - Site Manager.

Pretty much says all there is to say -- and know -- about Open Candy from just one glance at your screenshot: UNIBLUE REGISTRY BOOSTER. Recommended for YOU. But of course, it isn't really 'recommended' at all. It's junk software -- Uniblue's awful reputation is well deserved in my experience -- which can't find a wide, knowledgeable paying audience so hooks up with Open Candy to be punted out to those without enough tech savvy to realize that (a) they've just been targeted and (b) they're now being manipulated.

Open Candy is proprietary software that has no more right to step into my computer without specific invitation than I or anyone else has the right to step into Open Candy's CEO's office without specific invitation. I could, of course, just slip past the security, the way Open Candy delights in doing wherever it can. And when caught, I could just say ah, I'm scanning your office to see what else you might like to have -- hey, how about a nice new Naugahyde chair? Another couple of crystal flower vases? Oh, and those pictures on your wall, how about me selling you a deal on canvas prints of pictures you took yourself?

Naturally in making these helpful recommendations, I couldn't care less what the Open Candy CEO has in his office or on his walls. What I care about is getting my rake-off from the sale of the chair, the vases, and the DIY canvas prints -- in exactly the same way Mr Open Candy CEO cares not one jot about the 'recommendations' made to me, and wishes only to stuff me with Uniblue products for as long as Uniblue is chucking money into his pocket.

I'm tired of an increasingly anemic world where so many allow the indefensible to pass unquestioned. It's almost as if there's a breed of folks out there who so prize themselves on their reasonableness and civility that they'll stay passive and quiescent no matter what. Open Candy is a pernicious money-grabbing invader of other people's property and should be treated as such. No ifs, no buts, and absolutely, no justifying its purpose or its behavior.

Personally, I never had any issues with OpenCandy nor have I ever considered it "controversial" to begin with. On the contrary, I have discovered some useful applications through it on more than one occasion.

OpenCandy is a legitimate way for developers to earn a little money from the applications that they distribute for free. It's perfectly harmless and all its offerings are always optional.

If you have a problem with OpenCandy, then you're free to look for an alternative. But demonizing it doesn't help anyone.

Adware is not perfect but it's not necessarily evil either.

PS: I'm not affiliated with OpenCandy in any way.

OpenCandy is far from harmless and anything that seeks to hide itself from view and trick users for financial gain has to be controversial, at least amongst honest folk. Users would never encounter some of the products "suggested" by OpenCandy normally, and in doing so open themselves to significant risk, as detailed in one of the comments below. Complaints about wrapped installers form by far the largest mailbox received at Gizmo's Freeware so unless someone wants to suggest our readers are in some way deficient, then I maintain OpenCandy is a problem and we will do all we can to warn folks about it. MC - Site Manager.

I never had OpenCandy install an application that I explicitly declined its offer, not even once. Also, it's not hidden at all. All the applications I have tried that had OpenCandy, it was clear that was optional, but people rarely bother to read and many are just used to the "next-next-ok" sequence. But whose fault is that? We're not talking about some ambiguous "fine print" here, the option to decline is right there.

Deficient? I wouldn't know. Perhaps careless? I can't understand why so many people complain about it, AFAIK anyone can bypass it completely using a switch, an application (Unchecky?) or simple common sense. And even then people are always free to look for alternatives.

It's not that I love OpenCandy, but this all feels like some sort of witch-hunt to me. If you personally experienced OpenCandy installing applications without your consent or it installing actual harmful software then I'd like to know, really. I simply never experienced any issues with it nor have I ever felt it to be harmful.

I haven't scanned all the pages of comments, but I was installing some freeware today, and AVG Free 2015 warned me of it containing OpenCandy, and (allegedly) blocked it installing.

On Open Candy

One bottom line is that some systems of the grandmothers, or anyone less tech-savvy, get trashed.

Look, they wanted to foist a Uniblue registry product on you, a registry cleaner that has trashed systems for years.

The small benefit you might get (product A instead of B) is at the expense of the freeware community as a whole.

Caveat emptor!

Steven

It is even possible to block OpenCandy in any installer.
You can make this by starting the installer with a specific parameter or configure your firewall so it blocks the connections to OpenCandy.

More information and a complete description how you can do this you can find here:
https://forum.eset.com/topic/3701-block-pua-inside-installers-from-nero-...

The dangers of these types of programs are very high. Computer users may not be easily categorized but I would offer these general categories: very knowledgeable, knowledgeable, casual, novice (in terms of computer knowledge). It seems easy enough to say that this web site and these comments come from knowledgeable computer users, but this group is in the minority. The vast majority of users (probably world wide) probably cannot detect, grasp the nuances and avoid installing OpenCandy and its ilk. Which means that in spite of an intellectual debate that informs us, enabling us to make knowledgeable decisions (like this particular discussion), the vast majority of users will unknowingly install OpenCandy. How many millions of installations is that? 1, 10, 100 million or more? I worked on my Grandmother's PC that had slowed to a crawl and had hundreds of these types of products infesting her PC, slowing it down and doing who knows what. It is this defenseless group who form the vast majority of users who will end up with this program. They are the prey. I acted in her behalf to warn her, put some protections on her PC and to give some good general advice. I think it is an obligation of the knowledgeable users to act on the behalf of those less capable, think of it as a civic service. This program should be banned because the majority of those who end up with it were targets and not capable of acting in their own behalf.

OpenCandy may be far, far worse than you make out. I had recently downloaded something, I forget offhand what, from CNet. I had thought that one of my protection programs (probably Malwarebytes) had managed to block OpenCandy's installation. It would seem not. I more or less accidentally just found out about the netstat command which revealed the following:

TCP 0.0.0.0:135 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:2869 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:5357 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:12025 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
[AvastSvc.exe]

Plus a bunch of other entries. Perhaps I'm reading that wrong, but it seems that OpenCandy was on the machine and trying to listen. So I attempted to see if I could get rid of it. Absolutely nothing could find OpenCandy. NOTHING. Better, I could not edit the HOSTS file. Even better, web sites about dealing with OpenCandy were blocked! To check, I used another computer to open the same web sites with no problem.

Am hoping at this point that having done a restore I have killed the monster. At any rate, netstat is not showing the same type of activity.

I am one of those people who know just enough to be dangerous to their own machines without necessarily knowing completely what they are doing :) Any thoughts on this situation would be helpful.

BTW, the article that pointed out the netstat command to me was from the How-to -geek site. And even if I have read this whole situation incorrectly, at least I have found some nifty utilities such as HitmanPro and a useful new command :)

I simply do not want to be offered anything unless it is I who is asking to be offered. Installing something I want does not equate to permission for a Remora-type software (http://en.wikipedia.org/wiki/Remora), to also be installed. I am typically working on a specific task that I am installing a piece of software for and the last thing I want or need is another crapware distraction. So, to put it bluntly, leave me alone unless I am specifically asking for it. Installing or even viewing one thing is not the equivalent to asking for another. If I even smell OpenCandy or anything like it in something, I will move on to something else. Thank you for keeping us informed Gizmo.

There are 2 things one should do to install an OpenCandy program.

1. Block OpenCandy servers in the windows host file.

You do not want OpenCandy to spy on you.

Click on your start button, go to programs, accessories, right click on notepad and run as administrator.

Click on file, open.
Go to C:\Windows\System32\drivers\etc
type *.* and click on host

Add this to the host file

127.0.0.1 tracking.opencandy.com.s3.amazonaws.com
127.0.0.1 media.opencandy.com
127.0.0.1 cdn.opencandy.com
127.0.0.1 tracking.opencandy.com
127.0.0.1 api.opencandy.com

And click save.

2. Now go to the command line and enter:

"ProgramName /NOCANDY"

The program will now install with no chance of installing third party software & no chance of spying on you by communicating with the OpenCandy servers.

Hello Lassar,

There is a very nifty free application, Unchecky, http://www.softpedia.com/get/System/OS-Enhancements/Unchecky.shtml that helps to keep the user on a path during installations/upgrades so as to minimize the likelihood of accidentally installing PUPs (Potentially Unwanted Programs).

In addition, it automatically writes the blocking entries you've listed to the HOSTS file, along with several additional ones (this is especially helpful for those a bit less technically inclined...).

The current list of entries it writes is:


Very low on system resources, Unchecky also updates itself automatically. Though still technically in beta, it has been regularly updated over the past several months, and I highly recommend it.

Regards,

AJN

Thank you for the Unchecky post. I've recently been running across OpenCandy with a few things and have wondered about it. Fortunately, something (Malwarebytes?, I forget) has been blocking it while allowing the rest of the installation to continue. Or at least, that's what I'm hoping is happening. Regardless, will be downloading Unchecky to check out.

The actual file name is: HOSTS

That's host with an 's'.

This is an old trick that works on Windows machines. YMMV on Apple/Unix/Linux.

What it does is re-direct any name listed on the right hand side to whatever URL is listed on the left hand side.

127.0.0.1 effectively does not exist.

Add the above list to your HOSTS file and what windows does is redirect any attempt to communicate to the name (ex: api.opencandy.com) to the URL 127.0.0.1. This will result in a 'cannot connect' type message.

I already had in my HOSTS file:
127.0.0.1 opencandy.com
127.0.0.1 api.opencandy.com

So I've added in the new ones. Thanks!

To see what's going on, try pasting/keying 127.0.0.1 into your browser address bar and see what you get. I got this in Firefox:

"Firefox can't establish a connection to the server at 127.0.0.1"

It's a nice trick, although a bit 'under the hood' geeky. But then if you are not at least a little geeky, whatcha doing here at Gizmo? (grin)

Wiki has more to say here:

https://en.wikipedia.org/wiki/Hosts_(file)

Russ
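
An added example, not part of the original comments or of any tool named on this page: a Python check that a HOSTS file really sinkholes the five OpenCandy hostnames posted above. HOSTS entries match exact names only, so an entry for opencandy.com does not cover tracking.opencandy.com; the function names and the sample file content are constructed for illustration.

```python
import ipaddress

# Hostnames taken from the blocking list posted in the comments above.
OPENCANDY_HOSTS = [
    "tracking.opencandy.com.s3.amazonaws.com",
    "media.opencandy.com",
    "cdn.opencandy.com",
    "tracking.opencandy.com",
    "api.opencandy.com",
]


def parse_hosts(text):
    """Return {hostname: ip_address} parsed from HOSTS-format text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line, or an address with no name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a usable entry
        for name in fields[1:]:  # one line may carry several names
            # Assumption: when a name appears twice, the first entry is used.
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping


def audit(text, required=OPENCANDY_HOSTS):
    """Classify each required hostname as blocked, missing, or live."""
    mapping = parse_hosts(text)
    report = {}
    for host in required:
        addr = mapping.get(host.lower())
        if addr is None:
            report[host] = "missing"  # no exact-name entry; parent domains do not count
        elif addr.is_loopback or addr.is_unspecified:
            report[host] = "blocked"  # 127.0.0.1, ::1 or 0.0.0.0 style sinkhole
        else:
            report[host] = "resolves to " + str(addr)
    return report


def lines_to_append(report, sink="127.0.0.1"):
    """HOSTS lines that would close the gaps found by audit()."""
    return [f"{sink} {host}" for host, status in report.items() if status == "missing"]


# Constructed sample: parent domain blocked, one entry commented out,
# one mixed-case name, two names sharing a line.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1   localhost
127.0.0.1   opencandy.com
127.0.0.1   API.OpenCandy.com   # mixed case still matches
0.0.0.0     media.opencandy.com cdn.opencandy.com
#127.0.0.1  tracking.opencandy.com
"""

if __name__ == "__main__":
    result = audit(SAMPLE_HOSTS)
    for host, status in result.items():
        print(f"{status:10} {host}")
    print("Add to HOSTS:")
    for line in lines_to_append(result):
        print("  " + line)
```

On Windows the file to pass in is C:\Windows\System32\drivers\etc\hosts, read as text; the script only reports and never modifies it.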
