Friday, June 10, 2016

Feedly: Understanding Java Code and Malware | Malwarebytes Unpacked. PUP Friday: RelevantKnowledge



from Understanding Java Code and Malware | Malwarebytes Unpacked

RelevantKnowledge is a MarketScore variant. It is considered adware, and some even see it as spyware. MarketScore, formerly known as Netsetter, uses RelevantKnowledge to gather data about internet usage. The data are sold for various goals. These include internet development, commerce, economic analysis, and market predictions. Officially, RelevantKnowledge is part of TWRG, Inc., which in turn is part of comScore, Inc.

comScore, Inc. is a global media measurement and analytics company providing marketing data and analytics to many of the world’s largest enterprises, media and advertising agencies, and publishers.

Privacy Policy

Their online privacy policy seems to be aimed at their panelists, people who volunteer to fill out online surveys. It can be found at their site. It does mention, however, that it also uses bundlers.

Software downloads – RelevantKnowledge sponsors select software that members enjoy for free. This research software is easily installed and easily removed.

Privacy Policy

What struck me as odd is that the notification shown in the next screenshot did not show up every time I installed this bundle. In fact I had to try a few times before I saw it. We can’t be sure if this is intentional or a flaw in the bundler.

A very important sentence in that notification is the reason why this is considered spyware by some and just adware by others.

We make commercially viable efforts to automatically filter confidential personally identifiable information and to purge our databases of such information about our panelists when inadvertently collected.

Now, if I were a less trusting person I could read that as “we try to remove the really confidential stuff if you signed up voluntarily.” For sure it should leave you wondering what they consider:

  • viable efforts: is there an acceptable standard for this and are they in compliance?
  • confidential personally identifiable: is not everything that is personally identifiable considered confidential, and if so what exactly isn’t?
  • panelists: does this include the people that get the software in a bundle?

All in all, it is not hard to see where the suspicions of it being spyware stem from.

Bundle 

To look at the installation of such a bundle, we used Scrollup – adware in its own right – as an example. As you can see below, you are given the opportunity not to include RelevantKnowledge.

During install you can “Accept” or “Decline” RelevantKnowledge

All the changes made by that installer can be found in the logs that are included in our removal guide on the forums. Most notable is the RelevantKnowledge service, which is set to run automatically. This means that the service will always be running in the background unless the user does something about it. The file can usually be found at “C:\Program Files (x86)\RelevantKnowledge\rlservice.exe”.

Another notable fact is that the bundle installer downloads a file called PackageV.exe from post[dot]securestudies[dot]com before it offers the option to include RelevantKnowledge. This file used to be called rkverify.exe, so your guess that it serves to check whether RelevantKnowledge is already installed is probably the same as mine.

Detection and Protection

Malwarebytes Anti-Malware Premium protects you against Scrollup and RelevantKnowledge getting installed.

Malwarebytes Anti-Malware (both the free and paid versions) is also able to remove them from your system. An elaborate removal guide for the bundle we used as an example can be found on our forums.

Summary

RelevantKnowledge is adware that comes bundled with many freeware utilities. But there are claims that it is spyware as well. We tried to show you some reasons for those suspicions.

Relevant hash values

Md5 rlservice.exe eb136d46ff65cdf9ef782f9f3eed2d83

Md5 rlls.dll aa863cd8bc4f13a12f2582bbdf5b8ca0

Md5 installer  dfdc9a70b733bd01ec7de20085e3e49b

Md5 PackageV.exe  11033fe49e144984b82ae16ce1221cd0
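
A way to check a Windows machine for the service and files described above, as an added example that is not part of the original post or of any Malwarebytes tool. The function names are hypothetical, and the Downloads and TEMP search locations are assumptions; the file names, install folder and MD5 values are the ones given in this post.

```powershell
# Added example: triage a host for the RelevantKnowledge artifacts named in the post.
# MD5 values and labels are copied from the post's "Relevant hash values" list.
$KnownMd5 = @{
    'eb136d46ff65cdf9ef782f9f3eed2d83' = 'rlservice.exe'
    'aa863cd8bc4f13a12f2582bbdf5b8ca0' = 'rlls.dll'
    'dfdc9a70b733bd01ec7de20085e3e49b' = 'installer'
    '11033fe49e144984b82ae16ce1221cd0' = 'PackageV.exe'
}

function Find-RKService {
    # The post names the binary but not the service, so match on the image path.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like '*rlservice.exe*' } |
        Select-Object Name, DisplayName, StartMode, State, PathName
}

function Find-RKFile {
    param([string[]]$Path)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $h = Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
                if ($h -and $KnownMd5.ContainsKey($h.Hash.ToLower())) {
                    [pscustomobject]@{
                        File     = $_.FullName
                        MD5      = $h.Hash.ToLower()
                        ListedAs = $KnownMd5[$h.Hash.ToLower()]
                    }
                }
            }
    }
}

# Install folder from the post; checked under both Program Files variants.
$roots = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'RelevantKnowledge' })
$roots += Join-Path $env:USERPROFILE 'Downloads'   # assumption: where a bundle installer may sit
$roots += $env:TEMP                                # assumption: where PackageV.exe may be dropped

$services = @(Find-RKService)
$files    = @(Find-RKFile -Path $roots)
$services | Format-List
$files    | Format-Table -AutoSize
if ($services.Count -or $files.Count) { 'Artifacts described in the post were found.' }
else { 'No service or listed hash found in the searched locations.' }
```

An MD5 match only identifies the exact builds listed in this post, so the service check (a service whose image path ends in rlservice.exe, typically with StartMode Auto) is the more durable of the two signals.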

As always: Save yourself the hassle and get protected.

Pieter Arntz

