These days it is becoming extremely difficult to download software from an official source without getting gobsmacked by a sundry of unwanted programs. PUPs is an acronym for potentially unwanted programs and frequently propagate through:
- Download portals (Express installations)
- Fake updates (malicious sites)
- Browser add-ons (or toolbars)
- Search bars
- Shopping helpers
- Weather apps
- Legitimate software companies (third-party programs included in their installer)
According to PCMag, a PUP “is an application that is installed along with the desired application the user actually asked for. Also called a “barnacle,” in most cases, the PUP is spyware, adware or some other unwanted software. However, what makes spyware or adware a PUP rather than pure malware is the fact that the end user license agreement (EULA) does inform the user that this additional program is being installed. Considering that hardly anyone ever reads the license agreement, the distinction is a subtle one.”
PUPs currently operate within the grey area of the digital realm — hidden and concealed beneath the surface of murky waters. They often appear innocent enough, but frequently contain borderline and undesirable characteristics. Often labeled as spyware or adware, they may contain built in key loggers that record every stroke that you input from your keyboard — or they may look over your shoulder (like a nosy neighbor) and spy on every aspect of your browsing activities. They could also be the introvert PUP, just digging holes in system performance. Yawn.
PUPs currently operate within the grey area of the digital realm — hidden and concealed beneath the surface of murky waters— they often appear innocent enough but frequently contain borderline and undesirable characteristics. Often labeled as spyware or adware: they may contain built in keyloggers, that record every stroke that you input from your keyboard —or they may look over your shoulder (like a nosy neighbor) and spy on every aspect of your browsing activities. They could also be the introvert PUP, just digging holes in system performance. Yawn.
Rod Rotzien of Techwarrior Technologies LLC runs across PUPs pretty much on a daily basis, usually in tandem with malware. “Most of them we’ve found — you can’t just run software to get rid of them. They embed themselves into browser extensions, install into the operating system — so they have to be completely uninstalled. PUPs can hit scheduled tasks, so it’s best to go through the scheduled tasks and remove every instance of them from the tasks list. They also affect Boot Up services, and Msconfig start-up items need to be checked too. Even after removal, if you don’t get every piece of the PUP, they can leave pop-up errors on boot-up that will seek pieces of the ‘software’ that was there before.”
Tricks of the Trade
PUPs also borrow tricks of the trade from malware authors. Malwarebytes discovered that reputable software sources such as Adobe, was being used by a vendor to bundle PUPs with the Adobe Flash Player installer. This particular installer made it mandatory to install PUP.Optional.Vosteran (a browser add-in) replete with numerous pop-up ads that can be displayed in most popular browsers (Chrome, Internet Explorer, and Firefox). This insidious PUP has the ability to collect sensitive information via tracking all online browsing activities. It’s not only annoying, invasive, and privacy-sapping — it is highly profitable for the Vosteran developers too.
“Many companies are turning to creating PUPs as a way of propagating their software nowadays – what many of them do not realize, however, is that this is a very short-sighted approach. While it may work in terms of numbers, they are effectively alienating their potential customers in the long run.” —Maros Mozola, CEO, LIFARS, LLC
A recent client of mine experienced a PUP-over-PUP invasion when one PUP downloaded another PUP. The poor guy had erroneously clicked on a free download manager over at Filehippo.com, (instead of clicking on the legitimate download link). The PUP-over-PUP download manager had all the bases covered in its EULA — deceptive, invasive, and unethical practices abound with these greedy miscreants.
PUPs in Adware
Juraj Partila — an application security senior advisor at the international cybersecurity and digital forensics firm LIFARS LLC — says in general that “adware is becoming a real problem — not just because of its unnecessary memory occupation, frequent CPU use, consumption of data, and privacy intrusion, but also due to its potential to provide an additional vector to have more malware installed. This can happen either because of a bug, through scareware ads, or because a particular malware initially masks itself as useful utility.
“I don’t mind apps showing ads if it is a lite/trial version that I knowingly installed and if the ads are relevant and in good taste,” Partila said. “But it’s infuriating that a legitimate antivirus company installs potentially unwanted browser add on as part of its default installation.”
I did not ask Partila which antivirus company he is referring to, but I think I found a clue over at Emsisoft. Though he mainly provides his expertise in penetration testing, application assessment, code review, and system architecture design, he also prefers to start with a bare-bone OEM installation of a plain vanilla operating system. Some computers with pre-bundled software can come with hidden “bloatware,” Partila says, meaning PUPs.
Mobile devices and PUPs
Andrew Hoog, CEO and co-founder of NowSecure (formerly viaForensics), says that though the definition for potentially unwanted programs typically revolves around adware or spyware, “while that exists to an extent on mobile, like the adware recently discovered, we think that this definition should be much broader. The term ‘potentially unwanted’ in itself should define the category.
“We categorize many of the apps we see on a daily basis as ‘potentially unwanted’ due to their underlying security flaws that leave user data at risk. Gartner has predicted that over 75 percent of mobile apps will fail basic security tests by the end of 2015. That amounts to over 3,000,000 apps. These apps, which are downloadable in the Play and App stores, may leak key user data, such as contacts, geolocation information, usernames, passwords, and more.”
Potentially unwanted apps (PUAs) on mobile devices can pose a significant risk for user security and privacy. I’ve witnessed free game apps display aggressive ads that have the capability of tricking a child or teen to inadvertently click on an advertisement within the game. Why? Because it looks ultra-appealing to youthful and impressionable minds. Some of these mobile apps are so slick at deception and trickery — that they could potentially nab me!
What Can Be Done?
You should always pay special attention to EULAs and read them from top to bottom and bottom to top. Free does not always mean that you are getting the product or service for free. It will end up costing you in the longer term. If you are stubborn and plan to download free bundled software anyway, you should:
- Choose the custom or advanced installation and never accept the *express or standard install.
- When downloading from a portal; look for the link to the actual download (it is generally tiny), and stay away from over-sized flashing download buttons and arrows.
- Use a good antivirus and anti-malware program and keep your system, software, and devices updated on a regular basis.
*If you choose the express installation option — enjoy your PUPs. If the only option offered is an express installation, do not install the product. Always pay close attention to what you are installing, read the EULA, uncheck any boxes that offer other software, and use common sense.
Stronger Mobile App Security
To reduce the increasing numbers of leaky apps, security must be a significant part of the app development life cycle, Hoog says. He offers the following steps to take:
- Educate developers on how to securely code apps.
- Implement security in every facet of app development. It is critical to do it right from the beginning. It saves time and money when you do.
- Test, test, test. He recommends testing your app 99 times before it ever goes to market. Then testing multiple times for every version release afterwards.
- If you can’t do, outsource. No one is an expert at everything. If you’re unsure about how to securely code, or are unable to proficiently test the security of your apps, hire someone who can.
PUPs Are Rising
According to Emsisoft, quick cash is at the core of the PUPs strategic game. More freeware vendors and distributors are distributing PUPs in high volume (than ever before), and some antivirus companies have jumped on the PUPs bandwagon too. What is even more shocking is that Emsisoft tested eight free antivirus suites and only one free antivirus suite was squeaky-clean from PUPs.
PUP producers know that what they do is misleading, freeware vendors know PUPs are highly questionable and antivirus vendors for sure know that it’s unethical. Therefore, all these players will go great lengths to hide the fact that they are bundling PUPs. They will make sure that they fulfill the legal requirements but use any possible way to increase the spread of those unwanted programs. The fact that vendors are willing to put their ethics aside and their reputation at risk for quick cash says a lot. PUP distributors are taking advantage of the average “unknowing” computer user. —Mariska, Emsisoft
It disturbs me that antivirus companies are jumping on the PUP cash cow. What about you? What has your experience been with PUPs? Have your PUPs been mostly innocent and laid-back, or have they been a nasty bunch of curmudgeons?
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit TechPageOne. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.