Potentially unwanted program

Last updated

A potentially unwanted program (PUP) or potentially unwanted application (PUA) is software that a user may perceive as unwanted or unnecessary. It is used as a subjective tagging criterion by security and parental control products. Such software may use an implementation that can compromise privacy or weaken the computer's security. Companies often bundle a wanted program download with a wrapper application and may offer to install an unwanted application, and in some cases without providing a clear opt-out method. Antivirus companies define the software bundled as potentially unwanted programs [1] [2] which can include software that displays intrusive advertising (adware), or tracks the user's Internet usage to sell information to advertisers (spyware), injects its own advertising into web pages that a user looks at, or uses premium SMS services to rack up charges for the user. [3] [1] A growing number of open-source software projects have expressed dismay at third-party websites wrapping their downloads with unwanted bundles, without the project's knowledge or consent. Nearly every third-party free download site bundles their downloads with potentially unwanted software. [4] The practice is widely considered unethical because it violates the security interests of users without their informed consent. Some unwanted software bundles install a root certificate on a user's device, which allows hackers to intercept private data such as banking details, without a browser giving security warnings. The United States Department of Homeland Security has advised removing an insecure root certificate, because they make computers vulnerable to serious cyberattacks. [5] Software developers and security experts recommend that people always download the latest version from the official project website, or a trusted package manager or app store.

Contents

Origins

Historically, the first big companies working with potentially unwanted programs for creating revenue came up in the US in the mid-2000s, such as Zango. These activities declined after the companies were investigated, and in some cases indicted, by authorities for invasive and harmful installs. [6]

Download Valley

A major industry, dedicated to creating revenue by foisting potentially unwanted programs, has grown among the Israeli software industry and is frequently referred to as Download Valley. These companies are responsible for a large part of the download and install tools, [7] which place unwanted, additional software on users' systems. [8] [9] [10]

Unwanted programs

Unwanted programs have increased in recent years, and one study in 2014 classified unwanted programs as comprising 24.77% of total malware infections. [11] This malware includes adware according to Google. [12] [13] Many programs include unwanted browser add-ons that track which websites a user goes to in order to sell this information to advertisers, or add advertising into web pages. [14] Five percent of computer browser visits to Google-owned websites are altered by computer programs that inject their own ads into pages. [15] [16] [17] Researchers have identified 50,870 Google Chrome extensions and 34,407 programs that inject ads. Thirty-eight percent of extensions and 17 percent of programs were catalogued as malicious software, the rest being potentially unwanted adware-type applications. Some Google Chrome extension developers have sold extensions they made to third-party companies who silently push unwanted updates that incorporate previously non-existent adware into the extensions. [18] [19] [20]

Local proxies

Spyware programs install a proxy server on a person's computer that monitors all web traffic passing through it, tracking user interests to build up a profile and sell that profile to advertisers.

Superfish

Superfish is an advertising injector that creates its own root certificate in a computer operating system, allowing the tool to inject advertising into encrypted Google search pages and track the history of a user's search queries.

In February 2015, the United States Department of Homeland Security advised uninstalling Superfish and its associated root certificate from Lenovo computers, because they make computers vulnerable to serious cyberattacks, including interception of passwords and sensitive data being transmitted through browsers. [5] [21] Heise Security revealed that the Superfish certificate is included in bundled downloads with a number of applications from companies including SAY Media and Lavasoft's Ad-Aware Web Companion. [22]

Browser hijacking

Many companies use browser hijacking to modify a user's home page and search page, to force Internet hits to a particular website and make money from advertisers.[ citation needed ] Some companies steal the cookies in a user's browser, hijacking their connections to websites they are logged into, and performing actions using their account, without the user's knowledge or consent (like installing Android apps).

Fraudulent dialer

Users with dial-up Internet access use modems in their computer to connect to the Internet, and these have been targeted by fraudulent applications that used security holes in the operating system to dial premium numbers.

Many Android devices are targeted by malware that use premium SMS services to rack up charges for users. [23] [24] [25]

Unwanted not by the user

A few classes of software are usually installed knowingly by the user and do not show any automated abusive behavior. However, the Enterprise controlling the computer or the antivirus vendor may consider the program unwanted due to the activities they allow.

Peer-to-peer file sharing programs are sometimes labelled as PUA and deleted due to their alleged links to piracy. In March 2021, Windows Defender started removing uTorrent and qBittorrent, causing widespread user confusion. Microsoft has since updated the PUA database to flag torrent clients on enterprise installations only. [26]

Keygens not tainted by actual malware are also commonly tagged as PUA due to piracy. [27]

Third party websites

In 2015, research by Emsisoft suggested that all free download providers bundled their downloads with potentially unwanted software, and that Download.com was the worst offender. [4] Lowell Heddings expressed dismay that "Sadly, even on Google all the top results for most open source and freeware are just ads for really terrible sites that are bundling crapware, adware, and malware on top of the installer." [28]

Download.com

In December 2011 Gordon Lyon published his strong dislike of the way Download.com had started bundling grayware with their installation managers and concerns over the bundled software, causing many people to spread the post on social networks, and a few dozen media reports. The main problem is the confusion between Download.com-offered content [29] [30] and software offered by original authors; the accusations included deception as well as copyright and trademark violation. [30]

In 2014, The Register and US-CERT warned that via Download.com's "foistware", an "attacker may be able to download and execute arbitrary code". [31]

Sourceforge

Many open-source software developers have expressed frustration and dismay that their work is being packaged by companies that profit from their work by using search advertising to occupy the first result on a search page. Increasingly, these pages are offering bundled installers that include unwanted software, and confuse users by presenting the bundled software as an official download page endorsed by the open source project.

As of early 2016 this is no longer the case. [32] Ownership of SourceForge transferred to SourceForge Media, LLC, a subsidiary of BIZX, LLC (BIZX). [33] After the sale they removed the DevShare program, which means bundled installers are no longer available.

GIMP

In November 2013, GIMP, a free image manipulation program, removed its download from SourceForge, citing misleading download buttons that can potentially confuse customers, as well as SourceForge's own Windows installer, which bundles third-party offers. In a statement, GIMP called SourceForge a once "useful and trustworthy place to develop and host FLOSS applications" that now faces "a problem with the ads they allow on their sites ..." [34] In May 2015, the GIMP for Windows SourceForge project was transferred to the ownership of the "SourceForge Editorial Staff" account and adware downloads were re-enabled. [35] The same happened to the developers of nmap. [36] [37]

In May 2015 SourceForge took control of projects which had migrated to other hosting sites and replaced the project downloads with adware-laden downloads. [38]

Nmap

Gordon Lyon has lost control of the Nmap SourceForge page, with SourceForge taking over the project's page. Lyon stated "So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) and we haven't caught them trojaning Nmap the way they did with GIMP. But we certainly don't trust them one bit! Sourceforge is pulling the same scheme that CNet Download.com tried back when they started circling the drain". [36] [37]

VLC media player

VideoLAN has expressed dismay that users searching for their product see search advertising from websites that offer "bundled" downloads that include unwanted programs, while VideoLAN lacks resources to sue the many companies abusing their trademarks. [28] [39] [40] [41] [42]

See also

Related Research Articles

Adware, often called advertising-supported software by its developers, is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. The software may generate two types of revenue: one is for the display of the advertisement and another on a "pay-per-click" basis, if the user clicks on the advertisement. Some advertisements also act as spyware, collecting and reporting data about the user, to be sold or used for targeted advertising or user profiling. The software may implement advertisements in a variety of ways, including a static box display, a banner display, a full screen, a video, a pop-up ad or in some other form. All forms of advertising carry health, ethical, privacy and security risks for users.

SourceForge is a web service that offers software consumers a centralized online location to control and manage open-source software projects and research business software. It provides source code repository hosting, bug tracking, mirroring of downloads for load balancing, a wiki for documentation, developer and user mailing lists, user-support forums, user-written reviews and ratings, a news bulletin, micro-blog for publishing project updates, and other features.

<span class="mw-page-title-main">VideoLAN</span> Non-profit organization developing software

VideoLAN is a non-profit organization which develops software for playing video and other media formats. It originally developed two programs for media streaming, VideoLAN Client (VLC) and VideoLAN Server (VLS), but most of the features of VLS have been incorporated into VLC, with the result renamed VLC media player.

<span class="mw-page-title-main">FileZilla</span> Free software, cross-platform file transfer protocol application

FileZilla is a free and open-source, cross-platform FTP application, consisting of FileZilla Client and FileZilla Server. Clients are available for Windows, Linux, and macOS. Both server and client support FTP and FTPS, while the client can in addition connect to SFTP servers. FileZilla's source code is hosted on SourceForge.

CNET Download is an Internet download directory website launched in 1996 as a part of CNET. Initially it resided on the domain download.com, and then download.com.com for a while, and is now download.cnet.com. The domain download.com attracted at least 113 million visitors annually by 2008 according to a Compete.com study.

Browser hijacking is a form of unwanted software that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser. A browser hijacker may replace the existing home page, error page, or search engine with its own. These are generally used to force hits to a particular website, increasing its advertising revenue.

<span class="mw-page-title-main">Zango (company)</span>

Zango,, formerly ePIPO, 180solutions and Hotbar, was a software company that provided users access to its partners' videos, games, tools and utilities in exchange for viewing targeted advertising placed on their computers. Zango software is listed as adware by Symantec, and is also labeled as a potentially unwanted program by McAfee. Zango was co-founded by two brothers: Keith Smith, who served as the CEO; and Ken Smith, who served as the CTO.

<span class="mw-page-title-main">Lavasoft</span> Software company of Canada

Adaware, previously known as Lavasoft, is a software development company that produces spyware and malware detection software, including Adaware. It operates as a subsidiary of Avanquest, a division of Claranova.

A browser extension is a software module for customizing a web browser. Browsers typically allow users to install a variety of extensions, including user interface modifications, cookie management, ad blocking, and the custom scripting and styling of web pages.

<span class="mw-page-title-main">Babylon (software)</span> Computer dictionary and translation program

Babylon is a computer dictionary and translation program developed by the Israeli company Babylon Software Ltd. based in the city of Or Yehuda. The company was established in 1997 by the Israeli entrepreneur Amnon Ovadia. Its IPO took place ten years later. It is considered a part of Israel's Download Valley, a cluster of software companies monetizing "free" software downloads through adware. Babylon includes in-house proprietary dictionaries, as well as community-created dictionaries and glossaries. It is a tool used for translation and conversion of currencies, measurements and time, and for obtaining other contextual information. The program also uses a text-to-speech agent, so users hear the proper pronunciation of words and text. Babylon has developed 36 English-based proprietary dictionaries in 21 languages. In 2008–2009, Babylon reported earnings of 50 million NIS through its collaboration with Google.

<span class="mw-page-title-main">CCleaner</span> Suite of utilities for cleaning disk and operating system environment

CCleaner, developed by Piriform Software, is a utility used to clean potentially unwanted files and invalid Windows Registry entries from a computer. It is one of the longest-established system cleaners, first launched in 2004. It was originally developed for Microsoft Windows only, but in 2012, a macOS version was released. An Android version was released in 2014.

Pre-installed software is software already installed and licensed on a computer or smartphone bought from an original equipment manufacturer (OEM). The operating system is usually factory-installed, but because it is a general requirement, this term is used for additional software apart from the bare necessary amount, usually from other sources.

OpenCandy was an adware module and a potentially unwanted program classified as malware by many anti-virus vendors. They flagged OpenCandy due to its undesirable side-effects. It was designed to run during installation of other desired software. Produced by SweetLabs, it consisted of a Microsoft Windows library incorporated in a Windows Installer. When a user installed an application that had bundled the OpenCandy library, an option appeared to install software it recommended based on a scan of the user's system and geolocation. Both the option and offers it generated were selected by default and would be installed unless the user unchecked them before continuing with the installation.

<span class="mw-page-title-main">Chrome Web Store</span> Googles online store for its Chrome web browser

Chrome Web Store is Google's online store for its Chrome web browser. As of 2022, Chrome Web Store hosts about 123,000 extensions and 29,000 themes.

<span class="mw-page-title-main">Genieo</span> Israeli company specializing in Mac malware

Genieo Innovation is an Israeli company, specializing in unwanted software which includes advertising and user tracking software, commonly referred to as a potentially unwanted program, adware, privacy-invasive software, grayware, or malware. They are best known for Genieo, an application of this type. They also own and operate InstallMac which distributes additional 'optional' search modifying software with other applications. In 2014, Genieo Innovation was acquired for $34 million by Somoto, another company which "bundles legitimate applications with offers for additional third party applications that may be unwanted by the user". This sector of the Israeli software industry is frequently referred to as Download Valley.

InstallCore was an installation and content distribution platform created by ironSource, including a software development kit (SDK) for Windows and Mac OS X. The program allowed those using it for distribution to include monetization by advertisements or charging for installation, and made its installations invisible to the user and its anti-virus software.

Superfish was an advertising company that developed various advertising-supported software products based on a visual search engine. The company was based in Palo Alto, California. It was founded in Israel in 2006 and has been regarded as part of the country's "Download Valley" cluster of adware companies. Superfish's software is malware and adware. The software was bundled with various applications as early as 2010, and Lenovo began to bundle the software with some of its computers in September 2014. On February 20, 2015, the United States Department of Homeland Security advised uninstalling it and its associated root certificate, because they make computers vulnerable to serious cyberattacks, including interception of passwords and sensitive data being transmitted through browsers.

Download Valley is a cluster of software companies in Israel, producing and delivering adware to be installed alongside downloads of other software. The primary purpose is to monetize shareware and downloads. These software items are commonly browser toolbars, adware, browser hijackers, spyware, and malware. Another group of products are download managers, possibly designed to induce or trick the user to install adware, when downloading a piece of desired software or mobile app from a certain source.

The SourceForge Installer is a discontinued piece of software that was included in some downloads from SourceForge. It was often bundled with adware and crapware designed to trick people into installing unwanted software. SourceForge has been criticized about its use of this installer. Opinions of this feature vary, with some complaining about users not being as aware of what they are getting or being able to trust the downloaded content, whereas others see it as a reasonably harmless option that keeps individual projects and users in control.

Fireball is a browser hijacking malware discovered by the security company Check Point. It takes over target browsers and turns them into zombies.

References

  1. 1 2 "PUP Criteria". Malwarebytes. Retrieved 13 February 2015.
  2. "Rating the best anti-malware solutions". Arstechnica. 15 December 2009. Retrieved 28 January 2014.
  3. "Threat Encyclopedia – Generic Grayware". Trend Micro. Retrieved 27 November 2012.
  4. 1 2 "Mind the PUP: Top download portals to avoid". EMSISOFT. March 11, 2015. Retrieved May 4, 2015.
  5. 1 2 "U.S. government urges Lenovo customers to remove Superfish software". Reuters. February 20, 2015. Archived from the original on February 20, 2015. Retrieved February 20, 2015.
  6. CDT Files Complaints Against Major Adware Distributor (archived) January 27, 2006
  7. 3. IronSource, Downloads Ltd Calcalist, Assaf Gilad. April 15, 2013
  8. Appelberg, Shelly (8 August 2014). "Israel's Download Valley Companies See Hard Times Ahead". Haaretz.
  9. Hirschauge, Orr (15 May 2014). "Conduit Diversifies Away From 'Download Valley'". Wall Street Journal.
  10. "Meet Israel's low-profile unicorn: ironSource". 18 January 2015.
  11. "62% of the Top 50 Download.com applications bundle toolbars and other PUPs". EMSISOFT blog. 26 Feb 2015.
  12. "Google Investigation: Ad Injection Is Infesting Millions of Devices". adage.com. 4 August 2016.
  13. "Google Research". 2015.
  14. "Malwarebytes Potentially Unwanted Program Criteria". Malwarebytes.
  15. "Ad Injection at Scale: Assessing Deceptive Advertisement Modifications" (PDF). Archived from the original (PDF) on 2015-06-05. Retrieved 2015-06-03.
  16. "Superfish injects ads into 5 percent of all Google page views". PCWorld. 2015-05-07. Retrieved 2016-07-04.
  17. "Superfish injects ads in one in 25 Google page views". CIO. 2015-05-07. Retrieved 2016-07-04.
  18. "Adware vendors buy Chrome Extensions to send ad- and malware-filled updates". Ars Technica. 17 January 2014. Retrieved 20 January 2014.
  19. Winkler, Rolfe (19 January 2014). "Google Removes Two Chrome Extensions Amid Ad Uproar". Wall Street Journal. Retrieved 20 January 2014.
  20. Bruce Schneier (21 Jan 2014). "Adware Vendors Buy and Abuse Chrome Extensions".
  21. "Alert: Lenovo "Superfish" Adware Vulnerable to HTTPS Spoofing". United States Computer Emergency Readiness Team. February 20, 2015. Retrieved February 20, 2015.
  22. "Gefährliche Adware: Mehr als ein Dutzend Anwendungen verbreiten Superfish-Zertifikat" [Dangerous Aware: More than a Dozen Applications spreading Superfish Certificate]. Heise Security . February 24, 2015. Retrieved May 5, 2015.
  23. "Android trojan sends premium SMS messages, targets U.S. users for first time". SC Magazine.
  24. "New malware attack through Google Play". MediaCenter Panda Security. 13 February 2014.
  25. Swati Khandelwal (15 February 2014). "300000 Android Devices infected by Premium SMS-Sending Malware". The Hacker News - Biggest Information Security Channel.
  26. Van der Sar, Ernesto (March 18, 2021). "uTorrent Continues to be Flagged as 'Severe Threat' and It's Not alone". TorrentFreak. Archived from the original on 2021-07-28. Retrieved 1 August 2021.
  27. Microsoft Security Intelligence Report Volume 13, p14
  28. 1 2 "Yes, Every Freeware Download Site is Serving Crapware (Here's the Proof)". HowToGeek.com. 21 Jan 2015. Sadly, even on Google all the top results for most open source and freeware are just ads for really terrible sites that are bundling crapware, adware, and malware on top of the installer. Most geeks will know that they shouldn't click on the ads, but obviously enough people are clicking those ads for them to be able to afford to pay the high per-click prices for Google AdWords.
  29. Brian Krebs (2011-12-06). "Download.com Bundling Toolbars, Trojans?". Krebs on security. Retrieved 2015-05-04.
  30. 1 2 Gordon Lyon (2012-06-27). "Download.com Caught Adding Malware to Nmap & Other Software" . Retrieved 2015-05-04. we suggest avoiding CNET Download.com entirely
  31. Darren Pauli (2014-07-08). "Insecure AVG search tool shoved down users' throats, says US CERT". The Register. Retrieved 2015-05-04. Sneaky 'foistware' downloads install things you never asked for
  32. "SourceForge Acquisition and Future Plans | SourceForge Community Blog". sourceforge.net. 10 February 2016. Retrieved 2016-07-29.
  33. "SourceForge and Slashdot Have Been Sold | FOSS Force". 2016-01-29. Retrieved 2016-07-29.
  34. Sharwood, Simon (November 8, 2013). "GIMP flees SourceForge over dodgy ads and installer". The Register. Retrieved November 21, 2013.
  35. "SourceForge locked in projects of fleeing users, cashed in on malvertising". Ars Technica. Retrieved 2 June 2015.
  36. 1 2 "Sourceforge Hijacks the Nmap Sourceforge Account". Seclists.org. 3 June 2015.
  37. 1 2 Sean Gallagher (4 June 2015). "Black "mirror": SourceForge has now seized Nmap audit tool project". Ars Technica.
  38. "SourceForge grabs GIMP for Windows' account, wraps installer in bundle-pushing adware [Updated]" . Retrieved 2015-05-30.
  39. "These companies that mislead our users". 7 Jul 2011.
  40. "VLC media player suffering in face of crapware and uncaring Google". Geek.com. 7 Jul 2011. Archived from the original on 23 March 2017. Retrieved 3 June 2015.
  41. "VideoLAN Calls Out for Help to Protect Users from VLC Scams". 16 Jul 2011.
  42. "Adware in new installer". The VideoLAN forums.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.