Potentially unwanted program

From Infogalactic: the planetary knowledge core
(Redirected from Unwanted software bundling)
Jump to: navigation, search

Unwanted software bundling is bundled software which computer users are fooled into installing along with a wanted program.

Such software can compromise privacy or weaken the computer's security. Companies often bundle a wanted program download with a wrapper application. This may install an unwanted application, without providing a clear opt-out method.[1][2] Unwanted programs often include no sign that they are installed, and no uninstall or opt-out instructions.[3]

Antivirus companies define the software bundled as potentially unwanted programs (PUP)[3][4] which can include software that displays intrusive advertising, or tracks the user's Internet usage to sell information to advertisers, injects its own advertising into web pages that a user looks at, or uses premium SMS services to rack up charges for the user.[5][6] The practice is widely considered unethical because it violates the security interests of users without their informed consent.

Some unwanted software bundles install a root certificate on a user's device, which allows hackers to intercept private data such as banking details, without a browser giving security warnings. The United States Department of Homeland Security has advised removing an insecure root certificate, because they make computers vulnerable to serious cyberattacks.[7]

A growing number of open-source software projects have expressed dismay at third-party websites wrapping their downloads with unwanted bundles, without the project's knowledge or consent. Nearly every third-party free download site bundles their downloads with potentially unwanted software.[8]

Software developers and security experts recommend that people always download the latest version from the official project website, or a trusted package manager or app store.


Historically, the first big companies working with Potentially Unwanted Programs for creating revenue, came up in the USA in the mid-2000s, such as Zango. These activities have declined, after the companies were tackled by authorities for invasive and harmful installs.[9]

Download Valley

A major industry, dedicated to creating revenue by foisting potentially unwanted programs, has grown among the Israeli software industry and is frequently referred to as Download Valley. These companies are responsible for a large part of the download and install tools,[10] which place unwanted, additional software on users' systems. These companies have faced little to no disturbance by authorities.

Unwanted programs

Unwanted programs have increased in recent years, and one study in 2014 classified unwanted programs as comprising 24.77% of total malware infections.[11]

Many programs include unwanted browser add-ons that track which websites a user goes to in order to sell this information to advertisers, or add advertising into web pages.[3] Five percent of computer browser visits to Google owned websites are altered by computer programs that inject their own ads into pages.[12][13][14] Researchers have identified 50,870 Google Chrome extensions and 34,407 programs that injected ads. Thirty-eight percent of extensions and 17 percent of programs were catalogued as malicious software, the rest being potentially unwanted adware-type applications. Some Google Chrome extension developers have sold extensions they made to third-party companies who silently push unwanted updates that incorporate previously non-existent adware into the extensions.[15][16][17]

Local proxies

Spyware programs install a proxy server on a person's computer that monitors all web traffic passing though it, tracking user interests to build up a profile and sell that profile to advertisers.


Superfish is an advertising injector that creates its own root certificate in a computer operating system, allowing the tool to inject advertising into encrypted Google search pages and track the history of a user's search queries.

In February 2015, the United States Department of Homeland Security advised uninstalling Superfish and its associated root certificate, because they make computers vulnerable to serious cyberattacks, including interception of passwords and sensitive data being transmitted through browsers.[7][18] Heise Security has revealed that the Superfish certificate is included in bundled downloads with a number of applications from companies including SAY Media and Lavasoft's Ad-Aware Web Companion.[19]

Browser hijacking

Many companies use browser hijacking to modify a user's home page and search page, to force Internet hits to a particular website and make money from advertisers.[20] Some companies steal the cookies in a user's browser, hijacking their connections to websites they are logged into, and performing actions using their account, without the user's knowledge or consent (like installing Android apps).

Fraudulent dialer

Some users with dial-up Internet access use modems in their computer to connect to the Internet, and these have been targeted by fraudulent applications that used security holes in the operating system to dial up premium numbers.

Many Android devices are targeted by malware that use premium SMS services to rack up charges for users.[21][22][23]

Third party websites

In 2015, research by EMSISOFT suggested that all free download providers bundled their downloads with potentially unwanted software, and that Download.com was the worst offender.[8] Lowell Heddings has expressed dismay that "Sadly, even on Google all the top results for most open source and freeware are just ads for really terrible sites that are bundling crapware, adware, and malware on top of the installer."[24]


In December 2011 Gordon Lyon published his strong dislike of the way Download.com has started bundling grayware with their installation managers and concerns over the bundled software, causing many people to spread the post on social networks, and a few dozen media reports. The main problem is the confusion between Download.com-offered content[25][26] and software offered by original authors; the accusations included deception as well as copyright and trademark violation.[26]

In 2014, The Register and US-CERT warned that via download.com's "foistware", an "attacker may be able to download and execute arbitrary code".[27]


Many open-source software developers have expressed frustration and dismay that their work is being packaged by companies that profit from their work by using search advertising to occupy the first result on a search page. Increasingly, these pages are offering bundled installers that include unwanted software, and confuse users by presenting the bundled software as an official download page endorsed by the open source project.


In November 2013, GIMP, a free image manipulation program, removed its download from SourceForge, citing misleading download buttons that can potentially confuse customers, as well as SourceForge's own Windows installer, which bundles third-party offers. In a statement, GIMP called SourceForge a once "useful and trustworthy place to develop and host FLOSS applications" that now faces "a problem with the ads they allow on their sites ..."[28] In May 2015, the GIMP for Windows SourceForge project was transferred to the ownership of the "SourceForge Editorial Staff" account and adware downloads were re-enabled.[29] The same happened to the developers of nmap.[30][31]

In May 2015 SourceForge took control of projects which had migrated to other hosting sites and replaced the project downloads with adware-laden downloads.[32]


Gordon Lyon has lost control of the Nmap SourceForge page, with SourceForge taking over the project's page. Lyon stated "So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) and we haven't caught them trojaning Nmap the way they did with GIMP. But we certainly don't trust them one bit! Sourceforge is pulling the same scheme that CNet Download.com tried back when they started circling the drain".[30][31]

VLC Media player

VideoLAN has expressed dismay that users searching for their product see search advertising from websites that offer "bundled" downloads that include unwanted programs, while VideoLAN lacks resources to sue the many companies abusing their trademarks.[24][33][34][35][36]

See also


  1. "Facebook: The 'Evil Interface?'". msnbc.com.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  2. "Facebook's "Evil Interfaces"". Electronic Frontier Foundation.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  3. 3.0 3.1 3.2 "Malwarebytes Potentially Unwanted Program Criteria". Malwarebytes.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  4. "Rating the best anti-malware solutions". Arstechnica. Retrieved 28 January 2014.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  5. "Threat Encyclopedia – Generic Grayware". Trend Micro. Retrieved 27 November 2012.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  6. "PUP Criteria". https://www.malwarebytes.org/pup/. Malwarebytes. External link in |website= (help); Missing or empty |url= (help); |access-date= requires |url= (help)<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  7. 7.0 7.1 "U.S. government urges Lenovo customers to remove Superfish software". Reuters. February 20, 2015. Retrieved February 20, 2015.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  8. 8.0 8.1 "Mind the PUP: Top download portals to avoid". EMSISOFT. March 11, 2015. Retrieved May 4, 2015.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  9. CDT Files Complaints Against Major Adware Distributor (archived) January 27, 2006
  10. 3. IronSource, Downloads Ltd Calcalist, Assaf Gilad. April 15, 2013
  11. "62% of the Top 50 Download.com applications bundle toolbars and other PUPs". EMSISOFT blog. 26 Feb 2015.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  12. "Ad Injection at Scale: Assessing Deceptive Advertisement Modifications" (PDF).<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  13. http://www.pcworld.com/article/2920012/superfish-injects-ads-in-one-in-25-google-page-views.html
  14. http://www.cio.com.au/article/574450/superfish-injects-ads-one-25-google-page-views/
  15. "Adware vendors buy Chrome Extensions to send ad- and malware-filled updates". Ars Technica. Retrieved 20 January 2014.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  16. "Google Removes Two Chrome Extensions Amid Ad Uproar". Wall Street Journal. Retrieved 20 January 2014.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  17. Bruce Schneier (21 Jan 2014). "Adware Vendors Buy and Abuse Chrome Extensions".<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  18. "Alert: Lenovo "Superfish" Adware Vulnerable to HTTPS Spoofing". United States Computer Emergency Readiness Team. February 20, 2015. Retrieved February 20, 2015.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  19. "Gefährliche Adware: Mehr als ein Dutzend Anwendungen verbreiten Superfish-Zertifikat". Heise Security. February 24, 2015. Retrieved May 5, 2015. Unknown parameter |trans_title= ignored (help)<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  20. Rudis Muiznieks. "Exploiting Android Users for Fun and Profit". The Code Word.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  21. "Android trojan sends premium SMS messages, targets U.S. users for first time". SC Magazine.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  22. "New malware attack through Google Play". MediaCenter Panda Security.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  23. Swati Khandelwal (15 February 2014). "300000 Android Devices infected by Premium SMS-Sending Malware". The Hacker News - Biggest Information Security Channel.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  24. 24.0 24.1 "Yes, Every Freeware Download Site is Serving Crapware (Here's the Proof)". HowToGeek.com. 21 Jan 2015. Sadly, even on Google all the top results for most open source and freeware are just ads for really terrible sites that are bundling crapware, adware, and malware on top of the installer. Most geeks will know that they shouldn’t click on the ads, but obviously enough people are clicking those ads for them to be able to afford to pay the high per-click prices for Google AdWords.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  25. Brian Krebs (2011-12-06). "Download.com Bundling Toolbars, Trojans?". Krebs on security. Retrieved 2015-05-04.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  26. 26.0 26.1 Gordon Lyon (2012-06-27). "Download.com Caught Adding Malware to Nmap & Other Software". Retrieved 2015-05-04. we suggest avoiding CNET Download.com entirely<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  27. Darren Pauli (2014-07-08). "Insecure AVG search tool shoved down users' throats, says US CERT". The Register. Retrieved 2015-05-04. Sneaky 'foistware' downloads install things you never asked for<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  28. Sharwood, Simon (November 8, 2013). "GIMP flees SourceForge over dodgy ads and installer". The Register. Retrieved November 21, 2013.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  29. "SourceForge locked in projects of fleeing users, cashed in on malvertising". Ars Technica. Retrieved 2 June 2015.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  30. 30.0 30.1 "Sourceforge Hijacks the Nmap Sourceforge Account". Seclists.org. 3 June 2015.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  31. 31.0 31.1 Sean Gallagher (4 June 2015). "Black "mirror": SourceForge has now seized Nmap audit tool project". Ars Technica.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  32. "SourceForge grabs GIMP for Windows' account, wraps installer in bundle-pushing adware [Updated]". Retrieved 2015-05-30.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  33. "These companies that mislead our users". 7 Jul 2011.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  34. "VLC media player suffering in face of crapware and uncaring Google". Geek.com. 7 Jul 2011.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  35. "VideoLAN Calls Out for Help to Protect Users from VLC Scams". 16 Jul 2011.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  36. "Adware in new installer". The VideoLAN forums.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>