“We have decided to give our users the option of protecting themselves against the rising number of Android apps which cannot be officially classified as malware, but sit in a legal gray area," explains Malwarebytes' CEO Marcin Kleczynski. "Not only are these pieces of software annoying and needlessly expensive, but they can end up seeing personal data put to dubious use.”
It is the latest iteration of a long running problem for AV companies – what to do with programs that are dual-purpose. A program that is child-monitoring and protective to a parent might be spyware and privacy-threatening to the young adult. When is sponsored advertising so intrusive that the free application is nothing more than a vehicle for making money with what borders on criminal intent?
David Harley, a senior research fellow with ESET, used to call them 'possibly unwanted applications' (PUAs). Fraser Howard at Sophos still calls them PUAs; and points to examples (Android Adload, Airpush, Signature ByPass, MSpy and more) as examples already detected by Sophos. "Having this tier of detections enables customers to much more effectively police what type of software is allowed to be installed on managed devices," he told Infosecurity.
Kaspersky Lab has always detected PUPs. "As a rule," Alexey Chikov, product manager of mobile product line told infosecurity, "we divide such software into two categories: adware for displaying adverts, and riskware with potentially harmful functions such as the ability to secretly send text messages, track a device’s location, etc. Our products detect these types of software as a ‘risk tool’ and give the user the option of installing it or not. This is a standard feature of the antivirus engine in Kaspersky Internet Security for Android, and has been since the very first version of the product.”
As long ago as 2009, an ESET-authored whitepaper discussed some of the issues and problems involved in classifying applications (and apps) as PUAs (and PUPs). "When AV labs note these practices [that is, potentially unwanted practices] and add detection of such applications to their products, this causes a conflict of interests between AV software vendors and the suppliers of such potentially unwanted software. These conflicts sometimes result in legal battles, dragging many people into the decision-making process, including the legal department, and consuming a significant amount of a company’s human and financial resources. The decision to detect such software is in many cases made even more difficult by the users themselves: different individuals, social groups and even nations have very different desires and opinions."
Given this background of increased costs and potential legal problems with blocking what it calls 'PUPs,' Malwarebytes decision to publicly declare it will block them as a category is a brave move. One problem is that what is and what is not a PUP is largely a moral rather than a technical or legal distinction. Malwarebytes clearly accepts this: "Given the nature of such apps, the classification of an app as a PUP will initially be made by a human researcher," says its announcement.
But the ESET whitepaper makes a valid point. "When an AV specialist decides that some piece of software isn’t very much to his liking and that it’s potentially unsafe/unwanted/problematic, the chances are good that he’s right."