What Are PUPs in Malware? Potentially Unwanted Programs Explained
Table of Contents
You installed what you thought was a free PDF converter. Now your browser homepage has changed, ads are appearing where they didn't before, and your system feels sluggish. You probably have a PUP — a Potentially Unwanted Program. Antivirus tools frequently flag these, but many users don't know what the detection means or what to do about it.
Defining PUPs: The Grey Zone¶
A Potentially Unwanted Program (PUP) — sometimes called a Potentially Unwanted Application (PUA) — is software that a user may not have consciously chosen to install, or that performs behaviors users find undesirable once installed.
PUPs differ from traditional malware in one key aspect: technical consent. Unlike a virus or trojan that installs itself without any user interaction, a PUP typically arrives bundled with another program, disclosed in an end-user license agreement (EULA) that almost nobody reads. This technical consent creates legal grey zones that allow PUP distributors to argue their software is legitimate.
In practice, PUPs exhibit many behaviors associated with malware:
- Browser hijacking: Changing your homepage, default search engine, or adding unwanted toolbar extensions
- Adware behavior: Injecting ads into web pages or displaying pop-up advertisements
- System slowdown: Running background processes that consume CPU and RAM
- Data collection: Harvesting browsing history, search queries, and system information
- Difficult removal: Resisting uninstallation through multiple mechanisms
How PUPs Get Onto Your Device¶
Bundled Software (Bundleware)¶
The most common PUP distribution method is software bundling. A free download manager, media player, or system optimizer includes a PUP as an "optional" installation component. The installer pre-checks the PUP's installation checkbox, counting on users clicking "Next" without reading each screen.
Misleading Download Buttons¶
On free software sites, large green "Download" buttons often download an installer wrapper — not the software you wanted. This wrapper installs the desired program alongside several PUPs. The legitimate software serves as bait.
Fake System Alerts¶
PUPs are frequently distributed through browser pop-ups warning that your system is infected or your software is out of date. Clicking the alert downloads a "fix" that is itself a PUP, often an adware-laden fake antivirus.
App Stores and Mobile Platforms¶
Android is particularly affected. Apps on the Google Play Store have been caught displaying excessive ads, collecting more data than disclosed, or functioning as adware. Apple's App Store is more strictly policed but not immune.
Common PUP Categories¶
Browser hijackers like Conduit, Ask Toolbar, and MyWebSearch redirect searches through their own advertising networks and are notoriously difficult to remove completely.
Fake antivirus / scareware products such as MacKeeper (in some configurations), PC Optimizer Pro, and Registry Cleaner programs generate fake scan results to frighten users into purchasing the "full version."
Adware programs like Superfish (famously pre-installed on Lenovo laptops in 2015) inject ads into web traffic and, in Superfish's case, also intercepted HTTPS connections — a critical security vulnerability.
Cryptojackers that arrive as PUPs use your CPU to mine cryptocurrency in the background, slowing your system and increasing electricity consumption.
How to Remove PUPs¶
Windows¶
- Open Settings > Apps > Installed Apps and look for software you don't recognize. Sort by installation date to find recently added items.
- Uninstall suspicious programs — be thorough, as PUPs often install multiple components.
- Check browser extensions in every browser you use (Chrome, Firefox, Edge). Remove anything you didn't intentionally add.
- Run Malwarebytes Free — it specifically targets PUPs and adware that traditional antivirus tools sometimes miss.
- Reset browser settings if hijacking persists: in Chrome, go to Settings > Reset settings.
macOS¶
- Check Applications folder and drag unwanted apps to the Trash.
- Use Malwarebytes for Mac or AdwareMedic to scan for adware components.
- Check System Settings > Login Items for auto-starting PUP components.
- Review Safari/Chrome/Firefox extensions.
Preventing PUP Infections¶
- Always choose Custom or Advanced installation when installing free software — never click "Next" repeatedly.
- Download software only from official developer websites, not from third-party aggregators like Softonic, CNET Downloads, or FileHippo.
- Use a browser extension like uBlock Origin to block adware domains and malicious redirects.
- Enable PUP detection in your antivirus settings — many products have this disabled by default.
FAQ¶
Is a PUP the same as a virus?
No. A virus replicates itself and spreads without consent. A PUP technically has a form of disclosed consent through bundling agreements, though this consent is often obscured.
Should I remove every PUP my antivirus flags?
Generally yes. If you didn't intentionally install it and don't recognize it, remove it.
Can PUPs steal my passwords?
Most PUPs don't function as credential stealers, but some collect browsing data including form-fill information. Some PUPs also serve as doorways for more serious malware.
Why doesn't my antivirus automatically remove PUPs?
Many antivirus vendors don't remove PUPs by default to avoid false positives and legal disputes. You need to enable PUP removal in settings or use a dedicated tool like Malwarebytes.
Are PUPs illegal?
In most jurisdictions, no — because they obtain technical consent through EULAs. However, regulators in the EU and US have taken action against the most aggressive distributors under consumer protection laws.
This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.