Knowing when it’s worth the risk: riskware explained

Knowing when it’s worth the risk: riskware explained

If there’s one thing I like more than trivia quizzes, it’s quotes. Positive, inspirational, and motivational quotes. Quotes that impart a degree of ancient wisdom, or those that make you stop and consider. Reading them melts our fears, sorrows, and feelings of inadequacy away.

Some of the most inspiring quotes urge us to take risks in order to find meaning. If you don’t take risks, they say, you won’t be able to achieve remarkable things. The biggest risk, they say, is not taking a risk at all.

But when it comes to computer security, all that goes out the window. Taking risks on software you download onto your devices is not a recipe for success. Even if the programs are inherently benign, some may have features that can be used against you by those with malicious intent. No good can come of that.

What are these risky programs you’re talking about?

Did I lose you at “quotes?” That’s alright. These software programs that contain features that can easily be abused are known as riskware. They may come pre-installed on your computing device or they are downloaded and installed by malware.

How can something legit be a risk?

Such software was designed to have powerful features so it can do what it was programmed to do. Unfortunately, those same features can be used and/or abused by threat actors as part of a wider attack or campaign against a target. Riskware contains loopholes or vulnerabilities that can be exploited by cybercriminals and the threats they develop.

For example, there are monitoring apps available in the market that private individuals, schools, and businesses use to look after their loved ones, watch what their students are doing, or check employee activities. Those with ill intent could take over these apps to stalk certain individuals or capture sensitive information via logging keystrokes.

Read: When spyware goes mainstream

Riskware can be on mobile devices, too. On Android, there are apps created with an auto-install feature that have system-level rights and come pre-installed on devices; therefore, they cannot be removed (but can be disabled). The auto-installer we detect as Android/PUP.Riskware.Autoins.Fota, however, cannot be manually deactivated. Once exploited, it can be used to secretly auto-install malware onto susceptible devices.

Note that if you install software that your anti-malware program detects as riskware, then you need only make sure your security program is updated to stay safe.

How can you tell which software is riskware?

There are varying levels of malicious intent and capabilities for all software. In fact, any program should be assumed to have potential flaws and vulnerabilities that can be exploited. However, there are criteria for determining what is considered malware vs. riskware, and which software is deemed “safe.”

Pieter Arntz, malware intelligence researcher and riskware expert, makes this clear when he said that riskware can be classified based on the risks to data and devices involved.

“In my opinion, there are a few major categories of riskware, and you can split them up by type of risk they introduce,” Arntz said. “Some bring risk to the system because they introduce extra vulnerabilities, such as unlicensed Windows with updates disabled. Some bring risk to the user because having them is forbidden by law in some countries, such as hacking tools.”

Arntz continues: “Some monitor user behavior. When this is by design, a software may be labelled as riskware rather than spyware. Some bring risk to the system because they are usually accompanied by real malware, and their presence can be indicative of an infection. [And] some bring risk to the user because their use is against the Terms of Service of other software on the system, such as cracks.”

What’s the difference between riskware and PUPs?

Riskware and potentially unwanted programs (PUPs) are similar in that their mere presence could open systems up to exploitation. So, it’s no surprise that users might liken one to the other. However, there are different criteria for classifying riskware and PUPs.

Programs might be termed riskware because they put the user at risk in some way by:

  • Violating the terms of service (ToS) of other software or a user platform on the device.
  • Blocking another application or software from being updated and patched.
  • Being illegal in the user’s country.
  • Potentially being used as a backdoor for other malware.
  • Being indicative of the presence of other malware.

Whereas programs might be considered PUPs because:

  • They may have been installed without the user’s consent.
  • They may be supported by aggressive advertisements.
  • They may be bundlers or part of a bundle.
  • They may be misleading or offer a false sense of security.

Regardless of whether a program is a PUP or riskware, it’s important to evaluate critically whether or not the software is as useful and relevant as it is a nuisance or a potential risk.

Should I keep quarantined riskware or remove it?

If your anti-malware program detects and quarantines riskware, you likely have a choice whether or not to keep it. Our advice is to make a decision based on whether or not you installed the riskware yourself and then, if you did, weighing the benefits of the app against the risks outlined in the detection.

If riskware was installed without the user’s knowledge, it’s possible the software is part of an attack ensemble delivered by malware. I’d be more worried about the presence of malware in this case, and would delete the offending riskware.

If you want your anti-malware to stop detecting software you use that is classified as riskware, see if you can configure your security solution to exclude the file or whitelist it. That way, the software won’t be detected in the future. Want to know how to do this with your Malwarebytes product? Go here.

Stay safe out there!


Jovi Umawing

Knows a bit about everything and a lot about several somethings. Writes about those somethings, usually in long-form.