Want Instagram on your PC? Watch out for PUPs


There’s something to be said for a smartphone app that has in less than 4 years managed to acquire more than 200 million users – 40.5 million of which log on at least once a month.  They call it Instagram, and its overwhelming popularity proves just how much people like to take pictures with their smartphones and share them with the world.

Google Instagram, and besides the latest tabloids about celebrities using it to post provocative selfies, you’ll find a few more pertinent links that convey a lot of information. The first one will be Instagram.com, and if you go to it from your PC you’ll find a landing page that encourages you to download the Instagram app to your smartphone. Scroll down a bit on your Google Search, and you’ll also find the Instagram Wikipedia page, which in its History section states that in 2012 Facebook bought Instagram for a modest 1 billion American dollars.

So what do we have here?

A lot of users, a lot of money, and a lot of room for malware.

Instagram PUPs Designed for the PC

That over 40 million people log on to Instagram at least once a month makes for quite the mobile malware target. Instagram is itself an app – designed to help its users share their photos with family and friends through both the Instagram network and through an automatic sync to Facebook, Twitter, and Tumblr. Imagine, then, if a malware author decided to create a malicious app designed to pilfer Instagram credentials. In one fell swoop, that author could gain access to every single one of your social media profiles and wreak digital-identity havoc.

Scenarios like these are exactly why we have created Emsisoft Mobile Security.

Such scenarios don’t have much to do with your PC or PUPs, though – and, since both of those terms are contained within the  title of this article, the Instagram malware rabbit hole indeed goes deeper.

First a word on PUPs: they are potentially unwanted programs that usually come bundled with other, legitimate software. They are designed primarily for the purpose of advertisement, and in addition to slowing down your computer they can be extremely annoying. PUPs are not legally malware, but they come pretty darn close. (For more on PUPs, see our Security Knowledgebase: What is a PUP? or A Typical Day at Emsisoft’s HQ, which recounts our CEO’s real-life encounter with a PUP Peddler.)

Now: What if someone made a PUP for Instagram?

There’s no doubt that marketers have targeted the hugely popular app as the next ad-mecca, so what’s to stop the makers of PUPs from doing the same? According to a recent insight from one of our rivals, absolutely nothing at all. It’s already happening, and it’s hinging on the fact that Instagram isn’t instantaneously accessible via PC. Established users can log on to Instagram from their PC, but first time users can really only set up an Instagram account by downloading the app to their smartphone. This leaves a window of opportunity for PUP authors to target new Instagram users who want to set up an account through their PC.

For example:

  1. Say you hear about Instagram (from an article like this one ;) and you Google it while on your computer.
  2. You visit Instagram.com and find out that it’s an app, meant for your smartphone.
  3. You don’t like downloading apps or smartphones but you still want to try Instagram, so you go back to Google.
  4. You search for ways to get “Instagram for PC.”
  5. You download an Instagram “PC Installer” PUP, the nefarious author of which knew you were going to use the search term listed in #4.

It might sound like a round about way to distribute malicious software, but with over 200 million fish in the barrel it’s a low effort strategy to PUP payoff – particularly as Instagram grows in popularity and continues to attract less tech-savvy users.

Protecting Yourself from Social PUPs

PUPsPUPs might sound harmless or even downright silly, but if your computer collects enough of them it will slow down to a crawl. For this reason, Emsisoft Anti-Malware features PUP prevention technology which can recognize and protect you from 1000s of these not-so malware advertising schemes.

We go through this effort because Instagram PUPs are simply one of too-many potentially unwanted programs circulating the web, essentially parasitizing the success of legitimate websites and applications. In the social media centric world we live in, there are endless opportunities for PUP authors to attach their creations to new trends and cash in with advertisements that slow down your computer.

For this reason, in addition to running a PUP-aware anti-malware, you should always take care to READ BEFORE YOU INSTALL. Most PUPs hide in the fine print – which is an excellent place to remain undetected in a world of character restricted commentary and tweets.

Have a Great (PUP-Free) Day!

  • Legend

    It is so true, that a potentially unwanted program, can cause a true havoc on a pc, or any other digital device,… that can be as damaging as malware. What I expect as a paying customer from an Av vendor,… is that it will inform me if there is more than one program bundle in a download. So that I at least have a chance, to opt out form the download, so I can choose another download site. It is nice to see, that Emsisoft take that part as seriously as their heuristics detection. Because I truly don’t think that a user that has downloaded a PUP, that easily can contain 2 or 3 more potentially unwanted programs in the wrapped download, will distinguish between PUP or malware, but see this, as an actually malware infection.

  • Dontrell M’BuluBulu

    Most people don’t read the fine print, so THANKS EMSISOFT!!

  • Kael.

    Several times Google Chrome has installed itself, by stealth, on my system and it can be difficult to do a total removal – I actually had to use, XP Add/Remove Programs, two registry cleaning programs as well as a manual search/deletion in order to clean my system. As far as I am now concerned GC is, and always will be, a PUP and Google, as a company, is definitely suspect. I finally discovered that when my (generally respected) AV program updates I am given the option to ‘Reboot now’ or ‘Reboot later’ in order to cmplete the update. At the bottom of that page, in very, very faint, grey print is some small text and a small box which, if not unchecked, instructs the computer to reboot and also install Google Chrome – this to me is about as unethical as it can get.


    • Kael that in NOT Google Chrome, its either Google Chrome you did NOT download from Google’s site rapped with malware or perhaps a virus.

      • Kael.

        ANDREW – It was Google Chrome, not a virus (I scanned it with two top AV programs and then used it briefly) and it certainly came in with my AV updates. I am currently awaiting the comments from my AV provider.

        LORIE LEE – I totally agree – it is difficult, however, to check something that one can hardly see (blame eyesight) because it is almost invisible.


  • Legend

    A small hint from me to those who want to boost their defence against PUPs. It’s a small free program called ” Unchecky “. Just Google it , and see it on youtube in action.

  • Lorie Lee

    One of our biggest computer/smartphone rules in my home is “No downloading ANYTHING without letting Mom read the checkboxes first”!! It’s saved our devices many times. And a big thankyou to Emsisoft for great mal ware! My computer was infected with a browser hijacker that I couldn’t get rid of, and you guys did the job first time around! Very easy to use too. Thanks again!