A paper written by two researchers from Montreal’s Concordia University – Xavier de Carné de Carnavalet and Mohammad Mannan – and distributed this month on the ArXiv server, shows that in many cases there is no clear distinction between malware and other less threatening software such as adware.
The Canadian researchers focus specifically on Wajam, a rather disturbing browser extension that presents itself as a search enhancer. As a matter of fact, it injects ads by using the same techniques as malicious software.
“Adware applications are generally not considered as much of a threat as malware,” explain the researchers. “After all, displaying ads is not considered a malicious activity.” Consequently, many anti-virus programs label this type of code as not-a-virus, riskware or PUP.
Wajam’s ad injection relies on browser process injection attacks, anti-analysis and evasion techniques, security policy downgrading, data leaks, and rootkit-style anti-detection features. Over the past four years, its coding flaws exposed people to content injections, man-in-the-middle (MITM) attacks, and remote code execution (RCE).
“The line between adware and malware is a gray area,” said de Carné de Carnavalet in an email sent Friday to The Register. “Actually, the terminology has evolved in the past 15 years. Invasive adware was also considered as spyware, because of all the personal and sensitive data they collect. This was not the taste of adware vendors who filed lawsuits against antivirus companies. Those companies now simply use the terms ‘adware’ or ‘potentially unwanted application’.”
In other words, security companies downgraded the adware problem to a lower priority in order to avoid having to fight legal battles with adware companies (see the Zango case).
Mannan and de Carné de Carnavalet collected 52 samples of the ad injector Wajam over a five-year period spanning 2013 through 2018 and studied its evolution. The samples contained anti-analysis and rootkit-like features worthy of the most advanced malware.
Created in 2011 by Wajam Internet Technologies – Montreal, Wajam was renamed once in 2016 as Social2Search and again in 2017 as SearchAwesome. In 2016 and 2017 Canada’s Office of the Privacy Commissioner (OPC) investigated the company and its software and discovered multiple violations of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). In response to the OPC’s recommendations to remediate, the company sold its assets to Hong Kong-based Iron Mountain Technology.
In an emailed statement to The Register, Canada’s OPC said it is aware of the research paper on Wajam’s functionality. “[…] we found the functionality had more to do with adware than enabling social media searching. […]”.
Several of Wajam’s privacy practices contravene PIPEDA, such as the failure to obtain meaningful consent after the installation of the software, while the software collects and uses personal information. Wajam also prevents users from withdrawing their consent by making the uninstallation procedure difficult, and it repeatedly failed to safeguard users’ data.
With their paper, the two scientists hope to bring the focus back to adware now that the issue has more impact than ever.