Let adware be treated as malware, Canuck boffins declare after breaking open Wajam ad injector

Analysis The technology industry has numerous terms for sneaky software, including malware, adware, spyware, ransomware, and the ever adorable PUPs – potentially unwanted programs. But there isn't always a clear difference between malware and less threatening descriptors.

In a research paper distributed this month through pre-print server ArXiv, a pair of researchers from Concordia University in Montreal, Canada – Xavier de Carné de Carnavalet and Mohammad Mannan – show that in the case of software known as Wajam, these categorical distinctions obscure how adware relies on the same untrustworthy techniques as malicious code.

"Adware applications are generally not considered as much of a threat as malware," the researchers say, pointing to anti-virus applications that label the code as not-a-virus, riskware, unwanted program or PUP. "After all, displaying ads is not considered a malicious activity. Consequently, adware has received less scrutiny from the malware research community."

The Canadian boffins argue that needs to change because Wajam, which injects ads into browser traffic, uses techniques employed by malware: browser process injection attacks (man-in-the-browser) seen in the Zeus banking Trojan, anti-analysis and evasion techniques, anti-detection features seen in rootkits, security policy downgrading and data leakage.

Also, over the past four years, the code has contained flaws that expose people using it to arbitrary content injection, man-in-the-middle (MITM) attacks, and remote code execution (RCE). Yet security companies remain reticent to apply the term malware too liberally because companies making dubious software have a history of suing. Recall in 2005 how spyware biz Zango, now defunct, sued Zone Labs for calling its software what it was.

"The line between adware and malware is a gray area," said de Carné de Carnavalet, a doctoral candidate in information and systems engineering at Concordia University in an email to The Register on Friday.

"Actually, the terminology has evolved in the past 15 years. Invasive adware was also considered as spyware, because of all the personal and sensitive data they collect. This was not the taste of adware vendors who filed lawsuits against antivirus companies. Those companies now simply use the terms 'adware' or 'potentially unwanted application.'"

"As a result, both antivirus companies and researchers rank the adware problem as a lower priority than, let's say, ransomware, and even tend to leave it out. We hope to bring back the focus on this issue. It is still there, and it now has even more impact than before."

He adds that his paper also touches on vulnerabilities in adware. "It can have serious vulnerabilities, and nobody has incentives to report or fix them," he said.

Waja doin' with that sample?

Working with professor Mohammad Mannan, de Carné de Carnavalet collected 52 samples of the ad injector Wajam – which has gone by different names over the years – spanning from 2013 through 2018 in order to study its chronological evolution. The samples contain more sophisticated anti-analysis and rootkit-like features than would be typically found in the most advanced malware.

Wajam, created by Montreal-based Wajam Internet Technologies, was first released in October 2011, the paper explains, and was rebranded as Social2Search in May 2016, then renamed SearchAwesome in August 2017.

In 2016 and 2017, the Office of the Privacy Commissioner (OPC) of Canada investigated the company and its software and found multiple violations of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). It made a series of recommendations to remediate violations, only to have the company sell its assets to Hong Kong-based Iron Mountain Technology Limited.

In a statement emailed to The Register, a spokesperson for Canada's OPC said the agency is aware of the Wajam research paper and its analysis of the software.

"Our investigation looked at the matter through a more narrow privacy lens," the OPC spokesperson said. "During our investigation, we found the functionality had more to do with adware than enabling social media searching. In other words, the intent of the software was to serve ads to the user which is not, in itself, contrary to PIPEDA provided it is done in accordance with certain legal principles."

"On the other hand, we generally view malware as malicious software that can be harmful to computer users and their devices," the OPC spokesperson added. "It can include various types of program which may install computer viruses, spyware, ransomware, can recruit computers into botnets or lead to crypto-currency mining (to name a few examples)."

The OPC spokesperson said several of Wajam's privacy practices contravene PIPEDA, such as the company's failure to obtain meaningful consent to the installation of the software, which resulted in the collection and use of personal information. The OPC also found the company prevented users from withdrawing their consent by making the software difficult to uninstall and by failing to take measures to safeguard users' personal information.

It's not going away

Despite these findings, eight years on, Wajam lives on, under an assumed name and a different legal jurisdiction. The Register emailed Iron Mountain Technology in the hope of discussing the software but we've not heard back.

"Advertising is not inherently bad, nor malicious," said de Carné de Carnavalet. "The ads displayed by Wajam are not known to be malicious either. However, Wajam could be considered as malicious due to the personal data it collects, insecurely, from users, including their browsing and download histories, and all search queries that the user makes."

He notes that it's doubtful users of Wajam, Social2Search or SearchAwesome would allow the software to operate as it does if they understood how it works and how it collects information.

In a phone interview with The Register, Andrew Crocker, senior staff attorney at the Electronic Frontier Foundation, said some of his colleagues have been arguing that sneaky software, now commonly employed by governments in addition to the marketers and cyber criminals, should be looked for common behavior rather than separated by prefixes like adware or ransomware.

"If you install software against the users wishes or without the users' knowledge, that's the behavior of malware," he said, pointing to the Computer Fraud and Abuse Act, the Wiretap Act, and the Electronic Communications Privacy Act as potential avenues for legal challenges.

There have been a few high-profile cases involving adware, most recently Lenovo's $7.3m settlement last year that it distributed Superfish adware on its PCs. But law enforcement authorities don't go after browser history thieves with the same passion as credit card thieves or raiders of government databases.

To mitigate the threat posed by adware, de Carné de Carnavalet argues more effort should be made to warn people attempting to install adware and that desktop platforms should adopt some of the same permission disclosures presented to mobile device users.

"You can't stop someone from writing an 'unwanted program,'" he said. "But such programs can be more seriously considered and better detected." ®