Analyzing "Not-a-Virus" Bundled Adware: The Wajam Case

Case studies on malicious code mostly focus on botnets and worms (recently revived with IoT devices), prominent pieces of malware or Advanced Persistent Threats, exploit kits, ransomware, yet very little has been done on adware. Previous studies on "unwanted" applications, including adware, favored breadth of analysis, uncovering ties between different actors and distribution methods. We investigate the evolution over nearly six years of a particularly successful and active adware business: Wajam. As of 2016, revealed by the Office of the Privacy Commissioner of Canada, Wajam had "hundreds of millions of installations" and collected 400TB of private information from users. We gather 52 samples of Wajam, released between 2013 to 2018, and analyze the technical evolution from a simple browser add-on to full-fledged obfuscated malware including rootkit, browser process injection, and antivirus evasion capabilities. We uncover its strategy to ensure a low detection rate, which heavily relies on numerous layers of encryption, and more recently on steganography. Furthermore, Wajam leaks the browsing histories of four major browsers, along with the keywords searched by users on highly popular websites. It is also vulnerable to arbitrary content injection on HTTPS webpages, and likely to remote code execution. We show evidence that Wajam is a widespread threat, actively maintained with daily obfuscated samples that are poorly detected by antivirus engines. More worrisome, we found the same evasion techniques in another piece of adware, suggesting that they could be provided by a third-party, and reused in other cases. Finally, we conclude that the adware problem has been overlooked for too long, which can reach (or even surplus) the complexity of advanced malware, and pose both privacy and security risks to users, more so than many well-known and thoroughly-analyzed malware families.