CR | May 13, 2019

Privacy and Security Risks of "Not-a-Virus" Bundled Adware: The Wajam Case

arXiv:1905.05224v2 | 2 citations
Originality: Incremental advance
AI Analysis

This study highlights significant privacy and security risks for users infected by adware, which is often dismissed as 'not-a-virus', showing it can be as harmful as traditional malware.

The paper tackles the problem of adware being overlooked as a security threat by analyzing Wajam, a successful adware business, over six years, revealing its capabilities such as low detection rates, privacy leaks like plaintext browser histories, and security risks including remote code execution vulnerabilities.

Comprehensive case studies on malicious code mostly focus on botnets and worms (recently revived with IoT devices), prominent pieces of malware or Advanced Persistent Threats, exploit kits, and ransomware. However, adware seldom receives such attention. Previous studies on "unwanted" Windows applications, including adware, favored breadth of analysis, uncovering ties between different actors and distribution methods. In this paper, we demonstrate the capabilities, privacy and security risks, and prevalence of a particularly successful and active adware business: Wajam, by tracking its evolution over nearly six years. We first study its multi-layer antivirus evasion capabilities, a combination of known and newly adapted techniques, that ensure low detection rates of its daily variants, along with prominent features, e.g., traffic interception and browser process injection. Then, we look at the privacy and security implications for infected users, including plaintext leaks of browser histories and keyword searches on highly popular websites, along with arbitrary content injection on HTTPS webpages and remote code execution vulnerabilities. Finally, we study Wajam's prevalence through the popularity of its domains. Once considered as seriously as spyware, adware is now merely called "not-a-virus", "optional" or "unwanted" although its negative impact is growing. We emphasize that the adware problem has been overlooked for too long, which can reach (or even surpass) the complexity and impact of regular malware, and pose both privacy and security risks to users, more so than many well-known and thoroughly-analyzed malware families.
