Hao Pan,Lanqing Yang,Honglu Li,Chuang-Wen You,Xiaoyu Ji,Yi-Chao Chen,Zhenxian Hu,Guangtao Xue

DOI: https://doi.org/10.1109/secon52354.2021.9491601

2021-01-01

Abstract:Various characteristics of mobile applications (apps) and associated in-app services have been used reveal potentially-sensitive user information; however, privacy concerns have prompted third-party apps to rigorously restrict access to data related to mobile app usage. This paper outlines a novel approach to the extraction of detailed app usage information based on analysis of the electromagnetic (EM) signals emitted from mobile devices when executing app-related tasks. Note that this type of EM leakage becomes high-complex when multiple apps are used simultaneously and is subject to interference from geomagnetic signals generated by device movement. This paper proposes a deep learning-based multi-label classification system to identify apps and in-app services based on magnetometer readings. The proposed MAGTHIEF system uses accelerometer and gyroscope data to cancel out the offset in geomagnetic signals followed by an elaborate deep region convolution neural network (DRCNN) to differentiate among multiple apps and the corresponding inapp services. Experiments on 50 apps demonstrated the efficacy of MAGTHIEF in identifying multiple apps and in-app services, achieving high average macro F1 scores of 0.87 and 0.95, respectively. MAGTHIEF also achieved time duration accuracy of 89.5% in recognizing app trajectory in the real-world scene.

Wu Zhou,Yajin Zhou,Xuxian Jiang,Peng Ning

DOI: https://doi.org/10.1145/2133601.2133640

2012-01-01

Abstract:Recent years have witnessed incredible popularity and adoption of smartphones and mobile devices, which is accompanied by large amount and wide variety of feature-rich smartphone applications. These smartphone applications (or apps), typically organized in different application marketplaces, can be conveniently browsed by mobile users and then simply clicked to install on a variety of mobile devices. In practice, besides the official marketplaces from platform vendors (e.g., Google and Apple), a number of third-party alternative marketplaces have also been created to host thousands of apps (e.g., to meet regional or localization needs). To maintain and foster a hygienic smartphone app ecosystem, there is a need for each third-party marketplace to offer quality apps to mobile users. In this paper, we perform a systematic study on six popular Android-based third-party marketplaces. Among them, we find a common "in-the-wild" practice of repackaging legitimate apps (from the official Android Market) and distributing repackaged ones via third-party marketplaces. To better understand the extent of such practice, we implement an app similarity measurement system called DroidMOSS that applies a fuzzy hashing technique to effectively localize and detect the changes from app-repackaging behavior. The experiments with DroidMOSS show a worrisome fact that 5% to 13% of apps hosted on these studied marketplaces are repackaged. Further manual investigation indicates that these repackaged apps are mainly used to replace existing in-app advertisements or embed new ones to "steal" or re-route ad revenues. We also identify a few cases with planted backdoors or malicious payloads among repackaged apps. The results call for the need of a rigorous vetting process for better regulation of third-party smartphone application marketplaces.

Jianyu Wang,Chunming Wu

DOI: https://doi.org/10.1177/0020294020970213

2020-01-01

Abstract:Given users and products that he/she reviews, can we recognize fake reviews just using the text information, or determine whether a reviewer is a fraud or not? Automatically detecting fake reviews and reviewers is an urgent problem and lots of work attempts for discovering linguistics, behaviors and graph patterns. However, in reality, there are new kinds of fraudsters who can change their behaviors to camouflage as genuine reviewers to avoid detection systems. With the fraudsters become distributed, dynamic, and adversarial, anti-spam tasks face a new challenge. In this paper, we tackle the challenge of adversarial fraudsters in online app review platform and propose a system called DDF (Detect, Defense, and Forecast) to uncover camouflage accounts. Firstly, we select a small set of seed with high-precision based on text and behavior features; Secondly, we build our graph-based detection model for uncovering hidden (distant) users who serve structurally similar to the seed by utilizing Graph Convolutional Network (GCN) algorithm. Thirdly, we evaluate DDF using real-world data set from Tencent APP Store and analyze the potential fraudsters detected by DDF. It is worth mentioning that precision can achieve 0.95+. Finally, we validate the efficiency and scalability of DDF and show that it can be well transferred to other anti-spam tasks.

Yajin Zhou,Zhi Wang,Wu Zhou,Xuxian Jiang

2012-01-01

Abstract:In this paper, we present a systematic study for the detection of malicious applications (or apps) on popular Android Markets. To this end, we first propose a permissionbased behavioral footprinting scheme to detect new samples of known Android malware families. Then we apply a heuristics-based filtering scheme to identify certain inherent behaviors of unknown malicious families. We implemented both schemes in a system called DroidRanger. The experiments with 204, 040 apps collected from five different Android Markets in May-June 2011 reveal 211 malicious ones: 32 from the official Android Market (0.02% infection rate) and 179 from alternative marketplaces (infection rates ranging from 0.20% to 0.47%). Among those malicious apps, our system also uncovered two zero-day malware (in 40 apps): one from the official Android Market and the other from alternative marketplaces. The results show that current marketplaces are functional and relatively healthy. However, there is also a clear need for a rigorous policing process, especially for non-regulated alternative marketplaces.

Zhuo Chen,Jie Liu,Yuxia Hu,Lei Wu,Yajin Zhou,Xianhao Liao,Ke Wang

DOI: https://doi.org/10.48550/arxiv.2209.01317

2022-01-01

Abstract:This paper focuses on mobile apps serving the underground economy by providing illegal services in the mobile system (e.g., gambling, porn, scam). These apps are named as underground economy apps, or UEware for short. As most UEware do not have malicious payloads, traditional malware detection approaches are ineffective to perform the detection. To address this problem, we propose a novel approach to effectively and efficiently detect UEware by considering the transition orders of the user interfaces (UIs), which determine the usage scenarios of these apps. Based on the proposed approach, we design a system named DeUEDroid to detect the UEware via scene graph. To evaluate DeUEDroid, we collect 26, 591 apps to evaluate DeUEDroid and build up the first large-scale ground-truth UEware dataset (1, 720 underground economy apps and 831 legitimate apps). The evaluation result shows that DeUEDroid can construct scene graph accurately, and achieve the accuracy scores of 77.70% on the five-classification task (i.e., gambling game, porn, financial scam, miscellaneous, and legitimate apps), reaching obvious improvements over the SOTA approaches. Running further on 24, 017 apps, DeUEDroid performs well in the real-world scenario to mitigate the threat. Specifically, by using DeUEDroid, we found that UEware are prevalent, i.e., 61% apps in the wild and 21% apps in the app stores are UEware (with over 72% accuracy after the manual investigation). We will release our dataset and system to engage the community after been accepted.

Wu Zhou,Yajin Zhou,Michael C. Grace,Xuxian Jiang,Shihong Zou

DOI: https://doi.org/10.1145/2435349.2435377

2013-01-01

Abstract:Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create so-called "piggybacked" apps and advertise them in various app markets to infect unsuspecting users. To detect them, existing approaches typically employ pair-wise comparison, which unfortunately has limited scalability. In this paper, we present a fast and scalable approach to detect these apps in existing Android markets. Based on the fact that the attached payload is not an integral part of a given app's primary functionality, we propose a module decoupling technique to partition an app's code into primary and non-primary modules. Also, noticing that piggybacked apps share the same primary modules as the original apps, we develop a feature fingerprint technique to extract various semantic features (from primary modules) and convert them into feature vectors. We then construct a metric space and propose a linearithmic search algorithm (with O(n log n) time complexity) to efficiently and scalably detect piggybacked apps. We have implemented a prototype and used it to study 84,767 apps collected from various Android markets in 2011. Our results show that the processing of these apps takes less than nine hours on a single machine. In addition, among these markets, piggybacked apps range from 0.97% to 2.7% (the official Android Market has 1%). Further investigation shows that they are mainly used to steal ad revenue from the original developers and implant malicious payloads (e.g., for remote bot control). These results demonstrate the effectiveness and scalability of our approach.

Weili Han,Chang Cao,Hao Chen,Dong Li,Zheran Fang,Wenyuan Xu,X. Sean Wang

DOI: https://doi.org/10.1109/tdsc.2017.2768536

2020-01-01

Abstract:Sensors are widely used in modern mobile devices (e.g., smartphones, watches) and may gather abundant information from environments as well as about users, e.g., photos, sounds and locations. The rich set of sensor data enables various applications (e.g., health monitoring) and personalized apps as well. However, the powerful sensing abilities provide opportunities for attackers to steal both personal sensitive data and commercial secrets like never before. Unfortunately, the current design of smart devices only provides a coarse access control on sensors and does not have the capability to audit sensing. We argue that knowing how often the sensors are accessed and how much sensor data are collected is the first-line defense against sensor data breach. Such an ability is yet to be designed. In this paper, we propose a framework that allows users to acquire sensor data usages. In particular, we leverage a hook-based track method to track sensor accesses. Thus, with no need to change the source codes of the Android system and applications, we can intercept sensing operations to graphic sensors, audio sensors, location sensors, and standard sensors, and audit them from four aspects: flow audit, frequency audit, duration audit and invoker audit. Then, we implement a prototype, referred to as senDroid, which visually shows the quantitative usages of these sensors in real time at a performance overhead of [0.04-8.05] percent. senDroid allows Android users to audit the applications even when they bypass the Android framework via JNI invocations or when the malicious codes are dynamically loaded from the server side. Our empirical study on 1,489 popular apps in three well-known Android app markets shows that 26.32 percent apps access sensors when the apps are launched, and 11.01 percent apps access sensors while the apps run in the background. Furthermore, we analyze the relevance between sensor usage patterns and third-party libraries, and reverse-engineering on suspicious third-party libraries shows that 77.27 percent apps access sensors via third-party libraries. Our results call attentions to address the users' privacy concerns caused by sensor access.

Hao Zhou,Haoyu Wang,Yajin Zhou,Xiapu Luo,Yutian Tang,Lei Xue,Ting Wang

DOI: https://doi.org/10.1145/3324884.3416637

2020-01-01

Abstract:Smartphone vendors are using multiple methods to kill processes of Android apps to reduce the battery consumption. This motivates developers to find ways to extend the liveness time of their apps, hence the name diehard apps in this paper. Although there are blogs and articles illustrating methods to achieve this purpose, there is no systematic research about them. What's more important, little is known about the prevalence of diehard apps in the wild. In this paper, we take a first step to systematically investigate diehard apps by answering the following research questions. First, why and how can they circumvent the resource-saving mechanisms of Android? Second, how prevalent are they in the wild? In particular, we conduct a semi -automated analysis to illustrate insights why existing methods to kill app processes could be evaded, and then systematically present 12 diehard methods. After that, we develop a system named DiehardDetector to detect diehard apps in a large scale. The experimental result of applying DiehardDetector to more than 80k Android apps downloaded from Google Play showed that around 21 % of apps adopt various diehard methods. Moreover, our system can achieve high precision and recall.

Michael C. Grace,Yajin Zhou,Qiang Zhang,Shihong Zou,Xuxian Jiang

DOI: https://doi.org/10.1145/2307636.2307663

2012-01-01

Abstract:ABSTRACTSmartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide in the sheer number of other normal apps, which makes their detection challenging. Existing mobile anti-virus software are inadequate in their reactive nature by relying on known malware samples for signature extraction. In this paper, we propose a proactive scheme to spot zero-day Android malware. Without relying on malware samples and their signatures, our scheme is motivated to assess potential security risks posed by these untrusted apps. Specifically, we have developed an automated system called RiskRanker to scalably analyze whether a particular app exhibits dangerous behavior (e.g., launching a root exploit or sending background SMS messages). The output is then used to produce a prioritized list of reduced apps that merit further investigation. When applied to examine 118,318 total apps collected from various Android markets over September and October 2011, our system takes less than four days to process all of them and effectively reports 3281 risky apps. Among these reported apps, we successfully uncovered 718 malware samples (in 29 families) and 322 of them are zero-day (in 11 families). These results demonstrate the efficacy and scalability of RiskRanker to police Android markets of all stripes.

Tong Zhu,Yan Meng,Haotian Hu,Xiaokuan Zhang,Minhui Xue,Haojin Zhu

DOI: https://doi.org/10.1145/3460120.3484546

2021-09-15

Abstract:Although the use of pay-per-click mechanisms stimulates the prosperity of the mobile advertisement network, fraudulent ad clicks result in huge financial losses for advertisers. Extensive studies identify click fraud according to click/traffic patterns based on dynamic analysis. However, in this study, we identify a novel click fraud, named humanoid attack, which can circumvent existing detection schemes by generating fraudulent clicks with similar patterns to normal clicks. We implement the first tool ClickScanner to detect humanoid attacks on Android apps based on static analysis and variational AutoEncoder (VAE) with limited knowledge of fraudulent examples. We define novel features to characterize the patterns of humanoid attacks in the apps' bytecode level. ClickScanner builds a data dependency graph (DDG) based on static analysis to extract these key features and form a feature vector. We then propose a classification model only trained on benign datasets to overcome the limited knowledge of humanoid attacks. We leverage ClickScanner to conduct the first large-scale measurement on app markets (i.e.,120,000 apps from Google Play and Huawei AppGallery) and reveal several unprecedented phenomena. First, even for the top-rated 20,000 apps, ClickScanner still identifies 157 apps as fraudulent, which shows the prevalence of humanoid attacks. Second, it is observed that the ad SDK-based attack (i.e., the fraudulent codes are in the third-party ad SDKs) is now a dominant attack approach. Third, the manner of attack is notably different across apps of various categories and popularities. Finally, we notice there are several existing variants of the humanoid attack. Additionally, our measurements demonstrate the proposed ClickScanner is accurate and time-efficient (i.e., the detection overhead is only 15.35% of those of existing schemes).

Cryptography and Security

Shaoyong Du,Minrui Zhao,Jingyu Hua,Hang Zhang,Xiaoyu Chen,Zhiyun Qian,Sheng Zhong

DOI: https://doi.org/10.1109/tdsc.2021.3068209

2022-01-01

Abstract:As the mobile era matures, it is increasingly competitive to market mobile apps, forcing companies to invest heavily on mobile user acquisition campaigns. This has unfortunately given birth to a new form of Internet fraud, which we refer to as “app distribution fraud”. This new fraud involves collusion between ISPs and fraudulent app distributors where app download is hijacked/redirected. In this article, we have the unique opportunity to cooperate with a major e-commerce company (with about 0.2 billion active users per month) to take a first peek at this problem. Through the nationwide measurement results, we find that app distribution fraud is ubiquitous yet stealthy — about 1.55 percent app downloads are hijacked/redirected, affecting more than 75 percent of the cities we tested and causing an estimated 7.46 billion U.S. dollars financial loss per year. We follow up with additional measurements on the technical mechanism of the fraud and the scope of the fraud (i.e., what other apps are also affected). Surprisingly, we find that sometimes the original app a user intends to download can be replaced with a completely different app, rendering the user's device at risks.

Geng Hong,Zhemin Yang,Sen Yang,Xiaojing Liao,Xiaolin Du,Min Yang,Haixin Duan

DOI: https://doi.org/10.1109/sp46214.2022.9833665

2022-01-01

Abstract:With the growth of mobile computing techniques, mobile gambling scams have seen a rampant increase in the recent past. In mobile gambling scams, miscreants deliver scamming messages via mobile instant messaging, host scam gambling platforms on mobile apps, and adopt mobile payment channels. To date, there is little quantitative knowledge about how this trending cybercrime operates, despite causing daily fraud losses estimated at more than ${\$}$522,262 USD. This paper presents the first empirical study based on ground-truth data of mobile gambling scams, associated with 1,461 scam incident reports and 1,487 gambling scam apps, spanning from January 1, 2020 to December 31, 2020. The qualitative and quantitative analysis of this ground-truth data allows us to characterize the operational pipeline and full fraud kill chain of mobile gambling scams. In particular, we study the social engineering tricks used by scammers and reveal their effectiveness. Our work provides a systematic analysis of 1,068 confirmed Android and 419 iOS scam apps, including their development frameworks, declared permissions, compatibility, and backend network infrastructure. Perhaps surprisingly, our study unveils that public online app generators have been abused to develop gambling scam apps. Our analysis reveals several payment channels (ab)used by gambling scam app and uncovers a new type of money mule-based payment channel with the average daily gambling deposit of ${\$}$400,000 USD. Our findings enable a better understanding of the mobile gambling scam ecosystem, and suggest potential avenues to disrupt these scam activities.

Yitian (Sky) Liang,Xinlei (Jack) Chen,Yuxin Chen,Ping Xiao,Jinglong Zhang

DOI: https://doi.org/10.1016/j.ijresmar.2023.09.003

IF: 8.047

2024-01-01

International Journal of Research in Marketing

Abstract:Ad fraud has serious consequences for brands. It also contaminates academic research if scholars neglect a significant level of ad fraud in their data. However, only limited theoretical work has addressed this topic, and empirical research is scarce. In this article, we take a first step to document empirical patterns of mobile ad fraud using two datasets. The datasets are commonly available to buyers of advertising services, and the types of ad fraud studied are significant in the advertising market. We identify some app and campaign characteristics correlated with ad fraud, and uncover methods used by fraudsters to conceal the fraud. They often make the ad fraud proportional to the daily traffic but lowering the ratio of ad fraud on high-traffic days. However, when traffic is unstable, they change strategy to use ad fraud to smooth out the traffic. Meanwhile, in advertising campaigns, the fraudsters allocate most part of fraud during the middle of campaign period, an attempt to reduce the risk of being detected. These findings not only help practitioners and academic researchers determine the extent of ad fraud in the data but also provide stylized facts for future research on theoretical modeling of ad fraud.

Feng Dong,Haoyu Wang,Yuanchun Li,Yao Guo,Li,Shaodong Zhang,Guoai Xu

2017-01-01

Abstract:Previous studies on mobile ad fraud detection are limited to detecting certain types of ad fraud (e.g., placement fraud and click fraud). Dynamic interactive ad fraud has never been explored by previous work. In this paper, we propose an explorative study of ad fraud in Android apps. We first created a taxonomy of existing mobile ad fraud. Besides static placement fraud, we also created a new category called dynamic interactive fraud and found three new types of them. Then we propose FrauDroid, a new approach to detect ad fraud based on user interface (UI) state transition graph and networking traffic. To achieve accuracy and scalability, we use an optimized exploration strategy to traverse the UI states that contain ad views, and design a set of heuristic rules to identify kinds of ad fraud. Experiment results show that FrauDroid could achieve a precision of 80.9\% and it is capable of detecting all the 7 types of mobile ad fraud. We then apply FrauDroid to more than 80,000 apps from 21 app markets to study the prevalene of ad fraud. We find that 0.29\% of apps that use ad libraries are identified containing frauds, with 23 ad networks suffering from ad fraud. Our finding also suggests that Dynamic interactive fraud is more prevalent than static placement fraud in real world apps.

Zhuo Chen,Lei Wu,Yubo Hu,Jing Cheng,Yufeng Hu,Yajin Zhou,Zhushou Tang,Yexuan Chen,Jinku Li,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2023.3329205

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Mobile applications (apps) are extensively involved in online scams. Previous studies mainly target malicious apps that either compromise victims' devices ( e.g. , malware and ransomware), or lead to privacy leakage and abuse ( e.g. , creepware). Recently, an emerging kind of app makes profits by providing scam services rather than compromising devices or abusing privacy . We name these apps as scamware due to their deceptive behavior, which poses a new threat to (mobile) users. However, the characteristics and the ecosystem of scamware remain mysterious. This paper takes the first step toward systematically studying scamware. In total, 1262 ground-truth scamware are collected from December 1, 2020, to May 1, 2022. Specifically, we first investigate the social tricks used by scamware, and then analyze the participants and their relationships to demystify the ecosystem behind scamware. Finally, we reveal the scamware development features to facilitate the detection of scamware. Our study also gives some interesting findings, e.g. , 1) the crowd-sourcing strategy is adopted to develop scamware, i.e. , the scammers are the core members, while other participants are hired as peripherals; and 2) the online app generators have been abused to facilitate development; and 3) the money mule based payment is prevalent, and the case study shows the money flow is around $ 2593346 per day. We believe that our findings will facilitate the community and law enforcement agencies to mitigate this threat, and we will release the source code of our tools to engage the community.

Nestor Hernandez,Ruben Recabarren,Bogdan Carbunar,Syed Ishtiaque Ahmed

DOI: https://doi.org/10.48550/arXiv.2111.10400

2021-11-19

Cryptography and Security

Abstract:Online app search optimization (ASO) platforms that provide bulk installs and fake reviews for paying app developers in order to fraudulently boost their search rank in app stores, were shown to employ diverse and complex strategies that successfully evade state-of-the-art detection methods. In this paper we introduce RacketStore, a platform to collect data from Android devices of participating ASO providers and regular users, on their interactions with apps which they install from the Google Play Store. We present measurements from a study of 943 installs of RacketStore on 803 unique devices controlled by ASO providers and regular users, that consists of 58,362,249 data snapshots collected from these devices, the 12,341 apps installed on them and their 110,511,637 Google Play reviews. We reveal significant differences between ASO providers and regular users in terms of the number and types of user accounts registered on their devices, the number of apps they review, and the intervals between the installation times of apps and their review times. We leverage these insights to introduce features that model the usage of apps and devices, and show that they can train supervised learning algorithms to detect paid app installs and fake reviews with an F1-measure of 99.72% (AUC above 0.99), and detect devices controlled by ASO providers with an F1-measure of 95.29% (AUC = 0.95). We discuss the costs associated with evading detection by our classifiers and also the potential for app stores to use our approach to detect ASO work with privacy.

Yangyu Hu,Haoyu Wang,Yajin Zhou,Yao Guo,Li Li,Bingxuan Luo,Fangren Xu

DOI: https://doi.org/10.48550/arXiv.1807.04901

2018-07-13

Abstract:In this work, we are focusing on a new and yet uncovered way for malicious apps to gain profit. They claim to be dating apps. However, their sole purpose is to lure users into purchasing premium/VIP services to start conversations with other (likely fake female) accounts in the app. We call these apps as fraudulent dating apps. This paper performs a systematic study to understand the whole ecosystem of fraudulent dating apps. Specifically, we have proposed a three-phase method to detect them and subsequently comprehend their characteristics via analyzing the existing account profiles. Our observation reveals that most of the accounts are not managed by real persons, but by chatbots based on predefined conversation templates. We also analyze the business model of these apps and reveal that multiple parties are actually involved in the ecosystem, including producers who develop apps, publishers who publish apps to gain profit, and the distribution network that is responsible for distributing apps to end users. Finally, we analyze the impact of them to users (i.e., victims) and estimate the overall revenue. Our work is the first systematic study on fraudulent dating apps, and the results demonstrate the urge for a solution to protect users.

Computers and Society,Cryptography and Security

Yang Yang,Yuhong Xu,Yizhou Sun,Yuxiao Dong,Fei Wu,Yueting Zhuang

DOI: https://doi.org/10.1109/tkde.2019.2924431

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:The rapid development of modern communication technologies—in particular, (mobile) phone communications—has largely facilitated human social interactions and information exchange. However, the emergence of telemarketing frauds can significantly dissipate individual fortune and social wealth, resulting in a potential slow down or damage to economics. In this work, we propose to spot telemarketing frauds, with an emphasis on unveiling the "precise fraud" phenomenon and the strategies that are used by fraudsters to precisely select targets. To study this problem, we employ a one-month complete dataset of telecommunication metadata in Shanghai with 54 million users and 698 million call logs. Through our study, we find that user's information might have been seriously leaked, and fraudsters have a preference over the target user's age and activity in mobile network. We further propose a novel semi-supervised learning framework to distinguish fraudsters from non-fraudsters. Experimental results on a real-world data show that our approach outperforms several state-of-the-art algorithms in accuracy of detecting fraudsters (e.g., $+0.278$<math>+0.278</math> in terms of F1 on average). We believe that our study can potentially inform policymaking for government and mobile service providers.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Shuai Li,Zhemin Yang,Guangliang Yang,Hange Zhang,Nan Hua,Yurui Huang,Min Yang

2023-01-01

Abstract:Recent years have witnessed the rapid development of mobile services, spanning almost every field. To characterize users and provide personalized and targeted services, user tag sharing, which labels users and shares their data, is becoming increasingly popular. Its security attracts more and more attention, and a series of privacy issues have been reported in several specific services. However, up to now, there still lacked a thorough and comprehensive understanding of the characteristics and security of user tag sharing. In this work, we conduct a systematic study of user tag sharing and its security. We first model user tag sharing with three phases, and discover that the privacy security issue commonly exists in practice. We generalize and formalize the privacy issue as user tag spoofing. Then, we propose a novel network-level smart fuzzing approach, called UTSFuzzer, against user tag spoofing. The key idea behind UTSFuzzer is to explore a large number of valid user tag values as input to imitate user tag spoofing against real-world mobile services. By applying UTSFuzzer on a large scale of real-world popular apps, we verify the effectiveness of UTSFuzzer and unveil that 100 mobile apps (including 115 mobile services) are vulnerable to user tag spoofing. The accumulated installations of all affected apps (users) reach more than 413 million. Additionally, UTSFuzzer shows user tag spoofing can cause serious attack efforts, including economic loss and user activity monitoring.

Sha Zhao,Feng Xu,Yizhi Xu,Xiaojuan Ma,Zhiling Luo,Shijian Li,Anind Dey,Gang Pan

DOI: https://doi.org/10.1007/s42486-019-00011-4

2019-01-01

CCF Transactions on Pervasive Computing and Interaction

Abstract:Smartphone applications (Abbr. apps) have become an indispensable part in our everyday lives. Users determine what apps to use depending on their personal needs and interests. Users with different attributes may have different needs, making it natural for their app usage behaviors to be different. The differences in app usage behaviors among users make it possible to infer their attributes. Knowing such differences could help improve mobile user experiences by enhancing smart services and devices. In this paper, we present an empirical study of investigating smartphone user differences on a large-scale dataset of recently used app lists from 106,672 Android users from China. We first investigate the user differences in app usage behaviors with respect to their attributes (gender, age, and income level). We find significant differences in app usage frequency, app usage with time context and functions. We then extract corresponding features from app usage records to infer the attributes of each user, and investigate the predictive ability of individual features and combinations of different individual features. We achieve the accuracy of 83.29% for gender, 69.94% for age (four age ranges) and 71.43% for income level (three income levels) with the best set of features, respectively. Finally, we discuss the implications of our findings and the limitations of this work.