Yuhao Gao,Haoyu Wang,Li Li,Xiapu Luo,Guoai Xu,Xuanzhe Liu

DOI: https://doi.org/10.1145/3442381.3449932

2021-01-01

Abstract:Mobile gambling app, as a new type of online gambling service emerging in the mobile era, has become one of the most popular and lucrative underground businesses in the mobile app ecosystem. Since its born, mobile gambling app has received strict regulations from both government authorities and app markets. However, to the best of our knowledge, mobile gambling apps have not been investigated by our research community. In this paper, we take the first step to fill the void. Specifically, we first perform a 5-month dataset collection process to harvest illegal gambling apps in China, where mobile gambling apps are outlawed. We have collected 3,366 unique gambling apps with 5,344 different versions. We then characterize the gambling apps from various perspectives including app distribution channels, network infrastructure, malicious behaviors, abused third-party and payment services. Our work has revealed a number of covert distribution channels, the unique characteristics of gambling apps, and the abused fourth-party payment services. At last, we further propose a "guilt-by-association" expansion method to identify new suspicious gambling services, which help us further identify over 140K suspicious gambling domains and over 57K gambling app candidates. Our study demonstrates the urgency for detecting and regulating illegal gambling apps.

Zhuo Chen,Lei Wu,Yubo Hu,Jing Cheng,Yufeng Hu,Yajin Zhou,Zhushou Tang,Yexuan Chen,Jinku Li,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2023.3329205

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Mobile applications (apps) are extensively involved in online scams. Previous studies mainly target malicious apps that either compromise victims' devices ( e.g. , malware and ransomware), or lead to privacy leakage and abuse ( e.g. , creepware). Recently, an emerging kind of app makes profits by providing scam services rather than compromising devices or abusing privacy . We name these apps as scamware due to their deceptive behavior, which poses a new threat to (mobile) users. However, the characteristics and the ecosystem of scamware remain mysterious. This paper takes the first step toward systematically studying scamware. In total, 1262 ground-truth scamware are collected from December 1, 2020, to May 1, 2022. Specifically, we first investigate the social tricks used by scamware, and then analyze the participants and their relationships to demystify the ecosystem behind scamware. Finally, we reveal the scamware development features to facilitate the detection of scamware. Our study also gives some interesting findings, e.g. , 1) the crowd-sourcing strategy is adopted to develop scamware, i.e. , the scammers are the core members, while other participants are hired as peripherals; and 2) the online app generators have been abused to facilitate development; and 3) the money mule based payment is prevalent, and the case study shows the money flow is around $ 2593346 per day. We believe that our findings will facilitate the community and law enforcement agencies to mitigate this threat, and we will release the source code of our tools to engage the community.

Michael C. Grace,Yajin Zhou,Qiang Zhang,Shihong Zou,Xuxian Jiang

DOI: https://doi.org/10.1145/2307636.2307663

2012-01-01

Abstract:ABSTRACTSmartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide in the sheer number of other normal apps, which makes their detection challenging. Existing mobile anti-virus software are inadequate in their reactive nature by relying on known malware samples for signature extraction. In this paper, we propose a proactive scheme to spot zero-day Android malware. Without relying on malware samples and their signatures, our scheme is motivated to assess potential security risks posed by these untrusted apps. Specifically, we have developed an automated system called RiskRanker to scalably analyze whether a particular app exhibits dangerous behavior (e.g., launching a root exploit or sending background SMS messages). The output is then used to produce a prioritized list of reduced apps that merit further investigation. When applied to examine 118,318 total apps collected from various Android markets over September and October 2011, our system takes less than four days to process all of them and effectively reports 3281 risky apps. Among these reported apps, we successfully uncovered 718 malware samples (in 29 families) and 322 of them are zero-day (in 11 families). These results demonstrate the efficacy and scalability of RiskRanker to police Android markets of all stripes.

Zhuo Chen,Jie Liu,Yuxia Hu,Lei Wu,Yajin Zhou,Xianhao Liao,Ke Wang

DOI: https://doi.org/10.48550/arxiv.2209.01317

2022-01-01

Abstract:This paper focuses on mobile apps serving the underground economy by providing illegal services in the mobile system (e.g., gambling, porn, scam). These apps are named as underground economy apps, or UEware for short. As most UEware do not have malicious payloads, traditional malware detection approaches are ineffective to perform the detection. To address this problem, we propose a novel approach to effectively and efficiently detect UEware by considering the transition orders of the user interfaces (UIs), which determine the usage scenarios of these apps. Based on the proposed approach, we design a system named DeUEDroid to detect the UEware via scene graph. To evaluate DeUEDroid, we collect 26, 591 apps to evaluate DeUEDroid and build up the first large-scale ground-truth UEware dataset (1, 720 underground economy apps and 831 legitimate apps). The evaluation result shows that DeUEDroid can construct scene graph accurately, and achieve the accuracy scores of 77.70% on the five-classification task (i.e., gambling game, porn, financial scam, miscellaneous, and legitimate apps), reaching obvious improvements over the SOTA approaches. Running further on 24, 017 apps, DeUEDroid performs well in the real-world scenario to mitigate the threat. Specifically, by using DeUEDroid, we found that UEware are prevalent, i.e., 61% apps in the wild and 21% apps in the app stores are UEware (with over 72% accuracy after the manual investigation). We will release our dataset and system to engage the community after been accepted.

Yajin Zhou,Xuxian Jiang

DOI: https://doi.org/10.1109/sp.2012.16

2012-01-01

Abstract:The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.

Zheyuan Gu,Gaopeng Gou,Chang Liu,Chen Yang,Xiyuan Zhang,Zhen Li,Gang Xiong

DOI: https://doi.org/10.1016/j.comnet.2024.110278

IF: 5.493

2024-01-01

Computer Networks

Abstract:Mobile gambling apps, as a new type of online gambling service, have not only enriched people’s online entertainment activities but also brought about negative impacts for both individuals and society. Existing gambling app detection methods mainly extract static content-based characteristics, such as vision and textual features, to mine the key information from the user interface to detect gambling apps. In this paper, we are the first to introduce a dynamic communication characteristic-based approach by utilizing encrypted traffic analysis. Firstly, we conduct an analysis of the communication characteristics of 175 popular gambling apps in China, and unveil their important server domain name randomization and inter-app level familial characteristics, which cannot be well-leveraged by previous encrypted traffic analysis methods. Based on the analysis results, we design HeCGamb, a Heterogeneous Communication Graph-based method to enhance the Gambling app detection performance. HeCGamb models the inter-flow relations from various traffic flows to mine the flow-level communication patterns of gambling apps. Based on the inter-flow relations, HeCGamb further constructs inter-app relations to utilize the app-level familial characteristics. Finally, the multi-view semantic information from both servers and apps with inter-app relations are fused to generate the app node representations to comprehensively leverage the characteristics from server domains and familial apps. Extensive experiments not only demonstrate the superior performance(94.1% F1-score and 96.8% AUC score in open world) of HeCGamb, but also highlight its potential in gambling industry chain tracking.

Wei Liu,Yueqian Zhang,Zhou Li,Hai-Xin Duan

DOI: https://doi.org/10.1145/2994459.2994472

2016-01-01

Abstract:We studied a new type of fraudulent activities, usage fraud, on Android platform in this paper. Different from previous fraud on mobile platforms targeting advertisers or mobile users, usage fraud was invented to boost usage statistics on third-party analytics platforms like Google Analytics to cheat investors. To understand the business model and infrastructures employed by the fraudsters, we infiltrated two underground services, Laicaimao and Anzhibao. A number of insights have been gained during this course, including the use of emulators and manipulation of user identifiers. In addition, we evaluated the efficacy of the existing fraud services and the defense status quo on 8 popular analytics platforms. Our result indicates that the fraud services are indeed capable of crafting valid usage numbers and the basic checks are missed by analytics platforms. We give several recommendations in the end and call for the contribution from the community to fight against this new type of fraud.

Wenbo Yang,Juanru Li,Yuanyuan Zhang,Dawu Gu

DOI: https://doi.org/10.1016/j.jisa.2019.102358

IF: 4.96

2019-01-01

Journal of Information Security and Applications

Abstract:The massive growth of smart mobile devices has attracted numerous apps to embed third-party in-app payment, which involves more sophisticated interactions between multiple participants compared to traditional payments. Therefore, such payment is error prone and could be exploited easily, leading to serious financial deceptions. To investigate current third-party mobile payment ecosystem and find potential security threats, we conduct an in-depth analysis against China–world’s largest mobile payment market. We study four mainstream third-party mobile payment cashiers, and conclude unified process models. We also summarize the security rules that must be regulated by cashiers and merchants and illustrate four types of attacks if violating these rules. Besides, we also detect seven cases of security rule violation on both Android and iOS platform. Our detection result shows that hundreds of popular apps violate at least one security rule, and hence face with various security risks, allowing attackers to consume commodities or services without purchasing them or deceiving others to pay for them. Our further investigation reveals that cashiers as well as merchants should be responsible for those vulnerable cases. We also performed proof-of-concept attacks in real world, reported these issues to all involved parties and helped them fix the vulnerabilities.

Shaoyong Du,Minrui Zhao,Jingyu Hua,Hang Zhang,Xiaoyu Chen,Zhiyun Qian,Sheng Zhong

DOI: https://doi.org/10.1109/tdsc.2021.3068209

2022-01-01

Abstract:As the mobile era matures, it is increasingly competitive to market mobile apps, forcing companies to invest heavily on mobile user acquisition campaigns. This has unfortunately given birth to a new form of Internet fraud, which we refer to as “app distribution fraud”. This new fraud involves collusion between ISPs and fraudulent app distributors where app download is hijacked/redirected. In this article, we have the unique opportunity to cooperate with a major e-commerce company (with about 0.2 billion active users per month) to take a first peek at this problem. Through the nationwide measurement results, we find that app distribution fraud is ubiquitous yet stealthy — about 1.55 percent app downloads are hijacked/redirected, affecting more than 75 percent of the cities we tested and causing an estimated 7.46 billion U.S. dollars financial loss per year. We follow up with additional measurements on the technical mechanism of the fraud and the scope of the fraud (i.e., what other apps are also affected). Surprisingly, we find that sometimes the original app a user intends to download can be replaced with a completely different app, rendering the user's device at risks.

Hao Yang,Kun Du,Yubao Zhang,Shuang Hao,Zhou Li,Mingxuan Liu,Haining Wang,Haixin Duan,Yazhou Shi,Xiaodong Su,Guang Liu,Zhifeng Geng,Jianping Wu

DOI: https://doi.org/10.1145/3359789.3359817

2019-01-01

Abstract:The popularity of online gambling could bring negative social impact, and many countries ban or restrict online gambling. Taking China for example, online gambling violates Chinese laws and hence is illegal. However, illegal online gambling websites are still thriving despite strict restrictions, since they are able to make tremendous illicit profits by trapping and cheating online players. In this paper, we conduct the first deep analysis on illegal online gambling targeting Chinese to unveil its profit chain. After successfully identifying more than 967,954 suspicious illegal gambling websites, we inspect these illegal gambling websites from five aspects, including webpage structure similarity, SEO (Search Engine Optimization) methods, the abuse of Internet infrastructure, third-party online payment, and gambling group. Then we conduct a measurement study on the profit chain of illegal online gambling, investigating the upstream and downstream of these illegal gambling websites. We mainly focus on promotion strategies, third-party online payment, the abuse of third-party live chat services, and network infrastructures. Our findings shed the light on the ecosystem of online gambling and help the security community thwart illegal online gambling.

Yangyu Hu,Haoyu Wang,Li Li,Yao Guo,Guoai Xu,Ren He

DOI: https://doi.org/10.1109/SANER.2019.8668035

2019-01-01

Abstract:Have you ever thought of earning profits from the apps that you are using on your mobile device? It is actually achievable thanks to many so-called money-making apps, which pay app users to complete tasks such as installing another app or clicking an advertisement. To the best of our knowledge, no existing studies have investigated the characteristics of moneymaking apps. To this end, we conduct the first exploratory study to understand the features and implications of money-making apps. We first propose a semi-automated approach aiming to harvest money-making apps from Google Play and alternative app markets. Then we create a taxonomy to classify them into five categories and perform an empirical study from different aspects. Our study reveals several interesting observations: (1) moneymaking apps have become the target of malicious developers, as we found many of them expose mobile users to serious privacy and security risks. Roughly 26% of the studied apps are potentially malicious. (2) these apps have attracted millions of users, however, many users complain that they are cheated by these apps. We also revealed that ranking fraud techniques are widely used in these apps to promote the ranking of apps inside app markets. (3) these apps usually spread inappropriate and malicious contents, while unsuspicious users could get infected. Our study demonstrates the emergency for detecting and regulating this kind of apps and protect mobile users.

Sen Chen,Lingling Fan,Guozhu Meng,Ting Su,Minhui Xue,Yinxing Xue,Yang Liu,Lihua Xu

DOI: https://doi.org/10.48550/arXiv.1805.05236

2020-02-18

Abstract:Mobile banking apps, belonging to the most security-critical app category, render massive and dynamic transactions susceptible to security risks. Given huge potential financial loss caused by vulnerabilities, existing research lacks a comprehensive empirical study on the security risks of global banking apps to provide useful insights and improve the security of banking apps. Since data-related weaknesses in banking apps are critical and may directly cause serious financial loss, this paper first revisits the state-of-the-art available tools and finds that they have limited capability in identifying data-related security weaknesses of banking apps. To complement the capability of existing tools in data-related weakness detection, we propose a three-phase automated security risk assessment system, named AUSERA, which leverages static program analysis techniques and sensitive keyword identification. By leveraging AUSERA, we collect 2,157 weaknesses in 693 real-world banking apps across 83 countries, which we use as a basis to conduct a comprehensive empirical study from different aspects, such as global distribution and weakness evolution during version updates. We find that apps owned by subsidiary banks are always less secure than or equivalent to those owned by parent banks. In addition, we also track the patching of weaknesses and receive much positive feedback from banking entities so as to improve the security of banking apps in practice. To date, we highlight that 21 banks have confirmed the weaknesses we reported. We also exchange insights with 7 banks, such as HSBC in UK and OCBC in Singapore, via in-person or online meetings to help them improve their apps. We hope that the insights developed in this paper will inform the communities about the gaps among multiple stakeholders, including banks, academic researchers, and third-party security companies.

Cryptography and Security

Yangyu Hu,Haoyu Wang,Yajin Zhou,Yao Guo,Li Li,Bingxuan Luo,Fangren Xu

DOI: https://doi.org/10.48550/arXiv.1807.04901

2018-07-13

Abstract:In this work, we are focusing on a new and yet uncovered way for malicious apps to gain profit. They claim to be dating apps. However, their sole purpose is to lure users into purchasing premium/VIP services to start conversations with other (likely fake female) accounts in the app. We call these apps as fraudulent dating apps. This paper performs a systematic study to understand the whole ecosystem of fraudulent dating apps. Specifically, we have proposed a three-phase method to detect them and subsequently comprehend their characteristics via analyzing the existing account profiles. Our observation reveals that most of the accounts are not managed by real persons, but by chatbots based on predefined conversation templates. We also analyze the business model of these apps and reveal that multiple parties are actually involved in the ecosystem, including producers who develop apps, publishers who publish apps to gain profit, and the distribution network that is responsible for distributing apps to end users. Finally, we analyze the impact of them to users (i.e., victims) and estimate the overall revenue. Our work is the first systematic study on fraudulent dating apps, and the results demonstrate the urge for a solution to protect users.

Computers and Society,Cryptography and Security

Zainul Abi Din,Hari Venugopalan,Henry Lin,Adam Wushensky,Steven Liu,Samuel T. King

DOI: https://doi.org/10.48550/arXiv.2106.14861

2021-06-28

Cryptography and Security

Abstract:App builders commonly use security challenges, a form of step-up authentication, to add security to their apps. However, the ethical implications of this type of architecture has not been studied previously. In this paper, we present a large-scale measurement study of running an existing anti-fraud security challenge, Boxer, in real apps running on mobile devices. We find that although Boxer does work well overall, it is unable to scan effectively on devices that run its machine learning models at less than one frame per second (FPS), blocking users who use inexpensive devices. With the insights from our study, we design Daredevil, anew anti-fraud system for scanning payment cards that work swell across the broad range of performance characteristics and hardware configurations found on modern mobile devices. Daredevil reduces the number of devices that run at less than one FPS by an order of magnitude compared to Boxer, providing a more equitable system for fighting fraud. In total, we collect data from 5,085,444 real devices spread across 496 real apps running production software and interacting with real users.

Bo Wang,Fan Wu,Guihai Chen

DOI: https://doi.org/10.1007/978-981-10-8890-2_12

2017-01-01

Abstract:With the widespread use of mobile devices, mobile online advertising is taking more and more market share. Cost per click and cost per view are the most popular pricing modes in mobile internet advertising, which take effective clicks or displaying duration as the charging basis. However, at the same time, ad fraud, which uses illegal and invalid clicks to fraud advertisers in order to obtain unreasonable income, become a serious problem. Most of the previous studies on click fraud in website focused on network traffic data analysis. This makes them cannot solve the placement fraud problem, which use invalid placement to mislead user to click on it in mobile apps. In this paper, we propose a joint crowdsourcing and data analyzing based placement click fraud detection system. For the characteristic of placement fraud in mobile apps, automatic processing cannot cover every possible fraud. To overcome this, our report system provides a platform to find all possible placement fraud through crowdsourcing. Report system has three main services: a monitor service for monitoring user’s call; a layout service for recording the screen; a data service for recording the backend data. Because the placement fraud only appears when users use the apps, the report system based on crowdsourcing can cover every possible placement fraud. We implement our system in 10 tablets with 500 apps to evaluate its effectiveness. Experiment result shows that our approach can record enough data to analysis which app has placement fraud. What’s more, our system can figure out some special placement fraud which pop ads when user is using other apps. This placement fraud cannot be solved through automatic method in previous studies.

FAN Ming,LIU Ting,LIU Jun,LUO Xiapu,YU Le,GUAN Xiaohong,Le YU,Xiaohong GUAN,Ming FAN,Xiapu LUO,Ting LIU,Jun LIU

DOI: https://doi.org/10.1360/ssi-2019-0149

2020-07-31

Scientia Sinica Informationis

Abstract:Android has become the most popular mobile operating system in the past ten years due to its three main advantages, namely, the openness of source code, richness of hardware selection, and millions of applications (apps). It is of no surprise that Android has become the major target of malware. The rapid increase in the number of Android malware poses big threats to smart phone users such as financial charges, information collection, and remote control. Thus, the in-depth study of the security issues of mobile apps is of great importance to the sound development of the smart phone ecosystem. We first introduce the existing problems and challenges of malware analysis, and then summarize the widely-used benchmark datasets. After that, we divide the existing malware analysis methods into three categories, including signature-based methods, machine learning-based methods, and behavior-based methods. We further summarize the techniques used in each method, and compare and analyze the advantages and disadvantages of different techniques. Finally, combined with our own research foundation in malware analysis, we explore and discuss future research directions and challenges.

Jianlin Xu,Yifan Yu,Zhen Chen,Bin Cao,Wenyu Dong,Yu Guo,Junwei Cao

DOI: https://doi.org/10.1109/tst.2013.6574680

2013-01-01

Tsinghua Science & Technology

Abstract:With the explosive increase in mobile apps, more and more threats migrate from traditional PC client to mobile device. Compared with traditional Win+Intel alliance in PC, Android+ARM alliance dominates in Mobile Internet, the apps replace the PC client software as the major target of malicious usage. In this paper, to improve the security status of current mobile apps, we propose a methodology to evaluate mobile apps based on cloud computing platform and data mining. We also present a prototype system named MobSafe to identify the mobile app's virulence or benignancy. Compared with traditional method, such as permission pattern based method, MobSafe combines the dynamic and static analysis methods to comprehensively evaluate an Android app. In the implementation, we adopt Android Security Evaluation Framework (ASEF) and Static Android Analysis Framework (SAAF), the two representative dynamic and static analysis methods, to evaluate the Android apps and estimate the total time needed to evaluate all the apps stored in one mobile app market. Based on the real trace from a commercial mobile app market called AppChina, we can collect the statistics of the number of active Android apps, the average number apps installed in one Android device, and the expanding ratio of mobile apps. As mobile app market serves as the main line of defence against mobile malwares, our evaluation results show that it is practical to use cloud computing platform and data mining to verify all stored apps routinely to filter out malware apps from mobile app markets. As the future work, MobSafe can extensively use machine learning to conduct automotive forensic analysis of mobile apps based on the generated multifaceted data in this stage.

Yanhui Guo,Dong Wang,Liu Wang,Yongsheng Fang,Chao Wang,Minghui Yang,Tianming Liu,Haoyu Wang

2024-08-07

Abstract:The thriving mobile app ecosystem encompasses a wide range of functionalities. However, within this ecosystem, a subset of apps provides illicit services such as gambling and pornography to pursue economic gains, collectively referred to as "underground economy apps". While previous studies have examined these apps' characteristics and identification methods, investigations into their distribution via platforms beyond app markets (like Telegram) remain scarce, which has emerged as a crucial channel for underground activities and cybercrime due to the robust encryption and user anonymity. This study provides the first comprehensive exploration of the underground mobile app ecosystem on Telegram. Overcoming the complexities of the Telegram environment, we build a novel dataset and analyze the prevalence, promotional strategies, and characteristics of these apps. Our findings reveal that these apps reach approximately 1% of Telegram's user base, primarily catering to gambling and pornography services. We uncover sophisticated promotional strategies involving complex networks of apps, websites, users, and channels, and identify significant gaps in Telegram's content moderation capabilities. Our analysis also exposes the misuse of iOS features for app distribution and the prevalence of malicious behaviors in these apps. This research not only enhances our understanding of the underground app ecosystem but also provides valuable insights for developing effective regulatory measures and protecting users from potential risks associated with these covert operations. Our findings provide implications for platform regulators, app market operators, law enforcement agencies, and cybersecurity professionals in combating the proliferation of underground apps on encrypted messaging platforms.

Cryptography and Security

Yitian (Sky) Liang,Xinlei (Jack) Chen,Yuxin Chen,Ping Xiao,Jinglong Zhang

DOI: https://doi.org/10.1016/j.ijresmar.2023.09.003

IF: 8.047

2024-01-01

International Journal of Research in Marketing

Abstract:Ad fraud has serious consequences for brands. It also contaminates academic research if scholars neglect a significant level of ad fraud in their data. However, only limited theoretical work has addressed this topic, and empirical research is scarce. In this article, we take a first step to document empirical patterns of mobile ad fraud using two datasets. The datasets are commonly available to buyers of advertising services, and the types of ad fraud studied are significant in the advertising market. We identify some app and campaign characteristics correlated with ad fraud, and uncover methods used by fraudsters to conceal the fraud. They often make the ad fraud proportional to the daily traffic but lowering the ratio of ad fraud on high-traffic days. However, when traffic is unstable, they change strategy to use ad fraud to smooth out the traffic. Meanwhile, in advertising campaigns, the fraudsters allocate most part of fraud during the middle of campaign period, an attempt to reduce the risk of being detected. These findings not only help practitioners and academic researchers determine the extent of ad fraud in the data but also provide stylized facts for future research on theoretical modeling of ad fraud.

Rui Shao,Vaibhav Rastogi,Yan Chen,Xiang Pan,Guanyu Guo,Shihong Zou,Ryan Riley

DOI: https://doi.org/10.1109/tmc.2018.2809727

2016-01-01

Abstract:Mobile users are increasingly becoming targets of malware infections and scams. In order to curb such attacks it is important to know how these attacks originate. We take a previously unexplored step in this direction. Numerous in-app advertisements work at this interface: when the user taps on the advertisement, she is led to a web page which may further redirect until the user reaches the final destination. Even though the original applications may not be malicious, the Web destinations that the user visits could play an important role in propagating attacks. We develop a systematic static analysis methodology to find ad libraries embed in applications and dynamic analysis methodology consisting of three components related to triggering web links, detecting malware and scam campaigns, and determining the provenance of such campaigns reaching the user. Our static analysis system identified 242 different ad libraries and dynamic analysis system was deployed for a two-month period and analyzed over 600,000 applications while triggering a total of about 1.5 million links in applications to the Web. We gain a general understanding of attacks through the app-web interface and make several interesting findings including a rogue antivirus scam, free iPad scams, and advertisements propagating SMS trojans.