Michael C. Grace,Yajin Zhou,Qiang Zhang,Shihong Zou,Xuxian Jiang

DOI: https://doi.org/10.1145/2307636.2307663

2012-01-01

Abstract:ABSTRACTSmartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide in the sheer number of other normal apps, which makes their detection challenging. Existing mobile anti-virus software are inadequate in their reactive nature by relying on known malware samples for signature extraction. In this paper, we propose a proactive scheme to spot zero-day Android malware. Without relying on malware samples and their signatures, our scheme is motivated to assess potential security risks posed by these untrusted apps. Specifically, we have developed an automated system called RiskRanker to scalably analyze whether a particular app exhibits dangerous behavior (e.g., launching a root exploit or sending background SMS messages). The output is then used to produce a prioritized list of reduced apps that merit further investigation. When applied to examine 118,318 total apps collected from various Android markets over September and October 2011, our system takes less than four days to process all of them and effectively reports 3281 risky apps. Among these reported apps, we successfully uncovered 718 malware samples (in 29 families) and 322 of them are zero-day (in 11 families). These results demonstrate the efficacy and scalability of RiskRanker to police Android markets of all stripes.

Wu Zhou,Yajin Zhou,Xuxian Jiang,Peng Ning

DOI: https://doi.org/10.1145/2133601.2133640

2012-01-01

Abstract:Recent years have witnessed incredible popularity and adoption of smartphones and mobile devices, which is accompanied by large amount and wide variety of feature-rich smartphone applications. These smartphone applications (or apps), typically organized in different application marketplaces, can be conveniently browsed by mobile users and then simply clicked to install on a variety of mobile devices. In practice, besides the official marketplaces from platform vendors (e.g., Google and Apple), a number of third-party alternative marketplaces have also been created to host thousands of apps (e.g., to meet regional or localization needs). To maintain and foster a hygienic smartphone app ecosystem, there is a need for each third-party marketplace to offer quality apps to mobile users. In this paper, we perform a systematic study on six popular Android-based third-party marketplaces. Among them, we find a common "in-the-wild" practice of repackaging legitimate apps (from the official Android Market) and distributing repackaged ones via third-party marketplaces. To better understand the extent of such practice, we implement an app similarity measurement system called DroidMOSS that applies a fuzzy hashing technique to effectively localize and detect the changes from app-repackaging behavior. The experiments with DroidMOSS show a worrisome fact that 5% to 13% of apps hosted on these studied marketplaces are repackaged. Further manual investigation indicates that these repackaged apps are mainly used to replace existing in-app advertisements or embed new ones to "steal" or re-route ad revenues. We also identify a few cases with planted backdoors or malicious payloads among repackaged apps. The results call for the need of a rigorous vetting process for better regulation of third-party smartphone application marketplaces.

Wu Zhou,Yajin Zhou,Michael C. Grace,Xuxian Jiang,Shihong Zou

DOI: https://doi.org/10.1145/2435349.2435377

2013-01-01

Abstract:Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create so-called "piggybacked" apps and advertise them in various app markets to infect unsuspecting users. To detect them, existing approaches typically employ pair-wise comparison, which unfortunately has limited scalability. In this paper, we present a fast and scalable approach to detect these apps in existing Android markets. Based on the fact that the attached payload is not an integral part of a given app's primary functionality, we propose a module decoupling technique to partition an app's code into primary and non-primary modules. Also, noticing that piggybacked apps share the same primary modules as the original apps, we develop a feature fingerprint technique to extract various semantic features (from primary modules) and convert them into feature vectors. We then construct a metric space and propose a linearithmic search algorithm (with O(n log n) time complexity) to efficiently and scalably detect piggybacked apps. We have implemented a prototype and used it to study 84,767 apps collected from various Android markets in 2011. Our results show that the processing of these apps takes less than nine hours on a single machine. In addition, among these markets, piggybacked apps range from 0.97% to 2.7% (the official Android Market has 1%). Further investigation shows that they are mainly used to steal ad revenue from the original developers and implant malicious payloads (e.g., for remote bot control). These results demonstrate the effectiveness and scalability of our approach.

Yajin Zhou,Zhi Wang,Wu Zhou,Xuxian Jiang

2012-01-01

Abstract:In this paper, we present a systematic study for the detection of malicious applications (or apps) on popular Android Markets. To this end, we first propose a permissionbased behavioral footprinting scheme to detect new samples of known Android malware families. Then we apply a heuristics-based filtering scheme to identify certain inherent behaviors of unknown malicious families. We implemented both schemes in a system called DroidRanger. The experiments with 204, 040 apps collected from five different Android Markets in May-June 2011 reveal 211 malicious ones: 32 from the official Android Market (0.02% infection rate) and 179 from alternative marketplaces (infection rates ranging from 0.20% to 0.47%). Among those malicious apps, our system also uncovered two zero-day malware (in 40 apps): one from the official Android Market and the other from alternative marketplaces. The results show that current marketplaces are functional and relatively healthy. However, there is also a clear need for a rigorous policing process, especially for non-regulated alternative marketplaces.

Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Feng Dong,Haoyu Wang,Yuanchun Li,Yao Guo,Li,Shaodong Zhang,Guoai Xu

2017-01-01

Abstract:Previous studies on mobile ad fraud detection are limited to detecting certain types of ad fraud (e.g., placement fraud and click fraud). Dynamic interactive ad fraud has never been explored by previous work. In this paper, we propose an explorative study of ad fraud in Android apps. We first created a taxonomy of existing mobile ad fraud. Besides static placement fraud, we also created a new category called dynamic interactive fraud and found three new types of them. Then we propose FrauDroid, a new approach to detect ad fraud based on user interface (UI) state transition graph and networking traffic. To achieve accuracy and scalability, we use an optimized exploration strategy to traverse the UI states that contain ad views, and design a set of heuristic rules to identify kinds of ad fraud. Experiment results show that FrauDroid could achieve a precision of 80.9\% and it is capable of detecting all the 7 types of mobile ad fraud. We then apply FrauDroid to more than 80,000 apps from 21 app markets to study the prevalene of ad fraud. We find that 0.29\% of apps that use ad libraries are identified containing frauds, with 23 ad networks suffering from ad fraud. Our finding also suggests that Dynamic interactive fraud is more prevalent than static placement fraud in real world apps.

Hao Zhou,Haoyu Wang,Yajin Zhou,Xiapu Luo,Yutian Tang,Lei Xue,Ting Wang

DOI: https://doi.org/10.1145/3324884.3416637

2020-01-01

Abstract:Smartphone vendors are using multiple methods to kill processes of Android apps to reduce the battery consumption. This motivates developers to find ways to extend the liveness time of their apps, hence the name diehard apps in this paper. Although there are blogs and articles illustrating methods to achieve this purpose, there is no systematic research about them. What's more important, little is known about the prevalence of diehard apps in the wild. In this paper, we take a first step to systematically investigate diehard apps by answering the following research questions. First, why and how can they circumvent the resource-saving mechanisms of Android? Second, how prevalent are they in the wild? In particular, we conduct a semi -automated analysis to illustrate insights why existing methods to kill app processes could be evaded, and then systematically present 12 diehard methods. After that, we develop a system named DiehardDetector to detect diehard apps in a large scale. The experimental result of applying DiehardDetector to more than 80k Android apps downloaded from Google Play showed that around 21 % of apps adopt various diehard methods. Moreover, our system can achieve high precision and recall.

Shengtao Yue,Weizan Feng,Jun Ma,Yanyan Jiang,Xianping Tao,Chang Xu,Jian Lu

DOI: https://doi.org/10.1109/ICPC.2017.16

2017-01-01

Abstract:In recent years, with the explosive growth of mobile smart phonesnes, the number of Android applications (apps) increases rapidly. Attackers usually leverage the popumobile smart phoneslarity of Android apps by inserting malwares, modifying the original apps, repackaging and releasing them for their own illegal purposes. To avoid repackaged apps from being detected, they usually use sorts of obfuscation and encryption tools. As a result, it's important to detect which apps are repackaged. People often intuitively judge whether two apps are a repackaged pair by executing them and observing their runtime user interface (UI) traces. Hence, we propose layout group graph (LGG) built from UI trances to model those UI behaviors and use LGG as the birthmark of Android apps for identification. Based on LGG, we also implement a dynamic repackaging detection tool, RepDroid. Since our method does not require the apps' source code, it is resilient to app obfuscation and encryption. We conducted an experiment with two data sets. The first set contains 98 pairs of repackaged apps. The original apps and repackaged ones are compared and we can detect all of these repackaged pairs. The second set contains 125 commercial apps. We compared them pair-wisely and the false positive rate was 0.08%.

Shengtao Yue,Qingwei Sun,Jun Ma,Xianping Tao,Chang Xu,Jian Lu

DOI: https://doi.org/10.1109/ICSME.2018.00041

2018-01-01

Abstract:With the rapid development of mobile devices, Android applications (apps) are universally used. However, attackers repackage Android apps and release them to the markets for illegal purposes, which brings great threats to the Android ecosystem. To leverage the popularity of original apps, they keep similar software behaviors to confuse app users. Furthermore, repackaged apps can be obfuscated or encrypted to avoid being detected. Besides, hybrid mobile apps, built by combining web technology and native elements, are becoming a preferred choice for developers. The structure of hybrid apps differs a lot from that of native apps which would raise great challenges to repackaging detection. Existing works still have some limitations in detecting repackaging from obfuscated and encrypted apps. Besides, few of them can deal with hybrid apps. In this paper, we proposed an approach based on the app UI regions extracted from app's runtime UI traces. We also implement a tool named RegionDroid based on the approach. We apply RegionDroid to tree datasets with totally 369 apps. It successfully finds all the 98 obfuscated or encrypted repackaged pairs in dataset S <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">1</sub> . It also shows good credibility in distinguishing another 114 commercial apps in dataset S <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sub> . We also test our approach in dataset S <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">3</sub> with 157 hybrid apps by comparing them pairwisely and the false positive rate is 0.016%.

Wei Liu,Yueqian Zhang,Zhou Li,Hai-Xin Duan

DOI: https://doi.org/10.1145/2994459.2994472

2016-01-01

Abstract:We studied a new type of fraudulent activities, usage fraud, on Android platform in this paper. Different from previous fraud on mobile platforms targeting advertisers or mobile users, usage fraud was invented to boost usage statistics on third-party analytics platforms like Google Analytics to cheat investors. To understand the business model and infrastructures employed by the fraudsters, we infiltrated two underground services, Laicaimao and Anzhibao. A number of insights have been gained during this course, including the use of emulators and manipulation of user identifiers. In addition, we evaluated the efficacy of the existing fraud services and the defense status quo on 8 popular analytics platforms. Our result indicates that the fraud services are indeed capable of crafting valid usage numbers and the basic checks are missed by analytics platforms. We give several recommendations in the end and call for the contribution from the community to fight against this new type of fraud.

Min Huang,Kai Bu,Hanlin Wang,Kaiwen Zhu

DOI: https://doi.org/10.1109/cyberc.2016.14

2016-01-01

Abstract:Malware has started grabbing its undeserved share long before the blossom of Android ecosystem. Injected with malware, malicious applications (apps) may threat users in various ways like financial charges and information stealing. When the severity of a deluge of malware was first noticed, malware detectors delivered unsatisfactory detection accuracy, which further degenerated upon simple transformation of malicious apps. Now years later, we are eager to re-examine the robustness of malware detectors. A surprisingly disappointed finding is that even known malicious apps can evade quite a few detectors. We also find that repackaging with extracted exploitable code instead of readily available malware samples can evade more signature-based detectors. Furthermore, we find Android OS features of Service and Broadcast exploitable to enable malicious apps stealthily active on phones. We implement all these findings through DroidRide, a framework toward making Android malware less catchable to detectors and more active on phones. Our prototype based on two example apps-AndroRAT and MIUI Notes-demonstrates DroidRide's effectiveness in malware evasion. Toward defending against DroidRide alike evasion, we further suggest feasible design enhancements of malware detectors and Android OS.

王浩宇,王仲禹,郭耀,陈向群

DOI: https://doi.org/10.1360/n112013-00130

2014-01-01

Abstract:With the popularity of smart phones, mobile applications are growing rapidly, especially the Android applications. These applications not only provide useful features, but also bring security and privacy issues. The plagiarist can easily crack the legitimate applications, add malicious code or change the existing libraries, and advertise them in various third-party markets. The repackaged applications not only compromise the copyright of the original authors, but also weaken the security and privacy of users. In this paper, we propose an accurate and scalable approach to detect repackaged android applications and implement a prototype system. We use the system to study more than 14,500 applications collected from Google Play market and various third-party markets. The results demonstrate the effectiveness and scalability of our approach.

Shaoyong Du,Minrui Zhao,Jingyu Hua,Hang Zhang,Xiaoyu Chen,Zhiyun Qian,Sheng Zhong

DOI: https://doi.org/10.1109/tdsc.2021.3068209

2022-01-01

Abstract:As the mobile era matures, it is increasingly competitive to market mobile apps, forcing companies to invest heavily on mobile user acquisition campaigns. This has unfortunately given birth to a new form of Internet fraud, which we refer to as “app distribution fraud”. This new fraud involves collusion between ISPs and fraudulent app distributors where app download is hijacked/redirected. In this article, we have the unique opportunity to cooperate with a major e-commerce company (with about 0.2 billion active users per month) to take a first peek at this problem. Through the nationwide measurement results, we find that app distribution fraud is ubiquitous yet stealthy — about 1.55 percent app downloads are hijacked/redirected, affecting more than 75 percent of the cities we tested and causing an estimated 7.46 billion U.S. dollars financial loss per year. We follow up with additional measurements on the technical mechanism of the fraud and the scope of the fraud (i.e., what other apps are also affected). Surprisingly, we find that sometimes the original app a user intends to download can be replaced with a completely different app, rendering the user's device at risks.

Li Li,Tegawendé Bissyandé,Jacques Klein

DOI: https://doi.org/10.48550/arXiv.1811.08520

2018-11-21

Abstract:Repackaging is a serious threat to the Android ecosystem as it deprives app developers of their benefits, contributes to spreading malware on users' devices, and increases the workload of market maintainers. In the space of six years, the research around this specific issue has produced 57 approaches which do not readily scale to millions of apps or are only evaluated on private datasets without, in general, tool support available to the community. Through a systematic literature review of the subject, we argue that the research is slowing down, where many state-of-the-art approaches have reported high-performance rates on closed datasets, which are unfortunately difficult to replicate and to compare against. In this work, we propose to reboot the research in repackaged app detection by providing a literature review that summarises the challenges and current solutions for detecting repackaged apps and by providing a large dataset that supports replications of existing solutions and implications of new research directions. We hope that these contributions will re-activate the direction of detecting repackaged apps and spark innovative approaches going beyond the current state-of-the-art.

Software Engineering

Xin Sun,Yibing Zhongyang,Zhi Xin,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-55415-5_12

2014-01-01

Abstract:Recently smartphones and mobile devices have gained incredible popularity for their vibrant feature-rich applications (or apps). Because it is easy to repackage Android apps, software plagiarism has become a serious problem. In this paper, we present an accurate and robust system DroidSim to detect code reuse. DroidSim calculates similarity score only with component-based control flow graph (CB-CFG). CB-CFG is a graph of which nodes are Android APIs and edges represent control flow precedence order in each Android component. Our system can be applied to detect repackaged apps and malware variants. We evaluate DroidSim on 121 apps and 706 malware variants. The results show that our system has no false negative and a false positive of 0.83% for repackaged apps, and a detection ratio of 96.60% for malware variants. Besides, ADAM is used to obfuscate apps and the result reveals that ADAM has no influence on our system.

Jiajin Cai,Tongxin Li,Can Huang,Xinhui Han

DOI: https://doi.org/10.1109/TrustCom50675.2020.00054

2020-01-01

Abstract:In recent years, Android commercial packers have been widely used to encrypt dex files of apps, making analysts and malware detection solutions hard to obtain the actual dex files for further analysis. Therefore, we propose a novel unpacking system named ReDex. ReDex uses Java reflection to execute all methods with forged arguments and collects the original instructions when the method is executing. Although apps may crash due to forged arguments, ReDex can collect its original instructions released by the commercial packer before the crash. Also, we design an exception/crash handling module, which can avoid most of the crashes and restart the unpacking process at the next method after the crash. The comparison with 2 state-of-the-art unpackers on 100 packed apps with source code and 140 wild packed apps shows that ReDex can unpack more apps. Besides, we conduct an experiment with 1,801 real-world apps packed by 7 representative packers. Of 21 million methods, ReDex can extract 19,239,743 (90.30%) methods. The exception/crash handling module effectively reduces the crash rate to 2.31%. In these packed apps, we find 4 interesting packing techniques. ReDex can deal with these packing techniques while 2 state-of-the-art unpackers cannot.

Tianming Liu,Haoyu Wang,Li Li,Xiapu Luo,Feng Dong,Yao Guo,Liu Wang,Tegawende Bissyande,Jacques Klein

DOI: https://doi.org/10.1145/3366423.3380242

2020-01-01

Abstract:Advertisement drives the economy of the mobile app ecosystem. As a key component in the mobile ad business model, mobile ad content has been overlooked by the research community, which poses a number of threats, e.g., propagating malware and undesirable contents. To understand the practice of these devious ad behaviors, we perform a large-scale study on the app contents harvested through automated app testing. In this work, we first provide a comprehensive categorization of devious ad contents, including five kinds of behaviors belonging to two categories: ad loading content and ad clicking content. Then, we propose MadDroid, a framework for automated detection of devious ad contents. MadDroid leverages an automated app testing framework with a sophisticated ad view exploration strategy for effectively collecting ad-related network traffic and subsequently extracting ad contents. We then integrate dedicated approaches into the framework to identify devious ad contents. We have applied MadDroid to 40,000 Android apps and found that roughly 6% of apps deliver devious ad contents, e.g., distributing malicious apps that cannot be downloaded via traditional app markets. Experiment results indicate that devious ad contents are prevalent, suggesting that our community should invest more effort into the detection and mitigation of devious ads towards building a trustworthy mobile advertising ecosystem.

Deqing Zou,Yueming Wu,Siru Yang,Anki Chauhan,Wei Yang,Jiangying Zhong,Shihan Dou,Hai Jin

DOI: https://doi.org/10.1145/3442588

IF: 3.685

2021-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:Android, the most popular mobile operating system, has attracted millions of users around the world. Meanwhile, the number of new Android malware instances has grown exponentially in recent years. On the one hand, existing Android malware detection systems have shown that distilling the program semantics into a graph representation and detecting malicious programs by conducting graph matching are able to achieve high accuracy on detecting Android malware. However, these traditional graph-based approaches always perform expensive program analysis and suffer from low scalability on malware detection. On the other hand, because of the high scalability of social network analysis, it has been applied to complete large-scale malware detection. However, the social-network-analysis-based method only considers simple semantic information (i.e., centrality) for achieving market-wide mobile malware scanning, which may limit the detection effectiveness when benign apps show some similar behaviors as malware. In this article, we aim to combine the high accuracy of traditional graph-based method with the high scalability of social-network-analysis--based method for Android malware detection. Instead of using traditional heavyweight static analysis, we treat function call graphs of apps as complex social networks and apply social-network--based centrality analysis to unearth the central nodes within call graphs. After obtaining the central nodes, the average intimacies between sensitive API calls and central nodes are computed to represent the semantic features of the graphs. We implement our approach in a tool called IntDroid and evaluate it on a dataset of 3,988 benign samples and 4,265 malicious samples. Experimental results show that IntDroid is capable of detecting Android malware with an F-measure of 97.1% while maintaining a True-positive Rate of 99.1%. Although the scalability is not as fast as a social-network-analysis--based method (i.e., MalScan ), compared to a traditional graph-based method, IntDroid is more than six times faster than MaMaDroid . Moreover, in a corpus of apps collected from GooglePlay market, IntDroid is able to identify 28 zero-day malware that can evade detection of existing tools, one of which has been downloaded and installed by more than ten million users. This app has also been flagged as malware by six anti-virus scanners in VirusTotal, one of which is Symantec Mobile Insight .

Minghao Jiang,Mingxin Cui,Chang Liu,Gaopeng Gou,Gang Xiong,Zhen Li

DOI: https://doi.org/10.1016/j.comnet.2023.109728

IF: 5.493

2023-03-30

Computer Networks

Abstract:Mobile-app identification over encrypted network traffic plays a vital role in network management, cyberspace security, and advertising analysis. Combining machine learning algorithms and traffic features is the mainstream approach, which assumes the training and test traffic is independent and identically distributed ( i.i.d ). However, the distribution of test flows could drift due to the updating app, diverse mobile platforms, and regions, resulting in low accuracy. Existing methods relabel the non- i.i.d traffic manually and retrain the model from scratch, which takes lots of human effort and thus limits deployment. In this paper, we propose a Flow Domain Adaptation Neural Network (FDAN) to improve the accuracy in identifying mobile apps over non- i.i.d traffic under zero-relabeling. FDAN transforms the drifted test flows into approximate i.i.d samples by reducing the differences between traffic distributions in a trainable feature space. Specifically, we adopt two domain discriminators and a feature generator to strengthen the feature's invariance under an adversarial loss. An app predictor is used to enhance the discrimination with supervised data from the source domain. We conduct extensive experiments on public and private datasets, including changing app versions, platforms, and regions. With theoretical guarantees, our FDAN achieves a remarkable improvement (7.8% ∼47%↑ in F1 ) with zero-relabeling and outperforms other comparisons.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Zainul Abi Din,Hari Venugopalan,Henry Lin,Adam Wushensky,Steven Liu,Samuel T. King

DOI: https://doi.org/10.48550/arXiv.2106.14861

2021-06-28

Cryptography and Security

Abstract:App builders commonly use security challenges, a form of step-up authentication, to add security to their apps. However, the ethical implications of this type of architecture has not been studied previously. In this paper, we present a large-scale measurement study of running an existing anti-fraud security challenge, Boxer, in real apps running on mobile devices. We find that although Boxer does work well overall, it is unable to scan effectively on devices that run its machine learning models at less than one frame per second (FPS), blocking users who use inexpensive devices. With the insights from our study, we design Daredevil, anew anti-fraud system for scanning payment cards that work swell across the broad range of performance characteristics and hardware configurations found on modern mobile devices. Daredevil reduces the number of devices that run at less than one FPS by an order of magnitude compared to Boxer, providing a more equitable system for fighting fraud. In total, we collect data from 5,085,444 real devices spread across 496 real apps running production software and interacting with real users.