Research article. DOI: 10.1145/2435349.2435377

Fast, scalable detection of "Piggybacked" mobile applications

Published: 18 February 2013

Abstract

Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create so-called "piggybacked" apps and advertise them in various app markets to infect unsuspecting users. To detect them, existing approaches typically employ pair-wise comparison, which unfortunately has limited scalability. In this paper, we present a fast and scalable approach to detect these apps in existing Android markets. Based on the fact that the attached payload is not an integral part of a given app's primary functionality, we propose a module decoupling technique to partition an app's code into primary and non-primary modules. Also, noticing that piggybacked apps share the same primary modules as the original apps, we develop a feature fingerprint technique to extract various semantic features (from primary modules) and convert them into feature vectors. We then construct a metric space and propose a linearithmic search algorithm (with O(n log n) time complexity) to efficiently and scalably detect piggybacked apps. We have implemented a prototype and used it to study 84,767 apps collected from various Android markets in 2011. Our results show that the processing of these apps takes less than nine hours on a single machine. In addition, among these markets, piggybacked apps range from 0.97% to 2.7% (the official Android Market has 1%). Further investigation shows that they are mainly used to steal ad revenue from the original developers and implant malicious payloads (e.g., for remote bot control). These results demonstrate the effectiveness and scalability of our approach.



Published In

CODASPY '13: Proceedings of the third ACM conference on Data and application security and privacy
February 2013
400 pages
ISBN: 9781450318907
DOI: 10.1145/2435349
  • General Chairs: Elisa Bertino, Ravi Sandhu
  • Program Chair: Lujo Bauer
  • Publications Chair: Jaehong Park

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. app repackaging
  2. mobile application
  3. piggybacked application
  4. smartphone security

Qualifiers

  • Research-article

Conference

CODASPY'13

Acceptance Rates

CODASPY '13 Paper Acceptance Rate 24 of 107 submissions, 22%;
Overall Acceptance Rate 149 of 789 submissions, 19%
