Abstract
Today, digital technologies are evolving to accommodate small businesses and young entrepreneurs by reducing their time-to-market while encouraging rapid innovation in mobile, Extended Reality (XR), Internet of Things (IoT), cloud, and edge devices. The leading operating system, Android, typically takes one to a few days to vet an application and move it to production, leveraging code analysis technologies in its Play Protect anti-malware program. However, developers with malicious intent look to circumvent this detection mechanism by exploiting Google's relatively lenient trust policies that allow for package distribution and feature updates. This paper develops a proof-of-concept malware that exploits customers' trust and Google's policies to circumvent popular voice search applications. Our results show that attackers can initially circumvent Play Protect by uploading benign applications to build trust and then add malicious feature updates incrementally to distribute highly intrusive malware into user systems. This malware can scan and collect private user data from the device and exfiltrate it to the command-and-control server. The contributions are three-fold. (1) A proof-of-concept stealthy malware and publishing mechanism has been developed that highlights the relative ease with which Google Play Protect policies may be subverted. (2) A comprehensive evaluation has been performed using major publicly available anti-malware solutions. (3) Recommendations and policies have been suggested to prevent this attack and address users' privacy concerns. IMUTA is a novel attack in which malicious functionality is slowly added to a benign application through updates. This attack evades malware detection tools and exploits user trust. The attack can be launched against any application distribution platform, such as the Play Store.
Data Availability
Data sources are highlighted in the paper.
Notes
Firebase® is a cloud storage platform launched by Google and is considered the most trusted platform for storage, analytics, and back-end services for mobile and web applications.
Funding
This research is funded by the Sheila and Robert Challey Institute for Global Innovation and Growth, North Dakota State University (NDSU), USA.
Ethics declarations
Conflict of interest
The authors share no conflicts of interest.
About this article
Cite this article
Muhammad, Z., Amjad, F., Iqbal, Z. et al. Circumventing Google Play vetting policies: a stealthy cyberattack that uses incremental updates to breach privacy. J Ambient Intell Human Comput 14, 4785–4794 (2023). https://doi.org/10.1007/s12652-023-04535-7
DOI: https://doi.org/10.1007/s12652-023-04535-7