DOI: 10.1145/2462096.2462100

MAST: triage for market-scale mobile malware analysis

Published: 17 April 2013

Abstract

Malware is a pressing concern for mobile application market operators. While current mitigation techniques are keeping pace with the relatively infrequent presence of malicious code, the rapidly increasing rate of application development makes manual and resource-intensive automated analysis costly at market-scale. To address this resource imbalance, we present the Mobile Application Security Triage (MAST) architecture, a tool that helps to direct scarce malware analysis resources towards the applications with the greatest potential to exhibit malicious behavior. MAST analyzes attributes extracted from just the application package using Multiple Correspondence Analysis (MCA), a statistical method that measures the correlation between multiple categorical (i.e., qualitative) data. We train MAST using over 15,000 applications from Google Play and a dataset of 732 known-malicious applications. We then use MAST to perform triage on three third-party markets of different size and malware composition (36,710 applications in total). Our experiments show that MAST is both effective and performant. Using MAST ordered ranking, malware-analysis tools can find 95% of malware at the cost of analyzing 13% of the non-malicious applications on average across multiple markets, and MAST triage processes markets in less than a quarter of the time required to perform signature detection. More importantly, we show that successful triage can dramatically reduce the costs of removing malicious applications from markets.


Published In

WiSec '13: Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks
April 2013
230 pages
ISBN:9781450319980
DOI:10.1145/2462096

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. mobile application security
  2. multiple correspondence analysis
  3. triage

Qualifiers

  • Research-article

Conference

WISEC'13

Acceptance Rates

WiSec '13 Paper Acceptance Rate 26 of 70 submissions, 37%;
Overall Acceptance Rate 98 of 338 submissions, 29%

Article Metrics

  • Downloads (Last 12 months)29
  • Downloads (Last 6 weeks)1
Reflects downloads up to 03 Mar 2025

Cited By

  • (2025) Robust security risk estimation for android apps using nearest neighbor approach and hamming distance. Soft Computing. DOI: 10.1007/s00500-025-10489-z. 29:2 (593-611). Online publication date: 10-Feb-2025
  • (2024) FV8. Proceedings of the 33rd USENIX Conference on Security Symposium. DOI: 10.5555/3698900.3699110. (3747-3764). Online publication date: 14-Aug-2024
  • (2023) Potentially Unwanted App Detection for Blockchain-Based Android App Marketplace. IEEE Internet of Things Journal. DOI: 10.1109/JIOT.2023.3262594. 10:24 (21154-21167). Online publication date: 15-Dec-2023
  • (2022) A Survey on Cyber Situation-awareness Systems: Framework, Techniques, and Insights. ACM Computing Surveys. DOI: 10.1145/3530809. 55:5 (1-37). Online publication date: 3-Dec-2022
  • (2022) Detecting Targeted Smartphone Malware with Behavior-Triggering Stochastic Models. Computer Security - ESORICS 2014. DOI: 10.1007/978-3-319-11203-9_11. (183-201). Online publication date: 10-Mar-2022
  • (2021) Identification of Cryptographic Vulnerability and Malware Detection in Android. Research Anthology on Securing Mobile Technologies and Applications. DOI: 10.4018/978-1-7998-8545-0.ch004. (58-74). Online publication date: 2021
  • (2021) ANDRuspex: Leveraging Graph Representation Learning to Predict Harmful App Installations on Mobile Devices. 2021 IEEE European Symposium on Security and Privacy (EuroS&P). DOI: 10.1109/EuroSP51992.2021.00044. (562-577). Online publication date: Sep-2021
  • (2021) FSDroid:- A feature selection technique to detect malware from Android using Machine Learning Techniques. Multimedia Tools and Applications. DOI: 10.1007/s11042-020-10367-w. 80:9 (13271-13323). Online publication date: 1-Apr-2021
  • (2021) JABBIC Lookups: A Backend Telemetry-Based System for Malware Triage. Security and Privacy in Communication Networks. DOI: 10.1007/978-3-030-90022-9_9. (164-184). Online publication date: 4-Nov-2021
  • (2020) Study on the Vulnerabilities of Free and Paid Mobile Apps Associated with Software Library. IEICE Transactions on Information and Systems. DOI: 10.1587/transinf.2019INP0011. E103.D:2 (276-291). Online publication date: 1-Feb-2020
