ABSTRACT
In recent years, the underground economy has been proliferating in the mobile system. These underground economy apps (UEware for short) profit from providing non-compliant services, especially in sensitive areas (e.g., gambling, porn, loans). Unlike traditional malware, most of them (over 80%) do not have malicious payloads. Due to their unique characteristics, existing detection approaches cannot effectively and efficiently mitigate this emerging threat. To address this problem, we propose a novel approach to effectively and efficiently detect UEware by considering their UI transition graphs (UTGs). Based on the proposed approach, we design and implement a system, named DeUEDroid, to perform the detection. To evaluate DeUEDroid, we collect 25,717 apps and build the first large-scale ground-truth dataset (1,700 apps) of UEware. The evaluation result based on the ground-truth dataset shows that DeUEDroid can cover new UI features and statically construct precise UTGs. It achieves a 98.22% detection F1-score and 98.97% classification accuracy, significantly better performance than the traditional approaches. The evaluation result involving 24,017 apps demonstrates the effectiveness and efficiency of UEware detection in real-world scenarios. Furthermore, the result also reveals that UEware are prevalent, i.e., 54% of apps in the wild and 11% of apps in the app stores are UEware. Our work sheds light on future work on analyzing and detecting UEware. To engage the community, we have made our prototype system and the dataset available online.
Supplemental Material
This is the appendix material of our work accepted by ISSTA 2023. In this paper, we propose a novel approach to effectively and efficiently detect UEware by considering their UI transition graphs (UTGs). Based on the proposed approach, we design and implement a system, named DeUEDroid, to perform the detection. Our work sheds light on future work on analyzing and detecting UEware.
Received 2023-02-16; accepted 2023-05-03
Index Terms
- DeUEDroid: Detecting Underground Economy Apps Based on UTG Similarity