Research article, DOI: 10.1145/3689941.3695773 (ACM Conference Proceedings, CCS conference collections)

Detect Counterfeit Mini-apps: A Case Study on WeChat

Published: 19 November 2024

Abstract

The rapid growth of mini-apps within super apps like WeChat has revolutionized mobile app ecosystems, but it has also introduced new security challenges. This paper presents the first comprehensive study of counterfeit mini-apps in the WeChat ecosystem. We developed an innovative detection model combining Chinese character similarity generation, automated data collection, and CNN-based image recognition to identify potential counterfeits. Our preliminary study of the top 50 popular mini-apps confirmed the prevalence of this issue. Expanding our analysis to the top 200 mini-apps, we generated 12,396 potential counterfeit names and identified 1,095 actual counterfeits in the catering category alone. Our findings reveal that counterfeit mini-apps primarily target highly popular legitimate apps, with 54% of counterfeits mimicking the top 25% most popular mini-apps. We also analyze the harmful impacts of these counterfeits, highlighting significant risks of user data theft and fraud. This study underscores the urgent need for enhanced security measures in mini-app platforms and provides a foundation for future research on protection strategies.
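The name-similarity step the abstract describes, as an added illustration rather than the paper's own code: a constructed table of visually confusable Chinese characters and a confusable-aware edit distance are used to flag registered mini-app names that sit within a small distance of a popular legitimate name. The table entries, the 0.5 substitution cost, the threshold and the sample names are all assumptions for this example, not values taken from the paper.

```python
# Constructed lookup of visually confusable characters (illustrative only;
# the paper builds its own similarity table, which is not reproduced here).
CONFUSABLE = {
    "团": {"园", "困"},
    "未": {"末"},
    "己": {"已", "巳"},
    "日": {"曰"},
}

# Constructed sample data: two "popular" names and a handful of registered names.
POPULAR_NAMES = ["团购优选", "未来书店"]
REGISTERED_NAMES = ["团购优选", "园购优选", "团购优选网", "末来书店", "天气查询", "未来书店优惠"]


def confusable(a: str, b: str) -> bool:
    """True when a and b are identical or listed as confusable in either direction."""
    return a == b or b in CONFUSABLE.get(a, set()) or a in CONFUSABLE.get(b, set())


def confusable_distance(candidate: str, legit: str) -> float:
    """Weighted Levenshtein distance: a confusable substitution costs 0.5,
    any other insertion, deletion or substitution costs 1."""
    n, m = len(candidate), len(legit)
    dp = [[0.0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        dp[i][0] = float(i)
    for j in range(1, m + 1):
        dp[0][j] = float(j)
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            a, b = candidate[i - 1], legit[j - 1]
            sub = 0.0 if a == b else (0.5 if confusable(a, b) else 1.0)
            dp[i][j] = min(dp[i - 1][j] + 1.0, dp[i][j - 1] + 1.0, dp[i - 1][j - 1] + sub)
    return dp[n][m]


def flag_counterfeits(registered, popular, threshold: float = 1.0):
    """Return (name, target, distance) for each registered name that is not itself
    a popular name but lies within `threshold` of one; these are review candidates,
    not confirmed counterfeits (the paper adds image-based checks after this step)."""
    popular_set = set(popular)
    hits = []
    for name in registered:
        if name in popular_set:
            continue
        for legit in popular:
            d = confusable_distance(name, legit)
            if d <= threshold:
                hits.append((name, legit, d))
    return hits


if __name__ == "__main__":
    for name, target, d in flag_counterfeits(REGISTERED_NAMES, POPULAR_NAMES):
        print(f"{name!r} resembles {target!r} (distance {d})")
```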


Published In

SaTS '24: Proceedings of the ACM Workshop on Secure and Trustworthy Superapps, November 2024, 28 pages. ISBN: 9798400712371. DOI: 10.1145/3689941

Publisher: Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. counterfeit mini-apps
    2. data misuse
    3. fraud
    4. wechat
