Beyond App Markets: Demystifying Underground Mobile App Distribution Via Telegram
Article No.: 33, Pages 1 - 25
Abstract
The thriving mobile app ecosystem encompasses a wide range of functionalities. However, within this ecosystem, a subset of apps provides illicit services such as gambling and pornography to pursue economic gains, collectively referred to as "underground economy apps". While previous studies have examined these apps' characteristics and identification methods, investigations into their distribution via platforms beyond app markets remain scarce. One such platform, Telegram, has emerged as a crucial channel for underground activities and cybercrime due to its robust encryption and user anonymity.
This study provides the first comprehensive exploration of the underground mobile app ecosystem on Telegram. Overcoming the complexities of the Telegram environment, we build a novel dataset and analyze the prevalence, promotional strategies, and characteristics of these apps. Our findings reveal the significant prevalence of these apps on Telegram, with the total sum of subscription user numbers across channels promoting these apps equivalent to 1% of Telegram's user base. We find these apps primarily cater to gambling and pornography services. We uncover sophisticated promotional strategies involving complex networks of apps, websites, users, and channels, and identify significant gaps in Telegram's content moderation capabilities. Our analysis also exposes the misuse of iOS features for app distribution and the prevalence of malicious behaviors in these apps. This research not only enhances our understanding of the underground app ecosystem but also provides valuable insights for developing effective regulatory measures and protecting users from potential risks associated with these covert operations. Our findings provide implications for platform regulators, app market operators, law enforcement agencies, and cybersecurity professionals in combating the proliferation of underground apps on encrypted messaging platforms.
Published In
Proceedings of the ACM on Measurement and Analysis of Computing Systems
December 2024
588 pages
EISSN: 2476-1249
DOI: 10.1145/3708555
- Editors:
- John C.S. Lui,
- Leana Golubchik,
- Zhi-Li Zhang
Copyright © 2024 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 13 December 2024
Published in POMACS Volume 8, Issue 3
Qualifiers
- Research-article