1,138 research outputs found
Android Malware Clustering through Malicious Payload Mining
Clustering has been well studied for desktop malware analysis as an effective
triage method. Conventional similarity-based clustering techniques, however,
cannot be immediately applied to Android malware analysis due to the excessive
use of third-party libraries in Android application development and the
widespread use of repackaging in malware development. We design and implement
an Android malware clustering system through iterative mining of malicious
payload and checking whether malware samples share the same version of
malicious payload. Our system utilizes a hierarchical clustering technique and
an efficient bit-vector format to represent Android apps. Experimental results
demonstrate that our clustering approach achieves precision of 0.90 and recall
of 0.75 for Android Genome malware dataset, and average precision of 0.98 and
recall of 0.96 with respect to manually verified ground-truth.Comment: Proceedings of the 20th International Symposium on Research in
Attacks, Intrusions and Defenses (RAID 2017
Measuring third party tracker power across web and mobile
Third-party networks collect vast amounts of data about users via web sites
and mobile applications. Consolidations among tracker companies can
significantly increase their individual tracking capabilities, prompting
scrutiny by competition regulators. Traditional measures of market share, based
on revenue or sales, fail to represent the tracking capability of a tracker,
especially if it spans both web and mobile. This paper proposes a new approach
to measure the concentration of tracking capability, based on the reach of a
tracker on popular websites and apps. Our results reveal that tracker
prominence and parent-subsidiary relationships have significant impact on
accurately measuring concentration
MadDroid: Characterising and Detecting Devious Ad Content for Android Apps
Advertisement drives the economy of the mobile app ecosystem. As a key
component in the mobile ad business model, mobile ad content has been
overlooked by the research community, which poses a number of threats, e.g.,
propagating malware and undesirable contents. To understand the practice of
these devious ad behaviors, we perform a large-scale study on the app contents
harvested through automated app testing. In this work, we first provide a
comprehensive categorization of devious ad contents, including five kinds of
behaviors belonging to two categories: \emph{ad loading content} and \emph{ad
clicking content}. Then, we propose MadDroid, a framework for automated
detection of devious ad contents. MadDroid leverages an automated app testing
framework with a sophisticated ad view exploration strategy for effectively
collecting ad-related network traffic and subsequently extracting ad contents.
We then integrate dedicated approaches into the framework to identify devious
ad contents. We have applied MadDroid to 40,000 Android apps and found that
roughly 6\% of apps deliver devious ad contents, e.g., distributing malicious
apps that cannot be downloaded via traditional app markets. Experiment results
indicate that devious ad contents are prevalent, suggesting that our community
should invest more effort into the detection and mitigation of devious ads
towards building a trustworthy mobile advertising ecosystem.Comment: To be published in The Web Conference 2020 (WWW'20
A Multi-view Context-aware Approach to Android Malware Detection and Malicious Code Localization
Existing Android malware detection approaches use a variety of features such
as security sensitive APIs, system calls, control-flow structures and
information flows in conjunction with Machine Learning classifiers to achieve
accurate detection. Each of these feature sets provides a unique semantic
perspective (or view) of apps' behaviours with inherent strengths and
limitations. Meaning, some views are more amenable to detect certain attacks
but may not be suitable to characterise several other attacks. Most of the
existing malware detection approaches use only one (or a selected few) of the
aforementioned feature sets which prevent them from detecting a vast majority
of attacks. Addressing this limitation, we propose MKLDroid, a unified
framework that systematically integrates multiple views of apps for performing
comprehensive malware detection and malicious code localisation. The rationale
is that, while a malware app can disguise itself in some views, disguising in
every view while maintaining malicious intent will be much harder.
MKLDroid uses a graph kernel to capture structural and contextual information
from apps' dependency graphs and identify malice code patterns in each view.
Subsequently, it employs Multiple Kernel Learning (MKL) to find a weighted
combination of the views which yields the best detection accuracy. Besides
multi-view learning, MKLDroid's unique and salient trait is its ability to
locate fine-grained malice code portions in dependency graphs (e.g.,
methods/classes). Through our large-scale experiments on several datasets
(incl. wild apps), we demonstrate that MKLDroid outperforms three
state-of-the-art techniques consistently, in terms of accuracy while
maintaining comparable efficiency. In our malicious code localisation
experiments on a dataset of repackaged malware, MKLDroid was able to identify
all the malice classes with 94% average recall
- …