
MalRadar: Demystifying Android Malware in the New Era

Published: 06 June 2022

Abstract

Mobile malware detection has attracted massive research effort in our community. A reliable and up-to-date malware dataset is critical for evaluating the effectiveness of malware detection approaches. Essentially, the malware ground truth should be manually verified by security experts, and the malicious behaviors should be carefully labelled. Although several malware benchmarks are widely used in our community (e.g., MalGenome, Drebin, Piggybacking and AMD), they face several limitations, including being out of date and issues of size, coverage and reliability. In this paper, we first make efforts to create MalRadar, a growing and up-to-date Android malware dataset built in the most reliable way, i.e., by collecting malware based on the analysis reports of security experts. We crawled all the mobile security related reports released by ten leading security companies, and used an automated approach to extract and label the useful ones, i.e., those describing new Android malware and containing Indicators of Compromise (IoC) information. We have successfully compiled MalRadar, a dataset that contains 4,534 unique Android malware samples (including both APKs and metadata) released from 2014 to April 2021 at the time of writing, all of which were manually verified by security experts with detailed behavior analysis. We then characterize the MalRadar dataset in terms of malware distribution channels, app installation methods, malware activation, malicious behaviors and anti-analysis techniques. We further investigate malware evolution over the last decade. Finally, we measure the effectiveness of commercial anti-virus engines and malware detection techniques on detecting the malware in MalRadar. Our dataset can serve as a representative Android malware benchmark in the new era, and our observations can positively contribute to the community and boost a series of research studies on mobile security.
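The abstract describes selecting, from crawled vendor reports, those that describe new Android malware and carry IoC information. The following is an added illustration of that selection-and-extraction step, not the authors' pipeline: the report snippets are constructed, and the keyword hints, regular expressions and record layout are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample report snippets (not real vendor text) standing in for crawled posts.
SAMPLE_REPORTS = [
    {"vendor": "VendorA", "title": "New Android banking trojan spotted",
     "body": "The APK (package name: com.fake.bank) is a dropper. SHA256: " + "a" * 64
             + " contacts a C2 at evil-c2.example"},
    {"vendor": "VendorB", "title": "Windows ransomware campaign update",
     "body": "No mobile component. SHA256: " + "b" * 64},
    {"vendor": "VendorC", "title": "Android adware found on third-party stores",
     "body": "Samples (MD5): " + "c" * 32 + ", " + "d" * 32 + ". Package: com.ads.flash.player"},
    {"vendor": "VendorD", "title": "Android SDK release notes",
     "body": "Nothing malicious here, just tooling."},
]

# Hash patterns: the \b anchors stop the MD5 pattern matching the first 32 hex chars of a SHA-256.
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Assumed convention: package names are only taken when the report labels them explicitly,
# so bare domain names such as evil-c2.example are not mistaken for Android packages.
PKG_RE = re.compile(r"package(?: name)?:\s*([a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*)+)", re.I)
ANDROID_HINTS = ("android", "apk", "google play")


@dataclass
class MalwareRecord:
    """One dataset entry: who reported it and which IoCs the report carried."""
    vendor: str
    title: str
    sha256: list = field(default_factory=list)
    md5: list = field(default_factory=list)
    packages: list = field(default_factory=list)


def extract_iocs(text: str) -> dict:
    """Pull file hashes and labelled Android package names out of free text, de-duplicated."""
    return {
        "sha256": sorted({h.lower() for h in SHA256_RE.findall(text)}),
        "md5": sorted({h.lower() for h in MD5_RE.findall(text)}),
        "packages": sorted({p.lower() for p in PKG_RE.findall(text)}),
    }


def is_android_malware_report(title: str, body: str) -> bool:
    """Keep a report only if it is about Android AND carries at least one sample hash."""
    text = f"{title} {body}".lower()
    iocs = extract_iocs(body)
    return any(h in text for h in ANDROID_HINTS) and bool(iocs["sha256"] or iocs["md5"])


def build_dataset(reports: list) -> list:
    """Filter the crawled reports and turn the surviving ones into MalwareRecord entries."""
    records = []
    for r in reports:
        if not is_android_malware_report(r["title"], r["body"]):
            continue
        iocs = extract_iocs(r["body"])
        records.append(MalwareRecord(r["vendor"], r["title"],
                                     iocs["sha256"], iocs["md5"], iocs["packages"]))
    return records


if __name__ == "__main__":
    for rec in build_dataset(SAMPLE_REPORTS):
        print(rec)
```

Of the four constructed snippets only VendorA and VendorC survive: the Windows report lacks an Android hint and the SDK note carries no hash.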


Published In

Proceedings of the ACM on Measurement and Analysis of Computing Systems (POMACS), Volume 6, Issue 2, June 2022, 499 pages. EISSN: 2476-1249. DOI: 10.1145/3543145.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. android malware
2. dataset
3. malware evolution
4. security reports
