Hey, You, Get off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets

Authors: Yajin Zhou, Zhi Wang, Wu Zhou, Xuxian Jiang
Proceedings of the 19th Network and Distributed System Security Symposium (NDSS 2012)
San Diego, CA, February 2012

This paper studies how many malware applications are on the Android Market (along with several other third party markets). Due to the large number of applications, the authors have to filter which applications they inspect further. This is accomplished by downloading the apps on a desktop computer, storing each app’s permissions found in the manifest file into a database, and then performing queries on the database. They query for apps that have certain combinations of permissions that are known to be used by malicious apps. Examples given are SEND_SMS & RECEIVE_SMS, CHANGE_WIFI_STATE, or INTERNET, READ_PHONE_STATE. A listing of known malware is given along with which permissions each one requires. After “permission-based filtering” has been performed to reduce the number of apps, “behavioral footprint matching” is performed.
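The permission-based filtering step described above can be sketched as follows. This is an added example, not code from the paper or its authors: the table layout, function names and sample package names are hypothetical, and the manifests are assumed to be already decoded from the APK's binary XML into text.

```python
import sqlite3
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def make_manifest(package, perms):
    """Build a constructed, text-form AndroidManifest.xml for the sample set."""
    uses = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')

# Constructed sample apps (made-up package names, not real market data).
SAMPLES = [
    make_manifest("com.example.flashlight", ["CAMERA"]),
    make_manifest("com.example.smsbackup", ["SEND_SMS", "RECEIVE_SMS", "INTERNET"]),
    make_manifest("com.example.game", ["INTERNET", "READ_PHONE_STATE"]),
    make_manifest("com.example.reader", ["INTERNET", "RECEIVE_SMS"]),
]

def extract_permissions(manifest_xml):
    """Return (package, set of requested permissions) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return root.get("package"), {p for p in perms if p}

def build_db(manifests):
    """Store one row per (package, permission) so combinations can be queried."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE app_permission (package TEXT, permission TEXT, "
               "PRIMARY KEY (package, permission))")
    for manifest_xml in manifests:
        package, perms = extract_permissions(manifest_xml)
        db.executemany("INSERT OR IGNORE INTO app_permission VALUES (?, ?)",
                       [(package, p) for p in perms])
    return db

def apps_with_all(db, required):
    """Packages requesting every permission in `required` (short names)."""
    full = ["android.permission." + p for p in required]
    marks = ",".join("?" * len(full))
    rows = db.execute(
        f"SELECT package FROM app_permission WHERE permission IN ({marks}) "
        "GROUP BY package HAVING COUNT(DISTINCT permission) = ? ORDER BY package",
        full + [len(full)])
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db(SAMPLES)
    print(apps_with_all(db, ["SEND_SMS", "RECEIVE_SMS"]))
    print(apps_with_all(db, ["INTERNET", "READ_PHONE_STATE"]))
```

A match here only means the app requests the permission combination; as in the paper's pipeline, the surviving apps still need the second-stage behavioral check before being called malicious.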

Behavioral footprint matching monitors the app and looks for suspicious activity. This includes things such as listening for the android.provider.Telephony.SMS_RECEIVED intent followed by a call to abortBroadcast, and sending SMS messages to premium numbers. This process screens for a Zsone-like trojan that sends SMS messages to these premium numbers, which runs up the user’s phone bill.

They also attempt to detect unknown Android malware. This is accomplished by using “heuristics-based filtering.” This method flags applications that try to run third party code, either fetched from a web server or hidden as native code in a location where it does not belong. After an app has been flagged for this, “dynamic execution monitoring” is performed. This process monitors the system calls the app attempts to make, and if something suspicious like an Android root command is invoked, the app is manually evaluated further. The authors claim that this method has actually helped them discover two new malware families, Plankton and DroidKungFu.

Out of the 204,040 apps that were evaluated, 211 were detected as malicious. The majority of these apps were in third party markets and not the official Android Market. It is concluded that third party markets need to police submissions more vigorously.

About Frank Sposaro

Frank was the initial student to start the mobile lab with Dr. Tyson. After working on the first project, iFall, he and Dr. Tyson designed the Mobile Programming course at FSU. The course is used as a training base to recruit new students into the lab. His thesis researches several medical-related applications, including iFall. Frank then went on to implement the redesign of the “favorite contacts” for Android’s Ice Cream Sandwich at Google HQ in Mountain View, California. He currently acts as a tech lead in the lab, getting infrastructure and project management tools set up. He has a special focus on native Android coding and UI design.