[Paper Summary] A Large-scale Temporal Measurement of Android Malicious Apps: Persistence, Migration, and Lessons Learned

Introduction

This is a summary of the USENIX 2022 paper "A Large-scale Temporal Measurement of Android Malicious Apps: Persistence, Migration, and Lessons Learned".

Background

1. Google defines some disruptive adware as MUwS (mobile unwanted software).
2. Multiple-Instance PHA: the attacker updates the PHA on top of a PHA that has not been removed, installs additional applications, or entices the user to install the app with a full-screen ad.

Main content

The paper measures the persistence of Android Potentially Harmful Applications (PHAs) on devices, their persistence in app markets, and their migration between markets.

Measurement methods

1. Measuring the persistence of PHAs on the device:

The time at which the PHA is detected is recorded as the first timestamp, and the time at which the user removes the PHA is recorded as the second timestamp.

2. Measuring the persistence of PHAs in the market:

When a device detects a PHA, the package name is recorded and used to index the timestamp.

3. Measuring market migration:

PHAs are tracked by signature, and the periods for which each one exists in each app market are ordered by length. A PHA is considered to migrate from a market with a longer period to a market with a shorter period.
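The three measurements above can be sketched over device telemetry as follows. This is an added example, not code from the paper or the original post; the record layout, the sample values, and the use of the installer package name to identify the market are assumptions made for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import date

Rec = namedtuple("Rec", "device signature package installer day event")

# Constructed sample telemetry (hypothetical values, not from the paper's dataset).
RECORDS = [
    Rec("dev1", "sigA", "com.example.ads", "com.market.one", date(2020, 1, 1), "detected"),
    Rec("dev1", "sigA", "com.example.ads", "com.market.one", date(2020, 1, 21), "removed"),
    Rec("dev2", "sigA", "com.example.ads", "com.market.one", date(2020, 3, 5), "detected"),
    Rec("dev3", "sigA", "com.example.ads", "com.market.two", date(2020, 2, 10), "detected"),
    Rec("dev3", "sigA", "com.example.ads", "com.market.two", date(2020, 2, 20), "removed"),
    Rec("dev4", "sigA", "com.example.ads", "com.market.two", date(2020, 2, 25), "detected"),
]

def device_persistence(records):
    """Days from first detection to removal per (device, signature).
    None means no removal was observed (the PHA is still installed)."""
    first, gone = {}, {}
    for r in records:
        key = (r.device, r.signature)
        if r.event == "detected":
            first[key] = min(first.get(key, r.day), r.day)
        elif r.event == "removed":
            gone[key] = max(gone.get(key, r.day), r.day)
    return {k: (gone[k] - d).days if k in gone and gone[k] >= d else None
            for k, d in first.items()}

def market_windows(records, by="package"):
    """Per app (keyed by `by`), the first/last detection day in each market.
    Assumption: the installer package name identifies the market."""
    win = defaultdict(dict)
    for r in records:
        if r.event != "detected":
            continue
        app = getattr(r, by)
        lo, hi = win[app].get(r.installer, (r.day, r.day))
        win[app][r.installer] = (min(lo, r.day), max(hi, r.day))
    return {app: dict(m) for app, m in win.items()}

def migrations(records):
    """Track each PHA by signature, rank its markets by window length, and
    report (signature, from_market, to_market) from longer to shorter window."""
    out = []
    for sig, per_market in market_windows(records, by="signature").items():
        ranked = sorted(per_market, reverse=True,
                        key=lambda m: per_market[m][1] - per_market[m][0])
        out += [(sig, a, b) for a, b in zip(ranked, ranked[1:])]
    return out
```

Devices with no removal event are kept as None rather than dropped, so still-installed PHAs are not silently counted as short-lived.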

Dataset source

1. Passive dataset: obtained from NortonLifeLock, containing the device identifier, device country code, detection timestamp, signature, application package name and installer package name.

2. Because different security companies use different strategies when labelling PHAs, the corresponding PHAs in the dataset are checked on VirusTotal.

3. AVclass is used to extract malware family names.

Measurement angles

1. How long PHAs persist on the device

1) Device persistence for different PHA types
2) Device persistence for PHA families

Measured for the top 20 PHA families.

3) Multiple-Instance persistence of PHAs

2. How long PHAs can persist in the app markets

1) Prevalence of PHAs in the markets
2) Market actions in response to PHAs
3) Market persistence of different types of PHAs

Angle 1: Persistence of PHAs in each market
Angle 2: Analysis of the overall survival rate of PHAs in each market
Angle 3: Different types of PHAs in each market
Angle 4: Top 10 PHA families in each market

3. Do PHAs migrate to other markets after being deleted from an app market?

1) PHA cross-market migration

Angle 1: Number of migrations by market
Angle 2: Number of migrations for different kinds of PHAs

2) PHA persistence for migration via backup/clone


Origin blog.csdn.net/Ohh24/article/details/127935348