Introduction
This is a paper from USENIX 2022: "A Large-scale Temporal Measurement of Android Malicious Apps: Persistence, Migration, and Lessons Learned"
Background knowledge
1. Google defines some disturbing adware as MUwS (Mobile unwanted software).
2. Multiple-Instance PHA: the attacker updates the PHA on top of a PHA that has not been deleted, installs additional applications, or entices the user to install an app through a full-screen ad.
Main content
The paper measures the persistence of Android Potentially Harmful Applications (PHAs) on devices, their persistence in the markets, and their migration between markets.
Measurement methods
1. Measuring the persistence of PHAs on the device:
The time at which the PHA is detected is recorded as the first timestamp, and the time at which the user removes the PHA is recorded as the second timestamp.
2. Measuring the persistence of PHAs in the market:
When a device detects a PHA, the package name is recorded and used to index the detection timestamp.
3. Measuring market migration:
Signatures are tracked and the existence cycles in each application market are ordered by length; a PHA migrates from a market with a longer cycle to a market with a shorter cycle.
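The three measurements above, worked through as an added example (not code from the paper or its authors). The row layout, the sample values, the function names, and the reading of an "existence cycle" as the span from first to last detection in a market are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed telemetry rows (not from the paper's data set). Assumed layout:
# (device_id, package_name, signature, market, detected_on, removed_on or None)
ROWS = [
    ("d1", "com.ex.flash", "sigA", "market_x", "2020-01-01", "2020-01-11"),
    ("d2", "com.ex.flash", "sigA", "market_x", "2020-01-05", "2020-03-05"),
    ("d3", "com.ex.flash", "sigA", "market_y", "2020-04-01", "2020-04-08"),
    ("d4", "com.ex.clean", "sigB", "market_x", "2020-02-01", None),
]

def day(text):
    return datetime.strptime(text, "%Y-%m-%d")

def device_persistence(rows):
    """Days between the first (detection) and second (removal) timestamp."""
    return {(dev, pkg): (day(rem) - day(det)).days
            for dev, pkg, _sig, _mkt, det, rem in rows
            if rem is not None}  # no removal yet: lifetime is open-ended, skip

def market_cycles(rows, column):
    """Existence cycle in days per (key, market); column 1 = package, 2 = signature."""
    seen = defaultdict(list)
    for row in rows:
        seen[(row[column], row[3])].append(day(row[4]))
    return {key: (max(ts) - min(ts)).days for key, ts in seen.items()}

def migrations(rows):
    """Per signature, order markets by cycle length and pair longer -> shorter."""
    per_sig = defaultdict(list)
    for (sig, market), days in market_cycles(rows, 2).items():
        per_sig[sig].append((days, market))
    moves = []
    for sig, cycles in sorted(per_sig.items()):
        cycles.sort(reverse=True)  # longest existence cycle first
        moves += [(sig, a[1], b[1]) for a, b in zip(cycles, cycles[1:])]
    return moves

if __name__ == "__main__":
    print(device_persistence(ROWS))
    print(market_cycles(ROWS, 1))
    print(migrations(ROWS))
```

Installs without a removal timestamp are left out of the device-persistence result rather than counted as zero, since their lifetime is still open at the end of the observation window.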
Dataset source
1. Passive data set: obtained from NortonLifeLock, containing the device identifier, device country code, detection timestamp, signature, application package name and installation package name.
2. Since different security companies use different strategies when marking PHAs, the corresponding PHAs in the data set are checked in VirusTotal.
3. AVclass is used to extract malware family names.
Measurement angles
1. How long do PHAs persist on the device?
1) Device persistence for different PHA types
2) Device persistence for PHA families
Measure the top 20 PHA families
3) Multiple-Instance persistence of PHAs
2. How long can PHAs exist in the application market?
1) Prevalence of PHAs in the market
2) Market actions in the face of PHAs
3) Market persistence of different types of PHAs
Angle 1: Persistence of PHAs in each market
Angle 2: Analysis of the overall survival rate of PHAs in each market
Angle 3: Different types of PHAs in each market
Angle 4: Top 10 PHA families in each market
3. Will PHAs be migrated to other markets after being deleted from the application market?
1) PHA cross-market migration
Angle 1: Number of migrations by market
Angle 2: Number of migrations by PHA type
2) PHA Persistence for Migration via Backup/Clone