Device Administrator Use and Abuse in Android: Detection and Characterization

Zhiyong Shan, Raina Samuel, Iulian Neamtiu

Research output: Contribution to conference › Paper › peer-review

3 Scopus citations

Abstract

Device Administrator (DA) capabilities for mobile devices, e.g., remote locking/wiping, or enforcing password strength, were originally introduced to help organizations manage phone fleets or enable parental control. However, DA capabilities have been subverted and abused: malicious apps have used DA to create ransomware or lock users out, while benign apps have used DA to prevent or hinder uninstallation; in certain cases the only remedy is to factory-reset the phone. We call these apps "Deathless Device Administrator" (DDA), i.e., apps that cannot be uninstalled. We provide the first systematic study of Android DA capabilities, DDA apps, DDA-attack resistance across Android versions, and DDA-induced families in malicious apps. To enable scalable studies of questionable DA behavior, we developed DAAX, a static analyzer which exposes potential DA abuse effectively and efficiently. In a corpus of 39,459 apps (20,467 malicious and 18,992 benign) DAAX has found 4,135 DA apps and 691 potential DDA apps. The static analysis results on the 4,135 apps were cross-checked via dynamic analysis on at least 3 phones, confirming 578 true DDAs, including apps currently on Google Play. The study has shown that DAAX is effective (84.8% F-measure) and efficient (analysis typically takes 205 seconds per app).

Original language: English (US)
State: Published - 2019
Event: 25th Annual International Conference on Mobile Computing and Networking, MobiCom 2019 - Los Cabos, Mexico
Duration: Oct 21 2019 to Oct 25 2019

Conference

Conference: 25th Annual International Conference on Mobile Computing and Networking, MobiCom 2019
Country/Territory: Mexico
City: Los Cabos
Period: 10/21/19 to 10/25/19

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Hardware and Architecture
  • Software

Keywords

  • mobile applications
  • mobile device management
  • security
  • static analysis
