Abstract
Device Administrator (DA) capabilities for mobile devices, e.g., remote locking/wiping, or enforcing password strength, were originally introduced to help organizations manage phone fleets or enable parental control. However, DA capabilities have been subverted and abused: malicious apps have used DA to create ransomware or lock users out, while benign apps have used DA to prevent or hinder uninstallation; in certain cases the only remedy is to factory-reset the phone. We call these apps "Deathless Device Administrator" (DDA), i.e., apps that cannot be uninstalled. We provide the first systematic study of Android DA capabilities, DDA apps, DDA-attack resistance across Android versions, and DDA-induced families in malicious apps. To enable scalable studies of questionable DA behavior, we developed DAAX, a static analyzer which exposes potential DA abuse effectively and efficiently. In a corpus of 39,459 apps (20,467 malicious and 18,992 benign) DAAX has found 4,135 DA apps and 691 potential DDA apps. The static analysis results on the 4,135 apps were cross-checked via dynamic analysis on at least 3 phones, confirming 578 true DDAs, including apps currently on Google Play. The study has shown that DAAX is effective (84.8% F-measure) and efficient (analysis typically takes 205 seconds per app).
Original language | English (US) |
---|---|
State | Published - 2019 |
Event | 25th Annual International Conference on Mobile Computing and Networking, MobiCom 2019 - Los Cabos, Mexico; Duration: Oct 21 2019 → Oct 25 2019 |
Conference
Conference | 25th Annual International Conference on Mobile Computing and Networking, MobiCom 2019 |
---|---|
Country/Territory | Mexico |
City | Los Cabos |
Period | 10/21/19 → 10/25/19 |
All Science Journal Classification (ASJC) codes
- Computer Networks and Communications
- Hardware and Architecture
- Software
Keywords
- mobile applications
- mobile device management
- security
- static analysis