Self-hiding behavior in Android apps: Detection and characterization

Zhiyong Shan, Iulian Neamtiu, Raina Samuel

Research output: Chapter in Book/Report/Conference proceedingConference contribution

24 Scopus citations

Abstract

Applications (apps) that conceal their activities are fundamentally deceptive; app marketplaces and end-users should treat such apps as suspicious. However, due to its nature and intent, activity concealing is not disclosed up-front, which puts users at risk. In this paper, we focus on characterization and detection of such techniques, e.g., hiding the app or removing traces, which we call "self hiding behavior" (SHB). SHB has not been studied per se - rather it has been reported on only as a byproduct of malware investigations. We address this gap via a study and suite of static analyses targeted at SH in Android apps. Specifically, we present (1) a detailed characterization of SHB, (2) a suite of static analyses to detect such behavior, and (3) a set of detectors that employ SHB to distinguish between benign and malicious apps. We show that SHB ranges from hiding the app's presence or activity to covering an app's traces, e.g., by blocking phone calls/text messages or removing calls and messages from logs. Using our static analysis tools on a large dataset of 9,452 Android apps (benign as well as malicious) we expose the frequency of 12 such SH behaviors. Our approach is effective: it has revealed that malicious apps employ 1.5 SHBs per app on average. Surprisingly, SH behavior is also employed by legitimate ("benign") apps, which can affect users negatively in multiple ways. When using our approach for separating malicious from benign apps, our approach has high precision and recall (combined F-measure = 87.19%). Our approach is also efficient, with analysis typically taking just 37 seconds per app. We believe that our findings and analysis tool are beneficial to both app marketplaces and end-users.

Original languageEnglish (US)
Title of host publicationProceedings of the 40th International Conference on Software Engineering, ICSE 2018
PublisherIEEE Computer Society
Pages728-739
Number of pages12
ISBN (Electronic)9781450356381
DOIs
StatePublished - May 27 2018
Event40th International Conference on Software Engineering, ICSE 2018 - Gothenburg, Sweden
Duration: May 27 2018Jun 3 2018

Publication series

NameProceedings - International Conference on Software Engineering
ISSN (Print)0270-5257

Other

Other40th International Conference on Software Engineering, ICSE 2018
Country/TerritorySweden
CityGothenburg
Period5/27/186/3/18

All Science Journal Classification (ASJC) codes

  • Software

Keywords

  • Android
  • Malware
  • Mobile security
  • Static analysis

Fingerprint

Dive into the research topics of 'Self-hiding behavior in Android apps: Detection and characterization'. Together they form a unique fingerprint.

Cite this