Thumbnail Image
Publication

Self-hiding behavior in Android apps: detection and characterization

Shan, Zhiyong
Neamtiu, Iulian
Samuel, Raina
Citations
Altmetric:
Files
Thumbnail Image
conference paper
Adobe PDF766.76 KB
Authors
Shan, Zhiyong
Neamtiu, Iulian
Samuel, Raina
Other Names
Location
Time Period
Advisors
Original Date
Digitization Date
Issue Date
2018
Type
Article
Genre
Keywords
Android,Static analysis,Malware,Mobile security
Subjects (LCSH)
Show all metadata
Research Projects
Organizational Units
Journal Issue
Citation
Zhiyong Shan, Iulian Neamtiu, and Raina Samuel. 2018. Self-Hiding Behavior in Android Apps: Detection and Characterization. In ICSE ’18: ICSE ’18: 40th International Conference on Software Engineering , May 27-June 3, 2018, Gothenburg, Sweden. ACM, New York, NY, USA, 12 pages. https://doi.org/ 10.1145/3180155.3180214
Abstract
Applications (apps) that conceal their activities are fundamentally deceptive; app marketplaces and end-users should treat such apps as suspicious. However, due to its nature and intent, activity concealing is not disclosed up-front, which puts users at risk. In this paper, we focus on characterization and detection of such techniques, e.g., hiding the app or removing traces, which we call "self hiding behavior" (SHB). SHB has not been studied per se - rather it has been reported on only as a byproduct of malware investigations. We address this gap via a study and suite of static analyses targeted at SH in Android apps. Specifically, we present (1) a detailed characterization of SHB, (2) a suite of static analyses to detect such behavior, and (3) a set of detectors that employ SHB to distinguish between benign and malicious apps. We show that SHB ranges from hiding the app's presence or activity to covering an app's traces, e.g., by blocking phone calls/text messages or removing calls and messages from logs. Using our static analysis tools on a large dataset of 9,452 Android apps (benign as well as malicious) we expose the frequency of 12 such SH behaviors. Our approach is effective: it has revealed that malicious apps employ 1.5 SHBs per app on average. Surprisingly, SH behavior is also employed by legitimate ("benign") apps, which can affect users negatively in multiple ways. When using our approach for separating malicious from benign apps, our approach has high precision and recall (combined F-measure = 87.19%). Our approach is also efficient, with analysis typically taking just 37 seconds per app. We believe that our findings and analysis tool are beneficial to both app marketplaces and end-users.
Table of Contents
Description
Click on the DOI link to access this article (may not be free.)
Publisher
Association for Computing Machinery
Journal
Book Title
Series
40th ACM/IEEE International Conference on Software Engineering (ICSE);2018
Digital Collection
URI
https://doi.org/10.1145/3180155.3180214
 http://hdl.handle.net/10057/15791
Finding Aid URL
Use and Reproduction
Archival Collection
PubMed ID
DOI
ISSN
EISSN
Collections
EECS Research Publications
Embedded videos