1 Detecting Hidden Attacks through the Mobile App-Web InterfacesYan Chen Lab of Internet and Security Technology (LIST) Northwestern University, USA
2 Downloaded phishing appMotivation Downloaded phishing app Click on the buttons Scan Automatically
3 Motivation Vast effort has been spent analyzing the malicious apps themselves For both industry and academia An important, yet unexplored vector of malware propagation is benign, legitimate apps that lead users to websites hosting malicious apps We call this hidden attacks though the app-web interface D.Arp,M.Spreitzenbarth,M.Hubner,H.Gascon,andK.Rieck,“Drebin:Effective and explainable detection of android malware in your pocket,”NDSS), 2014. 3
4 Contributions Develop a framework for analyzing the app-web interfaces in Android applications Develop a novel technique to interact with UI widgets to trigger app-web interface Conduct a systematic study to associate ad networks with ad library packages Detect hidden attacks Tested 600,000 apps in two months Found several unknown attacks: a rogue antivirus scam, free iPad and iPhone scams, and ads propagating SMS trojans
5 Outline Background on mobile advertising System DesignDetection Results Case study
6 Advertising Overview 6
7 Publishers and AdvertisersPublishers – show ads to users Advertisers – the brand owners that wish to advertise 7
8 Ad networks Also called aggregators Link advertisers to publishersBuy ad space from publishers; sell to advertisers Sophisticated algorithms for Targeting Inventory management 8
9 Ad networks Ad networks may interface with each other SyndicationOne ad network asks another to fill ad space Ad exchange Real time auction of ad inventory Bidding from many ad networks for many ad spaces
10 Mobile In-app AdvertisingAd networks provide glue code that apps can embed and communicate with ad servers Ad libraries, which identify ad networks Web links embedded directly in apps Malicious links are visited via the landing pages of ads coming from ad networks Though the apps themselves are benign
11 Outline Background on mobile advertising System DesignDetection Results Case study
12 Overview of Detection MethodologyTrigger App-web interfaces URL scanning Redirection Chains Dynamic App Analysis App DataSet Malware and scan report Downloaded Files WEBSITE File scanning Landing Pages Dynamic webpage analysis
13 Components Triggering Detection ProvenanceInteract with the app to launch web links Detection Include the various processes to detect malicious and benig that may occur as a result of triggering Provenance Understand the cause or origin of a detected malicious activity, and attribute events to a specific domain or an ad library
14 Triggering App-Web interfacesApplication UI Exploration Use the heuristics and algorithms developed in AppsPlayground [Codaspy2013] Handling Webviews Develop based on Selendroid to interact with Webviews Apply computer vision techniques Add an example for 14
15 UI Exploration of AppsPlaygroundAdd an example for 15
16 Examples of Handling WebviewsBounding boxes are depicted as red rectangles. The top two figures contain the whole screen while the bottom figure is just an ad. Note the detection of buttons. Add an example for 16
17 Detection Redirection chains Landing pages File and URL scanningIn a browser configured with a realistic user agent and window size Download any files that can be downloaded File and URL scanning VirusTotal URL blacklists Google Safebrowsing, Websense, … VirusTotal antivirus engines Symantec, Dr. Web, Kaspersky, Eset, …
18 Provenance Understand the cause and origins of attacksApproach 1: through redirection chains Identify the parties owning the URLs leading up to the landing URL Approach 2: attribute code-level elements to locate it: at app or ad libraries? log specific intents that are indicative of URL launches together with which part of the code (the Java class within which the launching code lies) that submitted the intent 18
19 Discovering Ad NetworksFirst systematic step towards understanding malvertising Finding ad libraries Typically have their own Java packages, e.g., com.google.ads Disassemble the app and get Java packages
20 Approach 1 Find frequent packagesAd networks included in many apps so their packages will be frequent So are some other packages, e.g., Apache libs, game development libs,… Have to manually filter them
21 Approach 2 Observation: Ad functionality is different from the main app functionality Three steps Get all android APIs Decouple: Break the app into different modules based on code characteristics Inheritance, function calls, field relationships Cluster: cluster modules from multiple apps together based on their API call similarity Frequent libs such as Apache, game libs ad libraries
22 Approach 2 Cluster 1 Cluster 2 APP1 APP2 APPn Cluster m DecouplingClustering Google ads libs Module Cluster 1 APP1 Module Module Apache libs Module APP2 Cluster 2 Module Module Module Game libs APPn Module Cluster m Module
23 Discovering Ad Networks: ResultsDataset 492,534 apps from Google Play 422,505 apps from four Chinese stores: 91, Anzhi (安智), AppChina(应用汇), Mumayi (木蚂蚁) Discovered a total of 201 ad networks The most reported ad networks so far
24 Outline Background on mobile advertising System DesignDetection Results Case study
25 Overall Detection FindingsGoogle Play Chinese Markets App-to-web links 1,000,000 415,000 Malicious URLs 948 1475 Downloaded Files 468 1097 Malicious Downloaded Files 271 435 Run 492,534 apps from Google Play and 200,000 apps from Chinese markets, having ad libraries
26 Which Ad Libraries Have AttacksGoogle Play Chinese market Malicious files downloaded through ad libraries and other links. Tapcontext malware has the most malicious file download, but we exclude them here for better viewing
27 Comparison on Redirection ChainsGoogle Play Chinese market As the length of the chains increase, the two curves come closer We have a greater fraction of malicious chains when they are longer
28 Outline Background on mobile advertising System DesignDetection Results Case study
29 Case Study:Fake AV scamCampaign found in multiple apps, one network: Tapcontext (244 instances in America and 102 in China) Website design mimics Android dialog box We detected this campaign 20 days before the site was flagged as phishing by Google and others
30 Case Study:Free iPad scamLanding Page Phishing: asked to give some very personal information without getting anything in return After that, receiving spam on our address registered with this ad Click on the button
31 Case Study:Free iPad scamThe scam originates not through an ad in the app, but through a link statically embedded in the app.
32 Case Study: Downloaded PlayerDownload player Ad library name: jp.co.nobot It leads to download a video player The purported video player is actually an SMS trojan Automatically send out paid SMS? Click on the ad
33 Case Study: SMS Trojan When opening the app, it will try to send a message directly Once click on the "send" button, it will send message to (a charged SMS service) Receive warning on a Xiaomi phone 12/7/2017
34 Case Study: Porn PhishingIt also asks you to pay 15 RMB to register a member to see porn content 12/7/2017
35 Case Study: 禁播视频 Get your location Send SMS to 12114Download several malicious apps directly Some get installed directly without prompt 12/7/2017
36 Conclusions Explored the app-web interface, wherein a user may go from an app to a Web destination via ad or web links embedded in the app Tested 600,000 applications in two months Identified several malware and scam campaigns propagating through both ads and web links in apps. We are working with CNCERT to protect Android users by screening out offending apps that embed links leading to malicious content by making ad networks more accountable for their ad content
37 Thank you ! Questions ?
38 Android Ecosystem
39 Button Detection AlgorithmPerform edge detection on the view’s image Find contours in the image Ignore the non-convex contours or those with very small area Compute the bounding boxes of all remaining contours Add an example for 39
40 Case Study:Downloaded AppMalicious apps downloaded from Baidu ads Sent message directly to 12114