TY - GEN
T1 - Understanding and detecting overlay-based android malware at market scales
AU - Yan, Yuxuan
AU - Li, Zhenhua
AU - Chen, Qi Alfred
AU - Wilson, Christo
AU - Xu, Tianyin
AU - Zhai, Ennan
AU - Li, Yong
AU - Liu, Yunhao
N1 - Funding Information:
We sincerely thank our shepherd Dr. Landon Cox and the anonymous reviewers for their valuable feedback. We also appreciate Hai Long and Zipeng Wu for their contributions to the deployment of OverlayChecker. This work is supported in part by the National Key R&D Program of China under grant 2017YFB1003000, and the National Natural Science Foundation of China (NSFC) under grants 61632013, 61822205, 61432002 and 61632020.
Publisher Copyright:
© 2019 Copyright held by the owner/author(s). Publication rights licensed to ACM.
PY - 2019/6/12
Y1 - 2019/6/12
N2 - As a key UI feature of Android, overlay enables one app to draw over other apps by creating an extra View layer on top of the host View. While greatly facilitating user interactions with multiple apps at the same time, it is often exploited by malicious apps (malware) to attack users. To combat this threat, prior countermeasures concentrate on restricting the capabilities of overlays at the OS level, while barely seeing adoption by Android due to the concern of sacrificing overlays’ usability. To address this dilemma, a more pragmatic approach is to enable the early detection of overlay-based malware at the app market level during the app review process, so that all the capabilities of overlays can stay unchanged. Unfortunately, little has been known about the feasibility and effectiveness of this approach for lack of understanding of malicious overlays in the wild. To fill this gap, in this paper we perform the first large-scale comparative study of overlay characteristics in benign and malicious apps using static and dynamic analyses. Our results reveal a set of suspicious overlay properties strongly correlated with the malice of apps, including several novel features. Guided by the study insights, we build OverlayChecker, a system that is able to automatically detect overlay-based malware at market scales. OverlayChecker has been adopted by one of the world’s largest Android app stores to check around 10K newly submitted apps per day. It can efficiently (within 2 minutes per app) detect nearly all (96%) overlay-based malware using a single commodity server.
AB - As a key UI feature of Android, overlay enables one app to draw over other apps by creating an extra View layer on top of the host View. While greatly facilitating user interactions with multiple apps at the same time, it is often exploited by malicious apps (malware) to attack users. To combat this threat, prior countermeasures concentrate on restricting the capabilities of overlays at the OS level, while barely seeing adoption by Android due to the concern of sacrificing overlays’ usability. To address this dilemma, a more pragmatic approach is to enable the early detection of overlay-based malware at the app market level during the app review process, so that all the capabilities of overlays can stay unchanged. Unfortunately, little has been known about the feasibility and effectiveness of this approach for lack of understanding of malicious overlays in the wild. To fill this gap, in this paper we perform the first large-scale comparative study of overlay characteristics in benign and malicious apps using static and dynamic analyses. Our results reveal a set of suspicious overlay properties strongly correlated with the malice of apps, including several novel features. Guided by the study insights, we build OverlayChecker, a system that is able to automatically detect overlay-based malware at market scales. OverlayChecker has been adopted by one of the world’s largest Android app stores to check around 10K newly submitted apps per day. It can efficiently (within 2 minutes per app) detect nearly all (96%) overlay-based malware using a single commodity server.
UR - http://www.scopus.com/inward/record.url?scp=85069210578&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85069210578&partnerID=8YFLogxK
U2 - 10.1145/3307334.3326094
DO - 10.1145/3307334.3326094
M3 - Conference contribution
AN - SCOPUS:85069210578
T3 - MobiSys 2019 - Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services
SP - 168
EP - 179
BT - MobiSys 2019 - Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services
PB - Association for Computing Machinery, Inc
T2 - 17th ACM International Conference on Mobile Systems, Applications, and Services, MobiSys 2019
Y2 - 17 June 2019 through 21 June 2019
ER -