Malware Characterization


Overview

We used five high-level categories to describe the analyzed Google Play malware: Malware Event Conditions, Malware Check Conditions, Malware Payloads, Hiding Techniques, and Coding Properties.

Below, we list and describe sub-categories for each high-level category. We also list the number of samples in each category/sub-category.


Malware Event Conditions

System Events

  • Boot Status - Triggered based on the device boot status (e.g., boot complete, quickboot poweron, reboot, etc.)
  • Device Status - Triggered on the device screen status (e.g., screen on/off, device unlocked, dreaming stopped, etc.)
  • Network Status - Triggered on the device network status (e.g., connectivity change, wifi state change, signal strength change, etc.)
  • Developer-Defined - Triggered on intents not defined by Android (e.g., push notifications from Firebase messaging services)
  • Package Changes - Triggered on package related changes (e.g., installing an app, updating an app, removing an app, etc.)
  • Service Bind - Triggered on the use of bound services (e.g., notification listeners, accessibility)
  • SMS Delivery - Triggered on SMS deliveries (e.g., SMS received, SMS sent, etc.)
  • Battery Status - Triggered on the device battery status (e.g., battery level changes, charging status changes)
  • Call Status - Triggered on the device call status (e.g., receiving a call, putting a call on hold, hanging up the call, etc.)
  • USB Status - Triggered on device USB status (e.g., connecting a USB to the device)

User Events

  • Application Launch - Triggered when the user launches the app
  • Button Click - Triggered when the user interacts with a button on the app
  • Sensitive Input - Triggered when the user inputs sensitive information into UI elements of the app
  • Permissions - Triggered when the user grants an app permissions
  • App Install - Triggered when the user installs an app
  • Clipboard Text - Triggered when the user copies text to the clipboard

Scheduling Events

  • Triggered by scheduling an alarm or handler that executes periodically
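As an added example (not part of the study or its tooling), a small Python triage script that reads an AndroidManifest.xml and buckets every intent action declared on a receiver or service into the System Events sub-categories above; the action-to-category table is an assumption that covers one representative Android action per sub-category, and the manifest is constructed for the demonstration.

```python
"""Static triage: map the intent actions a manifest's receivers and services
listen for onto this taxonomy's System Events sub-categories. Added example;
the mapping table is an assumption, not a complete list of Android actions."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Assumed action -> sub-category mapping (real Android action strings).
ACTION_CATEGORY = {
    "android.intent.action.BOOT_COMPLETED": "Boot Status",
    "android.intent.action.SCREEN_ON": "Device Status",
    "android.net.conn.CONNECTIVITY_CHANGE": "Network Status",
    "com.google.firebase.MESSAGING_EVENT": "Developer-Defined",
    "android.intent.action.PACKAGE_ADDED": "Package Changes",
    "android.accessibilityservice.AccessibilityService": "Service Bind",
    "android.provider.Telephony.SMS_RECEIVED": "SMS Delivery",
    "android.intent.action.ACTION_POWER_CONNECTED": "Battery Status",
    "android.intent.action.PHONE_STATE": "Call Status",
    "android.hardware.usb.action.USB_DEVICE_ATTACHED": "USB Status",
}

def classify_manifest(manifest_xml):
    """Return {sub-category: sorted [(component, action), ...]}; actions the
    table does not know go under "Unmapped" so nothing is silently dropped."""
    found = {}
    for comp in ET.fromstring(manifest_xml).iter():
        if comp.tag not in ("receiver", "service"):
            continue
        for action in comp.iter("action"):
            act = action.get(NS + "name", "")
            cat = ACTION_CATEGORY.get(act, "Unmapped")
            found.setdefault(cat, []).append((comp.get(NS + "name"), act))
    return {cat: sorted(hits) for cat, hits in found.items()}

# Constructed sample manifest for demonstration (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application>
  <receiver android:name=".BootRx"><intent-filter>
   <action android:name="android.intent.action.BOOT_COMPLETED"/>
   <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
  </intent-filter></receiver>
  <receiver android:name=".SmsRx"><intent-filter>
   <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
   <action android:name="com.example.CUSTOM_PING"/>
  </intent-filter></receiver>
  <service android:name=".A11y"><intent-filter>
   <action android:name="android.accessibilityservice.AccessibilityService"/>
  </intent-filter></service>
 </application></manifest>"""
```

Actions that land in the "Unmapped" bucket are the candidates for the Developer-Defined sub-category and are the ones worth reviewing by hand.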

Malware Check Conditions

External Server

  • SMS - Checking based on command retrieved from SMS
  • Internet - Checking based on commands retrieved from the internet

Device

  • Sensor - Checking data from sensors (e.g., battery, temperature, motion sensors)
  • Hardware Specifications - Checking hardware specifications of the device (e.g., CPU, screen status, network operator, etc.)
  • Software Specifications - Checking software specifications of the device (e.g., Android version, apps installed on device, emulator indicators, current phone state, device rooted, etc.)
  • Network - Checking network status of the device

Environment

  • Location - Checking based on specific location
  • Time - Checking based on specific time

Application

  • Permission - Checking if the app is provided with permissions
  • Data Format - Checking for a specific data format (e.g., phone number, PIN number, wallet address, image format, etc.)
  • Probability - Checking based on a probability roll (e.g., rolling a random number between 1 and 100 and checking whether it is less than 25)
  • Install Referrer - Checking if the app was installed under a specific install referrer (e.g., clicky, azuvu, etc.)
  • App Version - Checking if the app is a certain version

Malware Payloads

  • Information Stealing - Stealing information from the user (e.g., device, bank/social/entertainment accounts, content specific to the user, etc.)
  • Ad Abuse - Abusing advertisement schemes for monetary value
  • Premium Charges - Subscribing the device to premium charges (e.g., premium SMS, premium rate numbers, WAP billing)
  • Cryptocurrency Mining - Mining cryptocurrency without the user's consent
  • Root Exploit - Granting elevated access to perform unauthorized actions
  • Clipboard Hijacking - Replacing the text of the user's copy action to perform unintended actions (e.g., replacing copied text with the malware developer's cryptocurrency wallet)
  • Port Forwarding - Gaining access to the user's internal network
  • Ransom - Disabling device functionalities to coerce the victim into paying a fee to re-enable the device
  • Unknown - Payloads which download an unknown malicious executable

Hiding Techniques

  • Icon Manipulation - Changing the icon to divert the user's attention (e.g., hiding the icon, changing the icon to something the user would not normally uninstall)
  • Rich Benign Functionality - Implementing functionalities that a user deems useful
  • Device Admin - Granting device admin privileges to increase the difficulty of uninstalling the application
  • Information Blocking - Blocking information about malicious activities from the user (e.g., cancelling a notification, deleting an SMS message, etc.)
  • Self-Uninstallation - Uninstalling itself to confuse the user about which app performed the malicious behavior
  • Automated Gesture Input - Preventing the user from performing certain actions by performing automated gestures (e.g., pressing the back button when the user is on an antivirus app)
  • Screen Locking - Hiding malicious behaviors of the application by locking the screen

Coding Properties

Location

  • Direct - Implementation includes code from source DEX files
  • Hidden (Local) - Implementation includes code from local assets
  • Downloaded (Remote) - Implementation includes code downloaded from remote sources

Language

  • Bytecode - Implementation found in Java bytecode
  • Native - Implementation found in native code
  • Web - Implementation found in HTML/CSS/JS

Detailed Mapping of Samples

Categorization of the properties of each sample is given in the tables below.