Are these ads safe? Detecting hidden attacks through the mobile app-web interface. Vaibhav Rastogi, Rui Shao, Yan Chen, Xiang Pan, Shihong Zou, and Ryan Riley.
Are these ads safe? Detecting hidden attacks through the mobile app-web interface
Vaibhav Rastogi, Rui Shao, Yan Chen, Xiang Pan, Shihong Zou, and Ryan Riley
Presented by Helen Zhao

Mobile security problem
- Mobile phones are everywhere.
- Android has about 80% of the world's mobile market share, but it is particularly susceptible to malware and scams.

Android security
- Unlike iOS, Android lets users install apps from unverified sources: APKs downloaded from the internet and third-party app stores.
- Third-party app stores are used almost exclusively in China.
- These stores may not have integrity and security checks as robust as the Google Play Store's.

Android attacks
- Trojans are the most common form of attack, because application sandboxing makes drive-by-download attacks difficult.
- A Trojan is an application that has some useful function but also hides malicious behaviour.

Where are these attacks coming from?
- Malicious applications. A lot of research has already been done on these.
- Possibly benign, legitimate applications that knowingly or unknowingly host malicious ads.
- This paper focuses on the second type: applications that can be benign and legitimate but unknowingly run malicious ads, i.e. mobile attacks delivered through advertisements.

Ads in Android
- Many applications on app stores are free and rely on revenue from ads.
- Ads are links. They can come from ad networks/aggregators, such as Google Ads.
- These ads are connected to the web, so they form an app-web interface.
- To understand how the attacks occur, we first have to understand how ads work in the Android ecosystem.

How are ads added to an app?
- The developer embeds the ad (a link) into the app statically, or
- ad network code (a library and its API calls) is added to the app and is responsible for fetching and serving up ads at runtime.

Redirection
- When you click on an ad, it often doesn't take you straight to the advertised page.
- Ad networks generally don't operate independently: they bid against each other or through ad exchanges, and sell or delegate ad space to one another.
- As a result, one click is redirected many times, through each ad network's channels. This sequence is called the redirection chain.
- The final page the ad redirects to is called the landing page.

Goal of the paper
- Analyse and understand mobile attacks through ads via the app-web interface.
- How? Build an analysis tool, deploy it for two months, and analyse 600,000 applications in the US and in China.

How the tool works
The tool is an analysis framework with three steps:
- Triggering the UI: clicking on all the web links.
- Detecting malicious content in the triggered pages.
- Provenance: determining where and from whom the malicious content originated.

How: triggering the UI
- Static analysis of the app alone can't identify ad links, because ad networks load the ads dynamically.
- The authors built an automated tool that runs applications in an emulator inside a virtual machine (dynamic app analysis).
- It extracts features and code elements from the displayed UI and constructs a hierarchy of the widgets within it (e.g. buttons, panels).

Issues with triggering the UI
- WebViews appear opaque to the tool: they present a flat UI hierarchy with no individual widgets to click.
- Solution: a graphics-based algorithm that finds clickable buttons/widgets by looking for convex, bounded contours in the rendered screen.

Capturing information
To analyse the ads, the tool needed to capture and store: the links, the redirection chains, and the landing pages.

Capturing information
- Redirection chains: the authors created a custom browser that behaves as a user would. This gets around time-based checks, e.g. those Google uses to prevent ad click fraud.
- Landing pages: these were dynamically analysed, and every web link within them was recorded and visited. Landing pages often ask the user to download a file (a potential Trojan), so any downloaded files were stored and recorded.
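The redirection-chain capture described on this slide and on the "Redirection" slide, as an added Python example (not the paper's tool, which drove a real browser): it follows HTTP 3xx, meta-refresh and simple JavaScript location redirects from an ad click to the landing page, records every hop, stops on loops or runaway chains, and then pulls the links out of the landing page so they can be visited in turn. The fetcher is injected, so it runs here against a constructed in-memory site map with fictitious hostnames; a real deployment would plug in an HTTP client with a mobile browser user agent. It does not emulate user timing, which the paper's custom browser needed in order to pass click-fraud checks.

```python
"""Follow an ad click through its redirection chain to the landing page.

Added example, not code from the paper.  The fetcher is injected so the
same logic runs against a real HTTP client or, as here, against a
constructed in-memory site map (all hostnames are fictitious).
"""
import re
from urllib.parse import urljoin

# Constructed responses: url -> (status, headers, body).  None of these hosts exist.
FAKE_WEB = {
    "https://ads.example-network.test/click?id=7":
        (302, {"Location": "https://exchange.example-bidder.test/r?u=1"}, ""),
    "https://exchange.example-bidder.test/r?u=1":
        (200, {}, '<html><head><meta http-equiv="refresh" content="0; url=/go/2"></head></html>'),
    "https://exchange.example-bidder.test/go/2":
        (200, {}, '<script>window.location.href = "https://landing.example-offer.test/free-scan";</script>'),
    "https://landing.example-offer.test/free-scan":
        (200, {}, '<html><body>Your device is infected! <a href="/av.apk">Download</a></body></html>'),
}

def fake_fetch(url):
    """Stand-in for an HTTP GET; raises KeyError for URLs not in the site map."""
    return FAKE_WEB[url]

# The three redirect mechanisms this example understands.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\'][^;]*;\s*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
HREF = re.compile(r'href=["\']([^"\']+)["\']', re.I)

def next_hop(url, status, headers, body):
    """Return the URL a browser would be sent to next, or None if this is the landing page."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])
    for pattern in (META_REFRESH, JS_LOCATION):
        m = pattern.search(body)
        if m:
            return urljoin(url, m.group(1))
    return None

def follow_chain(start_url, fetch, max_hops=20):
    """Return (chain, landing_page, truncated).

    chain lists every URL visited in order; landing_page is the last one.
    truncated is True if we stopped because of a loop or the hop limit,
    in which case landing_page is just where we gave up.
    """
    chain = [start_url]
    seen = {start_url}
    url = start_url
    while True:
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            return chain, url, False          # genuine landing page
        if nxt in seen or len(chain) >= max_hops:
            return chain, url, True           # loop or runaway chain: stop here
        chain.append(nxt)
        seen.add(nxt)
        url = nxt

def extract_links(url, body):
    """Absolute URLs of every href on a landing page, to be recorded and visited in turn."""
    return [urljoin(url, h) for h in HREF.findall(body)]

if __name__ == "__main__":
    chain, landing, truncated = follow_chain("https://ads.example-network.test/click?id=7", fake_fetch)
    print(f"{len(chain)} hops -> {landing} (truncated={truncated})")
    print("links on landing page:", extract_links(landing, FAKE_WEB[landing][2]))
```

The chain length (number of hops) is worth keeping alongside each record: the results later in the talk show the fraction of malicious links rising with chain length, so it is a cheap feature to store at capture time.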

Detecting malicious content
- Used VirusTotal to determine whether a URL or file is malicious. VirusTotal aggregates results from 50+ URL blacklists and 50+ anti-virus engines.
- All URLs and downloaded files were checked against VirusTotal.
- Anti-virus engines are prone to false positives, so a URL or file had to be flagged by at least three different systems before the authors considered it malicious.

Provenance
Once a malicious URL or file is detected, the tool needs to:
- determine where the malicious content originated, and
- find who is responsible for the malicious content.

Provenance
Two types of malicious ads:
- Ads redirecting to malicious landing pages: examine the redirection chain to find out who owns the URLs that finally redirect to the malicious page.
- Malicious links embedded in the application: find which block of code launched the link. It could be ad network code or developer code. If it was ad network code, the responsible ad network has to be identified.
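One way to implement the detection threshold from the previous slide and the redirection-chain provenance step above, as an added Python example (not from the paper): a URL or file counts as malicious only when at least three scanning engines agree, and responsibility for a malicious landing page is assigned to the owner of the last attributable hop before it. The scan results, ownership table, chain and hostnames are all constructed; registered_domain is a deliberately crude eTLD+1 that a real tool would replace with a Public Suffix List lookup.

```python
"""Decide whether a landing page or download is malicious, and who sent the user there.

Added example, not the paper's code.  Scan results, ownership table and
URLs are constructed; none of the hosts exist.
"""
from urllib.parse import urlsplit

FLAG_THRESHOLD = 3  # the paper required three independent engines/blacklists to agree

def is_malicious(scan_results, threshold=FLAG_THRESHOLD):
    """scan_results: mapping engine name -> True if that engine flagged the item.

    One engine alone is prone to false positives, so require `threshold`
    distinct engines.  Returns (verdict, sorted list of flagging engines).
    """
    flagged = sorted(engine for engine, hit in scan_results.items() if hit)
    return len(flagged) >= threshold, flagged

def registered_domain(url):
    """Crude eTLD+1: the last two host labels.

    Assumption: adequate for the .test hosts used here.  Real code should
    use the Public Suffix List so that e.g. example.co.uk is not split wrongly.
    """
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def responsible_party(chain, ownership):
    """Who handed the user to the landing page?

    chain: URLs in order, last one being the landing page.  ownership maps a
    registered domain to the ad network operating it.  Walk backwards from the
    hop just before the landing page and return the first hop we can attribute,
    together with the domains we had to skip because nobody claims them.
    """
    if len(chain) < 2:
        return None, []
    unattributed = []
    for url in reversed(chain[:-1]):
        domain = registered_domain(url)
        if domain in ownership:
            return ownership[domain], unattributed
        unattributed.append(domain)
    return None, unattributed

def triage(chain, downloads, scans, ownership):
    """Combine both steps for one ad click.

    downloads: URLs of files fetched from the landing page.  scans: url -> scan_results.
    Returns None if nothing is malicious, otherwise a record naming the bad
    items and the party responsible for the redirection.
    """
    bad = [u for u in [chain[-1], *downloads] if is_malicious(scans.get(u, {}))[0]]
    if not bad:
        return None
    party, unattributed = responsible_party(chain, ownership)
    return {"landing_page": chain[-1], "malicious": bad,
            "responsible": party, "unattributed_hops": unattributed}

# Constructed data for a single click: the chain, what was downloaded, and fake scan reports.
CHAIN = [
    "https://ads.example-network.test/click?id=7",
    "https://exchange.example-bidder.test/r?u=1",
    "https://exchange.example-bidder.test/go/2",
    "https://landing.example-offer.test/free-scan",
]
DOWNLOADS = ["https://landing.example-offer.test/av.apk"]
SCANS = {
    # three engines agree: malicious
    "https://landing.example-offer.test/av.apk":
        {"EngineA": True, "EngineB": True, "EngineC": True, "EngineD": False},
    # one engine only: below threshold, treated as benign
    "https://landing.example-offer.test/free-scan":
        {"EngineA": True, "EngineB": False, "EngineC": False, "EngineD": False},
}
OWNERSHIP = {"example-network.test": "ExampleAdNet", "example-bidder.test": "ExampleExchange"}

if __name__ == "__main__":
    print(triage(CHAIN, DOWNLOADS, SCANS, OWNERSHIP))
```

The threshold trades recall for precision: a downloaded file flagged by one or two engines is dropped, which is exactly the "well-known malware only" limitation raised in the criticism at the end of the talk.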

Finding the responsible ad network
Method used:
- Identified loosely coupled libraries within the apps. Loosely coupled means there are some field/method references and class inheritance between the library and the rest of the app, but not many. This comes with some error, but it was tolerable.
- Clustered the libraries according to their set of API endpoints.
- Manually determined whether each cluster was an ad network, based on the library.
- Identified 201 unique ad networks.
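The clustering step, as an added Python example (not the paper's implementation): each loosely coupled library is represented by the set of endpoint hosts found in its string constants, libraries whose endpoint sets overlap enough (Jaccard similarity, with an assumed threshold of 0.5) are merged by single linkage, and the analyst then labels one member per cluster by hand. Package names and hosts are constructed. The point of clustering by endpoints rather than by package name is visible in the data: an obfuscated package with the same endpoints lands in the same cluster as the named SDK.

```python
"""Group ad libraries found across many apps by the API endpoints they contact.

Added example, not the paper's code.  LIBRARIES is a constructed table:
package prefix of a loosely coupled library -> set of endpoint hosts pulled
from its string constants (all fictitious).
"""

LIBRARIES = {
    "com.adnet.sdk":     {"ads.adnet.test", "track.adnet.test", "cdn.adnet.test"},
    "com.adnet.sdk.v2":  {"ads.adnet.test", "track.adnet.test", "cdn2.adnet.test"},
    "obf.a.b.c":         {"ads.adnet.test", "track.adnet.test", "cdn.adnet.test"},  # obfuscated copy
    "com.bidder.lib":    {"rtb.bidder.test", "img.bidder.test"},
    "com.developer.app": {"api.developer.test"},  # the app's own backend, not an ad library
}

def jaccard(a, b):
    """Similarity of two endpoint sets: |a & b| / |a | b|, 0.0 if both are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)

def cluster_by_endpoints(libs, threshold=0.5):
    """Single-linkage clustering with union-find.

    Two libraries join the same cluster if their Jaccard similarity is at
    least `threshold` (assumed value; the paper does not give one here).
    Returns a sorted list of sorted package-name lists.
    """
    parent = {name: name for name in libs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    names = sorted(libs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if jaccard(libs[a], libs[b]) >= threshold:
                union(a, b)

    clusters = {}
    for name in names:
        clusters.setdefault(find(name), []).append(name)
    return sorted(sorted(members) for members in clusters.values())

def package_to_network(clusters, analyst_labels):
    """Spread the analyst's manual verdicts over whole clusters.

    analyst_labels: {package: network name} for one member per cluster (or
    None / missing for clusters that turned out not to be ad networks).
    Returns {package: network name or None}.
    """
    mapping = {}
    for members in clusters:
        label = next((analyst_labels[p] for p in members if p in analyst_labels), None)
        for p in members:
            mapping[p] = label
    return mapping

if __name__ == "__main__":
    clusters = cluster_by_endpoints(LIBRARIES)
    for c in clusters:
        print(c)
    print(package_to_network(clusters, {"com.adnet.sdk": "AdNet", "com.bidder.lib": "Bidder"}))
```

Raising the threshold splits versioned SDKs that changed a CDN host into separate clusters; lowering it risks merging unrelated libraries that share a common analytics endpoint, so the value is something to tune against the manually labelled clusters.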

Tool summary

Deployment
- The system was run on the Northwestern University campus in the US and on the Zhejiang University campus in China. Location matters for which ads are served.
- It ran for two months and required little human intervention.

Results

                                                 US                China
App-to-web link launches                         1,000,000         415,000
Malicious URLs                                   948               1,475
Unique domains hosting those malicious URLs      64                139
Malicious / total file downloads from
landing pages                                    271/468 (~58%)    435/1097 (~40%)

Results
These graphs plot the length of the redirection chain against the number of occurrences, for the US and China deployments. The number of malicious links as a fraction of all links increases as the redirection chain gets longer: the longer the chain, the higher the fraction of redirections that are malicious.

Results
These graphs show the number of malicious files downloaded and the ad networks responsible, for the US and China deployments. The Chinese deployment shows both higher diversity and a higher number of malicious downloads, most likely because the Android ecosystem there is not centered around Google Play but around the web and third-party application stores. One ad network, Tapcontext, was excluded from the graphs because its numbers were too large to plot alongside the others.

Scams detected
- The "Armor for Android" anti-virus scan Trojan accounted for 244 of the 271 malicious downloads in the US and 102 of the 435 in China.
- It was run by the malicious ad network Tapcontext.
- The tool caught it at least 20 days before Google Safe Browsing did.

Other scams detected
- "Win a free iPhone/iPad" scams
- Fake movie player malware
- Personal information gathering
- SMS Trojans

Reflection
Good:
- Wide-reaching: 600,000 apps tested in two countries.
- Created a tool that could be used by government agencies or by Google.
- Well researched: many of the algorithms and tools were based on previous studies.

Criticism
Improvements and issues:
- Applications that used native code were excluded (about 30%).
- The tool relied on dynamic triggering of ads, so a malicious ad in an ad library that was never triggered would have been missed.
- UI triggering was blocked by things such as login screens.
- Ethics: running the experiment involved clicking on ads and generating revenue for ad networks.
- Malware detection relied entirely on VirusTotal and its database, so it identifies well-known malware rather than new malware.

Thank you