Finding unknown malice in 10 seconds: Mass vetting for new threats at the Google-play scale

Kai Chen, Peng Wang, Yeonjoon Lee, Xiao Feng Wang, Nan Zhang, Heqing Huang, Wei Zou, Peng Liu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

125 Scopus citations

Abstract

An app market’s vetting process is expected to be scalable and effective. However, today’s vetting mechanisms are slow and less capable of catching new threats. In our research, we found that a more powerful solution can be found by exploiting the way Android malware is constructed and disseminated, which is typically through repackaging legitimate apps with similar malicious components. As a result, such attack payloads often stand out from those of the same repackaging origin and also show up in the apps not supposed to relate to each other. Based upon this observation, we developed a new technique, called MassVet, for vetting apps at a massive scale, without knowing what malware looks like and how it behaves. Unlike existing detection mechanisms, which often utilize heavyweight program analysis techniques, our approach simply compares a submitted app with all those already on a market, focusing on the difference between those sharing a similar UI structure (indicating a possible repackaging relation), and the commonality among those seemingly unrelated. Once public libraries and other legitimate code reuse are removed, such diff/common program components become highly suspicious. In our research, we built this “DiffCom” analysis on top of an efficient similarity comparison algorithm, which maps the salient features of an app’s UI structure or a method’s control-flow graph to a value for a fast comparison. We implemented MassVet over a stream processing engine and evaluated it nearly 1.2 million apps from 33 app markets around the world, the scale of Google Play. Our study shows that the technique can vet an app within 10 seconds at a low false detection rate. Also, it outperformed all 54 scanners in VirusTotal (NOD32, Symantec, McAfee, etc.) in terms of detection coverage, capturing over a hundred thousand malicious apps, including over 20 likely zero-day malware and those installed millions of times. A close look at these apps brings to light intriguing new observations: e.g., Google’s detection strategy and malware authors’ countermoves that cause the mysterious disappearance and reappearance of some Google Play apps.

Original languageEnglish (US)
Title of host publicationProceedings of the 24th USENIX Security Symposium
PublisherUSENIX Association
Pages659-674
Number of pages16
ISBN (Electronic)9781931971232
StatePublished - Jan 1 2015
Event24th USENIX Security Symposium - Washington, United States
Duration: Aug 12 2015Aug 14 2015

Publication series

NameProceedings of the 24th USENIX Security Symposium

Conference

Conference24th USENIX Security Symposium
CountryUnited States
CityWashington
Period8/12/158/14/15

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Fingerprint Dive into the research topics of 'Finding unknown malice in 10 seconds: Mass vetting for new threats at the Google-play scale'. Together they form a unique fingerprint.

Cite this