Illegal But Not Malware: An Underground Economy App Detection System Based on Usage Scenario
This paper focuses on mobile apps that serve the underground economy by providing illegal services on mobile platforms (e.g., gambling, porn, scams). We call these apps underground economy apps, or UEware for short. Because most UEware carry no malicious payload, traditional malware detection approaches are ineffective at detecting them. To address this problem, we propose a novel approach that detects UEware effectively and efficiently by considering the transition order of the user interfaces (UIs), which determines the usage scenarios of these apps. Based on this approach, we design a system named DeUEDroid that detects UEware via a scene graph. To evaluate DeUEDroid, we collect 26,591 apps and build the first large-scale ground-truth UEware dataset (1,720 underground economy apps and 831 legitimate apps). The evaluation shows that DeUEDroid constructs scene graphs accurately and achieves accuracy scores of 77.70 five-classification task (i.e., gambling game, porn, financial scam, miscellaneous, and legitimate apps), a clear improvement over the state-of-the-art approaches. Running further on 24,017 apps, DeUEDroid performs well in the real-world scenario at mitigating the threat. Specifically, using DeUEDroid, we found that UEware are prevalent, i.e., 61 21 investigation). We will release our dataset and system to engage the community after the paper is accepted.