Should you consider adware as malware in your study?

Jun Gao, Li Li, Pingfan Kong, Tegawende F. Bissyande, Jacques Klein

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

1 Citation (Scopus)

Abstract

Empirical validations of research approaches eventually require a curated ground truth. In studies related to Android malware, such a ground truth is built by leveraging Anti-Virus (AV) scanning reports which are often provided free through online services such as VirusTotal. Unfortunately, these reports do not offer precise information for appropriately and uniquely assigning classes to samples in app datasets: AV engines indeed do not have a consensus on specifying information in labels. Furthermore, labels often mix information related to families, types, etc. In particular, the notion of 'adware' is currently blurry when it comes to maliciousness. There is thus a need to thoroughly investigate cases where adware samples can actually be associated with malware (e.g., because they are tagged as adware but could be considered as malware as well).In this work, we present a large-scale analytical study of Android adware samples to quantify to what extent 'adware should be considered as malware'. Our analysis is based on the Androzoo repository of 5 million apps with associated AV labels and leverages a state-of-The-Art label harmonization tool to infer the malicious type of apps before confronting it against the ad families that each adware app is associated with. We found that all adware families include samples that are actually known to implement specific malicious behavior types. Up to 50% of samples in an ad family could be flagged as malicious. Overall the study demonstrates that adware is not necessarily benign.

Original languageEnglish
Title of host publicationProceedings of the 2019 IEEE 26th International Conference on Software Analysis, Evolution, and Reengineering
EditorsXinyu Wang, David Lo, Emad Shihab
Place of PublicationPiscataway NJ USA
PublisherIEEE, Institute of Electrical and Electronics Engineers
Pages604-608
Number of pages5
ISBN (Electronic)9781728105918
ISBN (Print)9781728105925
DOIs
Publication statusPublished - 2019
EventIEEE International Conference on Software Analysis, Evolution, and Reengineering 2019 - Hangzhou, China
Duration: 24 Feb 201927 Feb 2019
Conference number: 26th
https://saner2019.github.io/

Conference

ConferenceIEEE International Conference on Software Analysis, Evolution, and Reengineering 2019
Abbreviated titleSANER 2019
CountryChina
CityHangzhou
Period24/02/1927/02/19
Internet address

Keywords

  • adware
  • Android
  • malware

Cite this

Gao, J., Li, L., Kong, P., Bissyande, T. F., & Klein, J. (2019). Should you consider adware as malware in your study? In X. Wang, D. Lo, & E. Shihab (Eds.), Proceedings of the 2019 IEEE 26th International Conference on Software Analysis, Evolution, and Reengineering (pp. 604-608). [8668010] Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/SANER.2019.8668010
Gao, Jun ; Li, Li ; Kong, Pingfan ; Bissyande, Tegawende F. ; Klein, Jacques. / Should you consider adware as malware in your study?. Proceedings of the 2019 IEEE 26th International Conference on Software Analysis, Evolution, and Reengineering. editor / Xinyu Wang ; David Lo ; Emad Shihab. Piscataway NJ USA : IEEE, Institute of Electrical and Electronics Engineers, 2019. pp. 604-608
@inproceedings{be9ce9ee7c3d467898f48a75d2b75162,
title = "Should you consider adware as malware in your study?",
abstract = "Empirical validations of research approaches eventually require a curated ground truth. In studies related to Android malware, such a ground truth is built by leveraging Anti-Virus (AV) scanning reports which are often provided free through online services such as VirusTotal. Unfortunately, these reports do not offer precise information for appropriately and uniquely assigning classes to samples in app datasets: AV engines indeed do not have a consensus on specifying information in labels. Furthermore, labels often mix information related to families, types, etc. In particular, the notion of 'adware' is currently blurry when it comes to maliciousness. There is thus a need to thoroughly investigate cases where adware samples can actually be associated with malware (e.g., because they are tagged as adware but could be considered as malware as well).In this work, we present a large-scale analytical study of Android adware samples to quantify to what extent 'adware should be considered as malware'. Our analysis is based on the Androzoo repository of 5 million apps with associated AV labels and leverages a state-of-The-Art label harmonization tool to infer the malicious type of apps before confronting it against the ad families that each adware app is associated with. We found that all adware families include samples that are actually known to implement specific malicious behavior types. Up to 50{\%} of samples in an ad family could be flagged as malicious. Overall the study demonstrates that adware is not necessarily benign.",
keywords = "adware, Android, malware",
author = "Jun Gao and Li Li and Pingfan Kong and Bissyande, {Tegawende F.} and Jacques Klein",
year = "2019",
doi = "10.1109/SANER.2019.8668010",
language = "English",
isbn = "9781728105925",
pages = "604--608",
editor = "Xinyu Wang and David Lo and Emad Shihab",
booktitle = "Proceedings of the 2019 IEEE 26th International Conference on Software Analysis, Evolution, and Reengineering",
publisher = "IEEE, Institute of Electrical and Electronics Engineers",
address = "United States of America",

}

Gao, J, Li, L, Kong, P, Bissyande, TF & Klein, J 2019, Should you consider adware as malware in your study? in X Wang, D Lo & E Shihab (eds), Proceedings of the 2019 IEEE 26th International Conference on Software Analysis, Evolution, and Reengineering., 8668010, IEEE, Institute of Electrical and Electronics Engineers, Piscataway NJ USA, pp. 604-608, IEEE International Conference on Software Analysis, Evolution, and Reengineering 2019, Hangzhou, China, 24/02/19. https://doi.org/10.1109/SANER.2019.8668010

Should you consider adware as malware in your study? / Gao, Jun; Li, Li; Kong, Pingfan; Bissyande, Tegawende F.; Klein, Jacques.

Proceedings of the 2019 IEEE 26th International Conference on Software Analysis, Evolution, and Reengineering. ed. / Xinyu Wang; David Lo; Emad Shihab. Piscataway NJ USA : IEEE, Institute of Electrical and Electronics Engineers, 2019. p. 604-608 8668010.

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

TY - GEN

T1 - Should you consider adware as malware in your study?

AU - Gao, Jun

AU - Li, Li

AU - Kong, Pingfan

AU - Bissyande, Tegawende F.

AU - Klein, Jacques

PY - 2019

Y1 - 2019

N2 - Empirical validations of research approaches eventually require a curated ground truth. In studies related to Android malware, such a ground truth is built by leveraging Anti-Virus (AV) scanning reports which are often provided free through online services such as VirusTotal. Unfortunately, these reports do not offer precise information for appropriately and uniquely assigning classes to samples in app datasets: AV engines indeed do not have a consensus on specifying information in labels. Furthermore, labels often mix information related to families, types, etc. In particular, the notion of 'adware' is currently blurry when it comes to maliciousness. There is thus a need to thoroughly investigate cases where adware samples can actually be associated with malware (e.g., because they are tagged as adware but could be considered as malware as well).In this work, we present a large-scale analytical study of Android adware samples to quantify to what extent 'adware should be considered as malware'. Our analysis is based on the Androzoo repository of 5 million apps with associated AV labels and leverages a state-of-The-Art label harmonization tool to infer the malicious type of apps before confronting it against the ad families that each adware app is associated with. We found that all adware families include samples that are actually known to implement specific malicious behavior types. Up to 50% of samples in an ad family could be flagged as malicious. Overall the study demonstrates that adware is not necessarily benign.

AB - Empirical validations of research approaches eventually require a curated ground truth. In studies related to Android malware, such a ground truth is built by leveraging Anti-Virus (AV) scanning reports which are often provided free through online services such as VirusTotal. Unfortunately, these reports do not offer precise information for appropriately and uniquely assigning classes to samples in app datasets: AV engines indeed do not have a consensus on specifying information in labels. Furthermore, labels often mix information related to families, types, etc. In particular, the notion of 'adware' is currently blurry when it comes to maliciousness. There is thus a need to thoroughly investigate cases where adware samples can actually be associated with malware (e.g., because they are tagged as adware but could be considered as malware as well).In this work, we present a large-scale analytical study of Android adware samples to quantify to what extent 'adware should be considered as malware'. Our analysis is based on the Androzoo repository of 5 million apps with associated AV labels and leverages a state-of-The-Art label harmonization tool to infer the malicious type of apps before confronting it against the ad families that each adware app is associated with. We found that all adware families include samples that are actually known to implement specific malicious behavior types. Up to 50% of samples in an ad family could be flagged as malicious. Overall the study demonstrates that adware is not necessarily benign.

KW - adware

KW - Android

KW - malware

UR - http://www.scopus.com/inward/record.url?scp=85064166595&partnerID=8YFLogxK

U2 - 10.1109/SANER.2019.8668010

DO - 10.1109/SANER.2019.8668010

M3 - Conference Paper

SN - 9781728105925

SP - 604

EP - 608

BT - Proceedings of the 2019 IEEE 26th International Conference on Software Analysis, Evolution, and Reengineering

A2 - Wang, Xinyu

A2 - Lo, David

A2 - Shihab, Emad

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - Piscataway NJ USA

ER -

Gao J, Li L, Kong P, Bissyande TF, Klein J. Should you consider adware as malware in your study? In Wang X, Lo D, Shihab E, editors, Proceedings of the 2019 IEEE 26th International Conference on Software Analysis, Evolution, and Reengineering. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers. 2019. p. 604-608. 8668010 https://doi.org/10.1109/SANER.2019.8668010