Understanding Android app piggybacking

a systematic study of malicious code grafting

Li Li, Daoyuan Li, Tegawende F. Bissyande, Jacques Klein, Yves Le Traon, David Lo, Lorenzo Cavallaro

Research output: Contribution to journalArticleResearchpeer-review

40 Citations (Scopus)

Abstract

The Android packaging model offers ample opportunities for malware writers to piggyback malicious code in popular apps, which can then be easily spread to a large user base. Although recent research has produced approaches and tools to identify piggybacked apps, the literature lacks a comprehensive investigation into such phenomenon. We fill this gap by: 1) systematically building a large set of piggybacked and benign apps pairs, which we release to the community; 2) empirically studying the characteristics of malicious piggybacked apps in comparison with their benign counterparts; and 3) providing insights on piggybacking processes. Among several findings providing insights analysis techniques should build upon to improve the overall detection and classification accuracy of piggybacked apps, we show that piggybacking operations not only concern app code, but also extensively manipulates app resource files, largely contradicting common beliefs. We also find that piggybacking is done with little sophistication, in many cases automatically, and often via library code.

Original languageEnglish
Article number7828100
Pages (from-to)1269-1284
Number of pages16
JournalIEEE Transactions on Information Forensics and Security
Volume12
Issue number6
DOIs
Publication statusPublished - Jun 2017
Externally publishedYes

Keywords

  • android malware
  • Android security
  • code grafting
  • piggybacking attack

Cite this

Li, Li ; Li, Daoyuan ; Bissyande, Tegawende F. ; Klein, Jacques ; Le Traon, Yves ; Lo, David ; Cavallaro, Lorenzo. / Understanding Android app piggybacking : a systematic study of malicious code grafting. In: IEEE Transactions on Information Forensics and Security. 2017 ; Vol. 12, No. 6. pp. 1269-1284.
@article{a8acdd49b0224f04bb032c5be13fe206,
title = "Understanding Android app piggybacking: a systematic study of malicious code grafting",
abstract = "The Android packaging model offers ample opportunities for malware writers to piggyback malicious code in popular apps, which can then be easily spread to a large user base. Although recent research has produced approaches and tools to identify piggybacked apps, the literature lacks a comprehensive investigation into such phenomenon. We fill this gap by: 1) systematically building a large set of piggybacked and benign apps pairs, which we release to the community; 2) empirically studying the characteristics of malicious piggybacked apps in comparison with their benign counterparts; and 3) providing insights on piggybacking processes. Among several findings providing insights analysis techniques should build upon to improve the overall detection and classification accuracy of piggybacked apps, we show that piggybacking operations not only concern app code, but also extensively manipulates app resource files, largely contradicting common beliefs. We also find that piggybacking is done with little sophistication, in many cases automatically, and often via library code.",
keywords = "android malware, Android security, code grafting, piggybacking attack",
author = "Li Li and Daoyuan Li and Bissyande, {Tegawende F.} and Jacques Klein and {Le Traon}, Yves and David Lo and Lorenzo Cavallaro",
year = "2017",
month = "6",
doi = "10.1109/TIFS.2017.2656460",
language = "English",
volume = "12",
pages = "1269--1284",
journal = "IEEE Transactions on Information Forensics and Security",
issn = "1556-6013",
publisher = "IEEE, Institute of Electrical and Electronics Engineers",
number = "6",

}

Understanding Android app piggybacking : a systematic study of malicious code grafting. / Li, Li; Li, Daoyuan; Bissyande, Tegawende F.; Klein, Jacques; Le Traon, Yves; Lo, David; Cavallaro, Lorenzo.

In: IEEE Transactions on Information Forensics and Security, Vol. 12, No. 6, 7828100, 06.2017, p. 1269-1284.

Research output: Contribution to journalArticleResearchpeer-review

TY - JOUR

T1 - Understanding Android app piggybacking

T2 - a systematic study of malicious code grafting

AU - Li, Li

AU - Li, Daoyuan

AU - Bissyande, Tegawende F.

AU - Klein, Jacques

AU - Le Traon, Yves

AU - Lo, David

AU - Cavallaro, Lorenzo

PY - 2017/6

Y1 - 2017/6

N2 - The Android packaging model offers ample opportunities for malware writers to piggyback malicious code in popular apps, which can then be easily spread to a large user base. Although recent research has produced approaches and tools to identify piggybacked apps, the literature lacks a comprehensive investigation into such phenomenon. We fill this gap by: 1) systematically building a large set of piggybacked and benign apps pairs, which we release to the community; 2) empirically studying the characteristics of malicious piggybacked apps in comparison with their benign counterparts; and 3) providing insights on piggybacking processes. Among several findings providing insights analysis techniques should build upon to improve the overall detection and classification accuracy of piggybacked apps, we show that piggybacking operations not only concern app code, but also extensively manipulates app resource files, largely contradicting common beliefs. We also find that piggybacking is done with little sophistication, in many cases automatically, and often via library code.

AB - The Android packaging model offers ample opportunities for malware writers to piggyback malicious code in popular apps, which can then be easily spread to a large user base. Although recent research has produced approaches and tools to identify piggybacked apps, the literature lacks a comprehensive investigation into such phenomenon. We fill this gap by: 1) systematically building a large set of piggybacked and benign apps pairs, which we release to the community; 2) empirically studying the characteristics of malicious piggybacked apps in comparison with their benign counterparts; and 3) providing insights on piggybacking processes. Among several findings providing insights analysis techniques should build upon to improve the overall detection and classification accuracy of piggybacked apps, we show that piggybacking operations not only concern app code, but also extensively manipulates app resource files, largely contradicting common beliefs. We also find that piggybacking is done with little sophistication, in many cases automatically, and often via library code.

KW - android malware

KW - Android security

KW - code grafting

KW - piggybacking attack

UR - http://www.scopus.com/inward/record.url?scp=85015105397&partnerID=8YFLogxK

U2 - 10.1109/TIFS.2017.2656460

DO - 10.1109/TIFS.2017.2656460

M3 - Article

VL - 12

SP - 1269

EP - 1284

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

SN - 1556-6013

IS - 6

M1 - 7828100

ER -