Understanding the Market-level and Network-level Behaviors of the Android Malware Ecosystem
Chao Yang, Jialong Zhang and Guofei Gu
Niara, Inc., IBM Research, Texas A&M University

The prevalence of malware in Android marketplaces is a growing and significant problem. These malicious Android applications (apps) get uploaded under the guise of benign apps, typically to third-party Android markets that lack proper security vetting procedures, and are subsequently downloaded and executed by unsuspecting victims. While most existing studies focus on detecting Android malware or designing new security extensions to defend against specific types of attacks, we still lack some basic insights into the market-level and network-level behaviors of the Android malware ecosystem. In this paper, we perform a comprehensive empirical study of these behaviors by crawling and analyzing several representative Android app markets. We focus on studying whether the market accounts that distribute malware have interesting characteristics, and whether there are specific networks that Android malware authors mainly use to set up their remote server infrastructure. Furthermore, we investigate whether there are large communities among Android malware from the perspective of their market account infrastructure and remote server infrastructure. Spurred by these analyses, we design a novel community inference algorithm to find more malicious apps by exploiting their community relationships. Using a small seed set (50) of known malicious apps, we can effectively find 20 times as many additional malicious apps, while maintaining a considerable accuracy higher than 94%.