Detecting Hidden Attacks through the Mobile App-Web Interfaces
Yan Chen
Lab of Internet and Security Technology (LIST), Northwestern University, USA

Motivation
[Figure: screenshots of a "scan", the automatic clicking of its buttons, and the downloaded phishing app]

Motivation
• Vast effort has been spent analyzing the malicious apps themselves
  – For both industry and academia
• An important, yet unexplored, vector of malware propagation is benign, legitimate apps that lead users to websites hosting malicious apps
• We call these hidden attacks through the app-web interface

Contributions
• Develop a framework for analyzing the app-web interfaces in Android applications
• Develop a novel technique to interact with UI widgets to trigger app-web interfaces
• Conduct a systematic study to associate ad networks with ad library packages
• Detect hidden attacks
  – Tested 600,000 apps in two months
  – Found several unknown attacks: a rogue antivirus scam, free iPad and iPhone scams, and ads propagating SMS trojans

Outline
• Background on mobile advertising
• System Design
• Detection Results
• Case study

Advertising Overview

Publishers and Advertisers
• Publishers – show ads to users
• Advertisers – the brand owners that wish to advertise

Ad networks
• Also called aggregators
• Link advertisers to publishers
• Buy ad space from publishers; sell it to advertisers
• Sophisticated algorithms for
  – Targeting
  – Inventory management

Ad networks
• Ad networks may interface with each other
• Syndication
  – One ad network asks another to fill ad space
• Ad exchange
  – Real-time auction of ad inventory
  – Bidding from many ad networks for many ad spaces

Mobile In-app Advertising
• Ad networks provide glue code that apps can embed to communicate with ad servers
  – Ad libraries, which identify ad networks
• Web links embedded directly in apps
• Malicious links are visited via the landing pages of ads coming from ad networks
  – Though the apps themselves are benign

Overview of Detection Methodology
[Figure (system overview): app dataset → dynamic app analysis, which triggers the app-web interfaces → redirection chains → landing pages → dynamic webpage analysis → downloaded files; URL scanning of the redirection chains and landing pages, together with file scanning of the downloaded files, yields the malware and scan report]
• Triggering Components
  – Interact with the app to launch web links
• Detection
  – Includes the various processes to detect malicious and benign activity that may occur as a result of triggering
• Provenance
  – Understand the cause or origin of a detected malicious activity, and attribute events to a specific domain or an ad library

Triggering App-Web Interfaces
• Application UI Exploration
  – Use the heuristics and algorithms developed in AppsPlayground [Codaspy2013]
• Handling Webviews
  – Developed on top of Selendroid to interact with Webviews
  – Apply computer vision techniques

UI Exploration of AppsPlayground
[Figure: screenshots of AppsPlayground exploring an app's UI]

Examples of Handling Webviews
[Figure] Bounding boxes are depicted as red rectangles. The top two figures contain the whole screen, while the bottom figure is just an ad. Note the detection of buttons.

Detection
• Redirection chains
• Landing pages
  – Visited in a browser configured with a realistic user agent and window size
  – Download any files that can be downloaded
• File and URL scanning
  – VirusTotal URL blacklists
    • Google Safebrowsing, Websense, …
  – VirusTotal antivirus engines
    • Symantec, Dr. Web, Kaspersky, Eset, …

Provenance
• Understand the cause and origins of attacks
• Approach 1: through redirection chains
  – Identify the parties owning the URLs leading up to the landing URL
• Approach 2: attribute code-level elements to locate the source: in the app itself, or in an ad library?

Discovering Ad Networks
• First systematic step towards understanding malvertising
• Finding ad libraries
  – Typically have their own Java packages, e.g., com.google.ads
  – Disassemble the app and get its Java packages

Approach 1
• Find frequent packages
• Ad networks are included in many apps, so their packages will be frequent
• So are some other packages, e.g., Apache libs, game development libs, …
• Have to manually filter them
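As an added example (not code from the talk or its authors), here is one way to carry out Approach 1 over package lists obtained by disassembling apps: count in how many distinct apps each package prefix occurs, keep the frequent prefixes, and drop those on a manually curated list of frequent non-ad libraries. The app names, every package other than com.google.ads, and the non-ad prefix list are constructed for illustration.

```python
from collections import Counter

# Constructed sample: Java package lists as obtained by disassembling four apps.
# Only com.google.ads comes from the slides; the rest are made-up stand-ins.
APP_PACKAGES = {
    "app1": ["com.example.app1", "com.google.ads", "com.google.ads.util", "org.apache.http"],
    "app2": ["com.example.app2", "com.google.ads", "org.apache.http", "com.badlogic.gdx"],
    "app3": ["com.example.app3", "com.adnet.sdk", "com.badlogic.gdx", "org.apache.commons"],
    "app4": ["com.example.app4", "com.adnet.sdk", "com.google.ads", "org.apache.http"],
}

# Manually curated prefixes of frequent-but-not-ad packages (assumed list; this is
# the "manually filter them" step): Apache libraries and a game engine.
NON_AD_PREFIXES = ("org.apache.", "com.badlogic.")


def package_prefix(pkg: str, depth: int = 3) -> str:
    """Collapse a package to its first `depth` components so that
    com.google.ads.util and com.google.ads count as the same library."""
    return ".".join(pkg.split(".")[:depth])


def frequent_packages(app_packages, min_apps: int, depth: int = 3):
    """Count, per package prefix, how many distinct apps contain it and return
    the prefixes present in at least `min_apps` apps, most frequent first."""
    support = Counter()
    for pkgs in app_packages.values():
        # Use a set so an app contributes at most once per prefix.
        support.update({package_prefix(p, depth) for p in pkgs})
    ranked = sorted(support.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(prefix, n) for prefix, n in ranked if n >= min_apps]


def is_known_non_ad(prefix: str) -> bool:
    """True if the prefix is on the manually curated non-ad list."""
    return prefix.startswith(NON_AD_PREFIXES)


def candidate_ad_libraries(app_packages, min_apps: int, depth: int = 3):
    """Frequent prefixes minus the manually filtered non-ad libraries:
    the candidate ad library packages that remain for human review."""
    return [(prefix, n) for prefix, n in frequent_packages(app_packages, min_apps, depth)
            if not is_known_non_ad(prefix)]


if __name__ == "__main__":
    for prefix, n in candidate_ad_libraries(APP_PACKAGES, min_apps=2):
        print(f"{prefix}: present in {n} apps")
```

Lowering `min_apps` or raising `depth` trades recall for more manual filtering, which is the tension the slide describes.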
2015 - "Detecting Hidden Attacks through the Mobile App-Web Interfaces" - Yan Chen