This paper focuses on mobile apps that serve the underground economy by providing illegal services on mobile platforms (e.g., gambling, porn, scam). We call these apps underground economy apps, or UEware for short. Because most UEware does not carry a malicious payload, traditional malware detection approaches are ineffective at detecting it. To address this problem, we propose a novel approach that detects UEware effectively and efficiently by considering the transition orders of the user interfaces (UIs), which determine the usage scenarios of these apps. Based on the proposed approach, we design a system named DeUEDroid that detects UEware via a scene graph. To evaluate DeUEDroid, we collect 26,591 apps and build the first large-scale ground-truth UEware dataset (1,720 underground economy apps and 831 legitimate apps). The evaluation results show that DeUEDroid constructs the scene graph accurately and achieves an accuracy of 77.70% on the five-class classification task (i.e., gambling game, porn, financial scam, miscellaneous, and legitimate apps), a clear improvement over the state-of-the-art (SOTA) approaches. Run on a further 24,017 apps, DeUEDroid performs well in the real-world scenario to mitigate the threat. Specifically, by using DeUEDroid, we found that UEware is prevalent: 61% of apps in the wild and 21% of apps in the app stores are UEware (with over 72% accuracy after manual investigation). We will release our dataset and system to engage the community after being accepted.