DeviceWatch: A Data-Driven Network Analysis Approach to Identifying Compromised Mobile Devices with Graph-Inference

Published: 07 November 2022

Abstract

We propose to identify compromised mobile devices from a network administrator's point of view. Intuitively, inadvertent users (and thus their devices) who download apps through untrustworthy markets are often lured into installing malicious apps through in-app advertisements or phishing. We thus hypothesize that devices sharing similar apps have a similar likelihood of being compromised, which results in an association between a compromised device and its apps. We propose to leverage such associations to identify unknown compromised devices using the guilt-by-association principle. Admittedly, such associations could be relatively weak, as it is hard, if not impossible, for an app to automatically download and install other apps without explicit user initiation. We describe how we can magnify such associations by carefully choosing parameters when applying graph-based inference. We empirically evaluate the effectiveness of our approach on real datasets provided by a major mobile service provider. Specifically, we show that our approach achieves nearly 98% AUC (area under the ROC curve) and, by expanding the limited knowledge on known devices, further detects as many as 6 to 7 times as many new compromised devices not covered by the ground truth. We show that the newly detected devices indeed present undesirable behavior in terms of leaking private information and accessing risky IPs and domains. We further conduct an in-depth analysis of the effectiveness of graph inference to understand the unique structure of the associations between mobile devices and their apps and its impact on graph inference, based on which we propose how to choose key parameters.
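
The guilt-by-association idea in the abstract, as an added illustration that is not the paper's code: a constructed device-app bipartite graph, two labelled seed devices, label propagation (assumed here as a stand-in for the paper's inference; the exact DeviceWatch rule and parameters are not on this page) that scores the unlabelled devices, and a Mann-Whitney AUC over constructed held-out labels. The `alpha` parameter is the assumed knob that decides how strongly a weak shared-app association can pull a device away from the neutral prior.

```python
from collections import defaultdict

# Constructed sample data (not the paper's dataset): device -> apps it ran.
DEVICE_APPS = {
    "d1": {"appA", "appB", "appX"},
    "d2": {"appA", "appX", "appY"},
    "d3": {"appB", "appY"},
    "d4": {"appC", "appD"},
    "d5": {"appC", "appD", "appE"},
    "d6": {"appE", "appF"},
    "d7": {"appX", "appF"},
}
# Constructed ground truth for the seeds: 1.0 = known compromised, 0.0 = known clean.
SEEDS = {"d1": 1.0, "d4": 0.0}
PRIOR = 0.5  # score of a node about which nothing is known


def propagate(device_apps, seeds, alpha=0.9, iters=100):
    """Label propagation on the device-app bipartite graph (assumed method).

    Each round an app takes the mean score of the devices that ran it, and an
    unlabelled device blends the mean score of its apps with the neutral prior:
        score = alpha * mean_app_score + (1 - alpha) * PRIOR
    Seeds are clamped to their labels. alpha decides how far a weak device-app
    association may move a device away from the prior; it is our stand-in for
    the parameter tuning the abstract mentions, not the paper's own parameter.
    """
    app_devices = defaultdict(set)
    for dev, apps in device_apps.items():
        for app in apps:
            app_devices[app].add(dev)
    score = {d: seeds.get(d, PRIOR) for d in device_apps}
    for _ in range(iters):
        app_score = {a: sum(score[d] for d in ds) / len(ds)
                     for a, ds in app_devices.items()}
        for d, apps in device_apps.items():
            if d in seeds:
                continue  # clamped to its known label
            mean_app = sum(app_score[a] for a in apps) / len(apps)
            score[d] = alpha * mean_app + (1 - alpha) * PRIOR
    return score


def rank_unknown(score, seeds):
    """Unlabelled devices, most suspicious first: the analyst's triage list."""
    return sorted((d for d in score if d not in seeds), key=lambda d: -score[d])


def auc(score, truth):
    """Area under the ROC curve via the Mann-Whitney pairwise-ranking identity."""
    pos = [score[d] for d, y in truth.items() if y == 1]
    neg = [score[d] for d, y in truth.items() if y == 0]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


if __name__ == "__main__":
    scores = propagate(DEVICE_APPS, SEEDS)
    for d in rank_unknown(scores, SEEDS):
        print(f"{d}: {scores[d]:.3f}")
    # Constructed held-out labels, used only to score the ranking.
    print("AUC:", auc(scores, {"d2": 1, "d3": 1, "d5": 0, "d6": 0}))
```

Lowering `alpha` shrinks every unlabelled score toward the prior, which is the sense in which the associations are weak unless the parameters are chosen to magnify them.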

Published in

ACM Transactions on Privacy and Security, Volume 26, Issue 1 (February 2023), 342 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3561959


Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 7 November 2022
• Online AM: 25 August 2022
• Accepted: 17 August 2022
• Revised: 21 June 2022
• Received: 19 January 2021
Qualifiers

• research-article
• Refereed