DOI: 10.1145/2994459.2994469
research-article

Detecting Misuse of Google Cloud Messaging in Android Badware

Published: 24 October 2016

Abstract

Google Cloud Messaging (GCM) is a widely used and reliable mechanism that helps developers build more efficient Android applications; in particular, it enables sending push notifications to an application only when new information is available for it on its servers. For this reason, GCM is now used by more than 60% of the most popular Android applications. On the other hand, such a mechanism is also exploited by attackers to facilitate their malicious activities; e.g., to abuse functionality of advertisement libraries in adware, or to command and control bot clients. However, to our knowledge, the extent to which GCM is used in malicious Android applications (badware, for short) has never been evaluated before. In this paper, we aim not only to investigate this issue, but also to show how traces of GCM flows in Android applications can be exploited to improve Android badware detection. To this end, we first extend Flowdroid to extract GCM flows from Android applications. Then, we embed those flows in a vector space, and train different machine-learning algorithms to detect badware that uses GCM to perform malicious activities. We demonstrate that combining different classifiers trained on the flows originating from GCM services allows us to improve the detection rate by up to 2.4%, while decreasing the false positive rate by 1.9%, and, more interestingly, to correctly detect 14 never-before-seen badware applications.


Published In

SPSM '16: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices
October 2016
130 pages
ISBN: 9781450345644
DOI: 10.1145/2994459

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. adware
  2. android security
  3. badware detection
  4. botnet
  5. classification
  6. google cloud messaging
  7. malicious
  8. malware

Qualifiers

  • Research-article

Conference

CCS'16

Acceptance Rates

SPSM '16 Paper Acceptance Rate 13 of 31 submissions, 42%;
Overall Acceptance Rate 46 of 139 submissions, 33%
