| In recent years,Android has grown rapidly and becomes the world's dominant mobile operating system with millions of apps.The rapid growth of Android apps is largely due to a large number of third-party libraries.These third-party libraries encapsulate many useful functions,such as account logins,mapping services,game engines,advertising services,etc.To improve the efficiency of application development,application developers will import these third-party libraries into the applications and directly use the functions already implemented in the libraries to speed up the application development periodHowever,third-party libraries not only bring convenience but also introduce many security issues.More and more malicious libraries have been discovered,bringing new security challenges.For example,a malicious library was found in the apps developed by Migu Company,which had suspicious behaviors such as downloading and installing apps in the background,reading the user's SMS and contacts,and even monitoring the device's incoming calls,which posed a serious threat to the user's privacy and security Because the functionality encapsulated by a malicious library can be used by many different applications,its impact can be more severe than that of a single malicious application.There has been a lot of work about third-party libraries,such as research on advertising libraries and some extraction approaches.Although there have been some studies of malicious libraries,most of them focused on specific types of libraries or individual cases.The security community still lacks a comprehensive understanding of malicious libraries.Without systematic research,the security of these malicious libraries cannot be completely solvedTo solve the above problems,in this paper we propose the first systematically behavioral study on third-party malicious libraries used by Android apps.Specifically,our paper is divided into two parts.First,we propose a new dependency model,candidate library construction approach and candidate feature value generation algorithm,and then proposes a new extraction model of third-party libraries,which solves the shortcomings of other approaches such as low speed and incomplete libraries After that,we proposed a lightweight approach for malicious library identification.The model can quickly and accurately extract third-party libraries and identify malicious libraries from large-scale applications.,In the second phase,we developed the corresponding tool based on the third-party library extraction model,and ran on the data set of more than 200,000 benign applications and more than 300,000 malicious applications,and identify malicious libraries from the third-party libraries extracted from the malicious apps.In the end,nearly 20,000 benign libraries and nearly 5,000 malicious libraries were obtained.After that,we conduct five aspects of behavior research on these libraries,including behavior comparison,repackaging,exposed suspicious behaviors,permissions,and connection between malicious libraries and application developers.By comparing the behaviors of the malicious library and the benign library,the experiment summarizes the behavior characteristics of the malicious library,such as reading device ID to identify the user and executing shell command We found many repackaging malicious libraries,and these libraries are used by a large number of malicious applications.The exposed components and exposed suspicious behavior in the malicious library are found but not common.The most commonly used sensitive permissions of malicious libraries are studied,such as identifying devices and obtaining location-related permissions.And through the certificate association between the malicious libraries and the apps,we found some possible connections between the malicious library and developers of apps and found that many malicious libraries with large usage may be developed by the same author.The research in this paper will provide new knowledge for the research of the malicious libraries,which can help to design the target defense solution and reduce the corresponding security risks. |
PDF Full Text Request