Abstract

Android <i>overlay</i> enables one app to draw over other apps by creating an extra <monospace>View</monospace> layer atop the host <monospace>View</monospace>, which nevertheless can be exploited by malicious apps (malware) to attack users. To combat this threat, prior countermeasures concentrate on restricting the capabilities of overlays at the OS level while sacrificing overlays’ usability; recently, the overlay mechanism has been substantially updated to prevent a variety of attacks, which however can still be evaded by considerable adversaries. To address these shortcomings, a more pragmatic approach is to enable <i>early detection</i> of overlay-based malware during the app market review process, so that all the capabilities of overlays can stay unchanged. For this purpose, in this paper we first conduct a large-scale comparative study of overlay characteristics in benign and malicious apps, and then implement the OverlayChecker system to automatically detect overlay-based malware for one of the world’s largest Android app stores. In particular, we have made systematic efforts in feature engineering, UI exploration, emulation architecture, and run-time environment, thus maintaining high detection accuracy (97 percent precision and 97 percent recall) and short per-app scan time ($\sim$1.7 minutes) with only two commodity servers, under an intensive workload of $\sim$10K newly submitted apps per day.
