Security Analyses of Android APPs on Ad Libs and Linked URLs
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
International Journal of Network Security, Vol.23, No.2, PP.246-254, Mar. 2021 (DOI: 10.6633/IJNS.202103 23(2).07) 246
Security Analyses of Android APPs on Ad Libs
and Linked URLs
Ming-Yang Su, Sheng-Sheng Chen, Tsung-Ren Wu, Hao-Sen Chang, and You-Liang Liu
(Corresponding author: Ming-Yang Su)
Department of Computer Science and Information Engineering, Ming Chuan University
5 De Ming Rd., Gui Shan District, Taoyuan, Taiwan
(Email: minysu@mail.mcu.edu.tw)
(Received Aug. 9, 2020; Revised and Accepted Nov. 10, 2020; First Online Feb. 15, 2021)
Abstract and recognized 113,640,221 unique URLs as malicious in
Q1 2019. In addition, the number of advertising apps
Security threats posed by free apps with advertising have (adware) doubled compared to Q4 2018. In recent years,
become a significant concern recently. An app developer many noticeable security incidents have been related to
must put at least one Software Development Kit (SDK), ad libs and their connected URLs.
called ad library (ad lib), into his or her host program and
A malware named RottenSys, disguised as an app of
compile the host program and ad-lib(s) into an executable
System Wi-Fi service, appeared in 2018 and was esti-
Android Package (APK) file. Therefore, the ad-lib(s) be-
mated to have infected 5 million brand new smartphones
come part of the APK and have all permissions granted
through a supply chain attack [13]. In addition to display-
to the app. This study proposes a method of evaluat-
ing uninvited ads, CheckPoint researchers found that Rot-
ing apps’ security focusing on two types of threats: (1)
tenSys was designed to download and install some compo-
permission misuse of ad-libs in an app and (2) the risk
nents from its C&C server, which means the attackers can
of linked URLs when an app is executing. For the first
easily fully control the infected devices. Another family of
concern, this study observes the SecurityException and
malware, called Tekya, was disclosed in 2020 and gener-
checkPermission mechanisms used by ad-libs to attempt
ated fake clicks on ads and banners delivered by some well-
permission misuse. For the second concern, this study
known ad libs, like Google’s AdMob [10]. According to
conducts both static and dynamic analyses to identify all
the report, more than 56 apps with malware were down-
possible linked URLs of an app and evaluates their risks
load and installed on almost 1.7 million devices before
through third-party utilities. The two issues addressed in
CheckPoint found out about them. Kaspersky Lab iden-
this paper are beyond the reach of traditional anti-virus
tified an Android malware called Loapi [11]. Users’ mo-
software, which normally inspects the codes and is nor-
bile phones would be infected if they accidentally clicked
mally unable to determine threats posed by embedded
on a banner ad while browsing websites, which triggered
ad-lib(s) and linked URLs, because embedded ad-lib(s)
the download of a counterfeit anti-virus app or adult app.
may steal personal information using the host app’s per-
Loapi asks the user for administrator privileges, and if
missions, and the danger of linked URLs does not lie in
the request is declined, the prompt continues to display
the app itself. The proposed system thus complements
on the screen until the user gets fed up and clicks the
traditional anti-virus software to ensure free-app users’
confirm button. Once the privileges are obtained, due to
security and privacy.
its modular design, Loapi can download and install new
Keywords: Ad Lib; CheckPermission; Permission Misuse; components via remote server commands.
URL (Uniform Resource Locator); SecurityException
From the above-mentioned incidents, this study there-
fore addresses the threats of permission misuse of ad libs
1 Introduction and linked URLs by an app. In order to gain ad revenues,
the developer includes one or more ad libs in the host
An ad library (ad lib) is a Software Development Kit program and compiles them into an executable APK file,
(SDK) that allows app developers to get advertisement which means that all of the app’s declared permissions
income from their apps. However, ad libs also pose po- are now shared by the ad libs. For example, if an ad lib
tential security risks that traditional anti-virus software is claims to use only permissions p1 and p2 in the document
not designed to detect. Moreover, linked URLs may pose of its official website, and the host app claims to use per-
a security threat when an app is executed. Kaspersky missions p3, p4 and p5, then once combined and compiled
Lab [7] detected 905,174 malicious installation packages into an app, the ad lib can use all the permissions from p1
International Journal of Network Security, Vol.23, No.2, PP.246-254, Mar. 2021 (DOI: 10.6633/IJNS.202103 23(2).07) 247
to p5. Permission misuse occurs if the ad lib attempts to has forced free app developers to turn to less well-known
use permissions p3, p4, and p5. App developers usually ad networks and to include more ad libs in their apps in
include multiple ad libs in their apps to increase ad rev- order to raise their advertising revenue. Stevens et al. [20]
enue, which compounds the security risk. Gao et al. [9] evaluated 13 ad libs from different ad networks and found
designed a system called PmDroid, which uses graphical several security issues, like using permissions irrelevant to
interfaces to show the severity of permission misuse of ad advertising to send SMSs, read Calendars, or make phone
libs in an app. They found that a large amount of personal calls. In addition, seven of the thirteen ad libs analyzed
information is sent to sites like personal clouds instead of
in this study contained JavaScript interface, meaning that
advertising servers. In their experiment, which observed those modules could execute external JavaScript.
the use of the READ-PHONE-STATE permission, mobile Diamantaris et al. [8] mentioned that users do not have
phone status information was sent to advertising servers enough knowledge to distinguish whether a permission
89 times, to some cloud servers 29 times, and to unidenti- request is from the host app or possibly dangerous ad
fied servers 68 times. Wei et al. [24] noted that even somelibs. The authors examined over 5,000 popular apps and
apps that are identified by anti-virus software as normal found 65% of permission requests are not from the host
are likely to link to malicious websites during their oper-apps, but from ad libs. A system named Reaper was pro-
ations. The authors combined a static method (decom- posed to trace and tell if permission requests are issued
piling and checking program code) with a dynamic one by the functionality of host apps or the embedded ad libs.
(operating an app for two hours in an emulator and ob- Lee and Ryu [14] suggested that although app develop-
serving its behavior). They collected 13,500 normal apps, ers are informed about permissions required by the ad
and 1,260 known malicious apps and found they linked to libs, they may not be aware of the rich functionalities of
254,022 and 19,510 URLs during operations, respectively. the permissions declared for the ad libs, which mean they
According to the inspection of Web-Of-Trust (WOT) [25] pose serious security threats. Lee and Ryu showed some
and VirusTotal [23], in the experiment for normal apps, ad libs can exploit powerful APIs to conduct well-known
8.8% of apps linked to malicious sites, 15% linked to bad malicious behaviors. An open-source tool, ADLIB, was
websites, 73% linked to low-reputation websites, and a presented to detect APIs that are accessible from any ad-
total of 74% linked to sites unsuitable for children. In- vertisements.
terestingly, although the results of the experiment with Athanasopoulos et al. [5] suggested that more than half
known malicious apps were expected to be worse, it was of the apps on Google Play contain ad libs that link to
found that the distribution of linked URLs was similar to third-party advertisers, leading to possible privacy leak-
that of normal apps. age. Therefore, the NaClDroid architecture was proposed
This study therefore addresses two types of security in order to separate the code of ad libs from that of the
issues about apps: (1) permission misuse of ad libs in host app without sharing permissions. Zhu et al. [28] de-
an app, and (2) the security threat posed by app-linked veloped a system called AdCapsule, which included two
URLs. For the first issue, this study adopts SecurityEx- functions: a permission sandbox and a file sandbox. This
ception and/or checkPermission mechanisms to analyze system aimed to constrain the permission and file use of
permission misused by ad libs and builds a blacklist as ad libs to within a permissible range. AdCapsule did not
a reference for the proposed system. For the second is- need to change the framework of the Android system or
sue, this study applies static analysis through decompiled to root the mobile phone, and the cost of running AdCap-
APKs and dynamic analysis using an emulator to find sule was very low. He et al. [12] explored how to select ad
all linked URLs. The linked URLs are then assessed by networks from the perspective of app developers to maxi-
impartial third-party utilities, WOT [25] and VirusTo- mize their advertising profits and recommended including
tal [23], in a real-time manner. The two problems ad- no more than six ad libs in an app.
dressed in this paper are beyond the reach of traditional Ruiz et al. [17] discussed the problems caused by ad-lib
anti-virus software, because ad libs use permissions de- updating. According to their experiment, more than 90%
clared by the host app to steal private information, and of apps are free, and so the only income for these app
any linked URLs are not part of the app itself. developers is advertising, thereby making it important to
The remainder of this paper is organized as follows. ensure that the ad libs generate expected profits. Any
Section 2 reviews the related literature. Section 3 de- ad lib that fails to obtain expected profits should be re-
scribes the research method applied. Section 4 presents placed or supplemented with other ad libs. They collected
the experiment results obtained. Section 5 offers conclu- 13,983 versions of 5,937 apps and found that nearly 50%
sions. of those apps had changed their ad libs within 12 months
in the form of addition, removal, or update. Su et al. [22]
used HTTP data mining through network traffic, based
2 Literature Review on three aspects: quantitative, timing and semantic. The
authors claimed an accuracy rate of 95% for the traffic
According to Ruiz et al. [16], the recent notable increase of malicious ad libs. Shuba and Markopoulou [19] pro-
of free apps has caused the top 40 ad networks to respond posed a system called AntWall to prevent ad libs from
to less than 18% of ad requests from applications. This leaking users’ personal information. AntWall can be exe-
International Journal of Network Security, Vol.23, No.2, PP.246-254, Mar. 2021 (DOI: 10.6633/IJNS.202103 23(2).07) 248
cuted in the background without rooting the mobile phone way is to use ContextWrapper.checkPermission() in the
and utilizes low energy consumption and network traffic. android.content package name to confirm whether there
However, AntWall relies on the manual input of the name is a specific permission declaration.
of an ad network to operate effectively. Yan et al. [27] This study uses the Android emulator to analyze per-
designed a new Android model called RTDroid that ba- mission misuses of ad libs. This method inserts an ad
sically modifies some internal Android components to re- lib into an empty project, MyAPP, which does not de-
place the original Android Dalvik virtual machine (VM) clare any other permission than those required by the ad
with a real-time VM, ensuring that the execution of any lib. After execution, the Android SDK is monitored, and
app and its ad libs are more predictable. the permissions requested by the ad lib from the Android
Liu et al. [15] discussed analytics libraries, which are system is the output. If the ad lib only declares permis-
used to trace ad presence and clicks and are more likely sion A and permission B, but permission C is requested,
to leak users’ personal information than ad libs. The then permission C is determined to be a misuse. The
authors implemented a framework called Alde to check proposed method then adds permission C to the Android-
if users’ in-app actions were collected through analytics Manifest.XML for declaration and continues to find other
libraries. According to their experiments involving 300 misuses until no new ones can be found. The algorithm
apps, some apps did indeed leak users’ privacy to analytics is given formally as follows.
libraries without notifying users. Shao et al. [18] focused Algorithm: Determine permission misused by an ad
on whether the websites linked in the ad libs threatened lib.
the security of mobile phones. They designed a static
analysis tool that is able to find the embedded ad libs 1) Create an empty project using Android Studio with-
in an app and a dynamic analysis tool with three func- out any declaration of permissions. Insert a test ad
tions: identifying linking websites, detecting malware and lib into the project and add all permissions needed
fraud, and determining the source of an attack. Their ex- by the ad lib to the AndroidManifest.XML.
periment analyzed 242 ad libs from 600,000 apps, which 2) Set breakpoints for monitoring SecurityException()
were linked to a total of 1.5 million URLs. Some at- and ContextWrapper.checkPermission().
tacks originated through website connection, including
malicious anti-virus software fraud, free iPad fraud, and 3) Execute the project in debug mode and trigger ad
Trojan horse attacks that used messages to distribute ad- events to make sure the code of the ad lib can be
vertisements. Su et al. [21] noted that most ad libs have executed.
communication patterns when communicating with their
ad servers. The pattern, although probably not unique, 4) Scan the monitored messages and retrieve attempts
can help identify or group ad libs contained in an app. to access permissions.
5) Compare the permission access attempts obtained
from Step 4 with the permissions declared in the
3 Research Method AndroidManifest.XML to obtain permission misuses.
The proposed system herein has two functions: (1) anal- If any new one exists, then add the declaration of
ysis of permission misused by ad libs, and (2) risk assess- the misused permission to the AndroidManifest.XML
ment of URLs linked with apps. The proposed system is and go to Step 3; otherwise, no more permission mis-
introduced as follows. uses can be found, and thus terminate the procedure.
The idea behind this algorithm is basically that the
3.1 Analysis of Permission Misused by misused permissions are obtained through the difference
Ad Libs between the attempts to access permissions and the ad-
vertiser’s declaration. In order to find all permission mis-
Android’s safety mechanism is to allow the use of its func- uses, the first found one should be added to AndroidMan-
tionalities by declaring corresponding permissions in An- ifest.xml, and then Step 3 starts to find the next one until
droid Manifest.xml. If a functionality is used without no more can be found. For example, the ad lib may misuse
proper declaration, then errors cause the app’s execution the READ CONTACTS and SEND SMS permissions in
to end. Therefore, it is necessary to add an exception order. The proposed procedure will first find the attempt
mechanism to the code of ad libs that attempt permission to access READ CONTACTS. After adding the permis-
misuses, given that ad libs do not know which permissions sion to the AndroidManifest.xml, the process returns to
are declared by the host app. In order to avoid execution Step 3, and it will be able to find the attempt to access
errors, there are two ways for ad libs to deal with per- the SEND SMS permission. All permission misuses can
mission misuse. The first way is to use SecurityException be found in this way. Applying the method to investigate
in the java.lang package name to catch exceptions; i.e., different ad libs, a list of ad libs with declared and un-
the ad lib’s code is wrapped with try-catch. When errors declared permission accesses can be obtained. The list is
occur to an undeclared permission access, a new Securi- used in the proposed system to determine if a test APK
tyException() occurs for exception handling. The second contained ad libs committing permission misuse.
International Journal of Network Security, Vol.23, No.2, PP.246-254, Mar. 2021 (DOI: 10.6633/IJNS.202103 23(2).07) 249
(a) (b) (c)
Figure 1: Obtaining URLs statically and dynamically. (a) Part of the decompiled program codes, (b) Part of the
decompiled program codes when searching URLs from .smali after decompilation, (c) Part of the code to get URLs
in real time.
3.2 Risk Assessment of URLs Linked 4 Experiment Results
with the App
The whole process of this study appears in Figure 3. The
user selects a test APK on the smartphone and checks
either one or both functions described in Section 3. The
This function consists of four phases. The first phase APK is then sent to the proposed server. After the anal-
reads URLs statically after decompiling the APK. The yses, the results are returned to the user. In the server,
second phase gathers linked URLs in the emulator. The the APK file is decompiled in order to analyze permis-
third phase merges all URLs and sends them to Web- sion misuse and/or linked URL risk. The former searches
Of-Trust (WOT) [25] and VirusTotal [23] for inspection. Package Name to identify the ad libs embedded in the
The fourth phase receives responses from the two websites APK and then compares the results with the list of ad
and provides security information about the test APK to lib with permission misuses obtained in Section 3.1. The
users. latter includes a static search for URLs and a dynamic
search for URLs from the traffic in the emulator. All col-
In the first phase, the user selects an APK and sends lected URLs are sent to WOT [25] and VirusTotal [23]
it to the proposed server for static analysis. In the server for risk analysis. Finally, the server integrates the results
end, the uploaded APK is decompiled and parsed to get and sends them back to the user, as shown in Figure 3.
all URLs. Figure 1(a) shows the codes to decompile an
APK using Apktool [3], in which decoderSetting(true, 4.1 Results of Permission Misuse Analy-
true) means to decompile source code and resources. Fig-
ure 1(b) is the code to parse the .smali files after decompi-
sis
lation in order to get URLs statically. In the second stage, This study tests 26 ad libs on the AppBrain website [4],
the test APK is run in an emulator in order to record all presenting the results in Table 1. According to the list
the URLs with which it is linked. This study applies NOX of ad libs obtained by the algorithm in Section 3.1, the
emulator [6] and Monkeyrunner [1] to simulate user clicks. declared permissions by the ad libs are marked as “O”,
The URLs are then captured using Pcap4j [26]. Figure and the undeclared but requested permissions in run time
1(c) is the code to get URLs in real time. are marked as “X”. Most of the ad libs have undeclared
but requested permissions MODIFY AUDIO SETTINGS
The third stage collects all obtained URLs, removes and BLUETOOTH. Ad libs P and R in Table 1 at-
duplicates, and sends them to WOT [25] and VirusTo- tempted by requesting ACCESS FINE LOCATION/ AC-
tal [23], two trusted third-party security websites, for risk CESS COARSE LOCATION and READ CONTACTS,
assessments. The json files sent back from the two web- respectively. In addition, ad libs A and U appear to have
sites are then parsed, sorted, and presented to the mobile requested excessively dangerous permissions, although
phone user. This study uses the WOT Public API to they did not commit permission misuse. The permissions
send HTTP GET REQUEST, as shown in Figure 2(a), in red in Table 1 are dangerous, according to the official
and determines a score for the test APK based on the re- Android website [2].
turned results. Similarly, this study sends HTTP POST Figure 4 shows an example. After choosing an APK
REQUEST via the VirusTotal Academic API, as shown and sending it to the server, the results returned to the
in Figure 2(b), and determines a score for the test APK smartphone are shown in Figure 4(a). Here, the APK
based on the returned results. contains 9 ad libs, and all of the attempts to access per-
International Journal of Network Security, Vol.23, No.2, PP.246-254, Mar. 2021 (DOI: 10.6633/IJNS.202103 23(2).07) 250
(a) (b)
Figure 2: Program segments of communication between the proposed system and WOT and VirusTotal as well. (a)
Program segment of WOT API call, (b) Program segment of VirusTotal API call.
Figure 3: Flowchart of an APK analysis: Permission misuse and linked URL risk
(a) (b) (c)
Figure 4: Example: An APK with nine ad libs and their permission access attempts. (a) All ad libs and declared
permissions, (b) Permission misuses in red, (c) Permission access of an ad lib.
International Journal of Network Security, Vol.23, No.2, PP.246-254, Mar. 2021 (DOI: 10.6633/IJNS.202103 23(2).07) 251
Table 1: List of ad libs with permission misuses
mission are shown. Some permission misuses are shown the screens from either VirusTotal or WOT, in the middle
in Figure 4(b) in red. Clicking the Detail button shows of the figures, shows detailed information from the third-
all permission access attempts from every ad lib, as seen party risk analyses, as shown in Figure 6(c) and Figure
in Figure 4(c). Permissions in yellow in Figure 4 are con- 6(d) for VirusTotal and WOT, respectively.
sidered dangerous according to the official Android web- From the first row of Figures 6(c) and 6(d),
site [2]. it is obvious that VirusTotal focused on check-
ing malware/phishing/malicious/suspicious URLs, while
WOT focused on evaluating URLs’ trust/child-safety
4.2 Results of Linked URL Risk Assess- scores. In Figure 6(c), almost all URLs are clean,
ment as each of them gets 1.0 (i.e., a score of 100),
with the exception of the URL in the second row
This process includes static and dynamic analyses. The (https://api.appsflyer.com/install data/v3/), which got
static analysis decompiles the test APK and then parses 0.984375 (i.e., a score of 98.4375). Therefore, the aver-
the smali file of the classes.dex file to obtain the requested
age score is 99, as shown in Figure 6(a), with no URL
URLs by using regular expression. Dynamic analysis ana- scoring less than 70. Although the URLs have no mal-
lyzes the linked URLs during execution in an emulator by ware or are not phishing/malicious/suspicious, it is still
inspecting the network traffic caused by the APK. Finally, necessary to use WOT to evaluate their trust scores (rep-
all of the URLs obtained from static and dynamic anal- utation) and child-safety scores (whether the contents are
ysis were sent to WOT [25] and VirusTotal [23] for risk suitable for children). In Figure 6(d), every URL’s trust
analysis. The sites each returned a string in json format, score and child-safety score are given. While the average
as shown in Figure 5. trust score and child-safety scores are 73 and 70, respec-
The server then computes the scores from the returned tively, as shown in Figure 6(b), those URLs with scores
json files and presents them to the mobile phone user, as less than 70 (i.e., unsafe ones) can also be found at the
shown in Figures 6(a) and 6(b) for VirusTotal and WOT, lower part of Figure 6(b).
respectively. URLs with a score of less than 70 are con-
sidered dangerous and are also shown in the lower parts
of Figures 6(a) and 6(b). In this example, no URL re- 5 Conclusion
ceived a score of less than 70 from WOT (see Figure
6(a)), but several URLs received scores of less than 70 This study’s findings present from the experiments con-
from VirusTotal (see Figure 6(b)). Clicking the icon on ducted that most permission misuses involve MOD-International Journal of Network Security, Vol.23, No.2, PP.246-254, Mar. 2021 (DOI: 10.6633/IJNS.202103 23(2).07) 252
(a) (b)
Figure 5: Json files returned from WOT and VirusTotal. (a) WOT, (b) VirusTotal .
(a) (b) (c) (d)
Figure 6: Risk assessments of linked URLs of an app from VirusTotal and WOT. (a) Summary report from VirusTotal,
(b) Summary report from WOT, (c) Detailed information from VirusTotal, (d) Detailed information from WOT.International Journal of Network Security, Vol.23, No.2, PP.246-254, Mar. 2021 (DOI: 10.6633/IJNS.202103 23(2).07) 253
IFY AUDIO SETTINGS and BLUETOOTH permis- [10] D. Goodin, Google Play’s Malicious App
sions, which are fortunately not dangerous according to Problem Infects 1.7 Million More Devices,
the official Android website. Some ad libs did not commit Mar. 25, 2020. (https://arstechnica.
permission misuse, but did declare excessive permissions com/information-technology/2020/03/
beyond the needs of advertising. In addition, the linked found-malicious-google-play-apps-with-1-7
URLs of an app were obtained through static and dy- -million-downloads-many-by-children/)
namic analyses. Through the evaluation of these URLs [11] L. Grustniy, Loapi — this Trojan is hot!,
by impartial third-party websites, a quantitative security Dec. 18, 2017. (https://www.kaspersky.com/
score is presented to mobile phone users. In other words, blog/loapi-trojan/20510/)
the system proposed in this paper informs users clearly [12] B. He, H. Xu, L. Jin, G. Guo, Y. Chen, and G. Weng,
whether the ad libs in an app access permissions beyond “An investigation into android in-app ad practice:
their declarations, and of the risk of URLs linked in that Implications for app developers,” in The IEEE Con-
app. This work helps users achieve further awareness of ference on Computer Communications (IEEE INFO-
the security level of an app before installation, in contrast COM’18), pp. 2465-2473, 2018.
to traditional anti-virus tools. [13] S. Khandelwal, Pre-Installed Malware Found On
5 Million Popular Android Phones, The Hacker
News, Mar. 15, 2018. (https://thehackernews.
Acknowledgments com/2018/03/android-botnet-malware.html)
[14] S. Lee and S. Ryu, “Adlib: Analyzer for mobile
This research was partially supported by the Ministry of
ad platform libraries,” in The 28th ACM SIGSOFT
Science and Technology under grant numbers MOST 107-
International Symposium on Software Testing and
2221-E-130-003 and 109-2221-E-130-005.
Analysis, pp. 262-272, 2019.
[15] X. Liu, J. Liu, S. Zhu, W. Wang, and X. Zhang,
References “Privacy risk analysis and mitigation of analytics li-
braries in the android ecosystem,” IEEE Transac-
[1] Android, Monkeyrunner, Feb. 15, 2021. tions on Mobile Computing, vol. 19, no. 5, pp. 1184-
(https://developer.android.com/studio/test/ 1199, 2020.
monkeyrunner) [16] I. J. M. Ruiz, M. Nagappan, B. Adams, T. Berger,
[2] Android, Manifest.permission, Feb. 15, 2021. S. Dienst, and A. E. Hassan, “Impact of ad libraries
(https://developer.android.com/reference/ on ratings of android mobile apps,” IEEE Software,
android/Manifest.permission) vol. 31, no. 6, pp. 86-92, 2014.
[3] Apktool, A Tool for Reverse Engineering Android [17] I. J. M. Ruiz, M. Nagappan, B. Adams, T. Berger,
Apk Files, Feb. 15, 2021. (https://ibotpeaches. S. Dienst, and A. E. Hassan, “Analyzing ad library
github.io/Apktool/) updates in android apps,” IEEE Software, vol. 33,
[4] AppBrain, Android Ad Network Statistics And Mar- no. 2, pp. 74-80, 2016.
ket Share, Feb. 15, 2021. (http://www.appbrain.
[18] R. Shao, V. Rastogi, Y. Chen, X. Pan, G. Guo, S.
com/stats/libraries/ad)
Zou, and R. Riley,“Understanding in-app ads and
[5] E. Athanasopoulos, V. P. Kemerlis, G. Portoka-
detecting hidden attacks through the mobile app-web
lidis, and A. D. Keromytis,“NaClDroid: Native code
interface“, IEEE Transactions on Mobile Computing,
isolation for android applications,” Lecture Notes
vol. 17, no. 11, pp. 2675-2688, 2018.
on Computer Sciences, LNCS 9878, pp. 422-439,
[19] A. Shuba and A. Markopoulou, “Demo: AntWall-A
Springer, 2016.
[6] Bignox, NOX Emulator, Feb. 15, 2021. (https:// system for mobile adblocking and privacy exposure
tw.bignox.com/) prevention,” in The ACM International Symposium
[7] V. Chebyshev, F. Sinitsyn, D. Pari- on Mobile Ad Hoc Networking and Computing (Mo-
nov, B. Larin, O. Kupreev, E. Lopatin, biHoc’18), 2018.
IT Threat Evolution Q1 2019. Statistics, [20] R. Stevens, C. Gibler, J. Crussell, J. Ericksonand,
May 23, 2019. (https://securelist.com/ and H. Chen, “Investigating user privacy in android
it-threat-evolution-q1-2019-statistics/ ad libraries,” in The IEEE Mobile Security Technolo-
90916/) gies (MoST), 2012.
[8] M. Diamantaris, E. P. Papadopoulos, and E. P. [21] M. Y. Su, H.-S. Wei, X.-Y. Chen, P.-W. Lin, D.-Y.
Markatos, ”REAPER: Real-time app analysis for Qiu, “Using ad-related network behavior to distin-
augmenting the android permission system,” in The guish ad libraries,” Applied Sciences, vol. 8, no. 10,
Ninth ACM Conference on Data and Application Se- pp. 1-18, 2018.
curity and Privacy, pp. 37-48, 2019. [22] X. Su, X. Liu, J. Lin, S. He, Z. Fu, and W. Li,
[9] X. Gao, D. Liu, H. Wang, and K. Sun, “PmDroid: “De-cloaking malicious activities in smartphones us-
Permission supervision for android advertising,” in ing HTTP flow mining,” KSII Transactions on In-
The IEEE Symposium on Reliable Distributed Sys- ternet and Information Systems, vol. 11, no. 6, pp.
tems, pp. 120-129, 2015. 3230-3253, 2017.International Journal of Network Security, Vol.23, No.2, PP.246-254, Mar. 2021 (DOI: 10.6633/IJNS.202103 23(2).07) 254
[23] VirusTotal, Virustotal, Feb. 15, 2021. (https:// degrees from National Central University and National
www.virustotal.com/) Taiwan University in 1991 and 1997, respectively. He is
[24] X. Wei, I. Neamtiu, and M. Faloutsos, “Whom does a professor of the Department of Computer Science and
your android app talk to?,” in The IEEE Global Information Engineering at Ming Chuan University, Tai-
Communications Conference (GLOBECOM’15), pp. wan. His research interests include network security, in-
1-6, 2015. trusion detection/prevention, malware detection, mobile
[25] WOT, Protect Your Browsing with Web of Trust, security and wireless sensor networks.
Feb. 15, 2021. (http://www.mywot.com/)
Sheng-Sheng Chen received his B.S. degree in Com-
[26] K. Yamada, Pcap4j, Feb. 15, 2021. (https://
puter Science and Information Engineering from Ming
github.com/kaitoy/pcap4j)
Chuan University, Taiwan in 2019. His research inter-
[27] Y. Yan, S. Cosgrove, V. Anand, A. Kulkarni, S. H.
ests include mobile security and MANET.
Konduri, S. Y. Ko, and L. Ziarek, “RTDroid: A de-
sign for real-time android,” IEEE Transactions on Tsung-Ren Wu received his B.S. degree in Computer
Mobile Computing, vol. 15, no. 10, pp. 2564-2584, Science and Information Engineering from Ming Chuan
2016. University, Taiwan in 2019. His research interests include
[28] X. Zhu, J. Li, Y. Zhou, and J. Ma, “AdCap- mobile security and MANET.
sule: Practical confinement of advertisements in an-
Hao-Sen Chang received his B.S. degree in Computer
droid applications,” IEEE Transactions on Depend-
Science and Information Engineering from Ming Chuan
able and Secure Computing, vol. 17, no. 3, pp. 479-
University, Taiwan in 2019. His research interests include
492, 2020.
mobile security and MANET.
You-Liang Liu received his B.S. degree in Computer
Biography Science and Information Engineering from Ming Chuan
University, Taiwan in 2019. His research interests include
Ming-Yang Su received his B.S. degree in Computer
mobile security and MANET.
Science and Information Engineering from Tunghai Uni-
versity, Taiwan in 1989, and received his M.S. and Ph.D.You can also read
