Spy app is a class of malware for mobile devices that allows an adversary to steal sensitive information. Detecting spy apps is challenging because they do not rely on classic malware techniques, for instance, they use standard services to store stolen data, and do not perform privileges escalation on the victim phone. Thus, their behavior is generally closer to the benign apps and poses new challenges for their detection. In this paper, we propose ASAINT: A Spy App Identification System based on Network Traffic. To the best of our knowledge, ASAINT is the first system capable of detecting spy apps in a network without any physical or software control of the victim mobile device. Core of our approach is a wide range of non-intrusive network detection methods designed by studying several popular spy apps. We test ASAINT on a self-collected dataset containing network traffic from both spy and benign applications, either on Android and iOS. Our result is an F1-score of 0.85 on average, that confirms the effectiveness of ASAINT. Moreover, our analysis provides a methodological classification of the exfiltration strategies used by spy apps in different operating systems. In sum, our work gives new and practical insights about the detection of modern spy apps, paving the way for future research in detecting this class of malware.

ASAINT: A spy App identification system based on network traffic

Conti M.;Rigoni G.;Toffalini F.
2020

Abstract

Spy app is a class of malware for mobile devices that allows an adversary to steal sensitive information. Detecting spy apps is challenging because they do not rely on classic malware techniques, for instance, they use standard services to store stolen data, and do not perform privileges escalation on the victim phone. Thus, their behavior is generally closer to the benign apps and poses new challenges for their detection. In this paper, we propose ASAINT: A Spy App Identification System based on Network Traffic. To the best of our knowledge, ASAINT is the first system capable of detecting spy apps in a network without any physical or software control of the victim mobile device. Core of our approach is a wide range of non-intrusive network detection methods designed by studying several popular spy apps. We test ASAINT on a self-collected dataset containing network traffic from both spy and benign applications, either on Android and iOS. Our result is an F1-score of 0.85 on average, that confirms the effectiveness of ASAINT. Moreover, our analysis provides a methodological classification of the exfiltration strategies used by spy apps in different operating systems. In sum, our work gives new and practical insights about the detection of modern spy apps, paving the way for future research in detecting this class of malware.
2020
ACM International Conference Proceeding Series
15th International Conference on Availability, Reliability and Security, ARES 2020
9781450388337
File in questo prodotto:
Non ci sono file associati a questo prodotto.
Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11577/3352641
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 6
  • ???jsp.display-item.citation.isi??? ND
  • OpenAlex ND
social impact