ASAINT: A spy App identification system based on network traffic
Conti M.; Rigoni G.; Toffalini F.
2020
Abstract
A spy app is a class of malware for mobile devices that allows an adversary to steal sensitive information. Detecting spy apps is challenging because they do not rely on classic malware techniques: for instance, they use standard services to store stolen data and do not perform privilege escalation on the victim's phone. Thus, their behavior is generally closer to that of benign apps and poses new challenges for their detection. In this paper, we propose ASAINT: A Spy App Identification System based on Network Traffic. To the best of our knowledge, ASAINT is the first system capable of detecting spy apps in a network without any physical or software control of the victim mobile device. The core of our approach is a wide range of non-intrusive network detection methods designed by studying several popular spy apps. We test ASAINT on a self-collected dataset containing network traffic from both spy and benign applications, on both Android and iOS. Our result is an F1-score of 0.85 on average, which confirms the effectiveness of ASAINT. Moreover, our analysis provides a methodological classification of the exfiltration strategies used by spy apps in different operating systems. In sum, our work gives new and practical insights into the detection of modern spy apps, paving the way for future research in detecting this class of malware.
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.