Lifting The Grey Curtain: A First Look at the Ecosystem of CULPRITWARE

Mobile apps are extensively involved in cyber-crime. Some apps are malware that compromise users' devices, while others may lead to privacy leakage. Apart from these, there also exist apps that directly profit from victims through deception, threats or other criminal actions. We name these apps CULPRITWARE. They have become an emerging threat in recent years, yet the characteristics and the ecosystem of CULPRITWARE remain largely unknown. This paper takes the first step towards systematically studying CULPRITWARE and its ecosystem. Specifically, we first characterize CULPRITWARE by categorizing them and comparing them with benign apps and malware. The result shows that CULPRITWARE have unique features, e.g., their usage of app generators (25.27%) deviates from that of benign apps (5.08%) and malware (0.43%). Such a discrepancy can be used to distinguish CULPRITWARE from benign apps and malware. Then we reveal the structure of the ecosystem by identifying its four participating entities (i.e., developer, agent, operator and reaper) and its workflow. After that, we further characterize the ecosystem by studying these participating entities. Our investigation shows that the majority of CULPRITWARE (at least 52.08%) are propagated through social media rather than the official app markets, and that most CULPRITWARE (96%) indirectly rely on covert fourth-party payment services to transfer their profits. Our findings shed light on the ecosystem and can help the community and law enforcement authorities mitigate these threats. We will release the source code of our tools to engage the community.
