Device Administrator Use and Abuse in Android: Detection and Characterization

Document Type

Conference Proceeding

Publication Date

1-1-2019

Abstract

Device Administrator (DA) capabilities for mobile devices, e.g., remote locking/wiping, or enforcing password strength, were originally introduced to help organizations manage phone fleets or enable parental control. However, DA capabilities have been subverted and abused: malicious apps have used DA to create ransomware or lock users out, while benign apps have used DA to prevent or hinder uninstallation; in certain cases the only remedy is to factory-reset the phone. We call these apps "Deathless Device Administrator" (DDA), i.e., apps that cannot be uninstalled. We provide the first systematic study of Android DA capabilities, DDA apps, DDA-attack resistance across Android versions, and DDA-induced families in malicious apps. To enable scalable studies of questionable DA behavior, we developed DAAX, a static analyzer which exposes potential DA abuse effectively and efficiently. In a corpus of 39,459 apps (20,467 malicious and 18,992 benign) DAAX has found 4,135 DA apps and 691 potential DDA apps. The static analysis results on the 4,135 apps were cross-checked via dynamic analysis on at least 3 phones, confirming 578 true DDAs, including apps currently on Google Play. The study has shown that DAAX is effective (84.8% F-measure) and efficient (analysis typically takes 205 seconds per app).

Identifier

85098080702 (Scopus)

Publication Title

Proceedings of the Annual International Conference on Mobile Computing and Networking MOBICOM

External Full Text Location

https://doi.org/10.1145/3300061.3345452

Volume

2019-January

Grant

CNS-1617584

Fund Ref

National Science Foundation

This document is currently not available here.
