Authors: Heqing Huang, Yeonjoon Lee, Kai Chen, Peng Liu, Peng Wang
DOI:
Keywords: Scalability, Stream processing, Program analysis, World Wide Web, Computer science, Vetting, Computer security, Code reuse, Malware, Repackaging, Relation (database)
Abstract: An app market's vetting process is expected to be scalable and effective. However, today's vetting mechanisms are slow and less capable of catching new threats. In our research, we found that a more powerful solution can be built by exploiting the way Android malware is constructed and disseminated, which is typically by repackaging legitimate apps with similar malicious components. As a result, such attack payloads often stand out from the code of apps that share the same origin, and also show up in apps that are not supposed to be related to each other. Based upon this observation, we developed a new technique, called MassVet, for vetting apps at a massive scale, without knowing what the malware looks like or how it behaves. Unlike existing detection mechanisms, which often rely on heavyweight program analysis techniques, our approach simply compares a submitted app with all the apps already on the market, focusing on the difference between apps that share a similar UI structure (indicating a possible repackaging relation) and on the commonality among apps that seem unrelated. Once public libraries and other legitimate code reuse are removed, such "diff" and "common" program components become highly suspicious. We built this "Diff-Com" analysis on top of an efficient similarity comparison algorithm, which maps the salient features of an app's UI structure or a method's control-flow graph to a single value for fast comparison. We implemented MassVet over a stream processing engine and evaluated it on nearly 1.2 million apps from 33 app markets around the world, the scale of Google Play. Our study shows that the technique can vet an app within 10 seconds at a low false detection rate. It also outperformed the 54 scanners in VirusTotal (NOD32, Symantec, McAfee, etc.) in terms of detection coverage, capturing a hundred thousand malicious apps, including 20 likely zero-day malware samples and apps installed millions of times. A close look at these apps brings to light intriguing observations, e.g., Google's detection strategy and malware authors' countermoves, which cause the mysterious disappearance and reappearance of some Google Play apps.
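The following is an added illustration of the Diff-Com idea described in the abstract; it is not MassVet's code and does not reproduce the paper's actual feature extraction or hashing scheme. It assumes a deliberately simplified representation: an app is a set of UI-structure features plus a set of per-method fingerprints, a method fingerprint is a hash of its control-flow-graph edge list, and a whitelist of known-library fingerprints stands in for the "public libraries and other legitimate code reuse" that must be removed before the diff and common components are trusted. The market, the library whitelist, the UI similarity threshold and the constructed apps are all made up for the example.

```python
"""Simplified Diff-Com style vetting sketch (illustration only, not MassVet's code).

Assumptions (not from the paper): apps are sets of UI features and method
fingerprints; a fingerprint is a hash of a CFG edge list; "unrelated" means
UI-structure similarity below an arbitrary threshold.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    ui: frozenset        # UI-structure features, e.g. view-hierarchy paths
    methods: frozenset   # fingerprints of the app's methods


def cfg_fingerprint(edges):
    """Map a method's control-flow graph to one comparable value.

    The CFG is given as (src_block, dst_block) index pairs. Sorting makes the
    value independent of the order edges were recorded in, so two copies of
    the same method hash identically even if the extractor walked them differently.
    """
    canonical = ",".join(f"{src}>{dst}" for src, dst in sorted(edges))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def jaccard(a, b):
    """Set similarity used here for UI-structure comparison (assumed metric)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def diffcom(submitted, market, libraries, ui_threshold=0.7):
    """Return (diff_suspects, common_suspects) for one submitted app.

    diff:   methods the submitted app carries that a look-alike (similar UI,
            likely the same original app) does not, minus library code.
    common: methods the submitted app shares with apps whose UI is unrelated,
            minus library code; repackagers reuse the same payload across
            many different victim apps, so this is where it shows up.
    """
    diff, common = set(), set()
    for other in market:
        if other.name == submitted.name:
            continue
        if jaccard(submitted.ui, other.ui) >= ui_threshold:
            diff |= (submitted.methods - other.methods) - libraries
        else:
            common |= (submitted.methods & other.methods) - libraries
    return diff, common


# --- constructed sample data (not real apps) ---------------------------------
PAYLOAD_CFG = [(0, 1), (1, 2), (1, 3), (2, 4), (3, 4)]   # a "malicious" method
NOTES_SAVE_CFG = [(0, 1), (1, 2)]
NOTES_LOAD_CFG = [(0, 1), (1, 1), (1, 2)]
LIB_JSON_CFG = [(0, 1), (0, 2), (2, 3)]
LIB_HTTP_CFG = [(0, 1), (1, 2), (2, 1), (2, 3)]
TORCH_CFG = [(0, 1)]

PAYLOAD = cfg_fingerprint(PAYLOAD_CFG)
LIBRARIES = frozenset({cfg_fingerprint(LIB_JSON_CFG), cfg_fingerprint(LIB_HTTP_CFG)})

NOTES = App("notes", frozenset({"a", "b", "c", "d"}),
            frozenset({cfg_fingerprint(NOTES_SAVE_CFG), cfg_fingerprint(NOTES_LOAD_CFG),
                       cfg_fingerprint(LIB_JSON_CFG)}))
NOTES_REPACK = App("notes_repack", frozenset({"a", "b", "c", "d", "e"}),
                   NOTES.methods | {PAYLOAD})
FLASHLIGHT = App("flashlight", frozenset({"x", "y", "z"}),
                 frozenset({cfg_fingerprint(TORCH_CFG), cfg_fingerprint(LIB_HTTP_CFG), PAYLOAD}))
MARKET = [NOTES, NOTES_REPACK, FLASHLIGHT]


def vet(app_name):
    """Vet one app in the sample market; returns (diff, common) fingerprint sets."""
    app = next(a for a in MARKET if a.name == app_name)
    return diffcom(app, MARKET, LIBRARIES)


if __name__ == "__main__":
    for name in ("notes", "notes_repack", "flashlight"):
        diff, common = vet(name)
        verdict = "SUSPICIOUS" if diff or common else "clean"
        print(f"{name:13s} diff={sorted(diff)} common={sorted(common)} -> {verdict}")
```

In the sample, the repackaged notes app is flagged twice: by the diff side because it carries a method its UI twin lacks, and by the common side because that same method also appears in a flashlight app with an unrelated UI. The original notes app is clean on both sides. The whitelist is what keeps the common side from lighting up on shared library code, so in practice the quality of that whitelist, not the comparison itself, determines the false-positive rate; the threshold and the Jaccard metric are placeholders for whatever UI-similarity measure a deployment actually uses.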