How Did That Get In My Phone? Unwanted App Distribution on Android Devices

“…Recall that we select PHAs (per SHA2) that we observe at least twice on the same device to carry out the measurements (see Section 2), hence our dataset is purposely designed to measure the temporal behavior. Our results are consistent with the most recent Android PHA device prevalence study [16]: 15 of the 20 PHA families in Table 3 were also among the top 20 PHA families found by [16]. As we can see in the PHA families exhibit bell shaped temporal patterns.…”

“…In this paper, we use mobile PHA reputation data collected from real-world Android devices by NortonLifeLock's mobile security product, which covers over 200 countries and regions in the world. Similar to the device geolocation distribution discussed in Kotzias et al [16], 25% of the devices used in our study were from the United States, 28% of the devices were from European countries, and 31% of the devices were from the APJ area (although this distribution was skewed towards Japan and India).…”

“…We consider an app as a PHA if VirusTotal returns a minimum of four detections in this paper. This is in line with the best practices recently proposed in the malware research community [16,41]. We refer the audience to Kotzias et al [16] and Zhu et al [41] for in-depth analysis of the impact of different detection threshold values of VirusTotal reports.…”

“…This is in line with the best practices recently proposed in the malware research community [16,41]. We refer the audience to Kotzias et al [16] and Zhu et al [41] for in-depth analysis of the impact of different detection threshold values of VirusTotal reports. In total, we identify 7M unique malicious SHA2s, and 3.5K PHA families.…”

“…However, such services may inadvertently migrate existing PHAs to the new device too, and compromise the security and privacy of the new phones, even though these PHAs may have been removed by the markets and therefore the user might not be able to manually install them anymore. Kotzias et al [16] showed that backup restoration is an unintended unwanted app distribution vector responsible for 4.8% of unwanted installs. Following this direction, we further investigate how long PHAs can persist after migrating via backup/clone services.…”

A Large-scale Temporal Measurement of Android Malicious Apps: Persistence, Migration, and Lessons Learned

“…Recall that we select PHAs (per SHA2) that we observe at least twice on the same device to carry out the measurements (see Section 2), hence our dataset is purposely designed to measure the temporal behavior. Our results are consistent with the most recent Android PHA device prevalence study [16]: 15 of the 20 PHA families in Table 3 were also among the top 20 PHA families found by [16]. As we can see in the PHA families exhibit bell shaped temporal patterns.…”

“…In this paper, we use mobile PHA reputation data collected from real-world Android devices by NortonLifeLock's mobile security product, which covers over 200 countries and regions in the world. Similar to the device geolocation distribution discussed in Kotzias et al [16], 25% of the devices used in our study were from the United States, 28% of the devices were from European countries, and 31% of the devices were from the APJ area (although this distribution was skewed towards Japan and India).…”

“…We consider an app as a PHA if VirusTotal returns a minimum of four detections in this paper. This is in line with the best practices recently proposed in the malware research community [16,41]. We refer the audience to Kotzias et al [16] and Zhu et al [41] for in-depth analysis of the impact of different detection threshold values of VirusTotal reports.…”

“…This is in line with the best practices recently proposed in the malware research community [16,41]. We refer the audience to Kotzias et al [16] and Zhu et al [41] for in-depth analysis of the impact of different detection threshold values of VirusTotal reports. In total, we identify 7M unique malicious SHA2s, and 3.5K PHA families.…”

“…However, such services may inadvertently migrate existing PHAs to the new device too, and compromise the security and privacy of the new phones, even though these PHAs may have been removed by the markets and therefore the user might not be able to manually install them anymore. Kotzias et al [16] showed that backup restoration is an unintended unwanted app distribution vector responsible for 4.8% of unwanted installs. Following this direction, we further investigate how long PHAs can persist after migrating via backup/clone services.…”

A Large-scale Temporal Measurement of Android Malicious Apps: Persistence, Migration, and Lessons Learned

D-Cloud-Collector: Admissible Forensic Evidence from Mobile Cloud Storage

uitXkernel: Android Kernel Forensic for Security Analysis Purposes