IconChecker: Anomaly Detection of Icon-Behaviors for Android Apps

As a result of the technical evolution in network technologies and the upper applications, the reliance of mobile apps on the Internet increased heavily on the purpose of excellent service in years. However, the speedy increase brought not only conveniences but also security risks. For instance, it is unveiled that there exists a series of malicious apps, which are aiming to collect users’ private data and imperceptibly send them to remote servers under the camouflage of normal users’ behaviors. To defend against the threat, although lots of research has been proposed, it is still a challenge to capture the abnormal behaviors more precisely. In this paper, we propose IconChecker, a GUI-based anomaly detection framework, to detect icons that can cause malicious network payloads under the premise of users’ normal intentions. IconChecker can detect the abnormal icon-behaviors with the icon's semantics and triggered network traffic in relatively high precision, and further generate a security report for analysis and development. To demonstrate the effectiveness, we evaluate IconChecker from: (1) the accuracy of network traffic sniffing; (2) the accuracy of icon semantics classification; (3) the overall precision of IconChecker towards real apps; (4) comparing IconChecker with the existing tool, i.e., DeepIntent. The detection results show that IconChecker can outperform at the precision of 84% in terms of our summarized 8 categories of icon-behaviors. We remark that IconChecker is the first work, which dynamically detects abnormal icon-behaviors, to identify the malicious network payloads in Android apps.