Towards Attribution in Mobile Markets: Identifying Developer Account Polymorphism

Silvia Sebastián, Juan Caballero
Venue: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
Publication date: 2020-10-30
DOI: https://doi.org/10.1145/3372297.3417281
Citations: 16

Abstract

Malicious developers may succeed at publishing their apps in mobile markets, including the official ones. If reported, the apps will be taken down and the developer accounts may be banned. Unfortunately, such take-downs do not prevent the attackers from using other developer accounts to publish variations of their malicious apps. This work presents a novel approach for identifying developer accounts, and other indicators of compromise (IOCs) in mobile markets, that belong to the same operation, i.e., to the same owners. Given a set of seed IOCs, our approach explores app and version metadata to identify new IOCs that belong to the same operation. It outputs an attribution graph, which details the attribution inferences, so that they can be reviewed. We have implemented our approach into Retriever, a tool that supports multiple mobile markets including the official GooglePlay and AppleStore. We have evaluated Retriever on 17 rogueware and adware operations. In 94% of the operations, Retriever discovers at least one previously unknown developer account. Furthermore, Retriever reveals that operations that look dead still have active developer accounts.