A team of researchers has created an app vetting scanner referred to as “MassVet,” and they used it to identify more than 127,000 potentially harmful applications (PHAs) in more than 30 Android markets – including Google Play.
In their whitepaper, “Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale,” the researchers explained how they used MassVet to evaluate more than 1.2 million Android apps from 33 app markets around the world.
Altogether, the team identified 127,429 malicious apps, meaning apps that exhibited potentially harmful behaviors. These include collecting user data such as installed app lists and locations, as well as sending contact lists and photos without the user's consent.
“MassVet is designed to compare individual components of an app (called ‘method’) with those of other apps in a large scale (we can do this across over 1 million apps in seconds),” the researchers told SCMagazine.com in a Thursday email correspondence, also stating, “In this way, we can even detect the PHA never known before, including some zero-day malware.”
Among the more than 127,000 malicious apps were at least 20 apps that are believed to be zero-day malware, the report indicated. The researchers explained that more than 90 percent of the PHAs they found were reported by VirusTotal, and from the remaining 10 percent they randomly chose 40 apps and analyzed their behaviors.
“[Twenty] of them (including those from Google Play and other markets) look suspicious to us,” the researchers said. “They are likely to be zero-day because no scanner has reported them. Their behavior includes installing apps without user's consent, collecting user's private data, etc.”
In Google Play, the team found that 30,552 of 401,549 apps were malicious. The researchers said that 400 of the malicious apps had been downloaded more than a million times each, and 2,000 had been downloaded more than 50,000 times each.
The whitepaper explained that MassVet is unlike current detection mechanisms that rely on heavyweight program analysis techniques.
The researchers' approach “simply compares a submitted app with all those already on a market, focusing on the difference between those sharing a similar UI structure (indicating a possible repackaging relation), and the commonality among those seemingly unrelated,” the whitepaper said. “Once public libraries and other legitimate code reuse are removed, such diff/common program components become highly suspicious.”
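The diff/common comparison described in the whitepaper quote can be sketched as follows. This is an added example, not MassVet's code: the set-based fingerprints, the Jaccard UI similarity, the 0.8 threshold, and every app and method name are assumptions constructed for illustration.

```python
# Simplified sketch of the diff/common idea; all names and data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    ui: frozenset       # UI-structure features (assumed representation)
    methods: frozenset  # per-method fingerprints (assumed representation)

def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as unrelated."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def vet(submitted, market, library_methods, ui_threshold=0.8):
    """Return methods of `submitted` that look suspicious, keyed by reason."""
    own = submitted.methods - library_methods  # drop legitimate code reuse first
    findings = {"diff": {}, "common": {}}
    for other in market:
        theirs = other.methods - library_methods
        if jaccard(submitted.ui, other.ui) >= ui_threshold:
            # Similar UI: possible repackaging, so look at what was added.
            added = own - theirs
            if added:
                findings["diff"][other.name] = added
        else:
            # Unrelated UI: shared non-library code is the odd part.
            shared = own & theirs
            if shared:
                findings["common"][other.name] = shared
    return findings

# Constructed sample market.
LIBS = frozenset({"lib:ads.init", "lib:json.parse"})
MARKET = [
    App("puzzle-original", frozenset({"main", "board", "score", "menu", "about"}),
        frozenset({"m:draw_board", "m:score", "lib:ads.init"})),
    App("flashlight", frozenset({"toggle", "settings"}),
        frozenset({"m:torch_on", "m:upload_contacts", "lib:json.parse"})),
]
SUBMITTED = App("puzzle-free", frozenset({"main", "board", "score", "menu", "about"}),
    frozenset({"m:draw_board", "m:score", "m:upload_contacts", "lib:ads.init"}))

if __name__ == "__main__":
    for reason, hits in vet(SUBMITTED, MARKET, LIBS).items():
        for other, methods in hits.items():
            print(f"{reason:6} vs {other}: {sorted(methods)}")
```

In the constructed data the same non-library method surfaces twice: as the difference from a look-alike app and as the overlap with an unrelated one, which is the signal the quote calls "highly suspicious."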
The researchers said they are in the process of reaching out to Google with their new vetting technique.