The Devil is in the Details: Unwrapping the Cryptojacking Malware Ecosystem on Android

Adjibi, Boladji Vinny; MBODJI, Fatou Ndiaye; Allix, Kevin; KLEIN, Jacques; BISSYANDE, Tegawendé François D Assise

doi:10.1109/SCAM55253.2022.00023

Télécharger

Communication publiée dans un périodique (Colloques, congrès, conférences scientifiques et actes)

The Devil is in the Details: Unwrapping the Cryptojacking Malware Ecosystem on Android

Adjibi, Boladji Vinny; MBODJI, Fatou Ndiaye; Allix, Kevin et al.

2022 • In 2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM), p. 153-163

Peer reviewed

Permalien
https://hdl.handle.net/10993/54308

DOI
10.1109/SCAM55253.2022.00023

Documents (1)Envoyer vers Détails Statistiques Bibliographie Publications similaires

Documents

Texte intégral

Cryptojacking.pdf

Postprint Auteur (504.69 kB)

Télécharger

Tous les documents dans ORBilu sont protégés par une licence d'utilisation.

Envoyer vers

RIS BibTex APA Chicago Permalink X Linkedin

Détails

Mots-clés :

android; cryptojacking; malware; manual analysis; google play store

Résumé :

[en] This paper investigates the various technical and non-technical tools and techniques that software developers use to build and disseminate crypto mining apps on Android devices. Our study of 346 potential Android mining apps, collected between April 2019 and May 2022, has revealed the presence of more than ten mining apps on the Google Play Store, with at least half of those still available at the time of writing this (June 2022). We observed that many of those mining apps do not conceal their usage of the device’s resource for mining which is considered a violation of the store’s policies for developers. We estimate that more than ten thousand users have run mining apps downloaded directly from the Google Play Store, which puts the supposedly ”stringent” vetting process into question. Furthermore, we prove that covert mining apps tend to be embedded into supposedly free versions of premium apps or pose as utility apps that provide valuable features to users. Finally, we empirically demonstrate that cryptojacking apps’ resource consumption and malicious behavior could be insignificant. We presume that typical users, even though they might be running a mobile antivirus solution, could execute a mining app for an extended period without being alerted. We expect our results to inform the various actors involved in the security of Android devices against the lingering threat of cryptojacking and help them better assess the problem.

Disciplines :

Sciences informatiques

Auteur, co-auteur :

Adjibi, Boladji Vinny; Georgia Institute of Technology

MBODJI, Fatou Ndiaye ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

Allix, Kevin

KLEIN, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

BISSYANDE, Tegawendé François D Assise ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

Co-auteurs externes :

yes

Langue du document :

Anglais

Titre :

The Devil is in the Details: Unwrapping the Cryptojacking Malware Ecosystem on Android

Date de publication/diffusion :

octobre 2022

Nom de la manifestation :

2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM)

Lieu de la manifestation :

Limassol, Chypre

Date de la manifestation :

from 3-10-2022 to 4-10-2022

Manifestation à portée :

International

Titre du périodique :

2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM)

Maison d'édition :

IEEE

Pagination :

153-163

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

URL complémentaire :

https://ieeexplore.ieee.org/abstract/document/10006806

Disponible sur ORBilu :

depuis le 31 janvier 2023

Statistiques

Nombre de vues

202 (dont 22 Unilu)

Nombre de téléchargements

344 (dont 22 Unilu)

Voir plus de statistiques

citations Scopus^®

citations Scopus^®
sans auto-citations

citations OpenAlex

citations WoS^™

Bibliographie

N. Tovanich, N. Soulie, N. Heulot, and P. Isenberg, "The evolution of mining pools and miners? behaviors in the Bitcoin blockchain, " IEEE Trans. Netw. Service Manage., vol. 19, no. 3, pp. 1-12, Mar. 2022, early access.
Google, "Google keynote (Google I/O ?21)-American sign language, " May 2021, accessed June 2022. [Online]. Available: https://www.youtube.com/watch?v=Mlk888FiI8A
Google, "Google keynote (Google I/O ?22), " May 2022, accessed June 2022. [Online]. Available: https://www.youtube.com/watch?v= nP-nMZpLM1A
S. Dashevskyi, Y. Zhauniarovich, O. Gadyatskaya, A. Pilgun, and H. Ouhssain, "Dissecting Android cryptocurrency miners, " in Proc. 10th ACM Conf. Data Appl. Secur. Privacy, ser. CODASPY ?20, SIGSAC. New York, NY, USA: Association for Computing Machinery, Mar. 2020, pp. 191-202.
Z. Li, W. Liu, H. Chen, X. Wang, X. Liao, L. Xing, M. Zha, H. Jin, and D. Zou, "Robbery on DevOps: Understanding and mitigating illicit cryptomining on continuous integration service platforms, " in IEEE Symp. Secur. Privacy, ser. SP ?22. Los Alamitos, CA, USA: IEEE Computer Society, May 2022, pp. 363-378.
Google, "Financial services: Play console help, " 2022, accessed June 2022. [Online]. Available: https://support.google.com/googleplay/android-developer/answer/9876821?hl=en
BBC News, "Google bans crypto-mining apps from Play Store, " Jul. 2018, accessed in June 2022. [Online]. Available: https://www.bbc.com/news/technology-44980936
S. Varlioglu, B. Gonen, M. Ozer, and M. Bastug, "Is cryptojacking dead after coinhive shutdown?" in 3rd Int. Conf. Inf.comput. Techn., ser. ICICT ?20, San Jose, CA, USA, Mar. 2020, pp. 385-389.
F. Tommasi, C. Catalano, U. Corvaglia, and I. Taurino, "MinerAlert: An hybrid approach for web mining detection, " J.comput. Virol. Hack. Techn., pp. 1-14, Mar. 2022.
F. Naseem, A. Aris, L. Babun, E. Tekiner, and A. S. Uluagac, "MINOS: A lightweight real-Time cryptojacking detection system, " in Netw. Distrib. Syst. Secur. Symp., ser. NDSS ?21, no. 28. Virtual: Internet Society, Feb. 2021, pp. 244-259.
M. Caprolu, S. Raponi, G. Oligeri, and R. Di Pietro, "Cryptomining makes noise: Detecting cryptojacking via machine learning, " Comput.commun., vol. 171, pp. 126-139, Feb. 2021.
S. Varlioglu, N. Elsayed, Z. ElSayed, and M. Ozer, "The dangerous combo: Fileless malware and cryptojacking, " in SoutheastCon 2022. IEEE, Mar. 2022, pp. 125-132.
H. Badih and Y. Alagrash, "Crypto-jacking threat detection based on blockchain framework and deception techniques, " Amer. J. Sci. Eng., vol. 2, no. 1, pp. 1-10, Jul. 2021.
N. Lachtar, A. A. Elkhail, A. Bacha, and H. Malik, "An application agnostic defense against the dark arts of cryptojacking, " in 51st Annu. Int. Conf. Dependable Syst. Netw., ser. DSN ?21, IEEE/IFIP. Taipei, Taiwan: IEEE, Jun. 2021, pp. 314-325.
J. Clay, A. Hargrave, and R. Sridhar, "A power analysis of cryptocurrency mining: A mobile device perspective, " in 16th Annu. Conf. Privacy, Secur. Trust, ser. PST ?18. Belfast, Ireland: IEEE, Aug. 2018, pp. 1-5.
P. Kotzias, J. Caballero, and L. Bilge, "How did that get in my phone? unwanted app distribution on Android devices, " in IEEE Symp. Secur. Privacy, ser. SP ?21. San Francisco, CA, USA: IEEE, May 2021, pp. 53-69.
A. Kharraz, Z. Ma, P. Murley, C. Lever, J. Mason, A. Miller, N. Borisov, M. Antonakakis, and M. Bailey, "Outguard: Detecting in-browser covert cryptocurrency mining in the wild, " in World Wide Web Conf., ser. WWW ?19. New York, NY, USA: Association for Computing Machinery, 2019, pp. 840-852.
M. Russo, N. Srndic, and P. Laskov, "Detection of illicit cryptomining using network metadata, " EURASIP J. Inf. Secur., vol. 1, no. 11, pp. 1-20, Dec. 2021.
M. Cao, K. Ahmed, and J. Rubin, "Rotten apples spoil the bunch: An anatomy of Google Play malware, " in Proc. 44th Int. Conf. Softw. Eng., ser. ICSE ?22. New York, NY, USA: Association for Computing Machinery, May 2022, pp. 1919-1931.
Y. Zhou and X. Jiang, "Dissecting Android malware: Characterization and evolution, " in Symp. Secur. Privacy, ser. SP ?12. San Francisco, CA, USA: IEEE, May 2012, pp. 95-109.
H. Wang, J. Si, H. Li, and Y. Guo, "RmvDroid: Towards a reliable Android malware dataset with app metadata, " in IEEE/ACM 16th Int. Conf. Mining Softw. Repositories, ser. MSR ?19. Montreal, QC, Canada: IEEE, May 2019, pp. 404-408.
D. Arp, Michael, Spreitzenbarth, M. Huebner, and H. G. K. Rieck, "DREBIN: effective and explainable detection of Android malware in your pocket, " in 21th Annu. Netw. Distrib. Syst. Secur. Symp., ser. NDSS ?14, San Diego, Carlifornia, USA, Feb. 2014. [Online]. Available: https://www.ndss-symposium.org/wp-content/uploads/2017/09/11 3 1.pdf
K. Allix, T. F. Bissyande, J. Klein, and Y. Le Traon, "AndroZoo: Collecting millions of Android apps for the research community, " in Proc. 13th Int. Conf. Mining Softw. Repositories, ser. MSR ?16. New York, NY, USA: Association for Computing Machinery, 2016, pp. 468-471.
L. Li, D. Li, T. F. Bissyande, J. Klein, Y. Le Traon, D. Lo, and L. Cavallaro, "Understanding Android app piggybacking: A systematic study of malicious code grafting, " IEEE Trans. Inf. Forensics Secur., vol. 12, no. 6, pp. 1269-1284, Jan. 2017.
K. Khanmohammadi, N. Ebrahimi, A. Hamou-Lhadj, and R. Khoury, "Empirical study of android repackaged applications, " Empirical Softw. Eng., vol. 24, no. 6, pp. 3587-3629, Dec. 2019.
M. A. Harris, R. Brookshire, and A. G. Chin, "Identifying factors influencing consumers? intent to install mobile applications, " Int. J. Inf. Manage., vol. 36, no. 3, pp. 441-450, Jun. 2016.
S. Pastrana and G. Suarez-Tangil, "A first look at the crypto-mining malware ecosystem: A decade of unrestricted wealth, " in Proc. Internet Meas. Conf., ser. IMC ?19. New York, NY, USA: Association for Computing Machinery, Oct. 2019, pp. 73-86.
A. Saif, H. AL-KILANI, M. Qasaimeh, and A. Al-Refai, "Analysis of Android applications permissions, " in Int. Conf. Data Sci., E-Learn. Inf. Syst., ser. DATA ?21. New York, NY, USA: Association for Computing Machinery, Jun. 2021, pp. 243-249.
A. Alshehri, P. Marcinek, A. Alzahrani, H. Alshahrani, and H. Fu, "Puredroid: Permission usage and risk estimation for android applications, " in Proc. 3rd Int. Conf. Inf. Syst. Data Mining, ser. ICISDM ?19. Houston, TX, USA: Association for Computing Machinery, Apr. 2019, pp. 179-184.
E. Tekiner, A. Acar, A. S. Uluagac, E. Kirda, and A. A. Selcuk, "SoK: Cryptojacking malware, " in Eur. Symp. Secur. Privacy, ser. EuroS P ?21. Vienna, Austria: IEEE, Sep. 2021, pp. 120-139.
Meta Platforms, Inc., "Facebook-Apps on Google Play, " Aug. 2022, accessed on 2nd August 2022. [Online]. Available: https://play.google.com/store/apps/details?id=com.facebook.katana
H. Liu, P. Patras, and D. J. Leith, "Android mobile OS snooping by Samsung, Xiaomi, Huawei and Realme handsets, " techreport, Oct. 2021. [Online]. Available: https://www.scss.tcd.ie/doug.leith/Android privacy report.pdf
S. Frier, "Samsung phone users perturbed to find they can?t delete Facebook, " Jan. 2019, accessed on 2nd August 2022. [Online]. Available: https://www.bloomberg.com/news/articles/2019-01-08/samsung-phone-users-get-A-shock-They-can-T-delete-facebook# xj4y7vzkg
E. Tekiner, A. Acar, and A. S. Uluagac, "A lightweight IoT cryptojacking detection mechanism in heterogeneous smart home networks, " in Netw. Distrib. Syst. Secur. Symp., ser. NDSS ?22, no. 29. San Diego, CA, USA: Internet Society, Apr. 2022, pp. 208-223.
A. Mylonas, A. Kastania, and D. Gritzalis, "Delegate the smartphone user? security awareness in smartphone platforms, " Comput, Secur., vol. 34, pp. 47-66, May 2013.