Although there are over 1,900,000 third-party Android apps in the Google Play Store, little is understood about how their security and privacy characteristics, such as dangerous permission usage and the vulnerabilities they contain, have evolved over time. Our research is two-fold: we take quarterly snapshots of the Google Play Store over a two-year period to understand how permission usage by apps has changed; and we analyse 30,000 apps to understand how their security and privacy characteristics have changed over the same two-year period. Extrapolating our findings, we estimate that over 35,000 apps in the Google Play Store ask for additional dangerous permissions every three months. Our statistically significant observations suggest that free apps and popular apps are more likely to ask for additional dangerous permissions when they are updated. Worryingly, we discover that Android apps are not getting safer as they are updated. In many cases, app updates serve to increase the number of distinct vulnerabilities contained within apps, especially for popular apps. We conclude with recommendations to stakeholders for improving the security of the Android ecosystem.

Incentivized by monetary gain, some app developers launch fraudulent campaigns to boost their apps’ rankings in the mobile app stores. They pay some service providers for boost services, which then organize large groups of collusive attackers to take fraudulent actions such as posting high app ratings or inflating apps’ downloads. If not addressed timely, such attacks will increasingly damage the healthiness of app ecosystems. In this work, we propose a novel approach to identify attackers of collusive promotion groups in an app store. Our approach exploits the unusual ranking change patterns of apps to identify promoted apps, measures their pairwise similarity, forms targeted app clusters (TACs), and finally identifies the collusive group members. Our evaluation based on a dataset of Apple’s China App store has demonstrated that our approach is able and scalable to report highly suspicious apps and reviewers. App stores may use our techniques to narrow down the suspicious lists for further investigation.

Inter-Component Communication (ICC) provides a message passing mechanism for data exchange between Android applications. It has been long believed that inter-app ICCs can be abused by malware writers to launch collusion attacks using two or more apps. However, because of the complexity of performing pairwise program analysis on apps, the scale of existing analyses is too small (e.g., up to several hundred) to produce concrete security evidence. In this paper, we report our findings in the first large-scale detection of collusive and vulnerable apps, based on inter-app ICC data flows among 110,150 real-world apps. Our system design aims to balance the accuracy of static ICC resolution/data-flow analysis and run-time scalability. This large-scale analysis provides real-world evidence and deep insights on various types of inter-app ICC abuse. Besides the empirical findings, we make several technical contributions, including a new open-source ICC resolution tool with improved accuracy over the state-of-the-art, and a large database of inter-app ICCs and their attributes.