
construct its ARMv7 assembly with IDA Pro, and then generate its control flow graph.

The number of generated control flow graph nodes can exceed 10 thousand, which makes graph generation a memory-intensive task. Hence, we deploy a high-end server with 24 GB of RAM to generate the control flow graph of each app.

After the preprocessing steps, we obtain the control flow graphs of 1391 apps on which to perform our Ad fraud detection. We first check whether an app uses any Ad Related API. If an app does not include any Ad Related API, Ad fraud behavior in that app is not possible. Among the 1391 apps, we find 208 that include an Ad Related API.

We present the results of our Ad fraud detection in Section 5.3. The count for each Ad fraud violation is shown in Figure 12. Among the 208 apps, we further identified 70 apps with Interstitial violation ads, 48 apps with Size violation ads, 31 apps with Multi-view violation ads, and 19 apps with Overlay violation ads.

1.3 Contributions

Previous work on checking ad fraud detects violations with dynamic analysis [8, 9, 10]. It needs plenty of time to build a simulation for an app and perform ad fraud detection. In contrast, performing ad fraud detection with static analysis techniques on an app's binary code takes little time. Besides, Apple Inc. does not provide a View Simulation API for developers to use in a simulation approach [15].

The simulation approach also misses some violations. For example, an interstitial ad may pop up so quickly that the simulation recorder cannot record it. Even in that situation, binary analysis and string analysis still reveal the Interstitial violation, because they check the behavior of interstitial ad creation in the code the developers wrote.

Our approach, static analysis for Ad fraud detection, detects the Ad fraud introduced by previous work, and it also detects Ad fraud violations that other works cannot find. Besides, our work can be applied to iOS, while the previous work cannot.

In our work, we conduct binary analysis and string analysis to detect Interstitial violation Ad fraud, Size violation Ad fraud, Multi-view violation Ad fraud, and Overlay-view violation Ad fraud.

2 Related Works

2.1 Mobile Security

Mobile security has become more and more important, and a lot of work on mobile security issues has been presented. Ian Beer presented the security problems of iOS exploit chains on the Google Project Zero blog [16]. Attackers used the security vulnerabilities to install a monitoring implant on vulnerable iPhones. According to Beer's report, vulnerable devices were compromised simply by visiting the hacked sites from the phone.

Wang's team address the third-party online ads issue between Ad network publishers and developers [17]. They publish a tool, AdJust, which allows publishers to specify constraints on events associated with third-party ads, such as URL requests, HTML element creation, and timers; AdJust monitors and regulates resource-abusing ads by transparently intercepting key JavaScript APIs.

Yang's team [18] present entity-based characterization and analysis of mobile malware. They first characterize mobile malware by detecting its interaction patterns. They perform static analysis on the bytecode of the apps to identify the entities and entity references in them. We also perform static analysis on binary code to detect Ad fraud in our Ad fraud detection analysis (Section 4.2).

Take iOS exploit chain 1 [19] as an example. The attackers call task_threads() and then thread_terminate() to initiate the remote code execution, which triggers a heap overflow in the function AGXAllocationList2::initWithSharedResourceList. This method is a C++ virtual method that takes two arguments. These two arguments point to memory which is shared with userspace, which means that the two parameters are attacker-controlled. The attackers supply these two parameters externally; that is to say, the value flowing into the parameter is external input.

There is a 0x18-byte header structure, whose last dword, n_entries, is a count of the number of following sub-descriptor structures. The iOS kernel developers assume that each descriptor has at most 6 entries; however, there is actually space for 7 sub-entries of attacker-controlled resource id and flag pairs. Attackers use this vulnerability to perform their attack. Since n_entries comes entirely from external input, the attackers control the size passed to IOMalloc, which is derived from n_entries. n_entries determines how many sub-descriptors the code will process, so attackers can make the number of sub-descriptors 7 rather than 6. As a result, the end of the target IOMalloc allocation is controlled by the attackers.

Ian Beer [16] found that the kernel reads a structure from shared memory as described above. The next step in the exploit is to use the AGX driver's external method interface, such as AGXAllocationList2::initWithSharedResourceList, to allocate two shared memory regions. The attackers call the external method create_shmem of the AGXSharedUserClient through the AGX driver's external method interface. IOConnectCallMethod is the main function for calling external methods on user clients. More precisely, because they control the two shared memory regions, the attackers can create a new IOAccelResource via the AGXSharedUserClient external method IOAccelSharedUserClient::new_resource.

We have a similar goal: discovering the risk of external flow. First, we identify ad-fraud-related functions and find the parameters of those functions. We then trace the flow into the parameters, to determine whether the flow comes from constant, operation or unknown nodes. We create a dependency graph for the flow into the parameters, and we have found that an unknown node may flow into a parameter. The source of an unknown node may be an external input, so we treat unknown nodes as possible sinks in our work. Take Size violation Ad fraud (Section 4.4.2) as an example: if the flow into the parameters of the setSize functions is an unknown node, the size of an advertisement may be controlled by external input. As a result, ads of an unsuitable size can be generated through this behavior.
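The following Python sketch is an added example, not the thesis's own code: it implements the parameter-flow classification just described over a constructed register-transfer IR that stands in for the ARMv7 disassembly produced by IDA Pro. Walking backwards from the registers passed to an ad-related call, it builds the dependency graph of each argument, labels every node as constant, operation or unknown (a memory load or an incoming argument whose origin the function does not define), and reports a parameter as a possible sink when an unknown node reaches it. The IR format, the statement names, the assumption that `setSize:` takes width and height as its first two arguments, and the three sample listings are all assumptions of this example.

```python
"""Backward slice from ad-API call arguments, classifying each flow as
constant / operation / unknown (added example; the IR and samples are
constructed, they are not the thesis's code or real app listings)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed IR: each statement is (dst, op, srcs).
#   ("r1", "imm", [320])            r1 = #320
#   ("r2", "load", ["r0+0x20"])     r2 = [r0 + 0x20]  (memory: origin unknown)
#   ("r3", "add", ["r1", "r2"])     r3 = r1 + r2
#   (None, "call", ["setSize:", "r3", "r4"])  call with selector + arg regs
SAMPLE_LISTINGS = {
    "constant_banner": [
        ("r1", "imm", [320]),
        ("r2", "imm", [50]),
        (None, "call", ["setSize:", "r1", "r2"]),
    ],
    "derived_from_constants": [
        ("r1", "imm", [300]),
        ("r4", "imm", [20]),
        ("r2", "add", ["r1", "r4"]),
        ("r3", "imm", [50]),
        (None, "call", ["setSize:", "r2", "r3"]),
    ],
    "external_width": [
        ("r5", "load", ["r0+0x20"]),   # width read from an object field
        ("r1", "imm", [2]),
        ("r2", "mul", ["r5", "r1"]),
        ("r3", "imm", [50]),
        (None, "call", ["setSize:", "r2", "r3"]),
    ],
}

# Assumed sink table: argument positions 1 and 2 of setSize: carry width/height.
AD_SINKS = {"setSize:": [1, 2]}
# ARM AAPCS passes the first four integer arguments in r0..r3.
ARG_REGS = {"r0", "r1", "r2", "r3"}
ARITH = {"add": lambda a, b: a + b, "sub": lambda a, b: a - b, "mul": lambda a, b: a * b}


@dataclass
class Node:
    label: str
    kind: str                      # "constant" | "operation" | "unknown"
    value: Optional[int] = None    # folded value when the subtree is all-constant
    children: list = field(default_factory=list)


def build_dependency_graph(stmts, reg, upto):
    """Find the definition of `reg` that reaches statement index `upto`."""
    for i in range(upto - 1, -1, -1):
        dst, op, srcs = stmts[i]
        if dst != reg:
            continue
        if op == "imm":
            return Node(f"{reg} = #{srcs[0]}", "constant", srcs[0])
        if op == "load":
            return Node(f"{reg} = [{srcs[0]}]", "unknown")
        node = Node(f"{reg} = {op}", "operation")
        node.children = [build_dependency_graph(stmts, s, i) for s in srcs]
        vals = [c.value for c in node.children]
        if op in ARITH and all(v is not None for v in vals):
            node.value = ARITH[op](*vals)
        return node
    # Never defined inside this function: an incoming argument or garbage.
    where = "incoming argument" if reg in ARG_REGS else "undefined"
    return Node(f"{reg} ({where})", "unknown")


def classify(node):
    """An operation is only as trustworthy as its least-known input."""
    if node.kind != "operation":
        return node.kind
    if any(classify(c) == "unknown" for c in node.children):
        return "unknown"
    return "operation"


def analyse(stmts):
    """One finding per sink parameter: (selector, arg index, class, folded value)."""
    findings = []
    for i, (_dst, op, srcs) in enumerate(stmts):
        if op != "call" or srcs[0] not in AD_SINKS:
            continue
        for idx in AD_SINKS[srcs[0]]:
            g = build_dependency_graph(stmts, srcs[idx], i)
            findings.append((srcs[0], idx, classify(g), g.value))
    return findings


def possible_size_violation(stmts):
    """Size parameters reached by an unknown node are the possible sinks."""
    return [f for f in analyse(stmts) if f[2] == "unknown"]


if __name__ == "__main__":
    for name, listing in SAMPLE_LISTINGS.items():
        for sel, idx, kind, value in analyse(listing):
            folded = f" (= {value})" if value is not None else ""
            print(f"{name}: {sel} arg{idx} -> {kind}{folded}")
```

Only the third listing is reported: its width is `[r0+0x20]` multiplied by a constant, so the multiplication is an operation node with an unknown child and the whole flow is classified unknown. The second listing folds to 320 without ever being a literal, which is why constant-only operations are kept separate from unknowns rather than lumped with them.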

Ian Beer's team focused on buffer overflow attacks resulting from external control. Unlike that research, we analyze the process of calling API functions with externally-input parameters.

Third-party issues in apps have been researched by Wang's team [20]. They argue that there are many security issues in third-party libraries, and they give a brief overview of existing approaches and their limitations in checking third-party libraries. In our work, we also scan the code of third-party libraries in applications to find vulnerabilities.

More research on security issues has been presented in previous years. Fake news can have potential impacts on individuals and businesses, and it causes security problems [21]. The data on VirusTotal is also important for security research; both web and mobile security research have used it to obtain ground truth [22, 23, 24, 25, 26].

Detecting privacy leaks [27, 28] has also been researched for Android apps. Evasive malware analysis is also an important part of security [29, 30]. NLP analysis has also been widely adopted in security analysis [31, 32, 33, 34].
