5.3 Result of Ad fraud detection

5.3.4 Result of Overlay-view violation Ad fraud

The results of checking for Overlay-view violation Ad fraud are recorded in Table 9 and Table 10. We find a total of 39 violations in 19 apps. Figure 27 shows that two apps violate five times, three apps violate four times, and so on.

Figure 27: Number of apps for each count of Overlay-view violation Ad fraud

A ViewController node may call addSubView multiple times to add various views. However, we are only interested in Ad views and full-screen views. We perform Overlay-view violation Ad fraud detection and record the ViewController nodeId when we detect that one ViewController node calls addSubView functions to add an Ad view and a full-screen view at the same time. The results also contain unknown nodes encountered while determining whether the instance is an Ad view or a full-screen view.

Table 9 contains the columns cfgId, nodeId, ad, full, unknown, unknown-node, and expression. The cfgId column is the identifier we use in our analysis; it is also the app Trace Id. The nodeId column gives the ViewController node of the app that calls a Full view API and an Ad-related API at the same time. The ad, full and unknown columns indicate whether the view nodes added by the addSubView functions belong to the constants of the Ad-related API, the Full-related API, or are unknown.

Table 9

| cfgId | nodeId | ad | full | unknown | unknown-node | expression |
|---|---|---|---|---|---|---|
| 335445524 | 378795 | 1 | 1 | 0 | 0 | no |
| 335445524 | 386340 | 1 | 1 | 0 | 0 | no |
| 335445524 | 609434 | 1 | 1(union) | 0 | 0 | no |
| 335445524 | 1051321 | 1 | 1 | 0 | 0 | no |
| 335445524 | 1535002 | 1 | 1 | 0 | 0 | no |
| 480095719 | 378660 | 1 | 1 | 0 | 0 | no |
| 480095719 | 1334917 | 1 | 1 | 0 | 0 | no |
| 480095719 | 1704148 | 1 | 1 | 0 | 0 | no |
| 480095719 | 1908419 | 1 | 1 | 0 | 0 | no |
| 480095719 | 321154 | 1 | 1(union) | 0 | 0 | no |
| 1095262475 | 240750 | 0 | 1 | 1 | 1 | unknown(\NO CALLER CALL TO SUB149849 |
| 1095262475 | 280779 | 0 | 0 | 2(union,directly) | 3 | union(unknown(\NO CALLER CALL |
| 1095262475 | 1934194 | 1 | 0 | 1 | 1 | unknown(\UNREABHABLE LOCATION\”” |
| 1095262475 | 1934265 | 1 | 0 | 1 | 1 | unknown(\UNREABHABLE LOCATION\”” |
| 1084814632 | 239977 | 0 | 1 | 1 | 1 | unknown(\NO CALLER CALL TO SUB149076 |
| 1084814632 | 280006 | 0 | 0 | 2(union,directly) | 4 | union(unknown(\NO CALLER CALL 282038 |
| 1084814632 | 1921166 | 1 | 0 | 1 | 1 | unknown(\UNREABHABLE LOCATION\”” |
| 1084814632 | 1921237 | 1 | 0 | 1 | 1 | unknown(\UNREABHABLE LOCATION\”” |
| 1093771902 | 241911 | 0 | 1(union) | 1 | 1 | unknown(\NO CALLER CALL TO SUB151010 |
| 1093771902 | 281940 | 0 | 0 | 2(union,directly) | 6 | union(unknown(\NO CALLER CALL 283972 |
| 1093771902 | 1955856 | 1 | 0 | 1(union) | 8 | union(union(union(union(union( |
| 1093771902 | 1955927 | 1 | 0 | 1 | 1 | unknown(\UNREABHABLE LOCATION\”” |

As mentioned in Algorithm 7, we record only once when we find that the ViewController node adds an Ad view or a full view, so the total across the columns ad, full and unknown is 2. If the Ad view or full view contains unknown nodes, we add one to the unknown column instead. The annotation (union, directly) after a number in the ad, full and unknown columns indicates the operation of the DPG. A number without a parenthesised annotation means the operation of that DPG is directly.

We record the total number of unknown nodes in the unknown DPG and its expression in the columns unknown-node and expression. The expression of an unknown DPG is so long that we show only its first 30 characters.

Figure 28: Overlay-view violation Dependency Graph 1

Figure 28 is a Full Union dependency graph. From this DPG, we can see that the union node connects three literal nodes. It means that the parameter of NSClassFromString can take three possible values: ImmFullView, ImmTableView, and ImmView. We also found that the ViewController node of app 335445524 used the addSubView function to add this node. That is to say, the ViewController node attaches a Full-related API view node.

In Table 9, we record it as follows: 1(union) in column full.

Figure 29: Overlay-view violation Dependency Graph 2

Figure 29 is an Unknown Union dependency graph. It reveals that the argument values of the potential API invocations on NSClassFromString functions are two unknown nodes.

We record it in Table 9 as follows: 1(union) in column unknown, and the number in unknown-node increases by 2. In Table 9, we can see that it is one of the unknown nodes in ViewController nodeId 280779 of app 1095262475. The other one is an Unknown Directly dependency graph with 1 unknown-node. So the row records 2(union, directly) in column unknown and 3 in column unknown-node. The unknown nodes in an Unknown Union dependency graph differ from graph to graph, so we record them in Table 9.
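The recording rules described in this section, applied to constructed input, are shown below as an added example; it is not the thesis's Algorithm 7 or its tooling. The class name ExampleAdView, the DPG structure, the function names, and the rule that an unknown view can fill a missing Ad or full-screen role are assumptions.

```python
from dataclasses import dataclass

# Constructed constant sets. The Imm* names are the literals the text reads
# off Figure 28; "ExampleAdView" is a made-up stand-in for an Ad-related class.
AD_CLASSES = {"ExampleAdView"}
FULL_CLASSES = {"ImmFullView", "ImmTableView", "ImmView"}

@dataclass
class DPG:
    """Dependency graph of one NSClassFromString argument (assumed shape)."""
    op: str                 # "directly" or "union"
    literals: tuple = ()    # string values the argument may take
    unknown_nodes: int = 0  # nodes the analysis could not resolve

def classify(dpg):
    if dpg.unknown_nodes:
        return "unknown"
    if any(v in AD_CLASSES for v in dpg.literals):
        return "ad"
    if any(v in FULL_CLASSES for v in dpg.literals):
        return "full"
    return None  # neither Ad nor full-screen: ignored

def cell(ops):
    # Table 9 prints a bare number when every DPG operation is "directly".
    if all(op == "directly" for op in ops):
        return str(len(ops))
    return f"{len(ops)}({','.join(ops)})"

def check_node(node_id, added_views):
    """Return a Table 9 style row for one ViewController node, or None."""
    ops = {"ad": [], "full": [], "unknown": []}
    unknown_nodes = 0
    for dpg in added_views:              # one DPG per addSubView call
        kind = classify(dpg)
        if kind is None or (kind != "unknown" and ops[kind]):
            continue                     # ad / full are recorded only once
        ops[kind].append(dpg.op)
        unknown_nodes += dpg.unknown_nodes
    # Assumption: an unknown view may stand in for a missing ad or full role.
    need = (not ops["ad"]) + (not ops["full"])
    if len(ops["unknown"]) < need:
        return None                      # no Ad view / full view pair
    return {"nodeId": node_id, "ad": cell(ops["ad"]), "full": cell(ops["full"]),
            "unknown": cell(ops["unknown"]), "unknown-node": unknown_nodes}

# Constructed inputs shaped after two Table 9 rows.
ROW_609434 = check_node(609434, [DPG("directly", ("ExampleAdView",)),
    DPG("union", ("ImmFullView", "ImmTableView", "ImmView"))])
ROW_280779 = check_node(280779, [DPG("union", unknown_nodes=2),
    DPG("directly", unknown_nodes=1)])
```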

The information on the 19 Overlay-view violation apps is shown in Table 10. The cfgId (App Trace Id), file-size, genre, and link columns give more information about these apps. With the cfgId column, we can look up information about the apps we found in Table 9, such as file size, genre, and link.

Table 10: Related information of Overlay-view violation apps

| cfgId | file-size | genre | link |
|---|---|---|---|
| 299515267 | 36454400 | Food & Drink | https://itunes.apple.com/us/app/allrecipes-dinner-spinner/id299515267?mt=8&uo=4 |
| 445853367 | 42564608 | Games | https://itunes.apple.com/us/app/rail-maze-train-puzzler/id445853367?mt=8&uo=4 |
| 466317305 | | | |
| 882119723 | 108783616 | Games | https://itunes.apple.com/us/app/beach-buggy-racing/id882119723?mt=8&uo=4 |

The apps we found with this Ad fraud are of various types, such as Games, LifeStyle, Business, and so on. More information on an app can be found through the link we provide. We download the severe apps among the Overlay-view violation apps and try to find the reason why they commit the Overlay-view violation.

In app 335445524, a full-page view introducing their other games is shown in front of the main view. There are several advertisements in the main view, so we think it commits an Overlay-view violation, as shown in Figure 30. Figure 30 is a full view with a close button in the upper left. Under this view is a view showing advertisements. The severe app 480095719 is a game that provides a virtual slot machine for users to gamble. We think that the view of the virtual slot machine is a full view, and it may overlay an Ad view.

Figure 30: Overlay View of app 335445524

Table 11: Interstitial violation apps

| cfgId | violation | violation-notunknown | (directly,union,concat) | violation-unknown | (directly,union,concat) | unknown-node |
|---|---|---|---|---|---|---|
| 3 | 5 | 1 | (1,0,0) | 4 | (4,0,0) | 4 |
| 6 | 2 | 0 | (0,0,0) | 2 | (2,0,0) | 2 |
| 9 | 2 | 0 | (0,0,0) | 2 | (2,0,0) | 2 |
| 13 | 13 | 0 | (0,0,0) | 13 | (7,6,0) | 19 |
| 17 | 3 | 0 | (0,0,0) | 3 | (2,1,0) | 4 |
