Following Devil's Footprints: Cross-Platform Analysis of Potentially Harmful Libraries on Android and iOS

Kai Chen, IIE, Chinese Academy of Sciences (contact: chenkai@iie.ac.cn)
Xiaofeng Wang, SoIC, Indiana University Bloomington (xw7@indiana.edu)

Abstract

It was recently reported that legitimate libraries are being repackaged to propagate malware. An in-depth analysis of such potentially harmful libraries (PhaLibs), however, has never been done before, due to the challenges in identifying libraries whose code may be unavailable online (e.g., removed from public repositories, spreading underground, etc.). In particular, for an iOS app, the library it integrates cannot be trivially recovered from its binary code and cannot be analyzed by any publicly available anti-virus (AV) system.

In this paper, we report the first systematic study of PhaLibs across Android and iOS, based upon the key observation that many iOS libraries have Android versions that can potentially be used to understand their behaviors and the relations between the libraries on both sides. To this end, we utilize a methodology that first clusters similar packages from a large number of popular Android apps to identify libraries, and strategically analyzes them using AV systems to find PhaLibs. Those libraries are then used to search for their iOS counterparts within Apple apps, based upon invariant features shared across platforms. For each discovered iOS PhaLib, our approach further identifies its suspicious behaviors that also appear in its Android version and uses the AV system on the Android side to confirm that it is indeed potentially harmful. Running our methodology on 1.3 million Android apps and 140,000 popular iOS apps downloaded from 8 markets, we discovered 117 PhaLibs with 1008 variations on Android and 23 PhaLibs with 706 variations on iOS. Altogether, the Android PhaLibs are found to infect 6.84% of Google Play apps, and the iOS libraries are embedded within thousands of iOS apps, 2.94% of those from the official Apple App Store. Looking into the behaviors of the PhaLibs, we discover not only the recently reported suspicious iOS libraries such as mobiSage, but also their Android counterparts and 6 other back-door libraries never known before. Those libraries are found to contain risky behaviors such as reading from their host apps' keychain, stealthily recording audio and video, and even attempting to make phone calls. Our research shows that most Android-side harmful behaviors have been preserved in their corresponding iOS libraries, and further identifies new evidence of library repackaging for harmful code propagation on both sides.
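As an added illustration of the pipeline the abstract sketches (not the paper's own code or data): Android packages are clustered by shared invariant features, each cluster is gated on an Android-side AV verdict, and iOS apps' string tables are then matched against those clusters. The choice of string constants as the invariant feature, the package names, feature strings, AV verdicts and similarity thresholds are all constructed assumptions.

```python
"""Toy cross-platform PhaLib matching. Every name, string, AV verdict and
threshold below is constructed for illustration; the paper's real feature
set and clustering procedure are not reproduced here."""


def jaccard(a: set, b: set) -> float:
    """Overlap between two feature sets (assumed similarity measure)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster_packages(packages: dict, threshold: float = 0.6) -> list:
    """Greedily group Android packages whose invariant-feature sets overlap;
    each resulting cluster is a candidate library with several variations."""
    clusters = []
    for name, feats in packages.items():
        for c in clusters:
            if jaccard(feats, c["features"]) >= threshold:
                c["members"].append(name)
                c["features"] |= feats  # union of all variations' features
                break
        else:
            clusters.append({"members": [name], "features": set(feats)})
    return clusters


def find_ios_phalibs(packages: dict, av_flagged: set, ios_apps: dict,
                     threshold: float = 0.6) -> dict:
    """Match each iOS app's platform-neutral strings to the most similar
    Android cluster; report it only when the Android side is AV-flagged."""
    clusters = cluster_packages(packages)
    for c in clusters:
        c["flagged"] = any(m in av_flagged for m in c["members"])
    hits = {}
    for app, strings in ios_apps.items():
        best = max(clusters, key=lambda c: jaccard(strings, c["features"]))
        sim = jaccard(strings, best["features"])
        if sim >= threshold and best["flagged"]:
            hits[app] = (tuple(best["members"]), round(sim, 2))
    return hits


# Constructed sample data: two variations of one ad SDK plus a JSON helper.
ANDROID_PACKAGES = {
    "com.adnet.sdk":  {"https://adnet.example/track", "adnet_uid", "X-Adnet-Sig", "sdk_version_2"},
    "com.adnet.sdk2": {"https://adnet.example/track", "adnet_uid", "X-Adnet-Sig", "sdk_version_3"},
    "com.util.json":  {"parseJson", "toJson", "JSONException", "json_depth"},
}
AV_FLAGGED = {"com.adnet.sdk2"}  # constructed Android-side AV verdict
IOS_APPS = {  # constructed string tables extracted from iOS binaries
    "GameA":  {"https://adnet.example/track", "adnet_uid", "X-Adnet-Sig", "sdk_version_3", "UIKit"},
    "NotesB": {"parseJson", "toJson", "json_depth", "NSJSONSerialization"},
}

if __name__ == "__main__":
    print(find_ios_phalibs(ANDROID_PACKAGES, AV_FLAGGED, IOS_APPS))
```

NotesB overlaps the JSON cluster just as strongly as GameA overlaps the ad SDK, but only GameA is reported because only the ad SDK cluster carries an AV verdict on the Android side.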

This project was presented at IEEE Symposium on Security & Privacy, 2016.


Publication

Following Devil's Footprints: Cross-Platform Analysis of Potentially Harmful Libraries on Android and iOS
Kai Chen, Xueqiang Wang, Yi Chen, Peng Wang, Yeonjoon Lee, XiaoFeng Wang, Bin Ma, Aohui Wang, Yingjun Zhang, Wei Zou
Proceedings of the 37th IEEE Symposium on Security and Privacy (Oakland 2016)
San Jose, CA, May 2016


Dataset Release

To mitigate the threat and help the community better understand potentially harmful iOS apps, we are releasing part of our samples. Please visit the download page for detailed instructions.


Acknowledgement

We also thank VirusTotal for the help in validating suspicious apps in our study. Kai Chen was supported in part by NSFC U1536106, 61100226, Youth Innovation Promotion Association CAS, and strategic priority research program of CAS (XDA06010701). The IU authors are supported in part by the NSF CNS-1223477, 1223495 and 1527141. Yingjun Zhang was supported by National High Technology Research and Development Program of China (863 Program) (No. 2015AA016006) and NSFC 61303248.