Dr Xiao Chen

It is important to understand the evolution of Android malware as this facilitates the development of defence techniques by proactively capturing malware features. So far, researchers mainly rely on dendrogram or family-tree analysis for malware&#x0027;s evolutionary development. However, our research finds that these techniques cannot support comprehensive malware evolution modelling, which provides a detailed explanation for why Android malware samples evolve in specific ways. This shortcoming is mainly caused by the coarse-grained clustering and analysis of malware samples. For example, because these works do not divide malware samples of a family into variant sets and explore the evolution principles among those sets, they usually fail to capture new variants that have been empowered by the feature &#x2018;drifting&#x2019; in evolution. To address this problem, we propose a fine-grained and in-depth analysis of Android malware. Our experimental work systematically reveals the phylogenetic relationships among the variant sets for a deeper malware evolution analysis. We introduce five metrics: silhouette coefficient, creation date, variant labels, the presentativeness of the variant set formula, and the correctness of the linked edges to evaluate the correctness of our analysis. The results show that our variant clustering achieved a high silhouette value at a small sample distance (0.3), a small standard deviation (three months and 16 days) date based on when the malware samples are lastly modified, a high label consistency (91.4&#x0025;), a high representativeness (93.1&#x0025;) of the variant set formula. All the linked variant sets are connected based on our PhyloNet construction rules. We further analyse the coding details of Android malware for each variant set and summarise models of their evolutionary development. In this work, we successfully expose two major models of malware evolution: <italic>active evolution</italic> and <italic>passive evolution</italic>. We also disclose four technical explanations on the incentives of the two evolution models (two for each model respectively). These findings are valuable for proactive defence against newly emerged malware samples.

React Native is a widely-used open-source frame-work that facilitates the development of cross-platform mobile apps. The framework enables JavaScript code to interact with native-side code, such as Objective-C/Swift for iOS and Java/Kotlin for Android, via a communication mechanism provided by React Native. However, previous research and tools have overlooked this mechanism, resulting in incomplete analysis of React Native app code. To address this limitation, we have developed REUNIFY, a prototype tool that integrates the JavaScript and native-side code of React Native apps into an intermediate language that can be processed by the Soot static analysis framework. By doing so, REUNIFY enables the generation of a comprehensive model of the app's behavior. Our evaluation indicates that, by leveraging REUNIFY, the Soot-based framework can improve its coverage of static analysis for the 1,007 most popular React Native Android apps, augmenting the number of lines of Jimple code by 70%. Additionally, we observed an average increase of 84% in new nodes reached in the callgraph for these apps, after integrating REUNIFY. When REUNIFY is used for taint flow analysis, an average of two additional privacy leaks were identified. Overall, our results demonstrate that REUNIFY significantly enhances the Soot-based framework's capability to analyze React Native Android apps.

The Android system manages access to sensitive APIs by permission enforcement. An application (app) must declare proper permissions before invoking specific Android APIs. However, there is no official documentation providing the complete list of permission-protected APIs and the corresponding permissions to date. Researchers have spent significant efforts extracting such API protection mapping from the Android API framework, which leverages static code analysis to determine if specific permissions are required before accessing an API. Nevertheless, none of them has attempted to analyze the protection mapping in the native library (i.e., code written in C and C++), an essential component of the Android framework that handles communication with the lower-level hardware, such as cameras and sensors. While the protection mapping can be utilized to detect various security vulnerabilities in Android apps, such as permission over-privilege, imprecise mapping will lead to false results in detecting such security vulnerabilities. To fill this gap, we thereby propose to construct the protection mapping involved in the native libraries of the Android framework to present a complete and accurate specification of Android API protection. We develop a prototype system, named NatiDroid, to facilitate the cross-language static analysis and compare its performance with two state-of-the-practice tools, termed Axplorer and Arcade. We evaluate NatiDroid on more than 11,000 Android apps, including system apps from custom Android ROMs and third-party apps from the Google Play. Our NatiDroid can identify up to 464 new API-permission mappings, in contrast to the worst-case results derived from both Axplorer and Arcade, where approximately 71% apps have at least one false positive in permission over-privilege. We have disclosed all the potential vulnerabilities detected to the stakeholders.

Despite being one of the largest and most popular projects, the official Android framework has only provided test cases for less than 30% of its APIs. Such a poor test case coverage rate has led to many compatibility issues that can cause apps to crash at runtime on specific Android devices, resulting in poor user experiences for both apps and the Android ecosystem. To mitigate this impact, various approaches have been proposed to automatically detect such compatibility issues. Unfortunately, these approaches have only focused on detecting signature-induced compatibility issues (i.e., a certain API does not exist in certain Android versions), leaving other equally important types of compatibility issues unresolved. In this work, we propose a novel prototype tool, JUnitTestGen, to fill this gap by mining existing Android API usage to generate unit test cases. After locating Android API usage in given real-world Android apps, JUnitTestGen performs inter-procedural backward data-flow analysis to generate a minimal executable code snippet (i.e., test case). Experimental results on thousands of real-world Android apps show that JUnitTestGen is effective in generating valid unit test cases for Android APIs. We show that these generated test cases are indeed helpful for pinpointing compatibility issues, including ones involving semantic code changes.

Despite that our community has spent numerous efforts on analyzing mobile apps, there is no study proposed for characterizing the relationship between smartphone and smartwatch apps. To fill this gap, we present to the community a comparative study of smartphone and smartwatch apps, aiming at understanding the status quo of cross-phone/watch apps. Specifically, in this work, we first collect a set of cross-phone/watch app pairs and then experimentally look into them to explore their similarities or dissimilarities from different perspectives. Experimental results show that (1) Approximately, up to 40% of resource files, 30% of code methods are reused between smartphone/watch app pairs, (2) Smartphone apps may require more than twice as many as permissions and adopt more than five times as many as user interactions than their watch counterparts, and (3) Smartwatch apps can be released as either standalone (can be run independently) or companion versions (i.e., have to co-work with their smartphone counterparts), for which the former type of apps tends to require more permissions and reuse more code, involve more user interactions than the latter type. Our findings can help developers and researchers understand the ecosystem of smartwatch apps and further gain insight into migrating smartphone apps for smartwatches.

POI (point-of-interest) recommendation as an important type of location-based services has received increasing attention with the rise of location-based social networks. Although significant efforts have been dedicated to learning and recommending users' next POIs based on their historical mobility traces, there still lacks consideration of the discrepancy of users' check-in time preferences and the inherent relationships between POIs and check-in times. To fill this gap, this paper proposes a novel recommendation method which applies multi-task learning over historical user mobility traces known to be sparse. Specifically, we design a cross-graph neural network to obtain time-aware user modeling and control how much information flows across different semantic spaces, which makes up the inadequate representation of existing user modeling methods. In addition, we design a check-in time prediction task to learn users' activities from a time perspective and learn internal patterns between POIs and their check-in times, aiming to reduce the search space to overcome the data sparsity problem. Comprehensive experiments on two real-world public datasets demonstrate that our proposed method outperforms several representative POI recommendation methods with 8.93% to 20.21 % improvement on Recall@1, 5, 10, and 9.25% to 17.56% improvement on Mean Reciprocal Rank.

While extremely valuable to achieve advanced functions, mobile phone sensors can be abused by attackers to implement malicious activities in Android apps, as experimentally demonstrated by many state-of-the-art studies. There is hence a strong need to regulate the usage of mobile sensors so as to keep them from being exploited by malicious attackers. However, despite the fact that various efforts have been put in achieving this, i.e., detecting privacy leaks in Android apps, we have not yet found approaches to automatically detect sensor leaks in Android apps. To fill the gap, we designed and implemented a novel prototype tool, Seeker, that extends the famous FlowDroid tool to detect sensor-based data leaks in Android apps. Seeker conducts sensor-focused static taint analyses directly on the Android apps' bytecode and reports not only sensor-triggered privacy leaks but also the sensor types involved in the leaks. Experimental results using over 40,000 real-world Android apps show that Seeker is effective in detecting sensor leaks in Android apps, and malicious apps are more interested in leaking sensor data than benign apps.