Detecting and characterizing self hiding behavior in android applications

Applications (apps) that conceal their activities are fundamentally deceptive; app marketplaces and end-users should treat such apps as suspicious. However, due to its nature and intent, activity concealing is not disclosed up-front, which puts users at risk. This study focuses on characterization and detection of such techniques, e.g., hiding the app or removing traces, known as 'self hiding' (SH) behavior. SH behavior has not been studied per se - rather it has been reported on only as a byproduct of malware investigations. This gap is addressed via a study and suite of static analyses targeted at SH in Android apps.SH behavior ranges from hiding the app's presence or activity to covering an app's traces, e.g., by blocking phone calls/ text messages or removing calls and messages from logs. Using static analysis tools on a large dataset of 9,452 Android apps (benign as well as malicious) the frequency of 12 such SH behaviors is exposed. It has revealed that malicious apps employ 1.5 SH behaviors per app on average. Surprisingly, SH behavior is also employed by legitimate ('benign') apps, which can affect users negatively in multiple ways. The approach has high precision and recall (combined F-measure = 87.19%). This approach is also efficient, with analysis typically taking just 37 seconds per app.