The Company You Keep: Mobile Malware Infection Rates and Inexpensive Risk Indicators

TL;DR

This study provides the first independent measurement of Android malware infection rates using data from over 55,000 devices, revealing higher infection rates than previous estimates and evaluating inexpensive indicators for identifying infected devices.

Contribution

It offers the first direct measurement of Android malware infection rates and assesses inexpensive device indicators as proxies for infection risk.

Findings

Infection rates are around 0.26-0.28%, higher than prior estimates.

Application set indicators improve infection detection by approximately 4.7 times.

Infected devices show marginally higher battery usage.

Abstract

There is little information from independent sources in the public domain about mobile malware infection rates. The only previous independent estimate (0.0009%) [12], was based on indirect measurements obtained from domain name resolution traces. In this paper, we present the first independent study of malware infection rates and associated risk factors using data collected directly from over 55,000 Android devices. We find that the malware infection rates in Android devices estimated using two malware datasets (0.28% and 0.26%), though small, are significantly higher than the previous independent estimate. Using our datasets, we investigate how indicators extracted inexpensively from the devices correlate with malware infection. Based on the hypothesis that some application stores have a greater density of malicious applications and that advertising within applications and cross-promotional deals may act as infection vectors, we investigate whether the set of applications used on a device can serve as an indicator for infection of that device. Our analysis indicates that this alone is not an accurate indicator for pinpointing infection. However, it is a very inexpensive but surprisingly useful way for significantly narrowing down the pool of devices on which expensive monitoring and analysis mechanisms must be deployed. Using our two malware datasets we show that this indicator performs 4.8 and 4.6 times (respectively) better at identifying infected devices than the baseline of random checks. Such indicators can be used, for example, in the search for new or previously undetected malware. It is therefore a technique that can complement standard malware scanning by anti-malware tools. Our analysis also demonstrates a marginally significant difference in battery use between infected and clean devices.