DeviceWatch: Identifying Compromised Mobile Devices through Network Traffic Analysis and Graph Inference
Euijin Choo, Mohamed Nabeel, Mashael Alsabah, Issa Khalil, Ting Yu, Wei Wang

TL;DR
DeviceWatch leverages network traffic analysis and graph inference to identify compromised mobile devices by detecting associations with malicious apps, achieving high accuracy and validating results through behavioral analysis.
Contribution
This work introduces a novel graph-based inference method to detect compromised devices by exploiting weak associations with malicious apps, validated on real mobile network data.
Findings
Achieves nearly 98% AUC in identifying compromised devices
Effectively magnifies weak device-app associations through graph parameters
Validated detection results correlate with undesirable privacy and network behaviors
Abstract
In this paper, we propose to identify compromised mobile devices from a network administrator's point of view. Intuitively, inadvertent users (and thus their devices) who download apps through untrustworthy markets are often allured to install malicious apps through in-app advertisement or phishing. We thus hypothesize that devices sharing a similar set of apps will have a similar probability of being compromised, resulting in the association between a device being compromised and apps in the device. Our goal is to leverage such associations to identify unknown compromised devices (i.e., devices possibly having yet currently not having known malicious apps) using the guilt-by-association principle. Admittedly, such associations could be quite weak as it is often hard, if not impossible, for an app to automatically download and install other apps without explicit initiation from a user.…
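The guilt-by-association idea in the abstract can be made concrete with a small propagation over a device-app graph. The following is an added illustration, not the paper's own algorithm or data: the device list, the noisy-OR device update, the mean-based app update and the `strength` attenuation parameter are all assumptions made here to show how a weak association (a device that merely shares benign apps with a compromised device) picks up a non-zero score.

```python
"""Toy guilt-by-association propagation over a bipartite device-app graph.

Constructed example: devices are linked to the apps whose backends they were
seen contacting; only one app is known to be malicious. Scores flow from
known-bad apps to the devices running them, then on to the other apps those
devices share, and back to devices that run none of the known-bad apps.
The update rules below are an illustration, not the paper's method.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample data (hypothetical device and app names).
DEVICE_APPS: Dict[str, Set[str]] = {
    "dev1": {"bad_app", "chat", "game"},       # runs the known-bad app
    "dev2": {"chat", "game", "flashlight"},    # shares two apps with dev1
    "dev3": {"chat"},                          # shares one app with dev1
    "dev4": {"bank", "mail"},                  # no link to dev1 at all
}
KNOWN_MALICIOUS: Set[str] = {"bad_app"}


def propagate(device_apps: Dict[str, Set[str]], known_bad: Set[str],
              strength: float = 0.5, iters: int = 20) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Return (device_scores, app_scores) after `iters` rounds of propagation.

    `strength` in (0, 1] controls how much of a neighbour's score crosses an
    edge; raising it magnifies weak associations, lowering it damps them.
    """
    apps = {a for owned in device_apps.values() for a in owned}
    app_score = {a: (1.0 if a in known_bad else 0.0) for a in apps}
    dev_score = {d: 0.0 for d in device_apps}
    for _ in range(iters):
        # Device update: noisy-OR over its apps, each attenuated by `strength`.
        for dev, owned in device_apps.items():
            p_clean = 1.0
            for app in owned:
                p_clean *= 1.0 - strength * app_score[app]
            dev_score[dev] = 1.0 - p_clean
        # App update: attenuated mean of its users' scores; known-bad apps stay at 1.
        for app in apps - known_bad:
            users = [dev_score[d] for d, owned in device_apps.items() if app in owned]
            app_score[app] = strength * sum(users) / len(users)
    return dev_score, app_score


def rank_devices(device_apps: Dict[str, Set[str]], known_bad: Set[str],
                 strength: float = 0.5) -> List[Tuple[str, float]]:
    """Devices sorted from most to least suspicious."""
    dev_score, _ = propagate(device_apps, known_bad, strength)
    return sorted(dev_score.items(), key=lambda kv: kv[1], reverse=True)
```

With the constructed data, `dev4` stays at exactly 0 because no path connects it to a known-bad app, while `dev2` outscores `dev3` because it shares more apps with the compromised device.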
Taxonomy
Topics: Advanced Malware Detection Techniques · Spam and Phishing Detection · Network Security and Intrusion Detection
