Lifting The Grey Curtain: A First Look at the Ecosystem of CULPRITWARE

TL;DR

This paper systematically studies CULPRITWARE, a new category of malicious mobile apps, revealing their unique features and ecosystem structure, including propagation methods and profit transfer mechanisms, to aid detection and mitigation efforts.

Contribution

First comprehensive analysis of CULPRITWARE, characterizing its features and ecosystem, and identifying key entities and workflows involved in its propagation and profit transfer.

Findings

CULPRITWARE often uses app generators (25.27%) unlike benign apps (5.08%) and malware (0.43%)

Majority of CULPRITWARE (over 52%) propagate via social media rather than app stores

Most CULPRITWARE (96%) rely on covert third-party payment services for profits

Abstract

Mobile apps are extensively involved in cyber-crimes. Some apps are malware which compromise users' devices, while some others may lead to privacy leakage. Apart from them, there also exist apps which directly make profit from victims through deceiving, threatening or other criminal actions. We name these apps as CULPRITWARE. They have become emerging threats in recent years. However, the characteristics and the ecosystem of CULPRITWARE remain mysterious. This paper takes the first step towards systematically studying CULPRITWARE and its ecosystem. Specifically, we first characterize CULPRITWARE by categorizing and comparing them with benign apps and malware. The result shows that CULPRITWARE have unique features, e.g., the usage of app generators (25.27%) deviates from that of benign apps (5.08%) and malware (0.43%). Such a discrepancy can be used to distinguish CULPRITWARE from benign apps and malware. Then we understand the structure of the ecosystem by revealing the four participating entities (i.e., developer, agent, operator and reaper) and the workflow. After that, we further reveal the characteristics of the ecosystem by studying the participating entities. Our investigation shows that the majority of CULPRITWARE (at least 52.08%) are propagated through social media rather than the official app markets, and most CULPRITWARE (96%) indirectly rely on the covert fourth-party payment services to transfer the profits. Our findings shed light on the ecosystem, and can facilitate the community and law enforcement authorities to mitigate the threats. We will release the source code of our tools to engage the community.