Mobile apps are extensively involved in cyber-crimes. Some apps are malware
that compromise users’ devices, while others may lead to privacy leakage.
Apart from these, there also exist apps which directly make a profit from victims
through deceiving, threatening or other criminal actions. We name these apps
CULPRITWARE. They have become an emerging threat in recent years. However, the
characteristics and the ecosystem of CULPRITWARE remain poorly understood. This paper
takes the first step towards systematically studying CULPRITWARE and its
ecosystem. Specifically, we first characterize CULPRITWARE by categorizing them and
comparing them with benign apps and malware. The result shows that CULPRITWARE
have unique features, e.g., the usage of app generators (25.27%) deviates from
that of benign apps (5.08%) and malware (0.43%). Such a discrepancy can be used
to distinguish CULPRITWARE from benign apps and malware. Then we characterize the
structure of the ecosystem by revealing the four participating entities (i.e.,
developer, agent, operator and reaper) and the workflow. After that, we further
reveal the characteristics of the ecosystem by studying the participating
entities. Our investigation shows that the majority of CULPRITWARE (at least
52.08%) are propagated through social media rather than the official app
markets, and most CULPRITWARE (96%) indirectly rely on covert fourth-party
payment services to transfer the profits. Our findings shed light on the
ecosystem, and can help the community and law enforcement authorities
mitigate the threats. We will release the source code of our tools to engage
the community.
