As a key UI feature of Android, overlay enables one app to draw over other apps by creating an extra
View layer on top of the host View. While greatly facilitating user
interactions with multiple apps at the same time, it is often
exploited by malicious apps (malware) to attack users. To
combat this threat, prior countermeasures concentrate on restricting the capabilities of overlays at the OS level,
while barely seeing adoption by Android due to the concern of
sacrificing overlays’ usability. To address this dilemma, a
more pragmatic approach is to enable the early detection of
overlay-based malware at the app market level during the
app review process, so that all the capabilities of overlays
can stay unchanged. Unfortunately, little has been known
about the feasibility and effectiveness of this approach for
lack of understanding of malicious overlays in the wild.
To fill this gap, in this paper we perform the first large-scale comparative study of overlay characteristics in benign and malicious apps using static and dynamic analyses. Our results reveal a set of suspicious overlay properties strongly correlated with the malice of apps, including several novel features. Guided by the study insights, we build OverlayChecker, a system that is able to automatically detect overlay-based malware at market scales. OverlayChecker has been adopted by one of the world’s largest Android app stores to check around 10K newly submitted apps per day. It can efficiently (within 2 minutes per app) detect nearly all (96%) overlay-based malware using a single commodity server.
Our paper has been conditionally accepted for
For some limitations, we partially disclose our dataset, data file and detailed descriptions can be referred on GitHub.
Please cite this study when using the data.