AndRadar: Fast Discovery of Android Applications in Alternative Markets

  • Martina Lindorfer
  • Stamatis Volanis
  • Alessandro Sisto
  • Matthias Neugschwandtner
  • Elias Athanasopoulos
  • Federico Maggi
  • Christian Platzer
  • Stefano Zanero
  • Sotiris Ioannidis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8550)


Compared to traditional desktop software, Android applications are delivered through software repositories, commonly known as application markets. Other mobile platforms, such as Apple iOS and BlackBerry OS also use the marketplace model, but what is unique to Android is the existence of a plethora of alternative application markets. This complicates the task of detecting and tracking Android malware. Identifying a malicious application in one particular market is simply not enough, as many instances of this application may exist in other markets. To quantify this phenomenon, we exhaustively crawled 8 markets between June and November 2013. Our findings indicate that alternative markets host a large number of ad-aggressive apps, a non-negligible amount of malware, and some markets even allow authors to publish known malicious apps without prompt action.

Motivated by these findings, we present AndRadar, a framework for discovering multiple instances of a malicious Android application in a set of alternative application markets. AndRadar scans a set of markets in parallel to discover similar applications. Each lookup takes no more than a few seconds, regardless of the size of the marketplace. Moreover, it is modular, and new markets can be transparently added once the search and download URLs are known.

Using AndRadar we are able to achieve three goals. First, we can discover malicious applications in alternative markets, second, we can expose app distribution strategies used by malware developers, and third, we can monitor how different markets react to new malware. During a three-month evaluation period, AndRadar tracked over 20,000 apps and recorded more than 1,500 app deletions in 16 markets. Nearly 8% of those deletions were related to apps that were hopping from market to market. The most established markets were able to react and delete new malware within tens of days from the malicious app publication date while other markets did not react at all.


Android App Markets Measurements Malware Tracking 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
    Barrera, D., Clark, J., McCarney, D., van Oorschot, P.C.: Understanding and Improving App Installation Security Mechanisms Through Empirical Analysis of Android. In: Proceedings of the 2nd ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM (2012)Google Scholar
  5. 5.
    Chakradeo, S., Reaves, B., Traynor, P., Enck, W.: MAST: Triage for Market-scale Mobile Malware Analysis. In: Proceedings of the 6th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec (2013)Google Scholar
  6. 6.
    Chen, H.: Underground Economy of Android Application Plagiarism. In: Proceedings of the 1st International Workshop on Security in Embedded Systems and Smartphones, SESP (2013)Google Scholar
  7. 7.
    Crussell, J., Gibler, C., Chen, H.: Attack of the Clones: Detecting Cloned Applications on Android Markets. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 37–54. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  8. 8.
    Desnos, A., Gueguen, G.: Android: From Reversing To Decompilation. In: Black Hat Abu Dhabi (2011)Google Scholar
  9. 9.
    Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A Study of Android Application Security. In: Proceedings of the 20th USENIX Security Symposium (2011)Google Scholar
  10. 10.
  11. 11.
    Gibler, C., Stevens, R., Crussell, J., Chen, H., Zang, H., Choi, H.: AdRob: Examining the Landscape and Impact of Android Application Plagiarism. In: Proceedings of 11th International Conference on Mobile Systems, Applications and Services, MobiSys (2013)Google Scholar
  12. 12.
    Grace, M., Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: RiskRanker: Scalable and Accurate Zero-day Android Malware Detection. In: Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services, MobiSys (2012)Google Scholar
  13. 13.
    Gu, L.: The Mobile Cybercriminal Underground Market in China. Tech. rep., Trend Micro (March 2014),
  14. 14.
    Hanna, S., Huang, L., Wu, E., Li, S., Chen, C., Song, D.: Juxtapp: A Scalable System for Detecting Code Reuse among Android Applications. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 62–81. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  15. 15.
    IDC: Apple Cedes Market Share in Smartphone Operating System Market as Android Surges and Windows Phone Gains. (August 2013),
  16. 16.
    Lever, C., Antonakakis, M., Reaves, B., Traynor, P., Lee, W.: The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers. In: Proceedings of the 20th Annual Network & Distributed System Security Symposium, NDSS (2013)Google Scholar
  17. 17.
    Ludwig, A., Davis, E., Larimer, J.: Android - Practical Security From the Ground Up. In: Virus Bulletin Conference (2013)Google Scholar
  18. 18.
    Maggi, F., Valdi, A., Zanero, S.: AndroTotal: A Flexible, Scalable Toolbox and Service for Testing Mobile Malware Detectors. In: Proceedings of the 3rd Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM (2013)Google Scholar
  19. 19.
    McAfee Labs: McAfee Threats Report: Second Quarter (August 2013),
  20. 20.
    One Platform Foundation: List of Android Appstores,
  21. 21.
    Petsas, T., Papadogiannakis, A., Polychronakis, M., Markatos, E.P., Karagiannis, T.: Rise of the Planet of the Apps: A Systematic Study of the Mobile App Ecosystem. In: Proceedings of the 2013 Conference on Internet Measurement Conference, IMC (2013)Google Scholar
  22. 22.
    Pouik, G0rfi3ld: Similarities for Fun & Profit. Phrack Magazine 14(68) (2012)Google Scholar
  23. 23.
    Rastogi, V., Chen, Y., Jiang, X.: DroidChameleon: Evaluating Android Anti-malware Against Transformation Attacks. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIACCS (2013)Google Scholar
  24. 24.
    Ruddock, D.: Google Pushes Major Update To Play Developer Content Policy, Kills Notification Bar Ads For Real This Time, And A Lot More (September 2013),
  25. 25.
    Signals and Systems Telecom: The Mobile Device & Network Security Bible: 2013–2020. Tech. rep. (September 2013),
  26. 26.
    Simon, Z.: Adwares. Are they viruses or not? (July 2012),
  27. 27.
  28. 28.
    Uscilowski, B.: Mobile Adware and Malware Analysis. Tech. rep., Symantec (October 2013),
  29. 29.
    Vidas, T., Christin, N.: Sweetening Android Lemon Markets: Measuring and Combating Malware in Application Marketplaces. In: Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy (CODASPY) (2013)Google Scholar
  30. 30.
    Weichselbaum, L., Neugschwandtner, M., Lindorfer, M., Fratantonio, Y., van der Veen, V., Platzer, C.: Andrubis: Android Malware Under The Magnifying Glass. Tech. Rep. TR-ISECLAB-0414-001, Vienna University of Technology (2014)Google Scholar
  31. 31.
    Zhang, Y., Xue, H., Wei, T., Song, D.: Monitoring Vulnaggressive Apps on Google Play (November 2013),
  32. 32.
    Zheng, M., Lee, P.P.C., Lui, J.C.S.: ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-virus Systems. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 82–101. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  33. 33.
    Zhou, W., Zhou, Y., Grace, M., Jiang, X., Zou, S.: Fast, Scalable Detection of “Piggybacked” Mobile Applications. In: Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy, CODASPY (2013)Google Scholar
  34. 34.
    Zhou, W., Zhou, Y., Jiang, X., Ning, P.: Detecting Repackaged Smartphone Applications in Third-Party Android Marketplaces. In: Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy, CODASPY (2012)Google Scholar
  35. 35.
    Zhou, Y., Jiang, X.: Dissecting Android Malware: Characterization and Evolution. In: Proceedings of the 33rd IEEE Symposium on Security and Privacy (2012)Google Scholar
  36. 36.
    Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In: Proceedings of the 19th Annual Network & Distributed System Security Symposium, NDSS (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Martina Lindorfer
    • 1
  • Stamatis Volanis
    • 2
  • Alessandro Sisto
    • 3
  • Matthias Neugschwandtner
    • 1
  • Elias Athanasopoulos
    • 2
  • Federico Maggi
    • 3
  • Christian Platzer
    • 1
  • Stefano Zanero
    • 3
  • Sotiris Ioannidis
    • 2
  1. 1.Secure Systems LabVienna University of TechnologyAustria
  2. 2.Institute of Computer ScienceFoundation for Research & Technology – HellasGreece
  3. 3.Politecnico di MilanoItaly

Personalised recommendations