CLAP: Classification of Android PUAs by Similarity of DNS Queries

Mitsuhiro HATADA  Tatsuya MORI  

IEICE TRANSACTIONS on Information and Systems   Vol.E103-D   No.2   pp.265-275
Publication Date: 2020/02/01
Publicized: 2019/11/11
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2019INP0003
Type of Manuscript: Special Section PAPER (Special Section on Security, Privacy, Anonymity and Trust in Cyberspace Computing and Communications)
Category: Network Security
PUA,  PUP,  potentially unwanted,  DNS query,  classification,  

Full Text: PDF(580.2KB)>>
Buy this Article

This work develops a system called CLAP that detects and classifies “potentially unwanted applications” (PUAs) such as adware or remote monitoring tools. Our approach leverages DNS queries made by apps. Using a large sample of Android apps from third-party marketplaces, we first reveal that DNS queries can provide useful information for detection and classification of PUAs. We then show that existing DNS blacklists are limited when performing these tasks. Finally, we demonstrate that the CLAP system performs with high accuracy.