Re-checking App Behavior against App Description in the Context of Third-party Libraries

Recent research suggested promising approaches that identify potential malware by checking the inconsistence between app description and actual behavior of the app. However, state-of-the-art approaches have ignored the impact of thirdparty libraries (TPLs) when detecting outliers, which could affect the detection results greatly in two folds. On one hand, most Android apps would not list the functionality of TPLs in app description, which could cause false positives, as many apps that use TPLs will be identified as outliers. On the other hand, it is important to separate TPLs from custom code when analyzing the sensitive behaviors, otherwise the malicious behaviors of custom code will be obscured by TPLs. In this paper, we revisit the study of checking app behavior against app description in the context of TPLs. Experiment results on more than 400K Android apps suggest that more than 54% of apps are no longer identified as outliers after filtering TPLs, and we could identify roughly 50% of new outliers. Furthermore, removing the impact of TPLs could help to identify malware and pinpoint the malicious behavior of custom code. Out results shed a light on applying the TPL analysis to enhance a variety of mobile app analysis tasks.