Classifying PUAs in the mobile environment

Vanja Svajcer Sophos
Sean McDonald Sophos

  download slides (PDF)

The issue of PUAs (Potentially Unwanted Applications) in a world of desktop sample processing is well understood. Typically, we classify as potentially unwanted executables which are borderline malicious but which may in some cases provide certain benefits to the end-user. These applications are assigned to one of the predefined PUA categories, giving the user the option to manually authorize their usage.

Has the world of PUAs changed with the advent of mobile apps? As the revenue model for application developers changes, should the security industry apply different criteria when considering potentially unwanted applications?

There are over 600,000 apps on Google Play and over 300,000 apps on iTunes, with numerous alternative application markets. The major source of income for most of the apps are advertising revenues realized by implementing one or more advertising frameworks.

The difference between malware, PUAs and legitimate apps for mobile platforms is often less clear than within the desktop world. We have seen several cases where not even security vendors agree on how to classify apps containing multiple advertising frameworks such as Plankton or NewYearL. This causes confusion for application developers, as well as developers of individual advertising frameworks, as to which features are acceptable.

This paper introduces a structured PUA taxonomy for mobile apps which can be applied by security vendors and by mobile app developers. Wherever possible, we use categories closely related to desktop PUAs and introduce new ones particularly relevant to mobile environments. We apply the categorization to an existing corpus of mobile PUA samples, legitimate apps and individual advertising frameworks.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

The full programme for VB2013, including abstracts for each paper, can be viewed here.

Click here for more details about the conference.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.