2016 IEEE Trustcom/BigDataSE/ISPA

Abstract

Serious concerns have been raised about stealthy leakage of users' privacy in mobile apps, and many recent approaches have been proposed to detect privacy leaks in these apps. However, more and more benign mobile apps have to send out users' private information for legitimate functions or user intention. To evade detection, new mobile malware has started to mimic the privacy-related behaviors of benign apps that provide similar functionality, and to mix malicious privacy leaks with benign ones to reduce the chance of being observed. Since previously proposed approaches primarily focus on privacy leak discovery, these evasive techniques in new mobile malware make differentiating between malicious and benign privacy disclosures a difficult task during privacy leak analysis. In this paper, we propose DroidContext, an automated system that detects truly malicious privacy leakages in Android apps. DroidContext differentiates malicious and benign privacy disclosures using contexts (e.g., activation events and dependent operations that trigger and control privacy leak execution), purifying the privacy leak detection results for automatic and easy interpretation by filtering out benign privacy disclosures. We implement a prototype of DroidContext and evaluate it on 5560 mobile malware samples and 4800 Apkure apps. Experimental results show that, on average, DroidContext achieves a high 92.85% true positive rate during malicious privacy identification and a 95.45% true positive rate during benign privacy disclosure identification. The necessity of the proposed contexts is also evaluated. The evaluation indicates that, to keep the accuracy of privacy disclosure classification, our proposed contexts are all necessary.