Analysis of Malware Application Based on Massive Network Traffic

Security and privacy issues are magni- fied by velocity, volume, and variety of big data. User＇s privacy is an even more sensitive topic attracting most people＇s attention. While Xcode- Ghost, a malware of iOS emerging in late 2015, leads to the privacy-leakage of a large number of users, only a few studies have examined Xcode- Ghost based on its source code. In this paper we describe observations by monitoring the network activities for more than 2.59 million iPhone users in a provincial area across 232 days. Our analysis reveals a number of interesting points. For exam- ple, we propose a decay model for the prevalence rate of XcodeGhost and we find that the ratio of the infected devices is more than 60%; that a lot of popular applications, such as Wechat, railway 12306, didi taxi, Youku video are also infected; and that the duration as well as the traffic volume of most XcodeGhost-related HTTP-requests is similar with usual HTTP-request which makes it difficult to be found. Besides, we propose a heuristic model based on fingerprint and its web-knowledge to identify the infected applications. The identifying result shows the efficiency of this model.