In recent years, the underground economy has been proliferating in the mobile ecosystem. Underground economy apps (UEware) profit from providing non-compliant services, especially in sensitive areas such as gambling, pornography, and loans. Unlike traditional malware, most of them (over 80%) do not have malicious payloads. Because of these characteristics, existing detection approaches cannot effectively and efficiently mitigate this emerging threat. To address this problem, we propose a novel approach that detects UEware effectively and efficiently by considering their UI transition graphs (UTGs). Based on the proposed approach, we design and implement a system named DeUEDroid to perform the detection. To evaluate DeUEDroid, we collect 25,717 apps and build the first large-scale ground-truth dataset (1,700 apps) of UEware. The evaluation results on the ground-truth dataset show that DeUEDroid can cover new UI features and statically construct precise UTGs. It achieves a 98.22% detection F1-score and 98.97% classification accuracy, significantly outperforming traditional approaches. The evaluation involving 24,017 apps demonstrates the effectiveness and efficiency of UEware detection in real-world scenarios. Furthermore, the results reveal that UEware is prevalent, with 54% of apps in the wild and 11% of apps in app stores being UEware. Our work sheds light on future work in analyzing and detecting UEware.