Publication
IEEE-TSC
Paper

Shifting to Mobile: Network-Based Empirical Study of Mobile Vulnerability Market

Abstract

With the increasing popularity of, and great economic benefit from, vulnerability exploitation, it is important to study vulnerabilities in the mobile ecosystem. Beyond traditional technical solutions, such as developing technologies to identify potential vulnerabilities, discover widely available exploits and protect consumers from attacks, constructing a vulnerability market, a marketplace for vulnerability discovery, disclosure and exploitation, has been considered an effective approach. Therefore, understanding the mechanism of the vulnerability market for further optimization is attracting attention from both academia and industry. Since the mobile ecosystem is playing an increasingly important role in daily life, this paper aims to understand the evolution of the mobile vulnerability market through a data-driven approach and to identify the important issues for further research. Specifically, a five-layer heterogeneous network, consisting of the software vendors, products, publicly disclosed vulnerabilities, hunters, organizations and their relations, is established to formally represent the evolution of the mobile vulnerability market. Based on data collected from a variety of agencies, including NVD, OSVDB, BID and vendor advisories, a comprehensive empirical analysis is reported, focusing on the growth of the mobile vulnerability market as well as the interactions between mobile and PC platforms. Finally, suggestions drawn from the observations are discussed for further security enhancement, including security evaluation of reused code, data leakage protection and permission overuse identification, understanding of hunters' strategies and behavior, information sharing and external workforce hiring, and cross-platform vulnerability digging.
