WWW2026
Real or Rogue? Detecting Malicious Miniapps with Deceptive Reporting Interface
Yuqing Yang, Zhiqiang Lin
Abstract
Today, mobile super apps such as WeChat offer a wide array of services through integrated miniapps. While the miniapps provide self-contained services via JavaScript and Web interfaces, the existence of a centralized authority, i.e., the super app platform, enables strong protection against malware. Among the many mechanisms, the built-in report interface is an essential security countermeasure, allowing users to report any suspicious miniapp that is released to the market. Alarmingly, our study reveals that there are malicious miniapps implementing deceptive reporting interfaces to impersonate the official ones. If users are guided to these fake reporting interfaces that discard or reroute the reports, the platforms will never be alerted to the malware's existence, thus enabling the malware to circumvent post-vetting regulation. In response to this imminent threat, this paper identifies, analyzes, and constructs a dataset consisting of 3,587 malware samples with detailed information, drawn from 135,274 official-looking reporting interfaces found among over 4 million miniapps. Our findings further reveal abundant variations of behavior, including discarding or redirecting reports, applying obfuscation to escape vetting, and batch registration to lower the risk of platform removal. We have reported this malware to parties of interest, and we will release this dataset to facilitate further detection and analysis for the web community.