Towards Demystifying Android Adware: Dataset and Payload Location

Adware represents a pervasive threat in the mobile ecosystem, yet its inherent characteristics have been largely overlooked by previous research. This work takes a crucial step towards demystifying Android adware. We present a comprehensive, well-annotated Android adware dataset AdwareZoo, which comprises 15,996 adware samples across 118 distinct adware families collected from both security reports and app repositories, providing a robust foundation for in-depth analysis and future research. We identify adware family payloads by isolating packages from adware samples for VirusTotal rescanning. Our analysis unveils critical insights into the adware ecosystem, highlighting distinctive patterns in family naming conventions and exposing the unexpected classification of widely-used ad networks as adware. We identify diverse payload location strategies, with a notable finding that over 30% of adware families employ payloads beyond conventional Java/Kotlin code. Furthermore, we reveal several evasion techniques utilized by adware, including package name obfuscation and dynamic payload loading. This research not only offers a robust foundation for understanding and combating adware but also highlights the pressing need for increased scrutiny of mobile advertising practices.