USENIX Security 2024
Tickets or Privacy? Understand the Ecosystem of Chinese Ticket Grabbing Apps
Yijing Liu, Yiming Zhang, Baojun Liu, Haixin Duan, Qiang Li, Mingxuan Liu, Ruixuan Li, Jia Yao
Cited 4 times
Abstract
Because scalping is widespread and real-name ticketing systems are being promoted, user-oriented mobile ticket grabbing apps have become a popular pattern for scalpers. Compared with traditional scalper-operated scalping, ticket grabbing apps expose users directly to security and privacy risks. In our study, we take the first step towards revealing the ticket grabbing app ecosystem, examining it jointly from the perspectives of app developers, app users, and target platforms. We built a large-scale dataset of ticket grabbing apps in the wild within China, containing 758 Chinese ticket grabbing apps with 3,121 versions. Based on a detailed analysis of these apps, we found that ticket grabbing has formed a mature industrial chain, with various specialized technical characteristics that raise the success rate, such as the abuse of Android accessibility services. We also revealed the profit model of ticket grabbing apps, and disclosed severe security and privacy hazards they pose to end users, including the collection of sensitive information and continuous screenshots. We further conducted an online survey of 184 participants to learn how users use ticket grabbing apps and what privacy concerns they have about them, and regrettably found that users prioritize "tickets" over "privacy". Finally, we proposed an "Indirect Combat" approach to assist existing defense mechanisms. In summary, our findings give target platforms and users a better understanding of the ticket grabbing app ecosystem in China, enabling them to better detect and combat these apps.
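The abstract names two mechanisms a practitioner would want to screen for before installing or allowing such an app: an accessibility service (the hook used to automate the ticketing UI) and continuous screen capture. The following is an added example, not code from the paper or its authors, showing how a triage script can flag both from a decoded AndroidManifest.xml (as produced by apktool). The sample manifest, the list of "sensitive" permissions, and the risk weights are constructed here for illustration and are assumptions, not the paper's detection method.

```python
"""Triage a decoded AndroidManifest.xml for the two capabilities the abstract
singles out: accessibility-service abuse and screen capture.

Added example; the heuristics and weights below are assumptions, not the
paper's own detector.
"""
import xml.etree.ElementTree as ET

# Attributes in a decoded manifest live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# An accessibility service is identified either by the binding permission on
# the <service> element or by its intent-filter action (both are standard).
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Screen capture via MediaProjection needs no manifest permission before
# API 34; from API 34 on, a foreground service of type mediaProjection and
# this permission are required, so they are a usable (if incomplete) signal.
SCREEN_CAPTURE_PERMISSION = "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"

# Assumption: a short illustrative list of permissions that expose personal
# data; a real deployment would tune this to its own policy.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
}


def analyze_manifest(xml_text):
    """Return which risky capabilities a decoded manifest declares."""
    root = ET.fromstring(xml_text)
    report = {
        "accessibility_services": [],
        "screen_capture": False,
        "sensitive_permissions": [],
    }

    declared = {p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission")}
    report["sensitive_permissions"] = sorted(declared & SENSITIVE_PERMISSIONS)
    if SCREEN_CAPTURE_PERMISSION in declared:
        report["screen_capture"] = True

    for svc in root.iter("service"):
        name = svc.get(ANDROID_NS + "name", "")
        binds_a11y = svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if binds_a11y or ACCESSIBILITY_ACTION in actions:
            report["accessibility_services"].append(name)
        # foregroundServiceType may be a '|'-separated list, e.g. "camera|mediaProjection".
        fs_type = svc.get(ANDROID_NS + "foregroundServiceType", "")
        if "mediaProjection" in fs_type.split("|"):
            report["screen_capture"] = True
    return report


def risk_score(report):
    """Assumption: illustrative weights; 3 per automation/capture capability,
    1 per sensitive data permission."""
    score = 3 if report["accessibility_services"] else 0
    score += 3 if report["screen_capture"] else 0
    score += len(report["sensitive_permissions"])
    return score


# Constructed sample resembling what a decoded ticket grabbing app might declare.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.grab">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
    <application android:label="grab">
        <service android:name="com.example.grab.GrabService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
                 android:exported="true">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name="com.example.grab.CaptureService"
                 android:foregroundServiceType="mediaProjection"/>
    </application>
</manifest>
"""

# Constructed benign control: no automation, no capture, no sensitive data.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plain">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="plain"/>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        rep = analyze_manifest(text)
        print(label, risk_score(rep), rep)
```

The manifest check is a first filter only: before API 34 a MediaProjection-based screenshot loop leaves no manifest trace, so an app with an accessibility service and zero capture signals still deserves dynamic inspection (for example, watching for MediaProjection consent prompts and the accessibility-service enable flow at runtime).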