Dating with Scambots: Understanding the Ecosystem of Fraudulent Dating Applications
• Yangyu Hu, Haoyu Wang

In this work, we focus on a new and so far uncovered way for malicious apps to make a profit. They claim to be dating apps; however, their sole purpose is to lure users into purchasing premium/VIP services in order to start conversations with other (likely fake female) accounts in the app. We call these apps fraudulent dating apps. This paper performs a systematic study of the whole ecosystem of fraudulent dating apps. Specifically, we propose a three-phase method to detect them and then characterize them by analyzing the existing account profiles. Our observations reveal that most of the accounts are not managed by real persons but by chatbots driven by predefined conversation templates. We also analyze the business model of these apps and reveal that multiple parties are involved in the ecosystem, including producers who develop the apps, publishers who publish them to gain profit, and the distribution networks that deliver them to end users. Finally, we analyze their impact on users (i.e., victims) and estimate the overall revenue. Our work is the first systematic study of fraudulent dating apps, and the results demonstrate the urgent need for a solution to protect users.


INTRODUCTION
Mobile malware has become a serious threat in recent years. The main incentive for attackers to develop malware is illegal profit. For example, previous research showed that malware authors could profit by injecting advertisements into benign applications (apps for short) [1], or by sending SMS messages to premium-rate numbers [2]. With the deployment of new defenses in the latest Android versions, these methods have become less effective. However, we have observed that malware authors keep inventing new ways to make a profit.
In this paper, we focus on a new and so far uncovered way for malicious apps to make a profit. Users are lured into installing a particular kind of dating app and paying subscription fees for the right to chat with existing users. However, the sole purpose of these apps is to cheat new users into paying, as the existing accounts in these apps are usually fake identities managed by chatbots. We therefore refer to this kind of app as fraudulent dating apps (or FD apps for short).

Properties of FD Apps
FD apps are usually distributed through online advertising networks, enticing users to install them with attractive pictures or fake claims. Once an app is installed, the user needs to register an account to use it. Surprisingly, this process is much simpler than we expected. Indeed, during our analysis of some apps, we found that the user only needs to click a few buttons to register a new account, without providing any personal details such as an email address or phone number. This is different from traditional malware that aims to steal the user's private information.
After registration and logging into the app, many (female) accounts initiate conversation requests to the user within a few minutes, often with seductive words or pictures. For instance, during the manual analysis of one of the apps in our study, seven users sent conversation requests within 5 minutes of our logging in (Figure 1(a)). All of them were female with attractive profile avatars, and two different users (the last two) sent the same message ("Where are you from?") at the same time (8:29).
Given this abnormal user behavior, we suspected that the existing accounts in the app are not real people but chatbots. To confirm this, we sent messages to a randomly picked user (nickname: Beautiful Mirror); the replies were irrelevant to the topic of the conversation (Figure 1(b)). Interestingly, after sending one message, we could not send any more messages for free.
To continue the conversation, we had to subscribe to the monthly premium service (Figure 1(c)) at a cost of around seven US dollars. After purchasing the service, the users we had been communicating with immediately stopped responding, and no further users attempted to communicate with us.
This app is not an isolated case: there exists an underground ecosystem of FD apps. In particular, a dating app can be categorized as an FD app if it shows the following behaviors:
1) Abnormal user behaviors: after a new user logs into the app, several users start a conversation within a short period, e.g., a few minutes.
2) Irrelevant messages: messages are usually irrelevant to the conversation and off topic.
3) Premium services: a new user cannot send messages, or can only send a few, unless a premium service is purchased. Finally, after purchasing the service, the other users suddenly stop responding to any messages.
To distinguish them from the fake accounts in the app, we call the new user who purchases the services a victim.

Study Overview
In this paper, we perform a systematic study of FD apps, including the characterization of user profiles and interaction patterns, the business model and the parties involved in the ecosystem, and the distribution and impact of these apps on victims. In particular, our research aims to answer the following questions. First, are the existing user accounts in FD apps real persons or chatbots? Second, what is the business model of FD apps, and which parties are involved in the ecosystem? Third, how are FD apps distributed? Fourth, what is the impact of FD apps on mobile users? For instance, how much money might a victim be charged?
To this end, we first propose a method to detect FD apps among 2.5 million apps downloaded from nine third-party Android app markets¹ and Google Play. In total, we have detected 967 distinct FD apps and classified them into 22 families based on their code similarity. We then perform a detailed analysis of the detected apps and make the following observations.
• Most of the accounts in these apps are chatbots with fake profile avatars. For instance, the same avatar is used by multiple accounts in the same app, and even in different apps.
• Multiple parties are involved in the ecosystem, including app producers, app publishers, and distribution networks. For example, one developer key has been used to sign many FD apps with different package names, which were published by different companies sharing the same legal representative(s).
• These apps are usually distributed through app markets and advertising networks. Ranking fraud techniques, e.g., fake user reviews and ratings, are used to manipulate the ranking of the apps (i.e., to promote them).
• We estimate the overall revenue of the FD apps we detected based on several reports. Our estimate puts the total market size at around 200 million to 2 billion US dollars.

1. Since Google Play is not available in some countries or regions, these third-party app markets are the de facto official markets there.
Contributions
In summary, this paper makes the following main contributions:
• We present a new way for malware authors to make a profit: luring users into buying premium services in dating apps.
• We conduct a systematic study of FD apps and answer several key research questions. To the best of our knowledge, this is the first systematic study of such apps.
• Our investigation reveals various findings that were previously unknown to the community. We believe our study is the first step towards better detection and regulation of such apps.
To engage the community, we will release all the FD apps we identified in this study and the experiment results to the research community for further analysis.

Table 1: Overview of the dataset and the FD apps detected in each market. An FD package name may be hosted by several markets, so the per-market FD counts do not sum to the totals.

Market          # Apps      # FD apps (package names)   # FD APKs
Baidu Market    227,454     673                         3,227
360 Market      163,121     177                         1,761
Tencent Myapp   636,265     432                         2,782
Xiaomi          91,190      91                          974
Wandoujia       554,138     285                         2,767
Huawei          51,303      308                         1,994
Lenovo          37,716      186                         1,994
OPPO            426,419     305                         1,628
Meizu           80,573      512                         2,571
Google Play     287,110     7                           123
Total           2,555,199   967                         3,697

2 FRAUDULENT DATING APPS CHARACTERIZATION
In this section, we first present our approach to identifying FD apps in Section 2.1. Then, to answer the research question "Are the existing user accounts in these apps real persons or chatbots?", we dissect the existing account profiles in different FD app families and analyze the interaction patterns between users of those dating apps in Section 2.2 and Section 2.3, respectively. Table 1 presents an overview of our raw dataset, which contains more than 2.5 million apps collected from ten Android app markets, including the official Google Play store. All of these apps were downloaded between April and August 2017. We also crawled the metadata of these apps, including app name, publisher company name, app version, rating, number of downloads, etc.

Methodology
We propose a semi-automated approach to identify FD apps, as shown in Figure 2. We first use fast keyword matching on app metadata (e.g., app description and app name) to filter dating app candidates from the millions of apps we crawled. We then perform static code analysis on the candidates to check whether they embed in-app purchase services; the rationale is that such services are essential for the publisher to profit, i.e., for victims to purchase premium services. For the dating apps that embed in-app purchase services, we cluster them based on resource similarity and code similarity. For each cluster, we manually select several apps and inspect whether they show suspicious characteristics such as abnormal user behaviors and irrelevant messages, which mark them as fraudulent app candidates. We also analyze user comments to further confirm that these apps have real-world victims.

Keywords Matching
Because FD apps usually use seductive text to attract victims, we first collected several common words (in both English and Chinese) that frequently occur in the descriptions or names of such apps, including "secret dating", "local single", "find girl", etc. We then use fast keyword matching to identify potential dating app candidates. Eventually, we identified 61,133 apps (out of 2.5 million) that contain at least two keywords.
In-app Purchase Analysis
One of the most important characteristics of FD apps is that they entice users to purchase premium services. For the selected dating app candidates, we therefore perform static code analysis to detect whether they embed in-app purchase services; if so, they are retained as candidates for further analysis. We use LibRadar [3], an open-source, obfuscation-resilient tool that identifies third-party libraries in Android apps, and consider 18 popular third-party in-app purchase SDKs that are widely used in China and worldwide, as listed in Table 2.
Note that, besides third-party in-app purchase services, the in-app billing service provided by Google Play is also considered in our study. In countries or regions where Google Play services are unavailable, app developers tend to use third-party in-app purchase services; for instance, AliPay [4] and WeChatPay [5] are the two most popular third-party in-app payment services in China.
Since some apps implement their own payment functions (e.g., sending SMS to a premium-rate number) instead of embedding third-party payment services, we additionally search the layout configuration files for related English and Chinese keywords (e.g., "Purchase & VIP", "Privilege", etc.) to identify further candidates. In total, we identified 23,546 dating apps that contain in-app purchase services.

App Clustering
For the dating apps that embed in-app purchase services, we cluster them based on resource similarity and code similarity. We first use the open-source system FSquaDRA2 [6] to measure the resource similarity of each app pair based on a feature set of resource names and asset signatures (the MD5 hash of each asset of an application, excluding its icon and XML files). We then use the app clone detection tool WuKong [7] to measure code-level similarity. Apps with a resource similarity score above 90% and a code-level similarity score above 85%² are grouped into the same cluster. Finally, we keep the clusters of size 2 or more. In total, we grouped 5,547 candidate apps into 226 clusters (size >= 2).

Manual Inspection
For each cluster, we manually select three apps³ (596 apps in total). We installed them on smartphones and registered real accounts to check whether they have the typical characteristics: abnormal user behaviors (many users start conversations even though our registration information is empty or totally unattractive), irrelevant messages, and premium services.
With the help of manual inspection, we eventually flag 22 out of the 226 clusters as FD app families.
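The three automated stages of the pipeline above (keyword filter, in-app purchase check, similarity clustering with the paper's 90%/85% thresholds) run over constructed app metadata, as an added example that is not the paper's own tooling. Everything not named in the text is an assumption: Jaccard similarity over asset MD5 digests stands in for the FSquaDRA2 resource score, Jaccard over method signatures stands in for the WuKong code-level score, the SDK package prefixes stand in for LibRadar's fingerprints of the 18 SDKs in Table 2, and the two Chinese keywords are illustrative.

```python
"""Added example (not the paper's code): the automated FD-app filtering stages
over constructed app metadata. Jaccard similarity replaces FSquaDRA2/WuKong
scores and SDK package prefixes replace LibRadar fingerprints (assumptions)."""
from itertools import combinations

# Keywords from the paper plus two Chinese ones (assumed: "same-city dating", "nearby singles")
KEYWORDS = ["secret dating", "local single", "find girl", "同城约会", "附近单身"]
# Package prefixes of in-app purchase SDKs (assumed stand-ins for Table 2)
IAP_SDKS = {"com.alipay.sdk", "com.tencent.mm.opensdk", "com.android.vending.billing"}
# Layout-string keywords, the supplementary check for home-grown payment code
LAYOUT_KEYWORDS = ["purchase", "vip", "privilege", "会员", "充值"]
RES_THRESHOLD, CODE_THRESHOLD = 0.90, 0.85


def keyword_hits(app):
    """Number of distinct keywords occurring in the app name or description."""
    text = (app["name"] + " " + app["description"]).lower()
    return sum(1 for kw in KEYWORDS if kw in text)


def is_dating_candidate(app):
    return keyword_hits(app) >= 2          # the paper requires at least two hits


def has_iap(app):
    """Embedded IAP SDK, or payment-related strings in the layout files."""
    if IAP_SDKS & set(app["libraries"]):
        return True
    layout = " ".join(app["layout_strings"]).lower()
    return any(kw in layout for kw in LAYOUT_KEYWORDS)


def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if (a | b) else 0.0


def similar_pair(x, y):
    return (jaccard(x["asset_md5s"], y["asset_md5s"]) > RES_THRESHOLD
            and jaccard(x["methods"], y["methods"]) > CODE_THRESHOLD)


def cluster(apps):
    """Union-find over similar pairs; keep clusters of size >= 2."""
    parent = {a["pkg"]: a["pkg"] for a in apps}

    def find(p):
        while parent[p] != p:
            parent[p] = parent[parent[p]]
            p = parent[p]
        return p

    for x, y in combinations(apps, 2):
        if similar_pair(x, y):
            parent[find(x["pkg"])] = find(y["pkg"])
    groups = {}
    for a in apps:
        groups.setdefault(find(a["pkg"]), []).append(a["pkg"])
    return sorted(sorted(g) for g in groups.values() if len(g) >= 2)


def detect(apps):
    """Returns (dating candidates, candidates with IAP, clusters for manual inspection)."""
    dating = [a for a in apps if is_dating_candidate(a)]
    with_iap = [a for a in dating if has_iap(a)]
    return dating, with_iap, cluster(with_iap)


def _app(pkg, name, desc, libs, layout, assets, methods):
    return dict(pkg=pkg, name=name, description=desc, libraries=libs,
                layout_strings=layout, asset_md5s=assets, methods=methods)


ASSETS = [f"md5_{i:02d}" for i in range(10)]             # constructed asset digests
METHODS = [f"Lcom/x/Chat;->m{i}()V" for i in range(20)]  # constructed method signatures

# Constructed sample: a and b are one code base repackaged under two package
# names; c is a dating app with IAP but unrelated code; d fails the keyword
# filter and e fails the IAP filter.
SAMPLE_APPS = [
    _app("com.example.a", "Secret Dating", "Find girl near you, local single women online",
         ["com.alipay.sdk"], ["Settings"], ASSETS, METHODS),
    _app("com.example.b", "Local Single Chat", "Secret dating with girls nearby",
         [], ["Purchase & VIP", "Privilege"], ASSETS, METHODS[:19] + ["Lcom/x/Pay;->go()V"]),
    _app("com.example.c", "Find Girl Now", "secret dating club for singles",
         ["com.android.vending.billing"], [], ["md5_zz"], ["Lcom/c/Main;->run()V"]),
    _app("com.example.d", "Chat Mate", "Meet local single people",
         ["com.alipay.sdk"], [], ASSETS, METHODS),
    _app("com.example.e", "Secret Dating Diary", "find girl stories",
         [], ["About"], ASSETS, METHODS),
]

if __name__ == "__main__":
    dating, with_iap, clusters = detect(SAMPLE_APPS)
    print(len(dating), "dating candidates,", len(with_iap), "with IAP, clusters:", clusters)
```

On the sample, a and b share every asset and 19 of 20 method signatures (Jaccard 19/21 ≈ 0.905), so they land in one cluster for manual inspection, while c stays a singleton and is dropped, mirroring the size >= 2 rule.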

Statistics of Fraudulent Dating Apps
As shown in Table 3, we identified 3,697 FD apps (APKs) that share 967 unique package names⁴. These account for 6% of the dating apps in our dataset, which is much higher than we expected. For each family, we use as the family name the keyword from the package name of the app with the largest number of downloads. For example, the Youyuan family contains the largest number of unique package names and APKs: roughly one third of the APKs and more than half of the package names belong to it.
The distribution of FD apps across markets is shown in Table 1. Baidu Market hosts the most FD apps: more than two-thirds of all FD apps (673 of the 967 package names) are found there. The official Google Play market contains the fewest, with only 7 apps flagged.

2. We chose the thresholds empirically based on previous studies.
3. If the cluster size is 2, we select both apps.
4. One app (package name) corresponds to several APKs because our crawler downloaded different versions of apps over a 4-month span.

Protocol Analysis
It is non-trivial to harvest account profiles from FD apps, as they are not directly available on the devices. We hence resort to the network traffic traces to retrieve user profiles. Particularly, we randomly select three apps in each family and run them on real smartphones. We then leverage tcpdump to record the network traffic traces. Table 4 shows the server addresses of user profile requests and the download addresses of avatar files for each family. Surprisingly, all three apps we analyzed for each family share the same server address, even if they have different package names or developer signatures.
We further investigate the request and response messages for user information retrieval, as shown in Figure 3. The request messages usually contain information like geo-location data, platform information, the number of requested user information, etc. The response messages contain a list of users where each of them is represented by a unique identifier, a URL of the avatar file, and some other personal information (e.g., nickname, age, etc.).
By looking deeper into those request and response messages, we observe that some apps (e.g., com.hzsj.qmrl and com.wanjiang.tcyasq in the Youyuan family) embed a fingerprint or the package name in the request message to differentiate the apps (Figure 3). Moreover, some apps (e.g., com.yuanfenapp.tcyyjiaoyou and ltd.onedream.snsapp.moaiyueai in the Tongchengsupei family) share exactly the same request and response messages, resulting in identical account lists.

Crawling Account Profiles
To crawl the account profiles, one straightforward approach is to emulate each app's protocol. However, because account lists are usually served based on geo-location (e.g., one can only browse users in the same city) and each request returns only a limited number of users (e.g., one page), we would need to analyze the request URLs to identify the corresponding fields and construct request messages (e.g., changing the city or the page number) in order to crawl as many profiles as possible. Unfortunately, app developers can use anti-crawling techniques, such as embedding hash values in the request URLs, to prevent automated harvesting of their account profiles. For this reason, we instead employ automated app testing to harvest user profiles: we use the automated UI testing tool DroidBot [8] to generate pull-down UI events and send them to the tested apps, emulating a real user browsing the account list.

The Presence of Fake Account Profiles
It is difficult to measure how many fake accounts actually exist in each app, since we cannot start a conversation with every account to check whether it is a real person. Motivated by a characteristic of romance scams [9], namely that scammers usually post profiles using stolen photographs of attractive people, we expect that the fake accounts in FD apps also use stolen or online photos. To identify fake accounts quickly, we regard accounts within the same app that have the same avatar photo but totally different account information (e.g., nickname, hometown, age) as fake accounts.
In this study, we use Dup Detector [10], a pixel-level comparison technique, to identify duplicate images. Note that some apps offer default avatar photos during registration, which could mislead our detection; we therefore exclude all default avatars from the comparison. For each family, we randomly choose one app and crawl all of its account profiles. As shown in Table 5, for the app com.jqyuehui.main in the Youairen family, we were able to crawl over 263,000 account profiles. Figure 4 shows examples of fake account profiles found in our crawled data; fake accounts occur within the same app, within the same family, and even across different families.

Fake Accounts within the Same App
We first measure the fake account profiles within each app. As shown in Table 5, although we identified fake account profiles in most of the apps, the percentage of fake profiles within each app is not high. Only three apps have more than 10% of their account profiles detected as fake; most apps have less than 1%.
Note that this is a conservative way to identify fake accounts, since different fake accounts inside one app could use different avatar photos. We analyze the interaction patterns in Section 2.3 to detect further fake accounts.

Fake Accounts within the Same Family
For each family, we choose three apps to examine fake account profiles across apps within the same family. Since it is generally time-consuming to analyze the protocol of a given app in order to emulate its request messages, we select four popular families (12 apps in total) for this measurement. For every family considered, we ensure that the apps inside the family are different (i.e., have different package names). Because the type of account information (e.g., age, location) may vary slightly across apps, we regard accounts with the same avatar photo but different nicknames as suspicious fake accounts.
As shown in Table 6, the rate of suspicious fake accounts within the same family is significantly high. For example, around 95% of the account photos of the three selected apps in the Youyuan family overlap. The overlap ratio of account profiles in the Appforwhom family even reaches 100%; further analysis reveals that all apps in this family use the same protocol for accessing account information.

Fake Accounts across Different Families
We further measure the overlap of account profiles across different families. As shown in Table 6, the overlap ratios across families are not high: all of them are below 10%. One possible reason is that apps in different families come from different developers and have different sources of account profiles.
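The two avatar-based criteria above (within one app: same avatar, totally different nickname/hometown/age; across apps of one family: same avatar, different nickname) implemented over constructed profiles, as an added example that is not the paper's code. The only stand-in is the image comparison: SHA-256 of the decoded pixel buffer replaces Dup Detector's pixel-level comparison, so byte-identical pixels compare equal and near-duplicates are out of scope; the default-avatar set, the `pixels()` generator and all profile data are constructed.

```python
"""Added example (not the paper's code): flagging fake accounts by reused
avatars within one app and across two apps of the same family. SHA-256 of a
pixel buffer stands in for Dup Detector's pixel-level comparison (assumption)."""
import hashlib
from collections import defaultdict


def pixels(seed, size=64):
    """Constructed avatar: a deterministic pseudo-pixel buffer per seed."""
    return bytes((seed * 31 + i) % 256 for i in range(size))


DEFAULT_AVATARS = {hashlib.sha256(pixels(0)).hexdigest()}  # offered at registration (constructed)


def avatar_key(profile):
    return hashlib.sha256(profile["avatar"]).hexdigest()


def _totally_different(p, q):
    return all(p[f] != q[f] for f in ("nickname", "hometown", "age"))


def fake_accounts_within_app(profiles):
    """IDs of accounts sharing a non-default avatar with an account whose
    nickname, hometown and age all differ (the within-app criterion)."""
    groups = defaultdict(list)
    for p in profiles:
        key = avatar_key(p)
        if key not in DEFAULT_AVATARS:
            groups[key].append(p)
    fake = set()
    for members in groups.values():
        for p in members:
            if any(q is not p and _totally_different(p, q) for q in members):
                fake.add(p["id"])
    return fake


def fake_rate(profiles):
    """Percentage of profiles flagged fake (the Table 5 ratio)."""
    return 100.0 * len(fake_accounts_within_app(profiles)) / len(profiles) if profiles else 0.0


def overlap_ratio(app_a, app_b):
    """Fraction of distinct non-default avatars in app_a that also appear in
    app_b under a different nickname (the cross-app criterion of Table 6)."""
    nicks_a, nicks_b = defaultdict(set), defaultdict(set)
    for p in app_a:
        nicks_a[avatar_key(p)].add(p["nickname"])
    for p in app_b:
        nicks_b[avatar_key(p)].add(p["nickname"])
    keys = [k for k in nicks_a if k not in DEFAULT_AVATARS]
    hits = sum(1 for k in keys if k in nicks_b and nicks_b[k] - nicks_a[k])
    return hits / len(keys) if keys else 0.0


def top_avatars(profiles, n=3):
    """Most reused non-default avatars with their account counts (cf. Figure 5)."""
    counts = defaultdict(int)
    for p in profiles:
        key = avatar_key(p)
        if key not in DEFAULT_AVATARS:
            counts[key] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def _p(pid, nick, home, age, seed):
    return dict(id=pid, nickname=nick, hometown=home, age=age, avatar=pixels(seed))


# Constructed profiles for two apps of one hypothetical family
APP_A = [
    _p(1, "Beautiful Mirror", "Beijing", 24, 1),
    _p(2, "Sunny", "Shanghai", 27, 1),      # same avatar as 1, all fields differ -> fake
    _p(3, "Lily", "Hangzhou", 22, 2),
    _p(4, "Rose", "Wuhan", 25, 3),
    _p(5, "Rose", "Wuhan", 25, 3),          # duplicate record, not "totally different"
    _p(6, "Anna", "Chengdu", 30, 0),        # default avatar, excluded
    _p(7, "Mia", "Xian", 21, 0),            # default avatar, excluded
]
APP_B = [
    _p(11, "Cindy", "Beijing", 24, 1),
    _p(12, "Lily", "Nanjing", 23, 2),       # same avatar and nickname as A's 3 -> not counted
    _p(13, "Grace", "Wuhan", 26, 3),
    _p(14, "Zoe", "Suzhou", 29, 5),
]

if __name__ == "__main__":
    print("fake within A:", sorted(fake_accounts_within_app(APP_A)))
    print("A/B overlap:", round(overlap_ratio(APP_A, APP_B), 3))
    print("top avatars in A:", top_avatars(APP_A))
```

The two excluded cases in the sample are the ones the text calls out: accounts 6 and 7 share an avatar but it is a default one, and accounts 4 and 5 share an avatar with identical profile data, so neither pair is flagged. Across the two apps, two of the three non-default avatars of APP_A reappear in APP_B under other nicknames, giving an overlap ratio of 2/3.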

Mostly Used Fake User Avatars
We found many fake accounts using the same avatar photo but totally different account information. Figure 5 lists the 20 most frequently reused fake user photos, with the number of different accounts using each photo shown under the avatar. All of the top 14 photos come from the app com.huizheng.yasq (family Youyuan), and each of them appears in at least 130 different accounts.

Interaction Pattern Analysis
We now attempt to identify fake accounts from another perspective, i.e., the interaction patterns. If the accounts are real persons, then the messages should be relevant to the topic of the conversation. Thus, we perform a field study to analyze the interaction patterns of these fraudulent dating apps.
For each family, we randomly choose an app and install it on a real device. Then we register two accounts (1 male user and 1 female user) to log in and start a conversation. Furthermore, we purchase the premium service for each app and compare the results before and after purchasing their services.
As shown in Table 8, we observe several interesting findings:
1) The registration process is quite easy, and most apps do not require any personal information. As shown in the second column of Table 8, only 4 (out of 22) apps require a phone number, social networking account or email account during registration.
2) Several apps use template-based conversations. As shown in the third column of Table 8, 3 (out of 22) apps use template-based conversations, whose templates can be found in the resource files of the app.
3) There is a huge difference between male and female users. When a male user is online, many female accounts reach out to him within a short time (column #4). For example, more than 10 girls talked to our registered user in the apps com.yueai.ya007 (family Yueaiapp) and com.myhoney (family Sipuhaiwei) within five minutes. For female users, however, nobody tried to initiate a conversation in almost all the apps (column #5). In some apps (e.g., com.liaoba), the default gender during registration is male and cannot be changed. This suggests that these apps mainly target male users.
4) In more than 70% of the apps, users cannot reply to messages unless premium services are purchased. In the remaining 6 apps, users can respond to at most 3 messages.
5) Irrelevant messages are prevalent in the conversations. Before we purchased the premium services, we were only able to reply to messages in 6 apps; only 4 accounts in these apps replied to us, and their responses were totally irrelevant.
6) After purchasing the premium services, the apps stop responding to messages. In this field study, we spent roughly 176 US dollars on premium services for these 22 apps. Once we had purchased them, all apps stopped responding to our messages. It appears that the sole mission of these apps is to lure users into purchasing so-called premium services that in reality do not exist.

Summary
Based on the results of user profile and interaction pattern analysis, we suspect that the accounts (except for the victims) in the apps are chatbots, instead of real persons. First, the account profiles in different apps in a family are mostly identical. These account profiles may be automatically generated. Second, our suspicion can be further confirmed by the interaction patterns. For instance, the messages in the conversation for the apps we evaluated are irrelevant to the topic, and no messages will be received after purchasing the premium services. These patterns are more likely generated from computer programs instead of real persons.

BUSINESS MODEL ANALYSIS
We now analyze the business model of FD apps aiming at revealing the involved parties in the ecosystem, so as to answer the research question: what are the involved parties and how they make a profit?
We first retrieve the signature of the developer's key inside each app. If the signatures of two different apps are the same, we assume that the two apps were developed by the same developer⁵. These developers are referred to as app producers.

5. This is a reasonable assumption, since leakage of a developer's key is not common in practice.

Table 9: Parties involved in the FD app ecosystem, per family (rows as recovered)

Family           # Package names   # Developer signatures   # Companies   # Legal representatives
Youyuan          496               48                       113           107
Appforwhom       70                43                       21            10
Youairen         140               133                      27            21
Yueaiapp         20                5                        4             4
Tanliani         26                10                       11            10
Wmlover          32                31                       9             9
Tongchengsupei   42                5                        16            16
Jiangaijiaoyou   13                6                        7             7
Aiaihunlian      10                5                        3             3
Sipuhaiwei       13                8                        5             5
Yuanfenba        11                10                       5             5
Yuanlai          12                1                        3             3
Qianshoulian     272               12                       7

We then collect the released company names of the FD apps from the app markets; the company name is usually a required entry when publishing an app to a market. We also collect the name of the legal representative [11] of each company from the public records of the corresponding government agencies. These companies are the ones that publish the apps and receive payments from victims; we call them app publishers. Table 9 shows the data on the multiple parties involved in the FD app ecosystem. The first column shows the family name, and the second the number of distinct package names in the family. The third column shows the number of distinct developer signatures for the apps in the family, while the last two columns show the number of distinct company names and the number of legal representatives of those companies. The number of legal representatives is less than or equal to the number of companies, since the same person can serve as the legal representative of multiple companies.
Based on the data in Table 9, we make the following observations.
• The number of developer signatures is usually much smaller than the number of distinct package names in each family, which indicates that different apps may be developed by the same person. We also find cases where the developer signatures of some apps differ but the names of the RSA files inside the META-INF directory are identical. For example, 130 apps in the Youairen family share the same signature file name, KEY KEYS.RSA. For each signature, the values of the CN (Common Name) and OU (Organizational Unit) fields are meaningless strings such as estituan and umgfoubq. We believe that even though these 130 keys are different, they were probably generated automatically by the same person. Table 10 shows the randomly generated CN and OU fields of 20 developer signatures.

Table 10: CN and OU fields of 20 developer signatures in the Youairen family

CN         OU
hyuhzwhl   fstxzj
btxetuui   pfsmdm
oymorwlp   vrnnuv
estituan   hvhskr
umgfoubq   vvshla
mdjgjpuc   tkwcpk
agggefmk   zhmipw
kovkokxi   jzmmeh
pbvdysyg   kychif
uzqoaawn   usfzum
gfpsbhmz   sejwql
dgvcmhxh   sqsqrf
pebbomoy   dacyfr
xwvoirgr   pgupio
vdsqjkvk   alzrly
ugqljbld   swkcom
memqwnon   nmscvv
wcjhpfkb   lxkruk
xdttilqo   zaamyd
hrzwtnzj   hvsbwp

• The apps belonging to the same family are published by multiple companies. This can be explained by producers selling their apps to different companies for publishing. For instance, as shown in the code snippet in Listing 1, the app developer hard-coded the relationship between package names and the payment accounts used to receive payments from victims. In this way, app producers can sell the same app with different package names to different companies (publishers).
• One legal representative can own multiple companies, so that FD apps can be published multiple times via different companies. If the apps from one company are removed from app markets due to user complaints, the apps from the other companies still survive.

Listing 1: Hard-coded mapping from package name to payment account (excerpt)
```java
String str = packageName;               // package name of the running app
if ("com.huizheng.lasq".equals(str)) {
    // ... payment account for this package name (body elided in the paper)
}
```

Specifically, the app producers develop apps and sell them to publishers. The publishers usually register multiple companies and use these companies to distribute their apps, e.g., via app markets. To promote these apps, ranking fraud techniques are used (Table 11 in Section 4.1). Moreover, the publishers may also pay advertising networks to distribute their apps (Section 4.2). When victims are lured into installing these apps and buying the premium services, the publishers receive the money and gain a profit. Note that in some cases the producers and publishers belong to the same company, which then acts in both roles in the ecosystem.

DISTRIBUTION NETWORK ANALYSIS
App publishers usually distribute their apps through both app markets and advertising networks (Figure 6). In this section, we analyze the distribution of FD apps and answer the following questions: how are these apps distributed, and what techniques do publishers use to promote them in app markets? In particular, we collect the names and user reviews of these apps in app markets and monitor app distribution through an online service [12].

App Markets
As expected, app markets are the primary channel through which publishers distribute their apps (see Table 1 for the markets in which FD apps are detected). Unfortunately, the ranking system of app markets can be manipulated (known as ranking fraud) by the owners of FD apps to attract more victims.

Ranking Fraud
Ranking fraud [13] refers to behaviors that aim to promote the ranking of apps inside app markets. Given the ranking mechanisms of app markets, this can be achieved by manipulating the user reviews and ratings of an app. For each app in our study, we therefore crawl its reviews and ratings (where available) in each market, as well as the names of the users who posted the reviews, in order to identify fake reviews and fake reviewers. Our analysis rests on the following heuristic: reviews from different users should in most cases differ. Although short reviews such as "great app" may be posted by many users, longer reviews with more meaningful words should not be exactly the same. Based on this heuristic, our analysis works in the following steps, and the overall result is shown in Table 11.
First, we remove reviews that have fewer than 5 words from our analysis to avoid potential false positives introduced by simple reviews. The number of reviews and the number of reviews with the highest rating (five-star) are shown in the second and third columns. We also count the number of users who posted the reviews (eighth column).
Second, we compare the reviews from different users using exact text matching. If reviews from different users are exactly the same, we classify them as repeated reviews and record their number in the fourth column. The users who posted repeated reviews are correspondingly classified as fake reviewers (ninth column).
Third, we further mark all reviews from fake reviewers as fake reviews (fifth column). This step is added because the criterion used to determine repeated reviews is very strict (exact text matching) and may therefore miss reviews with only minor changes, e.g., from the sentence "This is really a good app" to "This is really an excellent app". By adding all reviews from users who have posted repeated reviews, we cover reviews that would otherwise be missed in the previous step. Finally, we calculate the percentage of fake reviews and of fake users (sixth and last columns). We also calculate the percentage of five-star ratings among the fake reviews (seventh column).
The percentage of fake reviews is surprisingly high: over 90% of the reviews in 10 families are fake, and more than 95% (96.70%) of the user ratings in the fake reviews are five-star, demonstrating that the ranking system is actively manipulated by the publishers of those FD apps.
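The three-step heuristic above, implemented as an added example that is not part of the paper's own tooling. The `Review` records and the `SAMPLE_REVIEWS` list are constructed for illustration; the dictionary returned by `analyze_reviews` corresponds to the columns of Table 11 described in the text (review count, five-star count, repeated reviews, fake reviews, fake percentage, five-star share among fake reviews, user count, fake-reviewer count and fake-reviewer percentage). Whitespace and letter case are normalized before matching, which is an assumption on top of the paper's exact-match criterion.

```python
"""Fake-review heuristic from the ranking-fraud analysis (added example).

Steps mirror the text: (1) drop reviews with fewer than 5 words,
(2) a text posted verbatim by two or more distinct users is a repeated
review and its authors are fake reviewers, (3) every review by a fake
reviewer is marked fake; percentages are then computed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Review:
    user: str    # reviewer name as shown in the market
    rating: int  # 1..5 stars
    text: str


def normalize(text: str) -> str:
    # Assumption: collapse whitespace and case, then require exact equality.
    return " ".join(text.split()).lower()


def analyze_reviews(reviews, min_words: int = 5) -> dict:
    # Step 1: ignore short reviews such as "great app".
    kept = [r for r in reviews if len(r.text.split()) >= min_words]

    # Step 2: group identical texts and find those shared by distinct users.
    users_by_text = defaultdict(set)
    for r in kept:
        users_by_text[normalize(r.text)].add(r.user)
    repeated_texts = {t for t, users in users_by_text.items() if len(users) >= 2}
    repeated = [r for r in kept if normalize(r.text) in repeated_texts]
    fake_users = {r.user for r in repeated}

    # Step 3: all reviews from fake reviewers are fake, including near-copies
    # that exact matching alone would have missed.
    fake = [r for r in kept if r.user in fake_users]
    all_users = {r.user for r in kept}

    def pct(part: int, whole: int) -> float:
        return round(100.0 * part / whole, 2) if whole else 0.0

    return {
        "reviews": len(kept),                                     # 2nd column
        "five_star": sum(1 for r in kept if r.rating == 5),       # 3rd column
        "repeated": len(repeated),                                # 4th column
        "fake": len(fake),                                        # 5th column
        "fake_pct": pct(len(fake), len(kept)),                    # 6th column
        "fake_five_star_pct": pct(sum(1 for r in fake if r.rating == 5), len(fake)),  # 7th
        "users": len(all_users),                                  # 8th column
        "fake_users": len(fake_users),                            # 9th column
        "fake_users_pct": pct(len(fake_users), len(all_users)),   # last column
    }


# Constructed sample input (not real market data).
SAMPLE_REVIEWS = [
    Review("u1", 5, "great app"),  # dropped in step 1
    Review("u2", 5, "This is really a good app for meeting people nearby"),
    Review("u3", 5, "This is really a good app for meeting people nearby"),      # verbatim copy
    Review("u3", 5, "This is really an excellent app for meeting people nearby"),  # caught by step 3
    Review("u4", 1, "I paid for VIP and nobody ever replied to my messages"),
    Review("u5", 4, "Decent interface but too many prompts to buy a membership"),
    Review("u2", 5, "Found my match in a week, highly recommended to everyone"),
]

if __name__ == "__main__":
    for key, value in analyze_reviews(SAMPLE_REVIEWS).items():
        print(f"{key}: {value}")
```

On the sample, two of the six retained reviews are verbatim copies, their two authors become fake reviewers, and all four of those users' reviews are marked fake, all of them five-star, which is the pattern the table reports at scale.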

Advertising Networks
Previous research [14] has revealed that mobile malware can be distributed through mobile advertising networks. In this study, we perform an initial investigation to check whether FD apps have been distributed through this channel. Our study leverages a third-party online service, AppGrowing [12], to collect the corresponding data. In particular, given an app, AppGrowing provides a report stating whether the app has been distributed through an advertising network and, if so, which networks were involved. Note that their data is obtained by sampling the traffic of advertisement SDKs and is thus not complete. Nevertheless, the data still provides some insight into the distribution of FD apps.
Based on three months of data from October to December 2017, the following advertising networks have been involved in the distribution of FD apps: Cheetah Ad [15], IntelligentTui [16], Tencent Social Ad [17] and Baidu Ad [18]. The first belongs to Cheetah Mobile [19], a company listed on the New York Stock Exchange; the second and third belong to Tencent [20], the producer of QQ and WeChat and one of the largest Internet and technology companies in the world; the last belongs to Baidu [21], the largest search engine and one of the biggest mobile advertising networks in China. Table 12 shows the 26 apps we monitored and the advertising networks that were leveraged to distribute them. In the table, we use the abbreviations CH, IT, TD and BD to denote Cheetah Ad, IntelligentTui, Tencent Social Ad and Baidu Ad, respectively.

USER IMPACT ANALYSIS
In this section, we analyze the user impact of the FD apps from the following three aspects. First, we measure upper and lower bounds on the number of victims. In particular, we first measure the download distribution of these apps, which gives an upper bound on the number of victims. Then we crawl the negative comments on these apps from app markets, which gives a lower bound on the number of victims, since these negative comments are likely to be posted by real victims. Second, we estimate the overall revenue of these apps based on several reports that disclose the revenue model of FD apps. Third, we upload all these apps to VirusTotal to understand how many of them can be flagged by existing anti-virus engines.

Number of Victims Estimation
Downloads Analysis: the Upper-bound
We first analyze the number of accumulated downloads of these apps crawled from 10 app markets. Figure 7 shows the distribution. Surprisingly, around 50% of the apps have been downloaded more than 100K times, and roughly 25% of them have more than 1 million downloads. The app cn.feichengwuyue has the largest number of downloads (143 million).
We then examine the download distribution across families. As shown in Table 13, 6 families have achieved more than 100 million accumulated downloads, and the family Youyuan alone has accumulated 784 million downloads. The total number of downloads for these 967 apps is surprisingly high, reaching 2.4 billion; each app has an average of 2.5 million downloads.

Negative Review Analysis: the Lower-bound
Although we have shown that the positive reviews of these apps are mainly manipulated by ranking fraud techniques, the negative reviews usually contain the complaints of victim users. We have analyzed the negative reviews of these apps. Figure 8 shows the word cloud of the negative reviews. Almost all of the users complain that they were cheated into purchasing the premium services.
We therefore measure the number of victims based on the negative comments. As shown in Table 13, we collected 44,752 negative reviews in total, and the family Youyuan accounts for more than half of them. This result can be used to estimate a lower bound on the number of victims.

Price and Payment Method Analysis
For each family, we randomly choose three apps to analyze the price of the premium services they offer. As shown in Figure 9, the average price varies from 5 US dollars to 15 US dollars. We further analyze the payment methods of each family. All the families support Alipay and WeChatPay, roughly 80% of them also embed the UnionPay service, and 30% of them provide the functionality to send SMS messages to premium numbers.

Payment Identifier Analysis
To use WeChatPay, a merchant must define three necessary parameters: appid, mch_id and a secret key. The appid and mch_id are usually hard-coded in the app by the app developers and are used as the identification of the merchant. Note that the appid is an 18-byte string with the prefix wx, and the mch_id is a 10-byte digit string. We therefore first locate eligible strings in the decompiled code and then query the WeChatPay Web API to check whether the located strings are valid. In total, we identified 232 unique WeChatPay identifiers (appid). With further analysis, we found that one developer signature usually corresponds to several payment identifiers, while one payment identifier always corresponds to one company name (the distributor). This finding once again provides evidence suggesting that app developers sell FD apps to different distributors.
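The string-locating and correlation step described above, as an added example rather than the paper's own tooling. It assumes a candidate appid is "wx" followed by 16 alphanumeric characters (18 bytes in total) and a candidate mch_id is a standalone 10-digit string, scans the string constants of each decompiled APK for them, and then builds the two mappings the paragraph discusses: developer signature to payment identifiers and payment identifier to company name. The verification query against the WeChatPay Web API is left out, so every hit is only a candidate; the APK records, signature labels, company names and identifiers below are all constructed.

```python
"""Locate hard-coded WeChatPay merchant identifiers in decompiled strings and
correlate them with developer signatures (added example, constructed data).

Assumptions: appid = 'wx' + 16 alphanumerics (18 bytes), mch_id = 10 digits.
Candidates are not verified against the WeChatPay Web API here.
"""
import re
from collections import defaultdict

APPID_RE = re.compile(r"\bwx[0-9A-Za-z]{16}\b")
# Exactly ten digits, not embedded in a longer digit run (timestamps etc.).
MCH_ID_RE = re.compile(r"(?<!\d)\d{10}(?!\d)")


def find_payment_identifiers(strings):
    """Return (appids, mch_ids) candidate sets found among string constants."""
    appids, mch_ids = set(), set()
    for s in strings:
        appids.update(APPID_RE.findall(s))
        mch_ids.update(MCH_ID_RE.findall(s))
    return appids, mch_ids


def correlate(apks):
    """apks: iterable of dicts with keys 'signature', 'company', 'strings'.

    Returns (signature -> set of appids, appid -> set of company names),
    the two relations whose shape the paper reports (one signature, several
    appids; one appid, a single company).
    """
    sig_to_appids = defaultdict(set)
    appid_to_companies = defaultdict(set)
    for apk in apks:
        appids, _ = find_payment_identifiers(apk["strings"])
        for appid in appids:
            sig_to_appids[apk["signature"]].add(appid)
            appid_to_companies[appid].add(apk["company"])
    return dict(sig_to_appids), dict(appid_to_companies)


def one_company_per_appid(appid_to_companies) -> bool:
    """True when every payment identifier maps to exactly one company."""
    return all(len(companies) == 1 for companies in appid_to_companies.values())


# Constructed identifiers and decompiled-string excerpts (not real merchants).
APPID_A = "wx" + "a" * 16
APPID_B = "wx" + "b" * 16
APPID_C = "wx" + "c" * 16

SAMPLE_APKS = [
    {"signature": "SIG_A", "company": "Company X", "strings": [
        f'const-string v0, "{APPID_A}"',
        'const-string v1, "1234567890"',        # mch_id candidate
        'const-string v2, "wx_pay_result"',     # decoy: not an appid
        'const-string v3, "1508000000000"',     # decoy: 13-digit timestamp
    ]},
    {"signature": "SIG_A", "company": "Company Y", "strings": [
        f'const-string v0, "{APPID_B}"', 'const-string v1, "2345678901"']},
    {"signature": "SIG_B", "company": "Company Y", "strings": [
        f'const-string v0, "{APPID_B}"', 'const-string v1, "2345678901"']},
    {"signature": "SIG_B", "company": "Company Z", "strings": [
        f'const-string v0, "{APPID_C}"', 'const-string v1, "3456789012"']},
]

if __name__ == "__main__":
    sigs, companies = correlate(SAMPLE_APKS)
    for sig, ids in sigs.items():
        print(sig, "->", sorted(ids))
    print("one company per appid:", one_company_per_appid(companies))
```

In the constructed data, signature SIG_A ships two different appids under two company names while each appid stays with a single company, reproducing the relationship the paragraph reports; on real decompiled output the candidate sets still have to be confirmed, as the paper does with the WeChatPay Web API.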

Profit Estimation of FD Apps
It is non-trivial for us to estimate the profit of these FD apps. Although we found that several apps have vulnerabilities (e.g., leaking their WeChat Payment security key) that could be exploited, we did not resort to exploiting these apps to collect unpublished revenue data, for ethical reasons. Several reports have disclosed some information related to the revenue of this kind of app. For example, it was reported that the Chinese police uncovered a fraudulent dating app case in early 2018, and the app was reported to have earned more than 100 million US dollars in one year. We therefore rely on these reports and, based on the real-world cases they describe, estimate that the payment rate of these apps varies between 1% and 10% of the number of downloads on average. As shown in Table 13, the accumulated revenue estimated for all the FD apps in this paper is around 200 million to 2 billion US dollars, and each app has an estimated revenue of around 4 million to 40 million dollars, which is in line with the cited reports.

Detection Results of VirusTotal
We upload all the identified FD apps to VirusTotal to explore how many of them can be flagged by existing anti-virus engines. Surprisingly, more than half of them are labeled as malware by fewer than one anti-virus engine, meaning that most anti-virus engines are not able to flag these FD apps. Only 5% of the apps are flagged by more than 10 anti-virus engines. This result suggests that FD apps cannot be sufficiently identified by existing anti-virus engines. We then analyze the distribution of the malware families labeled by VirusTotal, as shown in Table 14. It is interesting to see that although roughly 700 APKs (18.7%) are labeled as LoveFraud (PUA) by at least one engine, more than 80% of the apps in our dataset are not identified as LoveFraud, even though they share the same behaviors and belong to the same families.

Implication
Besides showing that there are many FD apps, our paper also delivers the following implications.
New approaches to detect FD apps. As demonstrated experimentally, FD apps cannot be sufficiently identified by VirusTotal, showing that our community needs to introduce new automated or semi-automated approaches to detect them. The various characteristics of FD apps summarized in this work could help in building such detectors. For example, one malicious developer signature usually corresponds to several company names, which could help identify suspicious apps in the markets. Besides, the detection results for FD apps could help police and regulators identify the fraud rings behind the scenes.
A new and yet uncovered possible business model for developing and distributing malware. Empirically, we found that many FD apps share similar code implementations (i.e., they are unlikely to have been implemented independently) while being released under different package names by different companies. We hence hypothesize that these apps are bought (cloned) from some app developers by these so-called distributors (implemented once and sold many times). This sheds light on the possible business model of other kinds of malware (e.g., ransomware), though further investigation is needed.
Ranking fraud in app markets. FD apps use ASO (app store optimization) methods (e.g., fake positive reviews) and various channels (app markets and ad networks) for app promotion and distribution, which could offer insights for general malware detection. Moreover, it implies that market operators need to apply effective means to detect, and hence prevent, ranking fraud.

Ethical Consideration
Indeed, any data collected from real users needs to be carefully processed. We take a series of steps to preserve the privacy of the (possibly) involved users and malicious developers in our data set. First, all raw data collected for this study is publicly available; we did not resort to exploiting the apps to collect unpublished data (e.g., revenue data), even though we found that several apps have vulnerabilities that could be exploited. Second, we did not retain the account profiles we crawled from the apps after our experiment, even though almost all of them are fake. Third, all the user avatars shown in the paper are believed to be fake profiles and can be found on the public Internet, which we believe does not violate anyone's privacy.

Limitation
First, the method used to detect FD apps is conservative and may miss some of them. For instance, we use keywords and embedded in-app purchase libraries to find candidate apps. Though this method led us to the discovery of 23,546 candidate apps, the list of keywords and in-app purchase libraries may not be complete and could introduce false negatives. In addition, we use a heuristic to find fake reviews: specifically, exact text matching to find repeated reviews. This may miss reviews that have the same meaning but different wording. Second, we find that FD apps are distributed through app markets and advertising networks. These include the app markets of leading phone vendors, e.g., Huawei, and advertising networks of world-class Internet companies, e.g., Baidu and Tencent. The VirusTotal results show that most anti-virus engines cannot detect these apps. These worrisome facts call for a more effective detection scheme for these apps, and a better vetting process for apps in app markets and advertising networks.
Our study mainly focuses on apps in the Chinese app markets. Most of the fraudulent dating apps analyzed in this paper target users in China, possibly due to the biased regional distribution of apps in our dataset. However, we believe such apps may exist in many other countries and in other languages as well, especially in places where app vetting is not strictly enforced when apps are uploaded to an app market. In our future work, we plan to extend our crawler to download more apps from app markets in other countries.

RELATED WORK
This paper is motivated by the work of Caballero et al. [22] and of Thomas [23], who have investigated the so-called "underground economy" associated with malicious apps (or unwanted software). FD apps fall into the same research line. To the best of our knowledge, the ecosystem of FD apps has not yet been investigated. Nevertheless, various studies have explored the general fraudulent behaviors in the mobile app ecosystem as well as the security aspect of dating apps.

Fraudulent Behaviors
Fraudulent behaviors have been widely explored in the mobile app ecosystem [24], [25], [26], [27], [28], [29]. The most common issue is ad fraud, where a miscreant's code fetches ads without displaying them to the user or "clicks" ads automatically [30], [31], [32], [33], [34]. For example, Crussell et al. [30] revealed two fraudulent ad behaviors: (1) ads are requested by apps running in the background and (2) ads are clicked without user interaction (also known as click fraud [35]). More recently, Dong et al. [28] revealed seven types of ad fraud and further demonstrated that such ad-fraudulent apps are also likely to violate app market policies, risking removal from app markets [29]. Besides ad fraud, other types of fraud have been disclosed by several researchers. For example, Liu et al. [26] explored usage fraud, which is used to boost usage statistics on third-party analytics services like Google Analytics, resulting in inaccurate numbers that could eventually mislead investors. Xie et al. [36] analyzed review fraud in mobile apps and found that some mobile app developers turn to the underground market to buy positive reviews. We also found in this paper that FD apps use fake positive reviews for app promotion. Our work focuses on fraudulent dating Android apps and reveals a new type of fraudulent behavior, which has not been systematically studied.

Security and Privacy in Dating Apps and Online Dating Websites
Dating apps have raised security and privacy concerns in recent years [37], [38], [39], [40], [41]. As shown by Shetty et al. [37], mobile dating apps are potentially vulnerable to security risks. For example, they demonstrated that it is quite trivial to conduct a man-in-the-middle attack against most dating apps, resulting in leaks of app users' private data. Similarly, Hoang et al. [42] argue that trilateration threatens the location privacy of users of location-based mobile apps. They demonstrate that it is possible for an adversary to identify the location of an individual who is using dating apps, even when location-hiding features are enabled. Similar findings have also been reported by Carman et al. [43], who empirically presented their experiments on a popular dating app called Tinder. In addition to leaking location information directly, certain sensitive information (e.g., nearby usernames, profile pictures, messages, etc.) can also be recovered from users' devices based on the residual data generated by dating apps [38]. Our work does not target the potential security and privacy concerns of legitimate dating apps, but reveals a new type of malicious dating app, i.e., fraudulent dating apps.
Moreover, we want to clarify that the fraudulent behaviors of these apps differ from the well-known romance scam [9], [44], [45], [46]. In particular, romance scams usually involve real persons who communicate with victims through phone calls and emails and try to gain access to victims' money or bank accounts. In FD apps, however, chatbots rather than real persons communicate with victims, and the main purpose is to lure the victim into buying a premium service, not to obtain financial information. Nevertheless, we find that there are still some common aspects between them. For instance, seductive account profile avatars are used to attract victims in both romance scams and FD apps.

CONCLUSION
In this work, we perform a systematic study of fraudulent dating apps, including their characteristics, business model, distribution networks and impact on affected users. Our research has produced various findings that were previously unknown to the community. Given the financial loss to victims and the fact that current anti-virus engines cannot detect most of these apps, we argue that an effective solution should be proposed to detect such apps, or to block their distribution in the first place, in order to protect users.