{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T10:00:07Z","timestamp":1775815207227,"version":"3.50.1"},"reference-count":69,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T00:00:00Z","timestamp":1733788800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Meas. Anal. Comput. Syst."],"published-print":{"date-parts":[[2024,12,10]]},"abstract":"<jats:p>The thriving mobile app ecosystem encompasses a wide range of functionalities. However, within this ecosystem, a subset of apps provides illicit services such as gambling and pornography to pursue economic gains, collectively referred to as \"underground economy apps\". While previous studies have examined these apps' characteristics and identification methods, investigations into their distribution via platforms beyond app markets (like Telegram) remain scarce, which has emerged as a crucial channel for underground activities and cybercrime due to the robust encryption and user anonymity.<\/jats:p>\n          <jats:p>This study provides the first comprehensive exploration of the underground mobile app ecosystem on Telegram. Overcoming the complexities of the Telegram environment, we build a novel dataset and analyze the prevalence, promotional strategies, and characteristics of these apps. Our findings reveal the significant prevalence of these apps on Telegram, with the total sum of subscription user numbers across channels promoting these apps equivalent to 1% of Telegram's user base. We find these apps primarily cater to gambling and pornography services. 
We uncover sophisticated promotional strategies involving complex networks of apps, websites, users, and channels, and identify significant gaps in Telegram's content moderation capabilities. Our analysis also exposes the misuse of iOS features for app distribution and the prevalence of malicious behaviors in these apps. This research not only enhances our understanding of the underground app ecosystem but also provides valuable insights for developing effective regulatory measures and protecting users from potential risks associated with these covert operations. Our findings provide implications for platform regulators, app market operators, law enforcement agencies, and cybersecurity professionals in combating the proliferation of underground apps on encrypted messaging platforms.<\/jats:p>","DOI":"10.1145\/3700432","type":"journal-article","created":{"date-parts":[[2024,12,13]],"date-time":"2024-12-13T12:12:12Z","timestamp":1734091932000},"page":"1-25","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Beyond App Markets: Demystifying Underground Mobile App Distribution Via Telegram"],"prefix":"10.1145","volume":"8","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0051-3397","authenticated-orcid":false,"given":"Yanhui","family":"Guo","sequence":"first","affiliation":[{"name":"Beijing University of Posts and Telecommunications, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-6067-8007","authenticated-orcid":false,"given":"Dong","family":"Wang","sequence":"additional","affiliation":[{"name":"Beijing University of Posts and Telecommunications, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3982-4993","authenticated-orcid":false,"given":"Liu","family":"Wang","sequence":"additional","affiliation":[{"name":"Beijing University of Posts and Telecommunications, Beijing, 
China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-5734-759X","authenticated-orcid":false,"given":"Yongsheng","family":"Fang","sequence":"additional","affiliation":[{"name":"Beijing University of Posts and Telecommunications, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-8117-0352","authenticated-orcid":false,"given":"Chao","family":"Wang","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, Hubei, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3772-4240","authenticated-orcid":false,"given":"Minghui","family":"Yang","sequence":"additional","affiliation":[{"name":"OPPO, Shenzhen, Guangdong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5216-933X","authenticated-orcid":false,"given":"Tianming","family":"Liu","sequence":"additional","affiliation":[{"name":"Monash University &amp; Huazhong University of Science and Technology, Melbourne, Victoria, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1100-8633","authenticated-orcid":false,"given":"Haoyu","family":"Wang","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, Hubei, China"}]}],"member":"320","published-online":{"date-parts":[[2024,12,13]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"2019. Cyber Security Asean. https:\/\/cybersecurityasean.com\/news-press-releases\/july-2019%E2%80%99s-most-wantedmalware-vulnerability-opendreambox-200-webadmin-plugin."},{"key":"e_1_2_1_2_1","unstructured":"2020. Telegram's massive revenge porn problem has made these women's lives hell. https:\/\/mashable.com\/article\/nudesrevenge-porn-crime-telegram."},{"key":"e_1_2_1_3_1","unstructured":"2021. A Threat Analysis of Sideloading. https:\/\/www.apple.com\/privacy\/docs\/Building_a_Trusted_Ecosystem_for_ Millions_of_Apps_A_Threat_Analysis_of_Sideloading.pdf."},{"key":"e_1_2_1_4_1","unstructured":"2022. Telegram: A Cybercriminal Hotspot - Compromised Financial Accounts. 
https:\/\/cybersixgill.com\/news\/articles\/ telegram-a-cybercriminal-hotspot-compromised-financial-accounts."},{"key":"e_1_2_1_5_1","unstructured":"2023. Is Telegram turning into a hub for cybercrime activities? https:\/\/10guards.com\/en\/articles\/is-telegram-turninginto-a-hub-for-cybercrime-activities\/."},{"key":"e_1_2_1_6_1","unstructured":"2023. Money mules: Scam syndicates use Telegram to recruit young people for bank and Singpass accounts. https:\/\/www.straitstimes.com\/singapore\/courts-crime\/money-mules-scam-syndicates-use-telegram-torecruit-young-people-for-bank-and-singpass-accounts."},{"key":"e_1_2_1_7_1","unstructured":"2023. Stories and 10 Years of Telegram. https:\/\/telegram.org\/blog\/stories."},{"key":"e_1_2_1_8_1","volume-title":"Telegram and OSINT Investigations: An Essential Platform","year":"2023","unstructured":"2023. Telegram and OSINT Investigations: An Essential Platform in 2023. https:\/\/flare.io\/learn\/resources\/blog\/telegraminvestigation\/."},{"key":"e_1_2_1_9_1","unstructured":"2023. Top Industries Significantly Impacted by Illicit Telegram Networks. https:\/\/thehackernews.com\/2023\/08\/topindustries-significantly-impacted.html."},{"key":"e_1_2_1_10_1","unstructured":"2024. androguard: Reverse engineering and pentesting for Android applications. https:\/\/github.com\/androguard\/ androguard."},{"key":"e_1_2_1_11_1","unstructured":"2024. AppBrain. https:\/\/www.appbrain.com\/stats\/libraries\/development-tools."},{"key":"e_1_2_1_12_1","unstructured":"2024. Apple Apple Developer Enterprise Program. https:\/\/developer.apple.com\/programs\/enterprise."},{"key":"e_1_2_1_13_1","unstructured":"2024. Apple iTunes search API. https:\/\/affiliate.itunes.apple.com\/resources\/documentation\/itunes-store-web-servicesearch-api\/."},{"key":"e_1_2_1_14_1","unstructured":"2024. Apple Web Clips MDM payload settings for Apple devices. 
https:\/\/support.apple.com\/en-mn\/guide\/deployment\/ depbc7c7808\/1\/web\/1.0."},{"key":"e_1_2_1_15_1","unstructured":"2024. Build for any screen. https:\/\/flutter.dev."},{"key":"e_1_2_1_16_1","unstructured":"2024. Burp Suite: Application Security Testing Software. https:\/\/portswigger.net\/burp."},{"key":"e_1_2_1_17_1","unstructured":"2024. Google Google play store. https:\/\/play.google.com\/store\/apps."},{"key":"e_1_2_1_18_1","unstructured":"2024. Huawei Huawei app store. https:\/\/consumer.huawei.com\/cn\/support\/appgallery\/."},{"key":"e_1_2_1_19_1","unstructured":"2024. IPinfo Official Python Library for IPinfo API (IP geolocation and other types of IP data). https:\/\/github.com\/ ipinfo\/python."},{"key":"e_1_2_1_20_1","unstructured":"2024. Kaspersky Threats - AdWare.Win32.SoftPulse.gokp. https:\/\/threats.kaspersky.com\/en\/threat\/AdWare.Win32. SoftPulse.gokp\/."},{"key":"e_1_2_1_21_1","unstructured":"2024. Kaspersky Threats - Boogr. https:\/\/threats.kaspersky.com\/en\/threat\/Trojan.AndroidOS.Boogr\/."},{"key":"e_1_2_1_22_1","unstructured":"2024. Kaspersky Threats - Mobtes. https:\/\/threats.kaspersky.com\/en\/threat\/Trojan.AndroidOS.Mobtes\/."},{"key":"e_1_2_1_23_1","unstructured":"2024. Kaspersky Threats - Trojan.AndroidOS.Piom.bbdw. https:\/\/threats.kaspersky.com\/en\/threat\/Trojan.AndroidOS. Piom.bbdw\/."},{"key":"e_1_2_1_24_1","unstructured":"2024. macaca: Automation solution for multi-platform. https:\/\/github.com\/alibaba\/macaca."},{"key":"e_1_2_1_25_1","unstructured":"2024. PaddleOCR: Awesome multilingual OCR toolkits based on PaddlePaddle. https:\/\/github.com\/PaddlePaddle\/ PaddleOCR."},{"key":"e_1_2_1_26_1","unstructured":"2024. plistlib: Generate and parse Apple .plist files. https:\/\/docs.python.org\/3\/library\/plistlib.html."},{"key":"e_1_2_1_27_1","unstructured":"2024. requests A simple yet elegant HTTP library. https:\/\/pypi.org\/project\/requests\/."},{"key":"e_1_2_1_28_1","unstructured":"2024. 
The Rise of Cybercrime on Telegram and Discord and the Need for Continuous Monitoring. https:\/\/www. cloudsek.com\/blog\/the-rise-of-cybercrime-on-telegram-and-discord-and-the-need-for-continuous-monitoring."},{"key":"e_1_2_1_29_1","unstructured":"2024. Selenium automates browsers. That's it! https:\/\/www.selenium.dev\/."},{"key":"e_1_2_1_30_1","unstructured":"2024. Telegram channels and groups catalog | TGStat. https:\/\/tgstat.com\/."},{"key":"e_1_2_1_31_1","unstructured":"2024. Telegram Search Engine Send keywords to search for groups and channels! This advertising space is available for sponsorship. https:\/\/t.me\/TGbaiduCN."},{"key":"e_1_2_1_32_1","unstructured":"2024. Telegram Telegram API. https:\/\/core.telegram.org."},{"key":"e_1_2_1_33_1","unstructured":"2024. TelegramChannels: Discover The Best Telegram Channels. https:\/\/telegramchannels.me\/."},{"key":"e_1_2_1_34_1","unstructured":"2024. Telethon: Pure Python 3 MTProto API Telegram client library for bots too! https:\/\/github.com\/LonamiWebs\/ Telethon."},{"key":"e_1_2_1_35_1","unstructured":"2024. TestFlight: Beta Testing made simple with TestFlight. https:\/\/developer.apple.com\/cn\/testflight\/."},{"key":"e_1_2_1_36_1","unstructured":"2024. VirusTotal: Analyse suspicious files domains IPs and URLs to detect malware and other breaches automatically share them with the security community. https:\/\/www.virustotal.com\/."},{"key":"e_1_2_1_37_1","unstructured":"2024. whois. https:\/\/github.com\/richardpenman\/whois."},{"key":"e_1_2_1_38_1","unstructured":"2024. Xiaomi Xiaomi app store. https:\/\/app.mi.com\/."},{"key":"e_1_2_1_39_1","unstructured":"2024. ZXing (\"Zebra Crossing\") barcode scanning library for Java Android. 
https:\/\/github.com\/zxing\/zxing."},{"key":"e_1_2_1_40_1","volume-title":"Damien Octeau, and Patrick McDaniel.","author":"Arzt Steven","year":"2014","unstructured":"Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. ACM sigplan notices 49, 6 (2014), 259--269."},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1088\/1742-5468\/2008\/10\/P10008"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3387903.3389308"},{"key":"e_1_2_1_43_1","first-page":"0","article-title":"An underground industry application collection method based on flow analysis","volume":"35","author":"Chen Pei","year":"2024","unstructured":"Pei Chen, Gang Hong, Mengying Wu, Jinsong Chen, Haixin Duan, and Min Yang. 2024. An underground industry application collection method based on flow analysis. Journal of Software 35, 8 (2024), 0--0.","journal-title":"Journal of Software"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598051"},{"key":"e_1_2_1_45_1","volume-title":"Lifting The Grey Curtain: A First Look at the Ecosystem of CULPRITWARE. arXiv preprint arXiv:2106.05756","author":"Chen Zhuo","year":"2021","unstructured":"Zhuo Chen, Lei Wu, Jing Cheng, Yubo Hu, Yajin Zhou, Zhushou Tang, Yexuan Chen, Jinku Li, and Kui Ren. 2021. Lifting The Grey Curtain: A First Look at the Ecosystem of CULPRITWARE. arXiv preprint arXiv:2106.05756 (2021)."},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3449932"},{"key":"e_1_2_1_47_1","volume-title":"Measurement of Illegal Android Gambling App Ecosystem From Joint Promotion Perspective. In 2023 IEEE 10th International Conference on Data Science and Advanced Analytics (DSAA). 
IEEE, 1--11","author":"Han Yadi","year":"2023","unstructured":"Yadi Han, Shanshan Wang, Yiwen Li, Xueyang Cao, Limei Huang, and Zhenxiang Chen. 2023. Measurement of Illegal Android Gambling App Ecosystem From Joint Promotion Perspective. In 2023 IEEE 10th International Conference on Data Science and Advanced Analytics (DSAA). IEEE, 1--11."},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833665"},{"key":"e_1_2_1_49_1","volume-title":"Measurement of the Usage of Web Clips in Underground Economy. arXiv preprint arXiv:2209.03319","author":"Hu Qinyu","year":"2022","unstructured":"Qinyu Hu, Songyang Wu, Wenqi Sun, Zhushou Tang, Chaofan Chen, Zhiguo Ding, and Xiaomei Zhang. 2022. Measurement of the Usage of Web Clips in Underground Economy. arXiv preprint arXiv:2209.03319 (2022)."},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2019.2908939"},{"key":"e_1_2_1_51_1","volume-title":"Alessandro Mei, Alberto Maria Mongardini, and Francesco Sassi.","author":"Imperati Vincenzo","year":"2023","unstructured":"Vincenzo Imperati, Massimo La Morgia, Alessandro Mei, Alberto Maria Mongardini, and Francesco Sassi. 2023. The Conspiracy Money Machine: Uncovering Telegram's Conspiracy Channels and their Profit Model. arXiv preprint arXiv:2310.15977 (2023)."},{"key":"e_1_2_1_52_1","volume-title":"TGDataset: a Collection of Over One Hundred Thousand Telegram Channels. arXiv preprint arXiv:2303.05345","author":"Morgia Massimo La","year":"2023","unstructured":"Massimo La Morgia, Alessandro Mei, and Alberto Maria Mongardini. 2023. TGDataset: a Collection of Over One Hundred Thousand Telegram Channels. arXiv preprint arXiv:2303.05345 (2023)."},{"key":"e_1_2_1_53_1","volume-title":"Alberto Maria Mongardini, and Jie Wu","author":"Morgia Massimo La","year":"2021","unstructured":"Massimo La Morgia, Alessandro Mei, Alberto Maria Mongardini, and Jie Wu. 2021. 
Uncovering the dark side of Telegram: Fakes, clones, scams, and conspiracy movements. arXiv preprint arXiv:2111.13530 (2021)."},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICWS60048.2023.00026"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11390-019-1918-8"},{"key":"e_1_2_1_56_1","volume-title":"2017 IEEE\/ACM 39th International Conference on Software Engineering Companion (ICSE-C). IEEE, 23--26","author":"Li Yuanchun","year":"2017","unstructured":"Yuanchun Li, Ziyue Yang, Yao Guo, and Xiangqun Chen. 2017. Droidbot: a lightweight ui-guided test input generator for android. In 2017 IEEE\/ACM 39th International Conference on Software Engineering Companion (ICSE-C). IEEE, 23--26."},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/2889160.2889178"},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3366424.3383567"},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3487351.3488278"},{"key":"e_1_2_1_60_1","volume-title":"28th {USENIX} Security Symposium ({USENIX} Security 19). 729--746.","author":"Pendlebury Feargus","unstructured":"Feargus Pendlebury, Fabio Pierazzi, Roberto Jordaney, Johannes Kinder, and Lorenzo Cavallaro. 2019. {TESSERACT}: Eliminating experimental bias in malware classification across space and time. In 28th {USENIX} Security Symposium ({USENIX} Security 19). 729--746."},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427261"},{"key":"e_1_2_1_62_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Shen Yun","year":"2022","unstructured":"Yun Shen, Pierre-Antoine Vervier, and Gianluca Stringhini. 2022. A large-scale temporal measurement of android malicious apps: Persistence, migration, and lessons learned. In 31st USENIX Security Symposium (USENIX Security 22). 
1167--1184."},{"key":"e_1_2_1_63_1","volume-title":"Social Networks and Texts: 9th International Conference, AIST 2020","author":"Tikhomirova Kseniia","year":"2021","unstructured":"Kseniia Tikhomirova and Ilya Makarov. 2021. Community detection based on the nodes role in a network: The telegram platform case. In Analysis of Images, Social Networks and Texts: 9th International Conference, AIST 2020, Skolkovo, Moscow, Russia, October 15--16, 2020, Revised Selected Papers 9. Springer, 294--302."},{"key":"e_1_2_1_64_1","volume-title":"Trade-based money laundering: a systematic literature review. Journal of Accounting Literature","author":"Tiwari Milind","year":"2024","unstructured":"Milind Tiwari, Jamie Ferrill, and Douglas MC Allan. 2024. Trade-based money laundering: a systematic literature review. Journal of Accounting Literature (2024)."},{"key":"e_1_2_1_65_1","volume-title":"Proceedings of the 2023 ACM on Internet Measurement Conference. 253--267","author":"Dong Feng","year":"2023","unstructured":"Jingjing Wang, Liu Wang, Feng Dong, and Haoyu Wang. 2023. Re-measuring the label dynamics of online anti-malware engines from millions of samples. In Proceedings of the 2023 ACM on Internet Measurement Conference. 253--267."},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3487553.3524629"},{"key":"e_1_2_1_67_1","volume-title":"Proceedings of the 32nd IEEE\/ACM International Conference on Program Comprehension. 358--369","author":"Zhao Yijun","year":"2024","unstructured":"Yijun Zhao, Lingjing Yu, Yong Sun, Qingyun Liu, and Bo Luo. 2024. No Source Code? No Problem! Demystifying and Detecting Mask Apps in iOS. In Proceedings of the 32nd IEEE\/ACM International Conference on Program Comprehension. 358--369."},{"key":"e_1_2_1_68_1","volume-title":"Proceedings 28","author":"Zhauniarovich Yury","year":"2014","unstructured":"Yury Zhauniarovich, Olga Gadyatskaya, Bruno Crispo, Francesco La Spina, and Ermanno Moser. 2014. 
FSquaDRA: Fast detection of repackaged applications. In Data and Applications Security and Privacy XXVIII: 28th Annual IFIP WG 11.3 Working Conference, DBSec 2014, Vienna, Austria, July 14--16, 2014. Proceedings 28. Springer, 130--145."},{"key":"e_1_2_1_69_1","volume-title":"29th USENIX Security Symposium (USENIX Security . 2361--2378","author":"Zhu Shuofei","year":"2020","unstructured":"Shuofei Zhu, Jianjun Shi, Limin Yang, Boqin Qin, Ziyi Zhang, Linhai Song, and Gang Wang. 2020. Measuring and modeling the label dynamics of online {Anti-Malware} engines. In 29th USENIX Security Symposium (USENIX Security . 2361--2378."}],"container-title":["Proceedings of the ACM on Measurement and Analysis of Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3700432","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3700432","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T00:14:57Z","timestamp":1755908097000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3700432"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,10]]},"references-count":69,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2024,12,10]]}},"alternative-id":["10.1145\/3700432"],"URL":"https:\/\/doi.org\/10.1145\/3700432","relation":{},"ISSN":["2476-1249"],"issn-type":[{"value":"2476-1249","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,12,10]]},"assertion":[{"value":"2024-12-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}