Hongyu Lin (Zhejiang University), Yicheng Hu (Zhejiang University), Haitao Xu (Zhejiang University), Yanchen Lu (Zhejiang University), Mengxia Ren (Zhejiang University), Shuai Hao (Old Dominion University), Chuan Yue (Colorado School of Mines), Zhao Li (Hangzhou Yugu Technology), Fan Zhang (Zhejiang University), Yixin Jiang (Electric Power Research Institute, CSG)

Chameleon apps evade iOS App Store review by presenting legitimate functionality during submission while transforming into illicit variants post-installation. While prevalent, their underlying transformation methods and developer-user collusion dynamics remain poorly understood. Existing detection approaches, constrained by static analysis or metadata dependencies, prove ineffective against hybrid implementations, novel variants, or metadata-scarce instances. To address these limitations, we establish a curated dataset of 500 iOS Chameleon apps collected through covert distribution channels, enabling systematic identification of 10 categories of distinct transformation patterns (including 4 previously undocumented variants). Building upon these findings, we present ChameleoScan, the first LLM-driven automated UI exploration framework for reliable Chameleon app verification. The system maintains local decision interpretability while ensuring global detection consistency through its core innovations: predictive metadata analytics, semantic interface comprehension, and human-comparable interaction strategies. Comprehensive evaluation on 1,644 iOS apps demonstrates operational efficacy (9.85% detection rate, 92.59% precision), with findings formally acknowledged by Apple. Implementation and datasets are available at https://github.com/ChameleoScan.
