Rooting is the process of allowing users of devices, such as smartphones, tablets, or other devices using mobile-type operating systems, to attain privileged control, also known as root access, within the subsystem. Non-rooted devices are devices that do not permit root access to third-party applications.

Mobile devices can be infected with malicious software, also known as “malware.” Malware, short for malicious or malevolent software, is used or created by attackers to disrupt computer operations, gather sensitive information, or gain access to private computer systems. The term may also refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, spyware, adware, and other malicious programs.

One way that malware is installed on mobile devices is by a user installing a mobile application (sometimes referred to just as an “app”) from an online software store, sometimes referred to as an application marketplace, application store, or app store. These application marketplaces are mobile software distribution platforms that deliver software to requesting devices without the use of physical media, usually over online delivery mediums such as the Internet. There are various application marketplaces, such as, for example, App Store (iOS), Amazon Appstore, Mac App Store, Windows Store, Pokki Store, Google Play or the like.
Identifying the source (application marketplace) from which mobile apps are downloaded may be helpful in detecting malware and privacy risks. Among other things, identifying the source can help security providers prioritize crawling efforts and sample application marketplaces to determine reputations and confidences in these application marketplaces, since some application marketplaces are more likely to host malware than others.

Mobile security products, such as mobile security products for the Android platform, submit information (sometimes referred to as telemetry) about applications that users install on their mobile devices. This telemetry includes, for each application, a field called “Installer,” which is supposed to contain the application marketplace installer that installed the application. Android users sometimes use an application marketplace installer to install a new application. For example, users may use the Google Play app to install apps from the official Google Marketplace, or the Amazon Appstore app to install apps from the Amazon Appstore.

The “Installer” field that is submitted is based on a return value of the PackageManager.getPackageInstaller() API. Unfortunately, in some cases this value is NULL. This is because the installer name is optionally set by the application marketplace and some application marketplaces do not set it. This deficiency may be particularly relevant on non-rooted devices since mobile security apps are typically run on non-rooted devices.
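
The following added example (not part of the original text) shows how a NULL “Installer” value affects marketplace prioritization on the provider side: records without an installer fall into an unattributed bucket and cannot contribute to any marketplace's observed malware rate. The record layout, the `verdict` field, and the store name `com.example.altstore` are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

UNATTRIBUTED = "<unattributed>"

# Constructed sample telemetry. Only the "installer" field comes from the
# text; "package" and "verdict" are assumed fields for illustration.
TELEMETRY = [
    {"package": "com.example.notes", "installer": "com.android.vending", "verdict": "clean"},
    {"package": "com.example.maps", "installer": "com.android.vending", "verdict": "clean"},
    {"package": "com.example.mail", "installer": "com.android.vending", "verdict": "clean"},
    {"package": "com.example.reader", "installer": "com.amazon.venezia", "verdict": "clean"},
    {"package": "com.example.radio", "installer": "com.amazon.venezia", "verdict": "clean"},
    {"package": "com.example.torch", "installer": "com.example.altstore", "verdict": "malicious"},
    {"package": "com.example.chess", "installer": "com.example.altstore", "verdict": "clean"},
    {"package": "com.example.wall", "installer": None, "verdict": "malicious"},
    {"package": "com.example.clock", "installer": None, "verdict": "clean"},
    {"package": "com.example.calc", "installer": "", "verdict": "clean"},
]

def normalize_installer(value):
    """Map NULL, missing, or blank installer values to one bucket."""
    if not isinstance(value, str) or not value.strip():
        return UNATTRIBUTED
    return value.strip()

def marketplace_stats(records):
    """Count installed and malicious apps per installer."""
    stats = defaultdict(lambda: {"apps": 0, "malicious": 0})
    for rec in records:
        key = normalize_installer(rec.get("installer"))
        stats[key]["apps"] += 1
        if rec.get("verdict") == "malicious":
            stats[key]["malicious"] += 1
    return dict(stats)

def crawl_priority(records, min_apps=2):
    """Rank attributed marketplaces by observed malware rate, highest first."""
    ranked = [
        (name, s["malicious"] / s["apps"])
        for name, s in marketplace_stats(records).items()
        if name != UNATTRIBUTED and s["apps"] >= min_apps
    ]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))

def unattributed_share(records):
    """Fraction of telemetry records that cannot be tied to a marketplace."""
    stats = marketplace_stats(records)
    total = sum(s["apps"] for s in stats.values())
    return stats.get(UNATTRIBUTED, {"apps": 0})["apps"] / total if total else 0.0
```

In this constructed data, one of the two malicious samples carries no installer, so it raises no marketplace's rate and is visible only through `unattributed_share`.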