AnDarwin: Scalable Detection of Semantically Similar Android Applications

Crussell, Jonathan; Gibler, Clint; Chen, Hao

doi:10.1007/978-3-642-40203-6_11

Cited by 112 publications

(77 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To evaluate the quality of our approach we would like to compare our results with some state-of-art code similarity-based repackaging detection technique, e.g., [16,15,7,10]. Unfortunately, these tools were not released publicly, and we were not able to obtain them.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

FSquaDRA: Fast Detection of Repackaged Applications

Zhauniarovich

Gadyatskaya

Crispo

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. The ease of Android applications repackaging and proliferation of application clones in Google Play and other markets call for new effective techniques to detect repackaged code and combat distribution of cloned applications. Today all existing techniques for repackaging detection are based on code similarity or feature (e.g., permission set) similarity evaluation. We propose a new approach to detect repackaging based on the resource files available in application packages. Our tool called FSquaDRA performs a quick pairwise application comparison (full pairwise comparison for 55,000 applications in just 80 hours on a laptop), as it measures how many identical resources are present inside both packages under analysis. The intuition behind our approach is that malicious repackaged applications still need to maintain the "look and feel" of the originals by including the same images and other resource files, even though they might have additional code included or some of the original code removed. To evaluate the reliability of our approach we perform a comparison of the FSquaDRA similarity scores with the code-based similarity scores of AndroGuard for a dataset of randomly selected application pairs, and our results demonstrate strong positive correlation of the FSquaDRA resource-based score with the code-based similarity score.

show abstract

Section: Discussionmentioning

confidence: 99%

“…Currently the problem of Android app repackaging is widely explored and several solutions to identify plagiarized applications were proposed, e.g., [9,7,6,10,16,12]. All these solutions are based on features extracted from the app code.…”

Section: Introductionmentioning

confidence: 99%

FSquaDRA: Fast Detection of Repackaged Applications

Zhauniarovich

Gadyatskaya

Crispo

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Moreover, it can also capture dynamic behaviours of the programs by executing the compiled code. In the last few years, there have been several studies to discover cloned and plagiarised programs (especially mobile applications) based on compiled code (Chae et al 2013;Chen et al 2014;Gibler et al 2013;Crussell et al 2012Crussell et al , 2013Tian et al 2014;Tamada et al 2004;Myles and Collberg 2004;Hi et al 2009;Zhang et al 2012Zhang et al , 2014McMillan et al 2012;Luo et al 2014).…”

Section: Code Similarity Measurementmentioning

confidence: 99%

A comparison of code similarity analysers

2017

View full text Add to dashboard Cite

Copying and pasting of source code is a common activity in software engineering. Often, the code is not copied as it is and it may be modified for various purposes; e.g. refactoring, bug fixing, or even software plagiarism. These code modifications could affect the performance of code similarity analysers including code clone and plagiarism detectors to some certain degree. We are interested in two types of code modification in this study: pervasive modifications, i.e. transformations that may have a global effect, and local modifications, i.e. code changes that are contained in a single method or code block. We evaluate 30 code similarity detection techniques and tools using five experimental scenarios for Java source code. These are (1) pervasively modified code, created with tools for source code and bytecode obfuscation, and boiler-plate code, (2) source code normalisation through compilation and decompilation using different decompilers, (3) reuse of optimal configurations over different data sets, (4) tool evaluation using ranked-based measures, and (5) local + global code modifications. Our experimental results show that in the presence of pervasive modifications, some of the general textual similarity measures can offer similar performance to specialised code similarity tools, whilst in the presence of boiler-plate code, highly specialised source code similarity detection techniques and tools outperform textual similarity measures. Our study strongly validates the use of compilation/decompilation as a normalisation technique. Its use reduced false classifications to zero for three of the tools. Moreover, we demonstrate that optimal configurations are very sensitive to a specific data set. After directly applying optimal configurations derived from one data set to another, the tools perform poorly on the new data set. The code similarity analysers are thoroughly evaluated not only based on several well-known pair-based and query-based error measures but also on each specific type of pervasive code modification. This broad, thorough study is the largest in existence and potentially an invaluable guide for future users of similarity detection in source code.

show abstract

“…Some recent papers address the detection of re-packaged apps which often inject adware or malicious features into legitimate apps [39,38,15,14]. While some repackaged apps may contain malware, these techniques mainly focus on clone rather than malware detection.…”

Section: Related Workmentioning

confidence: 99%

Apposcopy: semantics-based detection of Android malware through static analysis

Anand

Dillig

et al. 2014

Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering

342

183

View full text Add to dashboard Cite

We present Apposcopy, a new semantics-based approach for identifying a prevalent class of Android malware that steals private user information. Apposcopy incorporates (i) a highlevel language for specifying signatures that describe semantic characteristics of malware families and (ii) a static analysis for deciding if a given application matches a malware signature. The signature matching algorithm of Apposcopy uses a combination of static taint analysis and a new form of program representation called Inter-Component Call Graph to efficiently detect Android applications that have certain control-and data-flow properties. We have evaluated Apposcopy on a corpus of real-world Android applications and show that it can effectively and reliably pinpoint malicious applications that belong to certain malware families.

show abstract

AnDarwin: Scalable Detection of Semantically Similar Android Applications

Cited by 112 publications

References 16 publications

FSquaDRA: Fast Detection of Repackaged Applications

FSquaDRA: Fast Detection of Repackaged Applications

A comparison of code similarity analysers

Apposcopy: semantics-based detection of Android malware through static analysis

Contact Info

Product

Resources

About