Semantics-Based Repackaging Detection for Mobile Apps

IEEE Trans.Inform.Forensic Secur.

et al. 2017

143

119

Abstract-The Android packaging model offers ample opportunities for malware writers to piggyback malicious code in popular apps, which can then be easily spread to a large user base. Although recent research has produced approaches and tools to identify piggybacked apps, the literature lacks a comprehensive investigation into such phenomenon. We fill this gap by 1) systematically building a large set of piggybacked and benign apps pairs, which we release to the community, 2) empirically studying the characteristics of malicious piggybacked apps in comparison with their benign counterparts, and 3) providing insights on piggybacking processes. Among several findings providing insights analysis techniques should build upon to improve the overall detection and classification accuracy of piggybacked apps, we show that piggybacking operations not only concern app code, but also extensively manipulates app resource files, largely contradicting common beliefs. We also find that piggybacking is done with little sophistication, in many cases automatically, and often via library code.

Section: Related Workmentioning

confidence: 99%

Understanding Android App Piggybacking: A Systematic Study of Malicious Code Grafting

IEEE Trans.Inform.Forensic Secur.

et al. 2017

143

119

“…The results of those approaches, however, also need to be vetted through a comprehensive pairwise comparison (e.g., to confirm the final accuracy). Actually, like SimiDroid, the majority work in detecting similar Android apps at the moment are still based on pairwise similarity comparison [3], [6], [13].…”

Section: A Identifying Similar Android Appsmentioning

confidence: 99%

“…Most of repackaged app detection works [3], [6] indeed do not come with reusable tools for the research community. To the best of our knowledge, Androguard [7] and FSquaDRA [8] are the main publicly available tools for app similarity analysis.…”

Section: Introductionmentioning

confidence: 99%

SimiDroid: Identifying and Explaining Similarities in Android Apps

2017 IEEE Trustcom/BigDataSE/Icess

Klein

2017

Abstract-App updates and repackaging are recurrent in the Android ecosystem, filling markets with similar apps that must be identified and analyzed to accelerate user adoption, improve development efforts, and prevent malware spreading. Despite the existence of several approaches to improve the scalability of detecting repackaged/cloned apps, researchers and practitioners are eventually faced with the need for a comprehensive pairwise comparison to understand and validate the similarities among apps. This paper describes the design of SimiDroid, a framework for multi-level comparison of Android apps. SimiDroid is built with the aim to support the understanding of similarities/changes among app versions and among repackaged apps. In particular, we demonstrate the need and usefulness of such a framework based on different case studies implementing different analyzing scenarios for revealing various insights on how repackaged apps are built. We further show that the similarity comparison plugins implemented in SimiDroid yield more accurate results than the state-of-the-art.

“…The observed knowledge can then be used to invent advanced techniques for taming the Android app piggybacking problem. Although several approaches have been proposed to tackle this problem [34], [5], their associated datasets are not always released to public [35], [6], [31], [36]. In other words, the research on piggybacked apps is challenged by the scarcity of datasets and benchmarks.…”

Section: Approachmentioning

confidence: 99%

“…The connection between carrier to rider is known as hook, which defines the point where the execution of malicious code can be triggered. State-of-the-art works have mainly focused on detecting piggybacked apps (or cloned apps in general) through similarity comparison [5], [6], [7], [8], [9], [10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24], [25], [26], [27], [28], [29], [30], [31]. However, pairwise comparison based approaches are not scalable for analyzing millions of Android apps that are now available in various markets.…”

Section: Introductionmentioning

confidence: 99%

Understanding Android App Piggybacking

2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C)

et al. 2017

The Android packaging model offers adequate opportunities for attackers to inject malicious code into popular benign apps, attempting to develop new malicious apps that can then be easily spread to a large user base. Despite the fact that the literature has already presented a number of tools to detect piggybacked apps, there is still lacking a comprehensive investigation on the piggybacking processes. To fill this gap, in this work, we collect a large set of benign/piggybacked app pairs that can be taken as benchmark apps for further investigation. We manually look into these benchmark pairs for understanding the characteristics of piggybacking apps and eventually we report 20 interesting findings. We expect these findings to initiate new research directions such as practical and scalable piggybacked app detection, explainable malware detection, and malicious code location.