skip to main content
10.1145/2627393.2627395acmconferencesArticle/Chapter ViewAbstractPublication PageswisecConference Proceedingsconference-collections
research-article

ViewDroid: towards obfuscation-resilient mobile application repackaging detection

Published: 23 July 2014 Publication History

Abstract

In recent years, as mobile smart device sales grow quickly, the development of mobile applications (apps) keeps accelerating, so does mobile app repackaging. Attackers can easily repackage an app under their own names or embed advertisements to earn pecuniary profits. They can also modify a popular app by inserting malicious payloads into the original app and leverage its popularity to accelerate malware propagation. In this paper, we propose ViewDroid, a user interface based approach to mobile app repackaging detection. Android apps are user interaction intensive and event dominated, and the interactions between users and apps are performed through user interface, or views. This observation inspires the design of our new birthmark for Android apps, namely, feature view graph, which captures users' navigation behavior across app views. Our experimental results demonstrate that this birthmark can characterize Android apps from a higher level abstraction, making it resilient to code obfuscation. ViewDroid can detect repackaged apps at a large scale, both effectively and efficiently. Our experiments also show that the false positive and false negative rates of ViewDroid are both very low.

References

[1]
Android-Apktool: A tool for reverse engineering Android apk Øles. http://code.google.com/p/android-apktool/.
[2]
Dexguard. http://www.saikoa.com/dexguard.
[3]
Intent android developers. developer.android.com/reference/android/content/Intent.html.
[4]
KlassMaster. http://www.zelix.com/klassmaster/docs/index.html.
[5]
Number of avaliable Android applications. http://www.appbrain.com/stats/number-of-android-apps.
[6]
Proguard. http://developer.android.com/tools/help/proguard.html/.
[7]
Security alert: New stealthy android spyware - plankton - found in official android market. http://www.csc.ncsu.edu/faculty/jiang/Plankton/.
[8]
Smali: An assembler/disassembler for Android's dex format. http://code.google.com/p/smali/
[9]
K. Chen, P. Liu, and Y. Zhang. Achieving accuracy and scalability simultaneously in detecting application clones on android markets. In 36th International Conference on Software Engineering (ICSE), 2014.
[10]
K. Z. Chen, N. Johnson, V. D'Silva, S. Dai, K. MacNamara, T. Magrino, E. X. Wu, M. Rinard, and D. Song. Contextual policy enforcement in Android applications with permission event graphs. In NDSS'13, 2013.
[11]
C. Collberg, G. Myles, and A. Huntwork. Sandmarks - a tool for software protection research. In IEEE Security and Privacy, vol. 1, no. 4, 2003.
[12]
C. Collberg, C. Thomborson, and D. Low. A taxonomy of obfuscating transformations. Technical report, 1997.
[13]
L. P. Cordella, P. Foggia, C. Sansone, and M. Vento. A (sub) graph isomorphism algorithm for matching large graphs. Pattern Analysis and Machine Intelligence, IEEE Transactions on, 26(10), 2004.
[14]
J. Crussell, C. Gibler, and H. Chen. Attack of the clones: Detecting cloned applications on android markets. In ESORICS, pages 37--54, 2012.
[15]
J. Crussell, C. Gibler, and H. Chen. Scalable semantics-based detection of similar android applications. In ESORICS, 2013.
[16]
A. Desnos and G. Gueguen. Android: From reversing to decompilation. In Black hat 2011, Abu Dhabi.
[17]
C. Gibler, R. Stevens, J. Crussell, H. Chen, H. Zang, and H. Choi. Adrob: Examining the landscape and impact of Android application plagiarism. In Proceedings of 11th International Conference on Mobile Systems, Applications and Services, 2013.
[18]
S. Hanna, L. Huang, E. Wu, S. Li, C. Chen, and D. Song. Juxtapp: A scalable system for detecting code reuse among android applications. In Proceedings of the 9th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, 2012.
[19]
H. Huang, S. Zhu, P. Liu, and D. Wu. A framework for evaluating mobile app repackaging detection algorithms. In Proceedings of the 6th International Conference on Trust & Trustworthy Computing, 2013.
[20]
Y.-C. Jhi, X. Wang, X. Jia, S. Zhu, P. Liu, and D. Wu. Value-based program characterization and its application to software plagiarism detection. In Proceedings of the 33rd International Conference on Software Engineering, pages 756--765. ACM, 2011.
[21]
H. Lim, H. Park, S. Choi, and T. Han. Detecting theft of Java applications via a static birthmark based on weighted stack patterns. IEICE - Trans. Inf. Syst., E91-D(9), 2008.
[22]
C. Liu, C. Chen, J. Han, and P. S. Yu. GPLAG: detection of software plagiarism by program dependence graph analysis. In KDD '06: Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery and data mining, 2006.
[23]
B. Lu, F. Liu, X. Ge, B. Liu, and X. Luo. A software birthmark based on dynamic opcode n-gram. International Conference on Semantic Computing, 2007.
[24]
G. Myles and C. Collberg. Detecting software theft via whole program path birthmarks. Information Security, 3225/2004, 2004.
[25]
G. Myles and C. Collberg. K-gram based software birthmarks. In SAC '05: Proceedings of the 2005 ACM symposium on Applied computing, 2005.
[26]
J. Ostrander. Android UI Fundamentals: Develop and Design. Peachpit Press, 2012.
[27]
S. Schleimer, D. S. Wilkerson, and A. Aiken. Winnowing: local algorithms for document fingerprinting. In Proc. of ACM SIGMOD Int. Conf. on Management of Data, 2003.
[28]
D. Schuler, V. Dallmeier, and C. Lindig. A dynamic birthmark for Java. In Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering, 2007.
[29]
H. Tamada, K. Okamoto, M. Nakamura, A. Monden, and K. ichi Matsumoto. Dynamic software birthmarks to detect the theft of windows applications. In Int. Symp. on Future Software Technology, 2004.
[30]
X. Wang, Y.-C. Jhi, S. Zhu, and P. Liu. Detecting software theft via system call based birthmarks. In Computer Security Applications Conference, 2009. ACSAC'09. Annual, pages 149{158. IEEE, 2009.
[31]
F. Zhang, Y. Jhi, D. Wu, P. Liu, and S. Zhu. A first step towards algorithm plagiarism detection. In Proceedings of the 2012 International Symposium on Software Testing and Analysis. ACM, 2012.
[32]
C. Zheng, S. Zhu, S. Dai, G. Gu, X. Gong, X. Han, and W. Zou. SmartDroid: an automatic system for revealing UI-based trigger conditions in Android applications. In Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices, pages 93--104. ACM, 2012.
[33]
W. Zhou, Y. Zhou, M. Grace, X. Jiang, and S. Zou. Fast, scalable detection of piggybacked mobile applications. In Proceedings of the third ACM conference on Data and application security and privacy, pages 185--196. ACM, 2013.
[34]
W. Zhou, Y. Zhou, X. Jiang, and P. Ning. Detecting repackaged smartphone applications in third-party Android marketplaces. In Proceedings of the second ACM conference on Data and Application Security and Privacy, 2012.
[35]
Y. Zhou and X. Jiang. Dissecting Android malware: Characterization and evolution. Security and Privacy, IEEE Symposium on, 2012.

Cited By

View all
  • (2024)WASMixer: Binary Obfuscation for WebAssemblyComputer Security – ESORICS 202410.1007/978-3-031-70896-1_5(88-109)Online publication date: 6-Sep-2024
  • (2024)Analyzing Implementation-Based SSL/TLS Vulnerabilities with Binary Semantics AnalysisSecurity and Privacy in Communication Networks10.1007/978-3-031-64954-7_19(371-394)Online publication date: 15-Oct-2024
  • (2023)A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection FrameworksInformation10.3390/info1407037414:7(374)Online publication date: 30-Jun-2023
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
WiSec '14: Proceedings of the 2014 ACM conference on Security and privacy in wireless & mobile networks
July 2014
246 pages
ISBN:9781450329729
DOI:10.1145/2627393
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

In-Cooperation

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 July 2014

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. mobile application
  2. obfuscation resilient
  3. repackaging
  4. user interface

Qualifiers

  • Research-article

Funding Sources

Conference

WiSec'14
Sponsor:

Acceptance Rates

WiSec '14 Paper Acceptance Rate 25 of 96 submissions, 26%;
Overall Acceptance Rate 98 of 338 submissions, 29%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)41
  • Downloads (Last 6 weeks)2
Reflects downloads up to 20 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2024)WASMixer: Binary Obfuscation for WebAssemblyComputer Security – ESORICS 202410.1007/978-3-031-70896-1_5(88-109)Online publication date: 6-Sep-2024
  • (2024)Analyzing Implementation-Based SSL/TLS Vulnerabilities with Binary Semantics AnalysisSecurity and Privacy in Communication Networks10.1007/978-3-031-64954-7_19(371-394)Online publication date: 15-Oct-2024
  • (2023)A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection FrameworksInformation10.3390/info1407037414:7(374)Online publication date: 30-Jun-2023
  • (2023)DeUEDroid: Detecting Underground Economy Apps Based on UTG SimilarityProceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3597926.3598051(223-235)Online publication date: 12-Jul-2023
  • (2023)DAISY: Dynamic-Analysis-Induced Source Discovery for Sensitive DataACM Transactions on Software Engineering and Methodology10.1145/356993632:4(1-34)Online publication date: 27-May-2023
  • (2023)A Comprehensive Study on ARM Disassembly ToolsIEEE Transactions on Software Engineering10.1109/TSE.2022.318781149:4(1683-1703)Online publication date: 1-Apr-2023
  • (2023)Libra: Library Identification in Obfuscated Android AppsInformation Security10.1007/978-3-031-49187-0_11(205-225)Online publication date: 1-Dec-2023
  • (2023)Predicate Anti-unification in (Constraint) Logic ProgrammingLogic-Based Program Synthesis and Transformation10.1007/978-3-031-45784-5_9(131-149)Online publication date: 16-Oct-2023
  • (2022)A Systematic Assessment on Android Third-Party Library Detection ToolsIEEE Transactions on Software Engineering10.1109/TSE.2021.311550648:11(4249-4273)Online publication date: 1-Nov-2022
  • (2022)Research on Third-Party Libraries in Android Apps: A Taxonomy and Systematic Literature ReviewIEEE Transactions on Software Engineering10.1109/TSE.2021.311438148:10(4181-4213)Online publication date: 1-Oct-2022
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media