ABSTRACT
According to Comscore¹, Android users in the U.S. spend an average of 2.8 hours per day using mobile media. Meanwhile, according to Statista reports², Android users were able to choose between 2.2 million applications in June 2016. Among these applications are some that the Google Android Security Service³ has reported as malware, viruses, or illegal theft. Many tools such as Dex2Jar⁴, apktool⁵, and jd-gui⁶ analyze and reverse engineer Android applications, and they can also be used to illegally copy or transform those applications. To protect applications from piracy or illegal theft, it is necessary to detect theft by measuring application similarity. In the literature, previous studies on theft detection have measured application similarity at two levels, the source code level or the executable code level, each of which has some limitations. Source code is not available if it is legacy code or was developed by upstream suppliers. In the case of executable code, application similarity is measured 1) using the source code decompiled from the executables, or 2) using characteristics extracted from the executables (i.e., a birthmark). For example, DroidMoss [5] applied a fuzzy hashing technique to effectively localize and detect the changes from app-repackaging behavior. Reference [4] proposed software birthmarks to show the unique characteristics of a program and detected software theft based on the birthmarks.
REFERENCES
- [1] Bowyer, K. W., and Hall, L. O. Experience using MOSS to detect cheating on programming assignments, IEEE FIE, pp. 13B3/18--13B3/22, vol. 3, 1999.
- [2] Hamedani, M. R., Lee, S., and Kim, S. On Combining Text-based and Link-based Similarity Measures for Scientific Papers, ACM RACS, pp. 111--115, 2013.
- [3] Ramos, J. Using tf-idf to determine word relevance in document queries, ICML, 2003.
- [4] Tamada, H., Nakamura, M., and Monden, A. Design and Evaluation of Birthmarks for Detecting Theft of Java Programs, IASTED, pp. 569--574, 2004.
- [5] Zhou, W., Zhou, Y., Jiang, X., and Ning, P. Detecting repackaged smartphone applications in third-party android marketplaces, ACM CODASPY, pp. 317--326, 2012.