DOI: 10.1145/2766498.2766508
research-article

DroidEagle: seamless detection of visually similar Android apps

Published: 22 June 2015

    Abstract

    Repackaged malware and phishing malware make up 86% [35] of all Android malware, and they significantly affect the Android ecosystem. Previous work uses disassembled Dalvik bytecode and hashing approaches to detect repackaged malware, but these approaches are vulnerable to obfuscation attacks and they demand large computational resources on mobile devices. In this work, we propose a novel methodology which uses the layout resources within an app to detect apps which are "visually similar", a common characteristic in repackaged apps and phishing malware. To detect visually similar apps, we design and implement DroidEagle, which consists of two sub-systems: RepoEagle and HostEagle. RepoEagle performs large-scale detection on app repositories (e.g., app markets), and HostEagle is a lightweight mobile app which can help users quickly detect visually similar Android apps upon download. We demonstrate the high accuracy and efficiency of DroidEagle: within 3 hours RepoEagle can detect 1298 visually similar apps from 99 626 apps in a repository. In less than one second, HostEagle can help an Android user determine whether a downloaded mobile app is a repackaged app or phishing malware. This is the first work which provides both speed and scalability in discovering repackaged apps and phishing malware in the Android system.

    References

    [1] Androguard. https://code.google.com/p/androguard/.
    [2] Android signing mechanism. http://developer.android.com/tools/publishing/app-signing.html.
    [3] Apktool. https://code.google.com/p/android-apktool/.
    [4] Axml. https://code.google.com/p/axml/.
    [5] Google play bouncer. http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-google-bouncer/.
    [6] Smali/baksmali. https://code.google.com/p/smali/.
    [7] ssdeep. http://ssdeep.sourceforge.net/.
    [8] Virtuous ten studio. http://virtuous-ten-studio.com/.
    [9] AppBrain. Number of android applications. http://www.appbrain.com/stats/number-of-android-apps.
    [10] J. Crussell, C. Gibler, and H. Chen. Attack of the clones: Detecting cloned applications on android markets. In Computer Security – ESORICS 2012. Springer, 2012.
    [11] J. Crussell, C. Gibler, and H. Chen. Andarwin: Scalable detection of semantically similar android applications. In Computer Security – ESORICS 2013. Springer, 2013.
    [12] F-Secure. Threat report h2 2013. http://www.f-secure.com/static/doc/labs_global/Research/Threat_Report_H2_2013.pdf.
    [13] A. Y. Fu, L. Wenyin, and X. Deng. Detecting phishing web pages with visual similarity assessment based on earth mover's distance (emd). Dependable and Secure Computing, IEEE Transactions on, 2006.
    [14] Gartner. Gartner says annual smartphone sales surpassed sales of feature phones for the first time in 2013. http://www.gartner.com/newsroom/id/2665715.
    [15] C. Gibler, R. Stevens, J. Crussell, H. Chen, H. Zang, and H. Choi. Adrob: Examining the landscape and impact of android application plagiarism. In Proceeding of the 11th annual international conference on Mobile systems, applications, and services. ACM, 2013.
    [16] S. Hanna, L. Huang, E. Wu, S. Li, C. Chen, and D. Song. Juxtapp: A scalable system for detecting code reuse among android applications. In Detection of Intrusions and Malware, and Vulnerability Assessment, pages 62–81. Springer, 2013.
    [17] G. Inc. Google play. https://play.google.com.
    [18] Kaspersky. Kaspersky security bulletin 2013. overall statistics for 2013. http://media.kaspersky.com/pdf/KSB_2013_EN.pdf.
    [19] J. Kornblum. Identifying almost identical files using context triggered piecewise hashing. Digital investigation, 3:91–97, 2006.
    [20] W. Liu, X. Deng, G. Huang, and A. Y. Fu. An antiphishing strategy based on visual similarity assessment. Internet Computing, IEEE, 2006.
    [21] Y. Pan and X. Ding. Anomaly based web phishing page detection. In Computer Security Applications Conference, 2006. ACSAC'06. 22nd Annual. IEEE, 2006.
    [22] V. Rastogi, Y. Chen, and X. Jiang. Droidchameleon: evaluating android anti-malware against transformation attacks. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security. ACM, 2013.
    [23] T. Strazzere. Dex education: Practicing safe dex. In Blackhat USA 2012, 2012.
    [24] Umeng. 2013 umeng insight report. http://www.slideshare.net/umengnews/2013-umeng-insight-report.
    [25] Yourstory. Google play is not the place to be in china, "app in china" connects you to top 20 chinese android app stores. http://yourstory.com/2014/02/google-play-place-china-app-china-connects-top-20-chinese-android-app-stores/.
    [26] C. Zauner. Implementation and benchmarking of perceptual image hash functions. na, 2010.
    [27] F. Zhang, H. Huang, S. Zhu, D. Wu, and P. Liu. View-droid: Towards obfuscation-resilient mobile application repackaging detection. In Proceedings of the 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2014). ACM, 2014.
    [28] K. Zhang and D. Shasha. Simple fast algorithms for the editing distance between trees and related problems. SIAM journal on computing, 1989.
    [29] M. Zheng, P. P. Lee, and J. C. Lui. Adam: An automatic and extensible platform to stress test android anti-virus systems. In Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 2013.
    [30] M. Zheng, M. Sun, and J. Lui. Droid analytics: A signature based analytic system to collect, extract, analyze and associate android malware. In Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on, pages 163–171. IEEE, 2013.
    [31] W. Zhou, Z. Wang, Y. Zhou, and X. Jiang. Divilar: diversifying intermediate language for anti-repackaging on android platform. In Proceedings of the 4th ACM conference on Data and application security and privacy. ACM, 2014.
    [32] W. Zhou, X. Zhang, and X. Jiang. Appink: watermarking android apps for repackaging deterrence. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security. ACM, 2013.
    [33] W. Zhou, Y. Zhou, M. Grace, X. Jiang, and S. Zou. Fast, scalable detection of piggybacked mobile applications. In Proceedings of the third ACM conference on Data and application security and privacy, pages 185–196. ACM, 2013.
    [34] W. Zhou, Y. Zhou, X. Jiang, and P. Ning. Detecting repackaged smartphone applications in third-party android marketplaces. In Proceedings of the second ACM conference on Data and Application Security and Privacy. ACM, 2012.
    [35] Y. Zhou and X. Jiang. Dissecting android malware: Characterization and evolution. In Security and Privacy (SP), 2012 IEEE Symposium on. IEEE.

    Information

    Published In

    WiSec '15: Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks
    June 2015
    256 pages
    ISBN: 9781450336239
    DOI: 10.1145/2766498

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 22 June 2015

    Qualifiers

    • Research-article

    Conference

    WiSec'15
    Sponsor:
    • SIGSAC
    • US Army Research Office
    • NSF

    Acceptance Rates

    Overall Acceptance Rate 98 of 338 submissions, 29%

    Article Metrics

    • Downloads (Last 12 months): 20
    • Downloads (Last 6 weeks): 3
    Reflects downloads up to 09 Aug 2024

    Cited By

    • (2023) A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection Frameworks. Information 14:7 (374). DOI: 10.3390/info14070374. Online publication date: 30-Jun-2023
    • (2023) DeUEDroid: Detecting Underground Economy Apps Based on UTG Similarity. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis (223-235). DOI: 10.1145/3597926.3598051. Online publication date: 12-Jul-2023
    • (2023) Mixed Signals: Analyzing Software Attribution Challenges in the Android Ecosystem. IEEE Transactions on Software Engineering 49:4 (2964-2979). DOI: 10.1109/TSE.2023.3236582. Online publication date: 1-Apr-2023
    • (2022) The rise of obfuscated Android malware and impacts on detection methods. PeerJ Computer Science 8 (e907). DOI: 10.7717/peerj-cs.907. Online publication date: 9-Mar-2022
    • (2022) Research on Third-Party Libraries in Android Apps: A Taxonomy and Systematic Literature Review. IEEE Transactions on Software Engineering 48:10 (4181-4213). DOI: 10.1109/TSE.2021.3114381. Online publication date: 1-Oct-2022
    • (2022) An Exploratory Study for GUI Posts on Stack Overflow. 2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS) (1113-1124). DOI: 10.1109/QRS57517.2022.00114. Online publication date: Dec-2022
    • (2022) AndroMalPack: enhancing the ML-based malware classification by detection and removal of repacked apps for Android systems. Scientific Reports 12:1. DOI: 10.1038/s41598-022-23766-w. Online publication date: 14-Nov-2022
    • (2022) GridDroid—An Effective and Efficient Approach for Android Repackaging Detection Based on Runtime Graphical User Interface. Journal of Computer Science and Technology 37:1 (147-181). DOI: 10.1007/s11390-021-1659-3. Online publication date: 31-Jan-2022
    • (2021) Rebooting Research on Detecting Repackaged Android Apps: Literature Review and Benchmark. IEEE Transactions on Software Engineering 47:4 (676-693). DOI: 10.1109/TSE.2019.2901679. Online publication date: 1-Apr-2021
    • (2021) MDSDroid: A Multi-level Detection System for Android Repackaged Applications. 2021 IEEE 6th International Conference on Signal and Image Processing (ICSIP) (1128-1133). DOI: 10.1109/ICSIP52628.2021.9688672. Online publication date: 22-Oct-2021
