research-article

Fast, scalable detection of "Piggybacked" mobile applications

Authors:

Shihong ZouAuthors Info & Claims

CODASPY '13: Proceedings of the third ACM conference on Data and application security and privacy

Pages 185 - 196

https://doi.org/10.1145/2435349.2435377

Published: 18 February 2013 Publication History

Abstract

Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create so-called "piggybacked" apps and advertise them in various app markets to infect unsuspecting users. To detect them, existing approaches typically employ pair-wise comparison, which unfortunately has limited scalability. In this paper, we present a fast and scalable approach to detect these apps in existing Android markets. Based on the fact that the attached payload is not an integral part of a given app's primary functionality, we propose a module decoupling technique to partition an app's code into primary and non-primary modules. Also, noticing that piggybacked apps share the same primary modules as the original apps, we develop a feature fingerprint technique to extract various semantic features (from primary modules) and convert them into feature vectors. We then construct a metric space and propose a linearithmic search algorithm (with O(n log n) time complexity) to efficiently and scalably detect piggybacked apps. We have implemented a prototype and used it to study 84,767 apps collected from various Android markets in 2011. Our results show that the processing of these apps takes less than nine hours on a single machine. In addition, among these markets, piggybacked apps range from 0.97% to 2.7% (the official Android Market has 1%). Further investigation shows that they are mainly used to steal ad revenue from the original developers and implant malicious payloads (e.g., for remote bot control). These results demonstrate the effectiveness and scalability of our approach.

References

[1]

MMSBG: An Open-Source Project. https://code.google.com/p/mmsbg. Online; accessed at Dec 1, 2011.

[2]

ProGuard | Android Developers. http://developer.android.com/guide/developing/tools/proguard.html. Online; accessed at Dec 1, 2011.

[3]

Smali - An Assembler/Disassembler for Android's dex Format. http://code.google.com/p/smali/. Online; accessed at Dec 1, 2011.

[4]

AndroidCommunity. {ALERT} New Trojan Called Hong Tou Tou Lurking. http://androidcommunity.com/android-trojan-alert-hong-tou-tou-20110216/. Online; accessed at Dec 1, 2011.

[5]

Nicolas Anquetil, Cédric Fourrier, and Timothy C. Lethbridge. Experiments with Clustering as a Software Remodularization Method. In Proceedings of the Sixth Working Conference on Reverse Engineering, WCRE'99, pages 235--, Washington, DC, USA, 1999. IEEE Computer Society.

Digital Library

[6]

AppBrain. Number of Available Android Applications. http://www.appbrain.com/stats/number-of-android-apps. Online; accessed at Dec 1, 2011.

[7]

David Barrera, William Enck, and Paul Oorschot. Seeding a Security-Enhancing Infrastructure for Multi-market Application Ecosystems. Technical report, School of Computer Science, Carleton University, http://www.scs.carleton.ca/shared/research/tech_reports/2010/TR-11-06%20Barrera.pdf. Online; accessed at Dec 1, 2011.

[8]

David Barrera, H. Güneş Kayacik, Paul C. van Oorschot, and Anil Somayaji. A Methodology for Empirical Analysis of Permission-Based Security Models and Its Application to Android. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS'10, 2010.

Digital Library

[9]

Joany Boutet. Malicious Android Applications: Risks and Exploitation - A Spyware Story about Android Application and Reverse Engineering. http://www.sans.org/reading_room/whitepapers/malicious/malicious-android-applications_risks-exploitation_33578. Online; accessed at Dec 1, 2011.

[10]

Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Thomas Fischer, Ahmad-Reza Sadeghi, and Bhargava Shastry. Towards Taming Privilege-Escalation Attacks on Android. In 19th Annual Network & Distributed System Security Symposium (NDSS), Feb 2012.

[11]

Erika Chin, Adrienne Felt, Kate Greenwood, and David Wagner. Analyzing Inter-Application Communication in Android. In Proceedings of the 9th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys 2011, 2011.

Digital Library

[12]

Jonathan Crussell, Clint Gibler, and Hao Chen. Attack of the Clones: Detecting Cloned Applications on Android Markets. In Sara Foresti, Moti Yung, and Fabio Martinelli, editors, Computer Security âAS ESORICS 2012, volume 7459 of Lecture Notes in Computer Science, pages 37--54. Springer Berlin Heidelberg, 2012.

[13]

Michael Dietz, Shashi Shekhar, Yuliy Pisetsky, Anhei Shu, and Dan Wallach. QUIRE: Lightweight Provenance for Smart Phone Operating Systems. In Proceedings of the 20th USENIX Security Symposium, USENIX Security'11, San Francisco, CA, 2011.

Digital Library

[14]

Manuel Egele, Christopher Kruegel, Engin Kirda, and Giovanni Vigna. PiOS: Detecting Privacy Leaks in iOS Applications. In Proceedings of the 18th Annual Network and Distributed System Security Symposium, NDSS '11, February 2011.

[15]

William Enck, Peter Gilbert, Byung-gon Chun, Landon Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation, USENIX OSDI'11, 2011.

Digital Library

[16]

William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. A Study of Android Application Security. In Proceedings of the 20th USENIX Security Symposium, USENIX Security'11, San Francisco, CA, 2011.

Digital Library

[17]

Adrienne Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner. Android Permissions Demystified. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS'11, 2011.

Digital Library

[18]

Adrienne Felt, Helen Wang, Alexander Moschhuk, Steve Hanna, and Erika Chin. Permission Re-Delegation: Attacks and Defense. In Proceedings of the 20th USENIX Security Symposium, USENIX Security'11, San Francisco, CA, 2011.

Digital Library

[19]

Adam Fuchs, Avik Chaudhuri, and Jeffrey Foster. SCanDroid: Automated Security Certification of Android Applications. http://www.cs.umd.edu/ avik/projects/scandroidascaa/paper.pdf. Online; accessed at Dec 1, 2011.

[20]

Michael Grace, Wu Zhou, Xuxian Jiang, and Ahmad-Reza Sadeghi. Unsafe Exposure Analysis of Mobile In-App Advertisements. In Proceedings of the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2012.

Digital Library

[21]

Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang. Systematic Detection of Capability Leaks in Stock Android Smartphones. In Proceedings of the 19th Annual Network and Distributed System Security Symposium, NDSS'12, February 2012.

[22]

Michael Grace, Yajin Zhou, Qiang Zhang, Shihong Zou, and Xuxian Jiang. RiskRanker: Scalable and Accurate Zero-day Android Malware Detection. In 10th International Conference on Mobile Systems, Applications and Services, June 2012.

Digital Library

[23]

Xin Hu, Tzi-cker Chiueh, and Kang G. Shin. Large-Scale Malware Indexing using Function-Call Graphs. In Proceedings of the 16th ACM conference on Computer and communications security, CCS'09, pages 611--620, New York, NY, USA, 2009. ACM.

Digital Library

[24]

Google Inc. Admob for Android Developers. http://developer.admob.com/wiki/Android.

[25]

Google Inc. Android Market. https://market.android.com/. Online; accessed at Dec 1, 2011.

[26]

Lookout Inc. App Genome Report: February 2011. https://www.mylookout.com/appgenome/. Online; accessed at Dec 1, 2011.

[27]

Lookout Inc. Security Alert: Geinimi, Sophisticated New Android Trojan Found in Wild. http://blog.mylookout.com/2010/12/geinimi_trojan/. Online; accessed at Dec 1, 2011.

[28]

Lookout Inc. Update: Security Alert: DroidDream Malware Found in Official Android Market. http://blog.mylookout.com/2011/03/security-alert-malware-found-in_offic%ial-android-market-droiddream/. Online; accessed at Dec 1, 2011.

[29]

MobClix Inc. Mobclix SDK Integration Guide. http://support.mobclix.com/attachments/token/lvbgrqsfpjgvgxb/?name=Detailed_Start_Guide_for_Android.pdf. Online; accessed at Dec 1, 2011.

[30]

Scoreloop Inc. Scoreloop : Cross Platform Mobile Gaming SDK for Virtual Currency, Social Games and Distribution. http://www.scoreloop.com/developers/.

[31]

Symantec Inc. Android Threats Getting Steamy. http://www.symantec.com/connect/blogs/android-threats-getting-steamy. Online; accessed at Dec 1, 2011.

[32]

Symantec Inc. Android.Basebridge: Technical Details. http://www.symantec.com/security_response/writeup.jsp?docid=2011-060915%-4938--99&tabid=2. Online; accessed at Dec 1, 2011.

[33]

Wooboo Inc. How to Add Wooboo Advertisement SDK into Android. http://admin.wooboo.com.cn:9001/cbFiles/down/1272545843644.swf.

[34]

Jiyong Jang, David Brumley, and Shobha Venkataraman. BitShred: Feature Hashing Malware for Scalable Triage and Semantic Analysis. In Proceedings of the 18th ACM conference on Computer and communications security, CCS'11, pages 309--320, New York, NY, USA, 2011. ACM.

Digital Library

[35]

Christian Lindig and Gregor Snelting. Assessing Modular Structure of Legacy Code based on Mathematical Concept Analysis. In Proceedings of the 19th international conference on Software engineering, ICSE'97, pages 349--359, New York, NY, USA, 1997. ACM.

Digital Library

[36]

S. Mancoridis, B. S. Mitchell, C. Rorres, Y. Chen, and E. R. Gansner. Using Automatic Clustering to Produce High-Level System Organizations of Source Code. In Proceedings of the 6th International Workshop on Program Comprehension, IWPC'98, pages 45--, Washington, DC, USA, 1998. IEEE Computer Society.

Digital Library

[37]

Machigar Ongtang, Stephen McLaughlin, William Enck, and Patrick McDaniel. Semantically Rich Application-Centric Security in Android. In Proceedings of the 2009 Annual Computer Security Applications Conference, ACSAC'09, 2009.

Digital Library

[38]

OpenFeint. OpenFeint Developers - Mobile Open Source Social SDK & Tools for iOS & Android. http://openfeint.com/developers. Online; accessed at Dec 1, 2011.

[39]

Paolo Passeri. One Year of Android Malware (Full List)). http://paulsparrows.wordpress.com/2011/08/11/one-year-of-android-malware-full-list/. Online; accessed at Dec 1, 2011.

[40]

Google Code Project. Android-apktool - Tool for Reengineering Android apk Files. http://code.google.com/p/android-apktool/. Online; accessed at Dec 1, 2011.

[41]

Helmuth Spaeth. Cluster Analysis Algorithms for Data Reduction and Classification of Objects. J. Wiley and Sons, 1980.

[42]

Paolo Tonella. Concept Analysis for Module Restructuring. IEEE Trans. Softw. Eng., 27:351--363, April 2001.

Digital Library

[43]

Peter N. Yianilos. Data Structures and Algorithms for Nearest Neighbor Search in General Metric Spaces. In Proceedings of the fourth annual ACM-SIAM Symposium on Discrete algorithms, SODA'93, pages 311--321, Philadelphia, PA, USA, 1993. Society for Industrial and Applied Mathematics.

Digital Library

[44]

Wu Zhou, Yajin Zhou, Xuxian Jiang, and Peng Ning. DroidMOSS: Detecting Repackaged Smartphone Applications in Third-Party Android Marketplaces. In Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy, CODASPY'12, February 2012.

Digital Library

[45]

Yajin Zhou and Xuxian Jiang. Dissecting Android Malware: Characterization and Evolution. In Proceedings of the 33rd IEEE Symposium on Security and Privacy, 2012.

Digital Library

[46]

Yajin Zhou and Xuxian Jiang. Detecting Passive Content Leaks and Pollution in Android Applications. In Proceedings of the 20th Annual Symposium on Network and Distributed System Security, 2013.

[47]

Yajin Zhou, Zhi Wang, Wu Zhou, and Xuxian Jiang. Hey, You, Get off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In Proceedings of the 19th Annual Network and Distributed System Security Symposium, NDSS'12, February 2012.

Cited By

Zaidi SKhan SVyas PAafer YFilkov VRay BZhou M(2024)A Longitudinal Analysis Of Replicas in the Wild Wild AndroidProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695546(1821-1833)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695546
Zhang YMa CNing YWu QGuo Z(2024)Research and Implementation of Open Source Component Library Detection for Binary ProgramsIEEE Access10.1109/ACCESS.2024.344219112(111846-111857)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3442191
K.A. AP. VK.A. RRaveendran NConti M(2024)Android malware defense through a hybrid multi-modal approachJournal of Network and Computer Applications10.1016/j.jnca.2024.104035(104035)Online publication date: Sep-2024
https://doi.org/10.1016/j.jnca.2024.104035
Show More Cited By

Index Terms

Fast, scalable detection of "Piggybacked" mobile applications

Recommendations

AppInk: watermarking android apps for repackaging deterrence
ASIA CCS '13: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security

With increased popularity and wide adoption of smartphones and mobile devices, recent years have seen a new burgeoning economy model centered around mobile apps. However, app repackaging, among many other threats, brings tremendous risk to the ecosystem,...
Android Applications Repackaging Detection Techniques for Smartphone Devices

The problem of malwares affecting Smartphones has been widely recognized by the researchers across the world. Majority of these malwares target Android OS. Studies have found that most of the Android malwares hide inside repackaged apps to get inside ...
Real-time detection and prevention of android SMS permission abuses
SESP '13: Proceedings of the first international workshop on Security in embedded systems and smartphones

The Android permission system informs users about the privileges demanded by applications (apps), and in principle allows users to assess potential risks of apps. Unfortunately, recent studies showed that the installation-time permission verification ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CODASPY '13: Proceedings of the third ACM conference on Data and application security and privacy

February 2013

400 pages

ISBN:9781450318907

DOI:10.1145/2435349

General Chairs:
Elisa Bertino
Purdue University, USA
,
Ravi Sandhu
University of Texas at San Antonio, USA
,
Program Chair:
Lujo Bauer
Carnegie Mellon University, USA
,
Publications Chair:
Jaehong Park
University of Texas at San Antonio, USA

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 18 February 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CODASPY'13

Sponsor:

SIGSAC

CODASPY'13: Third ACM Conference on Data and Application Security and Privacy

February 18 - 20, 2013

Texas, San Antonio, USA

Acceptance Rates

CODASPY '13 Paper Acceptance Rate 24 of 107 submissions, 22%;

Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

168
Total Citations
View Citations
971
Total Downloads

Downloads (Last 12 months)24
Downloads (Last 6 weeks)1

Reflects downloads up to 19 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Zaidi SKhan SVyas PAafer YFilkov VRay BZhou M(2024)A Longitudinal Analysis Of Replicas in the Wild Wild AndroidProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695546(1821-1833)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695546
Zhang YMa CNing YWu QGuo Z(2024)Research and Implementation of Open Source Component Library Detection for Binary ProgramsIEEE Access10.1109/ACCESS.2024.344219112(111846-111857)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3442191
K.A. AP. VK.A. RRaveendran NConti M(2024)Android malware defense through a hybrid multi-modal approachJournal of Network and Computer Applications10.1016/j.jnca.2024.104035(104035)Online publication date: Sep-2024
https://doi.org/10.1016/j.jnca.2024.104035
Xinyu LZe JJiaxi LWei LXiaoxi WQixu L(2023)ANDetect: A Third-party Ad Network Libraries Detection Framework for Android ApplicationsProceedings of the 39th Annual Computer Security Applications Conference10.1145/3627106.3627182(98-112)Online publication date: 4-Dec-2023
https://dl.acm.org/doi/10.1145/3627106.3627182
Alhashmi SAlneyadi AAlshehhi MLamaazi H(2023)Mobile and Web Applications Clones: A Comprehensive Study2023 International Wireless Communications and Mobile Computing (IWCMC)10.1109/IWCMC58020.2023.10182983(464-469)Online publication date: 19-Jun-2023
https://doi.org/10.1109/IWCMC58020.2023.10182983
Sharma ASingh SKumar SChhabra AGupta S(2023)Security of Android Banking Mobile Apps: Challenges and OpportunitiesInternational Conference on Cyber Security, Privacy and Networking (ICSPN 2022)10.1007/978-3-031-22018-0_39(406-416)Online publication date: 21-Feb-2023
https://doi.org/10.1007/978-3-031-22018-0_39
Zhan XLiu TLiu YLiu YLi LWang HLuo X(2022)A Systematic Assessment on Android Third-Party Library Detection ToolsIEEE Transactions on Software Engineering10.1109/TSE.2021.311550648:11(4249-4273)Online publication date: 1-Nov-2022
https://doi.org/10.1109/TSE.2021.3115506
Zhan XLiu TFan LLi LChen SLuo XLiu Y(2022)Research on Third-Party Libraries in Android Apps: A Taxonomy and Systematic Literature ReviewIEEE Transactions on Software Engineering10.1109/TSE.2021.311438148:10(4181-4213)Online publication date: 1-Oct-2022
https://doi.org/10.1109/TSE.2021.3114381
Ma HLi SGao DJia C(2022)Secure Repackage-Proofing Framework for Android Apps Using Collatz ConjectureIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2021.309165419:5(3271-3285)Online publication date: 1-Sep-2022
https://doi.org/10.1109/TDSC.2021.3091654
Kumari NChen M(2022)Malware and Piracy Detection in Android Applications2022 IEEE 5th International Conference on Multimedia Information Processing and Retrieval (MIPR)10.1109/MIPR54900.2022.00061(306-311)Online publication date: Aug-2022
https://doi.org/10.1109/MIPR54900.2022.00061
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents