Funding: Supported by the Leading-Edge Technology Program of Jiangsu Natural Science Foundation of China under Grant No. BK20202001 and the National Natural Science Foundation of China under Grant No. 61932021.
Abstract: Repackaging brings serious threats to the Android ecosystem. Software birthmark techniques are typically applied to detect repackaged apps. Birthmarks based on apps' runtime graphical user interfaces (GUI) are effective, especially for obfuscated or encrypted apps. However, existing studies are time-consuming and not suitable for handling apps at large scale. In this paper, we propose an effective yet efficient dynamic GUI birthmark for Android apps. Briefly, we run an app with automatically generated GUI events and dump its layout after each event. We divide each dumped layout into a grid, count in each grid cell the vertices of boundary rectangles corresponding to widgets within the layout, and generate a feature vector to encode the layout. Similar layouts are merged at runtime, and finally we obtain a graph as the birthmark of the app. Given a pair of apps to be compared, we build a weighted bipartite graph from their birthmarks and apply a modified version of the maximum-weight-bipartite-matching algorithm to determine whether they form a repackaging pair (RP) or not. We implement the proposed technique in a prototype, GridDroid, and apply it to detect RPs in three datasets involving 527 APKs. GridDroid reports only six false negatives and seven false positives, and it takes GridDroid merely 20 microseconds on average to compare a pair of birthmarks.
Funding: Supported by the National Natural Science Foundation of China (61303212, 61332019, U1135004), the Hubei Provincial Natural Science Foundation of China (2014CFB192), and the Fundamental Research Funds for National University, China University of Geosciences (Wuhan) (CUGL130234).
Abstract: In order to enhance the security of Android applications, we propose a repackaging and dynamic authority management scheme based on Android application reinforcement methods. Instead of using root privileges and system modification, we introduce a user-level sandbox, which utilizes the native C-level interception mechanism, to further reinforce risky applications and improve the overall security of the Android system. Additionally, by importing and improving the repackaging features, the proposed scheme reduces the potential risks of applications and achieves the goal of dynamic monitoring of permissions. Finally, a comprehensive evaluation, including efficiency analysis and detection evaluation on 1,000 malware samples with an overall average success rate of about 96%, shows the feasibility and universality of the proposed scheme.
Funding: Supported by ZTE Industry-Academia-Research Cooperation Funds.
Abstract: The increasing popularity of Android devices has given rise to a large number of feature-rich applications (or apps) in various Android markets. Since adversaries can easily repackage malicious code into benign apps and spread them, it is urgent to detect repackaged apps to maintain healthy Android markets. In this paper we propose an efficient detection scheme based on twice context triggered piecewise hash (T-CTPH), in which the CTPH process is called twice so as to generate two fingerprints for each app to detect repackaged Android applications. We also optimize the similarity calculation algorithm to improve the matching efficiency. Experimental results show that there are about 5% repackaged apps in the pre-collected 6438 samples of 4 different types. The proposed scheme improves the detection accuracy of repackaged apps and has positive and practical significance for the ecosystem of the Android markets.