Evaluation of resource-based app repackaging detection in android

Olga Gadyatskaya, Andra Lidia Lezza, Yury Zhauniarovich

Research output: Chapter in Book/Report/Conference proceedingConference contribution

6 Citations (Scopus)

Abstract

Android app repackaging threatens the health of application markets, as repackaged apps, besides stealing revenue for honest developers, are also a source of malware distribution. Techniques that rely on visual similarity of Android apps recently emerged as a way to tackle the repackaging detection problem, as code-based detection techniques often fail in terms of efficiency, and effectiveness when obfuscation is applied [19,21]. Among such techniques, the resource-based repackaging detection approach that compares sets of files included in apks has arguably the best performance [10,17,20]. Yet, this approach has not been previously validated on a dataset of repackaged apps. In this paper we report on our evaluation of the approach, and present substantial improvements to it. Our experiments show that the stateof- art tools applying this technique rely on too restrictive thresholds. Indeed, we demonstrate that a very low proportion of identical resource files in two apps is a reliable evidence for repackaging. Furthermore, we have shown that the Overlap similarity score performs better than the Jaccard similarity coefficient used in previous works. By applying machine learning techniques, we give evidence that considering separately the included resource file types significantly improves the detection accuracy of the method. Experimenting with a balanced dataset of more than 2700 app pairs, we show that with our enhancements it is possible to achieve the F-measure of 0. 9919.

Original languageEnglish
Title of host publicationSecure IT Systems - 21st Nordic Conference, NordSec 2016, Proceedings
PublisherSpringer Verlag
Pages135-151
Number of pages17
ISBN (Print)9783319475592
DOIs
Publication statusPublished - 1 Jan 2016
Event21st Nordic Conference on Secure IT Systems, NordSec 2016 - Oulu, Finland
Duration: 2 Nov 20164 Nov 2016

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10014 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Other

Other21st Nordic Conference on Secure IT Systems, NordSec 2016
CountryFinland
CityOulu
Period2/11/164/11/16

Fingerprint

Application programs
Resources
Evaluation
Similarity Coefficient
Obfuscation
Malware
Overlap
Machine Learning
Health
Proportion
Enhancement
Learning systems
Android (operating system)
Demonstrate
Experiment
Experiments
Evidence
Similarity

Keywords

  • Android security
  • Repackaging
  • Resource files

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Gadyatskaya, O., Lezza, A. L., & Zhauniarovich, Y. (2016). Evaluation of resource-based app repackaging detection in android. In Secure IT Systems - 21st Nordic Conference, NordSec 2016, Proceedings (pp. 135-151). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10014 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-47560-8_9

Evaluation of resource-based app repackaging detection in android. / Gadyatskaya, Olga; Lezza, Andra Lidia; Zhauniarovich, Yury.

Secure IT Systems - 21st Nordic Conference, NordSec 2016, Proceedings. Springer Verlag, 2016. p. 135-151 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10014 LNCS).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Gadyatskaya, O, Lezza, AL & Zhauniarovich, Y 2016, Evaluation of resource-based app repackaging detection in android. in Secure IT Systems - 21st Nordic Conference, NordSec 2016, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10014 LNCS, Springer Verlag, pp. 135-151, 21st Nordic Conference on Secure IT Systems, NordSec 2016, Oulu, Finland, 2/11/16. https://doi.org/10.1007/978-3-319-47560-8_9
Gadyatskaya O, Lezza AL, Zhauniarovich Y. Evaluation of resource-based app repackaging detection in android. In Secure IT Systems - 21st Nordic Conference, NordSec 2016, Proceedings. Springer Verlag. 2016. p. 135-151. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-319-47560-8_9
Gadyatskaya, Olga ; Lezza, Andra Lidia ; Zhauniarovich, Yury. / Evaluation of resource-based app repackaging detection in android. Secure IT Systems - 21st Nordic Conference, NordSec 2016, Proceedings. Springer Verlag, 2016. pp. 135-151 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{8010238f4a8043568c3208773d112487,
title = "Evaluation of resource-based app repackaging detection in android",
abstract = "Android app repackaging threatens the health of application markets, as repackaged apps, besides stealing revenue for honest developers, are also a source of malware distribution. Techniques that rely on visual similarity of Android apps recently emerged as a way to tackle the repackaging detection problem, as code-based detection techniques often fail in terms of efficiency, and effectiveness when obfuscation is applied [19,21]. Among such techniques, the resource-based repackaging detection approach that compares sets of files included in apks has arguably the best performance [10,17,20]. Yet, this approach has not been previously validated on a dataset of repackaged apps. In this paper we report on our evaluation of the approach, and present substantial improvements to it. Our experiments show that the stateof- art tools applying this technique rely on too restrictive thresholds. Indeed, we demonstrate that a very low proportion of identical resource files in two apps is a reliable evidence for repackaging. Furthermore, we have shown that the Overlap similarity score performs better than the Jaccard similarity coefficient used in previous works. By applying machine learning techniques, we give evidence that considering separately the included resource file types significantly improves the detection accuracy of the method. Experimenting with a balanced dataset of more than 2700 app pairs, we show that with our enhancements it is possible to achieve the F-measure of 0. 9919.",
keywords = "Android security, Repackaging, Resource files",
author = "Olga Gadyatskaya and Lezza, {Andra Lidia} and Yury Zhauniarovich",
year = "2016",
month = "1",
day = "1",
doi = "10.1007/978-3-319-47560-8_9",
language = "English",
isbn = "9783319475592",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "135--151",
booktitle = "Secure IT Systems - 21st Nordic Conference, NordSec 2016, Proceedings",

}

TY - GEN

T1 - Evaluation of resource-based app repackaging detection in android

AU - Gadyatskaya, Olga

AU - Lezza, Andra Lidia

AU - Zhauniarovich, Yury

PY - 2016/1/1

Y1 - 2016/1/1

N2 - Android app repackaging threatens the health of application markets, as repackaged apps, besides stealing revenue for honest developers, are also a source of malware distribution. Techniques that rely on visual similarity of Android apps recently emerged as a way to tackle the repackaging detection problem, as code-based detection techniques often fail in terms of efficiency, and effectiveness when obfuscation is applied [19,21]. Among such techniques, the resource-based repackaging detection approach that compares sets of files included in apks has arguably the best performance [10,17,20]. Yet, this approach has not been previously validated on a dataset of repackaged apps. In this paper we report on our evaluation of the approach, and present substantial improvements to it. Our experiments show that the stateof- art tools applying this technique rely on too restrictive thresholds. Indeed, we demonstrate that a very low proportion of identical resource files in two apps is a reliable evidence for repackaging. Furthermore, we have shown that the Overlap similarity score performs better than the Jaccard similarity coefficient used in previous works. By applying machine learning techniques, we give evidence that considering separately the included resource file types significantly improves the detection accuracy of the method. Experimenting with a balanced dataset of more than 2700 app pairs, we show that with our enhancements it is possible to achieve the F-measure of 0. 9919.

AB - Android app repackaging threatens the health of application markets, as repackaged apps, besides stealing revenue for honest developers, are also a source of malware distribution. Techniques that rely on visual similarity of Android apps recently emerged as a way to tackle the repackaging detection problem, as code-based detection techniques often fail in terms of efficiency, and effectiveness when obfuscation is applied [19,21]. Among such techniques, the resource-based repackaging detection approach that compares sets of files included in apks has arguably the best performance [10,17,20]. Yet, this approach has not been previously validated on a dataset of repackaged apps. In this paper we report on our evaluation of the approach, and present substantial improvements to it. Our experiments show that the stateof- art tools applying this technique rely on too restrictive thresholds. Indeed, we demonstrate that a very low proportion of identical resource files in two apps is a reliable evidence for repackaging. Furthermore, we have shown that the Overlap similarity score performs better than the Jaccard similarity coefficient used in previous works. By applying machine learning techniques, we give evidence that considering separately the included resource file types significantly improves the detection accuracy of the method. Experimenting with a balanced dataset of more than 2700 app pairs, we show that with our enhancements it is possible to achieve the F-measure of 0. 9919.

KW - Android security

KW - Repackaging

KW - Resource files

UR - http://www.scopus.com/inward/record.url?scp=84994504550&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84994504550&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-47560-8_9

DO - 10.1007/978-3-319-47560-8_9

M3 - Conference contribution

SN - 9783319475592

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 135

EP - 151

BT - Secure IT Systems - 21st Nordic Conference, NordSec 2016, Proceedings

PB - Springer Verlag

ER -