
Research Of The Android Repackaged Applications' Detection Based-on The Analysis Of Network Traffic's Similarity

Posted on: 2016-11-03
Degree: Master
Type: Thesis
Country: China
Candidate: X P Wu
Full Text: PDF
GTID: 2428330473965646
Subject: Software engineering
Abstract/Summary:
In recent years, owing to the openness of the Android platform, the number of Android applications (apps) has grown rapidly. At the same time, a growing number of malware writers are targeting this platform. Malware writers embed malicious code into Android apps to carry out malicious behaviors, such as sending text messages to premium numbers, stealing private information, or turning an Android phone into a botnet node. We call apps that have been modified, or into which new or malicious code has been implanted, repackaged apps. These apps cause security problems for users and market providers, so detecting them has become an urgent problem. Previous research has focused on extracting Android app characteristics by static analysis and calculating the similarity of those characteristics. These methods are simple and mature, but they cannot handle code obfuscation techniques or analyze an app's dynamic behavior. To address these limitations, we propose a new repackaged app detection approach based on extracting app characteristics from the traffic generated while the app is running. First, this technique needs to establish a traffic similarity model for Android apps, which accurately captures the traffic generated by the app, parses the traffic into flows or flow figures, classifies them into different flow figure sets, and finally forms the flow characteristics of the app. To calculate the similarity between apps accurately, we propose a set of algorithms that calculate the similarity of flows, flow figures and flow figure sets. Second, this technique requires a detection algorithm to find repackaged apps quickly. From different points of view, this article puts forward two detection systems: the Pair-Wise comparison detection system and the balance VP-Tree comparison detection system. Each has its own merits, and both can quickly detect repackaged apps in their respective detection fields. Finally, this paper implemented prototypes of the traffic similarity model and of the two detection systems, and used them to detect repackaged apps among 7619 Android apps, all of them popular apps downloaded from six different Android markets in the second week of January 2013. In our experiment, we successfully detected a total of 658 repackaged apps. The repackaged rate is between 5.05% and 12.13%, and the average repackaged rate is 8.64%. Based on these results, we carried out a detailed analysis and comparison of the detected repackaged apps. We found that a repackaged app always generates more traffic than its original app. Repackaged apps commonly embed an ad library to earn advertising revenue, or malicious code to achieve particular purposes, such as turning the mobile phone into a botnet node. All these results show that Android application markets, whether the official market or third-party markets, urgently need a stringent process to better regulate the smartphone application market.
Keywords/Search Tags:Android app, Embedded repackaged, HTTP traffic, Similarity