Third-party Library Detection For Android Applications Based On Multi-Granularity Matching

Posted on: 2023-04-24 | Degree: Master | Type: Thesis | Country: China | Candidate: Y F Wu | GTID: 2558306905999409 | Subject: Software security

Abstract/Summary:

The inclusion of malicious or vulnerable third-party libraries in Android apps is a severe security problem that has persisted throughout the evolution of Android apps. Static analysis with similarity matching is a common and practical approach to detecting third-party libraries, and their specific versions, in Android apps. Commercial Android apps usually apply various obfuscation techniques to hinder reverse analysis, including basic identifier renaming, dead code elimination, and advanced techniques such as class repackaging and control flow randomization, which makes accurate detection of third-party libraries extremely difficult. Among the existing third-party library detection tools for Android apps, ATVHunter and LibID have difficulty detecting libraries in apps obfuscated by control flow randomization, while LibPecker and LibScout cannot effectively handle apps obfuscated by class repackaging. In addition, the detection efficiency of LibID and LibPecker is low because they perform pairwise similarity comparison of all classes or methods. Detecting third-party libraries inside apps obfuscated by class repackaging and control flow randomization, with high detection efficiency, is still an open problem.

To address this problem, we propose a multi-granularity, multi-phase matching approach for determining the third-party libraries used in Android apps as well as their versions. First, our scheme uses efficient filter matching to greatly reduce the scope of subsequent matching. Then we use a coarse-grained method opcode similarity matching to support third-party library detection in control flow randomized apps. Afterwards, to reduce the false matches produced by the coarse-grained matching, we use a fine-grained matching. In this phase, the opcodes on the method call paths are matched to achieve one-to-one matching between the app's classes and library classes. Finally, library identification is performed based on the fine-grained matching results. The entire matching procedure does not depend on any package structure information, so our tool can resist various obfuscation techniques. The use of filters and multi-stage matching provides high detection efficiency.

The main contributions of this study are as follows:

(1) We study the characteristics of the intermediate code decompiled from Android apps, and our filter matching approach can efficiently find a potentially matchable set of application classes for the library classes. This step reduces the cost of subsequent similarity analysis and improves detection efficiency.

(2) We study class repackaging and control flow randomization. We design the method opcode similarity matching and the call-path opcode similarity matching to resist control flow randomization and reduce method mismatches.

(3) On the benchmark dataset published by Orlis and ATVHunter, which contains 1049 Android apps with library manifests and 452 library files, the detection effectiveness of our tool LibScan has been evaluated and compared with existing third-party library detection approaches (LibID, LibPecker, LibScout). Compared with these tools, our tool is more effective.

(4) A performance evaluation on popular commercial Android apps demonstrates the good performance of our tool. Our experiments are carried out on a large-scale Android app dataset to detect 205 CVE-specified vulnerable or malicious libraries from Maven repositories. The results demonstrate the effectiveness of our approach in detecting vulnerable or malicious libraries in commercial Android applications.

Keywords/Search Tags: Android, Third-Party Library, Static Analysis, Code Obfuscation, Code Similarity