DOI: 10.1145/2133601.2133640 (research article)

Detecting repackaged smartphone applications in third-party android marketplaces

Published: 7 February 2012

ABSTRACT

Recent years have witnessed incredible popularity and adoption of smartphones and mobile devices, accompanied by a large number and wide variety of feature-rich smartphone applications. These smartphone applications (or apps), typically organized in different application marketplaces, can be conveniently browsed by mobile users and then installed on a variety of mobile devices with a single click. In practice, besides the official marketplaces from platform vendors (e.g., Google and Apple), a number of third-party alternative marketplaces have also been created to host thousands of apps (e.g., to meet regional or localization needs). To maintain and foster a hygienic smartphone app ecosystem, each third-party marketplace needs to offer quality apps to mobile users.

In this paper, we perform a systematic study on six popular Android-based third-party marketplaces. Among them, we find a common "in-the-wild" practice of repackaging legitimate apps (from the official Android Market) and distributing the repackaged ones via third-party marketplaces. To better understand the extent of this practice, we implement an app similarity measurement system called DroidMOSS that applies a fuzzy hashing technique to effectively localize and detect the changes introduced by app-repackaging behavior. The experiments with DroidMOSS show the worrisome fact that 5% to 13% of apps hosted on the studied marketplaces are repackaged. Further manual investigation indicates that these repackaged apps are mainly used to replace existing in-app advertisements or embed new ones to "steal" or re-route ad revenues. We also identify a few cases with planted backdoors or malicious payloads among repackaged apps. The results call for a rigorous vetting process for better regulation of third-party smartphone application marketplaces.
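The abstract names fuzzy hashing as the mechanism that makes a repackaged app recognisable even though its bytecode was rebuilt and re-signed. The following added example (not DroidMOSS's own code) shows the idea with a spamsum-style context-triggered piecewise hash over Dalvik opcode streams: the input being opcode-only (operands stripped), the window and trigger sizes, the crc32 stand-in for a rolling hash, the 50% threshold and all opcode sequences are constructed assumptions for illustration.

```python
import difflib
import hashlib
import zlib

# Constructed Dalvik opcode streams (operands already stripped), standing in for
# the instructions of an original app and of two candidate apps from a market.
ONCREATE = ["invoke-super", "const", "invoke-virtual", "iget-object", "const-string",
            "invoke-virtual", "move-result-object", "if-eqz", "new-instance",
            "invoke-direct", "iput-object", "return-void"]
ONCLICK = ["iget", "const/4", "if-ne", "iget-object", "invoke-interface",
           "move-result", "add-int/lit8", "iput", "goto", "return-void"]
LOOP = ["const/4", "array-length", "if-ge", "aget-object", "invoke-static",
        "move-result-object", "check-cast", "add-int/lit8", "goto", "return-object"]
ORIGINAL = ONCREATE + ONCLICK + LOOP + ONCLICK + ONCREATE + LOOP + ONCLICK + LOOP
# Repackaged copy: identical code except for an ad-SDK initialisation spliced
# into onCreate (constructed, not a real SDK).
AD_HOOK = ["new-instance", "const-string", "const-string", "invoke-direct",
           "invoke-virtual", "move-result-object", "invoke-static", "move-result"]
REPACKAGED = ORIGINAL[:11] + AD_HOOK + ORIGINAL[11:]
UNRELATED = ["sget-object", "monitor-enter", "aget-wide", "mul-long", "cmp-long",
             "sput-wide", "throw", "monitor-exit", "packed-switch"] * 11

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
BLOCK = 4    # a piece ends whenever the context hash hits the trigger value
WINDOW = 3   # opcodes forming the context (spamsum uses a 7-byte window)

def fuzzy_hash(opcodes):
    """Context-triggered piecewise hash: cut the stream where the local
    context says so, then map each piece to one signature character."""
    signature, piece = [], []
    for i, op in enumerate(opcodes):
        piece.append(op)
        context = " ".join(opcodes[max(0, i - WINDOW + 1):i + 1])
        if zlib.crc32(context.encode()) % BLOCK == BLOCK - 1:  # rolling-hash stand-in
            signature.append(_piece_char(piece))
            piece = []
    if piece:
        signature.append(_piece_char(piece))
    return "".join(signature)

def _piece_char(piece):
    digest = hashlib.sha1(" ".join(piece).encode()).digest()
    return ALPHABET[digest[0] % len(ALPHABET)]

def similarity(sig_a, sig_b):
    """Edit-distance style score (0..100) between two signatures."""
    return round(100 * difflib.SequenceMatcher(None, sig_a, sig_b).ratio())

def flag_repackaged(original, candidate, threshold=50):
    """True when the candidate's signature is close enough to the original's."""
    return similarity(fuzzy_hash(original), fuzzy_hash(candidate)) >= threshold
```

Because cut points depend only on the surrounding opcodes, pieces before and after the injected hook re-align and the signatures differ only in the middle, which is what lets the score localise the change rather than just report a mismatch.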

Published in

CODASPY '12: Proceedings of the second ACM conference on Data and Application Security and Privacy
February 2012
338 pages
ISBN: 9781450310918
DOI: 10.1145/2133601

Copyright © 2012 ACM

            Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance Rates

CODASPY '12 paper acceptance rate: 21 of 113 submissions, 19%. Overall acceptance rate: 149 of 789 submissions, 19%.
