Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attack of the Clones: Detecting Cloned Applications on Android Markets Jonathan Crussell 1,2, Clint Gibler 1, and Hao Chen 1Clint GiblerHao Chen 1 University.

Published byAntony Bishop Modified over 9 years ago

Similar presentations

Presentation on theme: "Attack of the Clones: Detecting Cloned Applications on Android Markets Jonathan Crussell 1,2, Clint Gibler 1, and Hao Chen 1Clint GiblerHao Chen 1 University."— Presentation transcript:

1 Attack of the Clones: Detecting Cloned Applications on Android Markets Jonathan Crussell 1,2, Clint Gibler 1, and Hao Chen 1Clint GiblerHao Chen 1 University of California, Davis 2 Sandia National Labs Source: ESORICS 2012ESORICS 2012

2 Outline Introduction Background Threat Model Clone Detection Approaches and Related Work Methodology Evaluation Case Studies Discussion Conclusion

3 Introduction Much of the user experience of Android relies on third-party apps. Android has numerous marketplaces. Protect users from malicious apps. Protect developers from plagiarists.

4 Introduction Developers can charge directly for their apps. Offer free apps that are ad-supported or contain in-game billing. Some apps have two version. Paid app -> cracked & release for free Free app -> cloned & change ad libraries

5 Introduction

6 Background Android Markets Android Application Structure

7 Threat Model - Definition of “Clone”. Clones occur when two applications have similar code but have different ownership. Ignore Third-party libraries Multiple versions of the same application if they have the same ownership.

8 Resistance to Evasion Techniques. High level modifications Method Restructurings Control Flow Alterations Addition/Deletion Reordering

9 Non Goals Find cloning in native code. Determine which applications are the victims and which are clones.

10 Clone Detection Approaches - Feature Based Feature based approaches analyze a program and extract a set of features. Number or size of classes, methods, loops, or variables to included libraries. Low detection rate or high false positive rate.

11 Clone Detection Approaches - Structure Based Structure based systems convert programs into a stream of tokens and then compare the streams between two programs. More robustly than feature based systems. JPLAG, Winnowing and MOSS. Comparing DEX byte code streams could be a quite quick and scalable method to find exactly or near exactly copied code. But byte code streams contain no higher level semantic knowledge about the code.

12 Clone Detection Approaches - PDG Based

13 Related Work Androguard, DEXCD and DroidMOSS. All these approaches are structure based or structure based approximations. None of these tools use any semantic information to aid in detecting plagiarism.

14 Methodology

15 Selecting Potentially Cloned Applications The goal of an application plagiarist is to entice unwary users to choose her cloned application instead of the original. Name and description.

16 Determining Application Similarity Based on Attributes We use Solr to mimic the search engines on Android markets.Solr Attributes of the apps: name, package, market, owner, and description

17 Constructing PDGs dex2jar: Convert both apps’ code from the DEX format to a JAR. dex2jar WALA: Construct PDGs for each method in every class of the applications. WALA Only data dependency edges: More robust against statement reordering, insertion and deletion.

18 Comparing PDGs-Excluding Common Libraries Ad library Admob, Facebook API, etc. Dumped both the package name and SHA-1 hash of known library files and recorded the most frequent SHA-1 hashes for each library.

19 Lossless and Lossy Filters Lossless filter: Removes PDGs from consideration that are smaller than a specified size (< 10 nodes). Lossy filter: Calculate a frequency vector for each of the methods in the pair. This vector counts how many times a specific node type occurs in the PDG. Compare these two vectors using hypothesis testing (G-test).

20 Subgraph Isomorphism

21 Computing Similarity Scores

22 Evaluation 75,000 free apps from 13 Android markets. Randomly selected 9,400 pairs from the potential clones. Hadoop: parallelize DNADroid. HDFS: share data across a small cluster. The average throughput of DNADroid on this small cluster is 0.71 application pairs per minute.

23 Similarity between Applications

24

25 Clustering Cloned Applications

26

27

28 Filter Performance

29

30 Visual and Behavioral Verification

31 Case Studies

32 “Benign” Cloning DNADroid found 30 pairs that both have a 100% similarity score. Translation.

33 Changes to Advertising Libraries We can see when an application has most likely been cloned for monetary gain. Ex: XWind Downloader For the 141 apps, we found that 91 (65%) of these pairs had different libraries, all of which included changes to advertising libraries.

34 Malware Added to an Application “HippoSMS” is a malicious application requires 10 permissions. It shares the same package name as a Chinese video player requires 11 permissions. 6 permissions that video player doesn’t use.

35 Two Variants of the Same Malware Two malicious apps that are identified by VirusTotal as being variants of the “BaseBridge” malware family. Both applications have been stripped of meaningful class and method names. DNADroid found coverages of 35% and 28% between the two variants.

36 Use of Freeware Cracking Tool in the Wild AntiLVL Decompiling an app with baksmali Inserts a new file: SmaliHook.class And hide AntiLVL’s modifications from the app itself by returning the original file size, MD5, and signatures. Android License Verification Library (LVL), Amazon Appstore DRM and Verizon DRM. 189 of 310 applications containing SmaliHook.class 235 of 310 containing references to AntiLVL in their signature files. Only 8% of our total apps were acquired from Chinese markets, 88% of the apps including AntiLVL traces were from Chinese markets.

37 Discussion

38 False Positive Since it is a serious allegation to claim an application is a clone, we design DNADroid to have a very low false positive rate.

39 False Negative Cloned applications often have similar attributes as the original. (?) There exist advanced program transformations that can evade PDG- based clone detection.

40 Comparison to Other Approaches Androguard: miss 18% DEXCD had problems running on the pairs DNADroid identified. DroidMOSS is not currently publicly available.

41 Performance DNADroid are more expensive but result in fewer false positives and false negatives.

42 Conclusion DNADroid is a tool for finding clones on a large scale. We evaluated DNADroid on applications crawled from 13 Android markets. Identified at least 141 apps that have been cloned An additional 310 apps that were cracked with AntiLVL We describe five case studies DNADroid has a very low false positive rate DNADroid is an effective tool.

Download ppt "Attack of the Clones: Detecting Cloned Applications on Android Markets Jonathan Crussell 1,2, Clint Gibler 1, and Hao Chen 1Clint GiblerHao Chen 1 University."

Similar presentations

Chao Liu, Chen Chen, Jiawei Han, Philip S. Yu

Chao Liu, Chen Chen, Jiawei Han, Philip S. Yu
Scalable Parallel Intrusion Detection Fahad Zafar Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha 1 University of Maryland Baltimore County.

Scalable Parallel Intrusion Detection Fahad Zafar Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha 1 University of Maryland Baltimore County.
A PLFS Plugin for HDF5 for Improved I/O Performance and Analysis Kshitij Mehta 1, John Bent 2, Aaron Torres 3, Gary Grider 3, Edgar Gabriel 1 1 University.

A PLFS Plugin for HDF5 for Improved I/O Performance and Analysis Kshitij Mehta 1, John Bent 2, Aaron Torres 3, Gary Grider 3, Edgar Gabriel 1 1 University.
Data Mining Methodology 1. Why have a Methodology  Don’t want to learn things that aren’t true May not represent any underlying reality ○ Spurious correlation.

Data Mining Methodology 1. Why have a Methodology  Don’t want to learn things that aren’t true May not represent any underlying reality ○ Spurious correlation.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Extraction of.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Extraction of.
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
DSPIN: Detecting Automatically Spun Content on the Web Qing Zhang, David Y. Wang, Geoffrey M. Voelker University of California, San Diego 1.

DSPIN: Detecting Automatically Spun Content on the Web Qing Zhang, David Y. Wang, Geoffrey M. Voelker University of California, San Diego 1.
Reverse Engineering © SERG Code Cloning: Detection, Classification, and Refactoring.

Reverse Engineering © SERG Code Cloning: Detection, Classification, and Refactoring.
3 Section C: Installing Software and Upgrades  Web Apps  Mobile Apps  Local Applications  Portable Software  Software Upgrades and Updates  Uninstalling.

3 Section C: Installing Software and Upgrades  Web Apps  Mobile Apps  Local Applications  Portable Software  Software Upgrades and Updates  Uninstalling.
Mobile Web Search Personalization Kapil Goenka. Outline Introduction & Background Methodology Evaluation Future Work Conclusion.

Mobile Web Search Personalization Kapil Goenka. Outline Introduction & Background Methodology Evaluation Future Work Conclusion.
Analyzing Software Code and Execution – Plagiarism and Bug Detection Shoaib Jameel.

Analyzing Software Code and Execution – Plagiarism and Bug Detection Shoaib Jameel.
BotGraph: Large Scale Spamming Botnet Detection Yao Zhao Yinglian Xie *, Fang Yu *, Qifa Ke *, Yuan Yu *, Yan Chen and Eliot Gillum ‡ EECS Department,

BotGraph: Large Scale Spamming Botnet Detection Yao Zhao Yinglian Xie *, Fang Yu *, Qifa Ke *, Yuan Yu *, Yan Chen and Eliot Gillum ‡ EECS Department,
State of Connecticut Core-CT Project Query 4 hrs Updated 1/21/2011.

State of Connecticut Core-CT Project Query 4 hrs Updated 1/21/2011.
Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)

Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
A.C. Chen ADL M Zubair Rafique Muhammad Khurram Khan Khaled Alghathbar Muddassar Farooq The 8th FTRA International Conference on Secure and.

A.C. Chen ADL M Zubair Rafique Muhammad Khurram Khan Khaled Alghathbar Muddassar Farooq The 8th FTRA International Conference on Secure and.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.
DroidKungFu and AnserverBot

DroidKungFu and AnserverBot

Similar presentations

Ads by Google