
Repackaged Smartphone Applications: Threats and Defenses

Posted on: 2014-11-01
Degree: Ph.D
Type: Dissertation
University: North Carolina State University
Candidate: Zhou, Wu
Full Text: PDF
GTID: 1458390008958777
Subject: Computer Science
Abstract/Summary:
Smartphone applications are rapidly growing in number and variety. These applications (or apps), typically organized in various app markets, can be conveniently browsed by users and simply tapped to install on a variety of mobile devices. In studying smartphone apps in these markets, we find a common "in-the-wild" practice of repackaging legitimate apps. This practice brings tremendous risks to app developers, mobile users, market operators, and the entire ecosystem. For example, malicious authors may attach destructive payloads to legitimate apps to infect unsuspecting users. Others may implant advertising code into popular apps to hijack ad revenue.

To better understand the extent and threats of repackaged smartphone apps, we conduct two systematic studies. First, we implement an app similarity measurement system called DroidMOSS that applies a fuzzy hashing technique to effectively localize and detect changes from app-repackaging behavior. Using DroidMOSS, we conduct an initial sampling-based study on apps from six popular third-party markets. The study reveals the worrisome fact that 5% to 13% of apps in these markets are repackaged apps. Further investigation indicates that these repackaged apps are mainly used to replace existing in-app advertisements or embed new ones to hijack ad revenues. There are also cases where malicious payloads are implanted. Not relying on sampling, the second study deals with all apps from the markets. Specifically, we employ a fast and scalable approach to detect piggybacked apps (the most serious category of repackaged apps). Realizing that attached payloads are not an integral part of apps' primary functionality, we propose a module decoupling technique to partition apps into primary and non-primary modules. Observing that a piggybacked app shares the same primary module as the original app, we develop a fingerprinting technique to extract meaningful semantic features into a feature vector. We then construct a metric space and propose a fast search algorithm to efficiently and scalably detect piggybacked apps. A prototype named PiggyApp is implemented to study 84,767 apps collected from various markets. Results show that the processing takes less than nine hours on a single machine and that piggybacked apps constitute between 0.97% and 2.7% of all apps for these markets. Further investigation reveals a series of advertising libraries inserted into thousands of apps and a variety of malicious payloads implanted into dozens of apps. These results demonstrate the effectiveness and scalability of our approach.

To defend against the app repackaging threat, we explore two different approaches. First, we propose a watermarking mechanism for Android apps as a deterrence mechanism. To embed and extract the watermark automatically, we introduce a manifest app, which can trigger different app functionality to exhibit the watermark within an extended Dalvik VM. The extracted watermark can be used as proof of app ownership when a repackaged app is identified. The second approach uses diversified intermediate languages (other than Dalvik bytecode) to ship the code for various apps. Not knowing the instruction semantics, attackers will have difficulty making meaningful modifications to the target app. To reduce performance overhead, we devise a lightweight in-app hooking mechanism that reuses the Dalvik VM to interpret the new instructions. To eliminate developer intervention, we develop an automatic process to transform normal apps into protected form. To demonstrate the effectiveness of these two methods in defending against app repackaging, we analyze their robustness in resisting well-known attacks and evaluate them against available tools. Evaluations show that both approaches introduce only a small performance overhead, acceptable for daily usage.
Keywords/Search Tags:App, Repackaged, Smartphone, Markets