Android Application Repackaging Detection Based On Runtime Graphical User Interface

In recent years,with the explosive growth of mobile smart phones,the number of mobile applications increases rapidly.Android,the most used mobile operating sys-tem,has brought great convenience to people and changed people's way of life.And the Android applications,which run on Android system,has a large number and rich types.They have become important parts of Android ecosystem.However,due to the universality of Android applications,many attackers turn the target of attack to them,hoping to achieve their illegal purposes.In this regard,Android application repackag-ing is a prominent problem.Android application repackaging means that an attacker will download the appli-cation from the market(or other ways),use the tool to decompile the application,add malicious code or modify part of the function,and repackage it into a new application to the application market.To leverage the popularity of the original applications,at-tackers will do as much as possible to ensure that the repackaged applications and the original applications are consistent in the behavior of the software,so that users can not distinguish.Repackaging will bring great threat to users,Android market and even the whole Android ecosystem.In order to detect the Android repackaging,many works have been put forward and achieved some results.One of the most common methods is to extract birthmarks from the applications first,and comparing the application birthmarks to determine whether they are repackaged[1].Application birthmark is a model extracted from an application,which contains the characteristics of the application and can uniquely identify it.How-ever,with the continuous development of technology,more and more applications are obfuscated or encrypted by tools after development-such technologies can also be ap-plied to repackaged applications.In the early stage,the traditional static software birth-mark technology was used to extract the software birthmarks from the static analysis.However,such information is easily interfered by code obfuscation,such as inserting some permanent true-false branches,adding intermediate calls,will have an impact on the existing work.Methods like Viewdroid[2]and Resdroid[3]taking the graphical user interface of mobile applications into account which contains large extent reflection of the behavior characteristics of applications.These methods enhance the resistance of obfuscation applications,but there are still some shortcomings.For example,we can evade detection of such methods by using reflection substitution and inserting invisible Activity.Moveover,all of the above static work can not cope with the application of encryption.Research on mobile software birthmark for mobile software is just begin-ning.[4]uses the pressure test tool Monkey to drive the application execution,records the invocation of system API,and extracts the software birthmark based on this.[5]uses attributes in the graphical user interface as software birthmarks,but still relies too much on some static information,resulting in software birthmark is easily disturbed.In order to take advantage of the popularity of the original application,the repack-aged application usually maintains a similar sense of the original one.The repackaging and original application pair often has a high similarity in the graphical user interface layout and its interactive way.Therefore,we consider that extracting the birthmark from the dynamic interface information is a feasible technical scheme,and propose a Android application birthmark model from the runtime user interface transition:Ab-stract Group Transition Group(AGTG).Based on this model,we have instantiated two software birthmarks:Layout Group Graph(LGG)and Region Group Graph(RGG).LGG can effectively resist the application confusion and encryption,which signifi-cantly improves the resistance and credibility of Android application repackaging de-tection.The proposal of RGG improves the shortcomings of the LGG,and can also deal with the repackage detection of the hybrid Android applications.In summary,the main contributions of this article are:1.A software birthmark from the runtime Android application graphical user inter-face transition is proposed:the Abstract Group Transition Group(AGTG).AGTG models the interface transition in the running application,which divides the sim-ilar interface features into the same group as the graph nodes.At the same time,the AGTG generation algorithm and its similarity comparison algorithm are also proposed for the repackaging detection.2.In order to make the birthmark resistant to obfuscation and encryption,we propose an instantiation birthmark of AGTG:Layout Group Graph(LGG).We also imple-mented the prototype tool Repdroid,which generated and contrasted birthmarks.We used two data sets for experiment.According to the experimental results,all 98 obfuscated or encrypted repackage applications in the first group were all detected;in the second group,the false alarm rate was 0.08%.3.In order to improve the deficiencies in the LGG,we propose another AGTG based software birthmark:Region Group Graph(RGG).Repacking detection based on RGG can not only deal with obfuscated and encrypted applications,but also de-tect repackaging in hybrid applications.We also implemented the prototype tool RegionDroid for this method,and evaluated the effectiveness of the method in ob-fuscation and encryption applications.At the same time,we also downloaded 157 hybrid applications.The experimental results show that the false positive rate is 0.016%.