Research On Android Application Repackaging Detection Technology Based On Whole Layout Tree

The openness of the Android platform makes the repackaged applications continue to be on the market.The major Android markets and original application developers are both affected.Android application repackaging means that attackers decompile the official application and add malicious codes,then re-sign the recompiled application and publish it.Because of the low cost and good profit,the situation of Android application repackaging is more serious.Android repackaging detection can be divided into two steps:finding similar applications using the similarity measure and using the Android signature mechanism for verification.In contrary to repackaging detection is the obfuscation technology.Earlier methods are based on applications' codes,these methods use code similarity to detect repackaging.But with the development of code obfuscation,code-based methods become invalid.After that,resource-based and UI-based methods have been proposed,which detect repackaging by analyzing the type and amount of the decompiled resource files or layout files.However,with the development of resource and UI obfuscation,these methods also become invalid.How to design an effective method for Android application repackaging detection is a challenging research area.In order to solve the problem of previous measures,we proposed a novel dynamic UI-based repackaging detection method.This method uses applications' view layout information and view transfer information to build Whole Layout Tree(WLT),then employs the Context Triggered Piecewise Hashing(CTPH)algorithm to calculate the similarity of WLTs and find similar applications.After that,Android signature mechanism is adopted to realize repackaging detection.Since WLT is based on the information which is extracted from user interfaces and interface transfers of running application.It represents applications' external display interface information and inherent operational logic information.WLT is extracted dynamically during the running of the testing application.It can avoid the interference of the layout file obfuscation with its strong resistance.At the same time,WLT has high accuracy.Building WLT only needs to run applications instead of decompiling apk files,which makes detection simple and effective.We designed two experiments with three data sets to verify the resistance and accuracy of the WLT-based detection method.In the resistance experiment,the data set SR was confused by five mainstream obfuscation to generate 150 data groups.We used the WLT-based detection method WLTDroid to compare with the code-based detection method AndroGuard,the resource-based detection method FSquaDRA,and the UI-based detection method SUIDroid.The experiment results show that WLTDroid is more resistant than other detection methods.The accuracy experiment is divided into two steps:threshold determination and accuracy test.First,we used four encryption techniques to encrypt the data set S1 so that we can generate 63 data groups.Based on these data groups,the best thresholds of WLTDroid and the Ul-trance-based detection method RepDroid were determined.Then we used the real-world applications data set S2 to generate 5253 data groups.Based on these data groups and the best thresholds determined in the previous step,we compare WLTDroid with RepDroid.The experimental results show that WLTDroid is more accurate than RepDroid.