| Android is currently the most popular mobile operating system platform in the world.More and more attackers have repackaged Android applications and released them to the application markets in order to gain illegal benefits,posing huge threats to users’ privacy and security.Therefore,in the past,many researchers have devoted themselves to the detection of Android repackaged applications.But most researches in the past have focused on code similarity detection.These algorithms cannot detect obfuscated or encrypted applications.The recently proposed detection algorithms based on UI features is resistant to reinforcement.Some detection algorithms based on dynamically acquiring UI features have shown their effectiveness in repackaging detection.However,these methods require executing each application dynamically to obtain features.So,it is not scalable and cannot detect large-scale applications.The speed of the detection method obtaining layout features based on static method is fast,but it cannot obtain sufficient effective information,and it is also easily affected by noise.Aiming at the above problems,a two-phase Android repackaged application detection framework DSMDroid which combines dynamic and static methods is proposed.The main work contents and innovations are as follows:(1)A static coarse-grained detection framework based on multi-features is designed.Firstly,the image features are extracted which are the components of the Android application appearance interfaces,and the similar scores of the Android applications are calculated through perceptual hash and Hungarian algorithms.Then the component and permission features are extracted,and the similar scores of the Android applications are calculated by the method given in this thesis.Through the analysis of the above two repackaging detection algorithms based on static features,it is found that there are high false alarm rates.In order to solve this problem,these two features are combined by assigning different weights to calculate the final similar score.Based on the data set published by Andro Zoo,the optimal values of the weight and threshold corresponding to the lowest omissive judgement rate and the lower misdiagnosis rate are obtained through experimental analysis.This coarse-grained framework can quickly pick out suspicious repackaged applications and provide data sets for fine-grained detection.(2)Based on the static coarse-grained screening framework,a dynamic fine-grained detection framework based on the layouts of the user interfaces at runtime is proposed.For suspicious repackaged applications selected by the coarse-grained framework,a deep traversal automation framework based on interactive components is designed by using ADB and uiautomator2 to execute Android applications automatically and extract the layout files of the visual interfaces during the running process.Then the layouts are converted to layout trees.A new similarity comparison algorithm based on multi-dimensional sequences is used to compare the similarity of layout trees,and it is proved that it has better evaluation performance than the similarity algorithm based on tree edit distance or tree kernel function by experimental analysis.Finally,the Hungarian algorithm was used to compare the feature sets combined by the layout trees of Android applications to obtain the final similar score.The fine-grained detection framework can detect repackaged applications more accurately.(3)The prototype system of MDSDroid are designed and implemented.MDSDroid combines static and dynamic detection frameworks,which has both the rapid scalability of static methods and the accuracy of dynamic methods.Then tens of thousands of Android applications are crawled from two third-party application markets for experimental analysis.And comparing MDSDroid with two representative repackaging detection tools Androguard and FSqua DRA,the experimental results show that MDSDroid has good performance in terms of accuracy,scalability,and resistance to reinforcement. |
PDF Full Text Request