Due to the open source nature of the Android system, more and more malicious developers are using repackaging techniques to release malware and gain illegal profits. This behavior causes serious damage to user privacy and developer intellectual property. The phenomenon has attracted widespread attention from academia, but previous research on both static and dynamic detection has shortcomings: static feature-based detection is easily defeated by obfuscation, while dynamic feature-based detection is time-consuming and unable to obtain detailed application features. To address these issues, this paper proposes MSDroid, a multi-level detection framework for Android application repackaging. The framework extracts various static features that are difficult to obfuscate and employs a two-stage detection method. The main work and innovations of this framework are as follows:

(1) We designed a coarse-grained primary screening framework based on multiple static features. First, we extracted the application name feature and used Jaro distance to calculate the similarity score of the preprocessed application name features. Then, we extracted the application component feature and used the Jaccard coefficient to calculate the similarity score of the preprocessed component features. In studying these two static feature-based repackaging detection algorithms, we found that using only one static feature to detect repackaged applications leads to high false positive and false negative rates. To solve this problem, we proposed combining the two features with different weights to obtain the similarity score of the final combined feature. Through experimental analysis, we found the optimal weight allocation and the detection threshold that maximizes the difference between the true positive rate and the false positive rate.

(2) Building on the coarse-grained primary screening framework, we propose a fine-grained secondary detection framework based on the activity relationship graph. For suspected repackaged applications screened out by the coarse-grained framework, we designed an algorithm, using the API provided by Androguard, that traverses the interface transfer relationships of the suspected application. During the traversal, the member variable feature set of each activity class is extracted, and the interface transfer relationships are abstracted into an activity relationship graph. We then propose adding labels to activity nodes to solve the problems of subgraph matching failure and node mapping errors that arise when using VF2 subgraph isomorphism.

(3) We designed and implemented a prototype system called MSDroid, which combines fast coarse-grained detection with accurate fine-grained detection. We conducted experimental analysis on thousands of Android applications from three popular third-party app markets and compared the results with two representative repackaging detection tools, FSquaDRA and uit RAAD. The experimental results show that MSDroid performs well in terms of accuracy, resistance to obfuscation, and framework scalability.
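The coarse-grained screening in (1) can be sketched as follows. This is an added example, not MSDroid's code: the weights, the threshold, the name preprocessing and the sample apps are all assumptions, since the abstract does not state them.

```python
from dataclasses import dataclass

# Placeholder weights and threshold: the abstract says these were tuned
# experimentally but does not give the values.
W_NAME, W_COMPONENTS, THRESHOLD = 0.5, 0.5, 0.8

@dataclass(frozen=True)
class App:
    name: str
    components: frozenset  # manifest component class names

def jaro(s1, s2):
    """Jaro similarity in [0, 1]; 1.0 means identical strings."""
    if not s1 or not s2:
        return 0.0
    window = max(max(len(s1), len(s2)) // 2 - 1, 0)
    used = [False] * len(s2)
    m1 = []  # matched characters of s1, in s1 order
    for i, ch in enumerate(s1):
        for j in range(max(0, i - window), min(len(s2), i + window + 1)):
            if not used[j] and s2[j] == ch:
                used[j] = True
                m1.append(ch)
                break
    if not m1:
        return 0.0
    m2 = [c for c, u in zip(s2, used) if u]  # matched characters in s2 order
    t = sum(a != b for a, b in zip(m1, m2)) / 2  # transpositions
    m = len(m1)
    return (m / len(s1) + m / len(s2) + (m - t) / m) / 3

def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0  # no components: no evidence

def normalize(name):
    # Assumed preprocessing: case-fold and drop non-alphanumerics.
    return "".join(c for c in name.casefold() if c.isalnum())

def combined_score(x, y):
    return (W_NAME * jaro(normalize(x.name), normalize(y.name))
            + W_COMPONENTS * jaccard(x.components, y.components))

def is_suspect(x, y):
    return combined_score(x, y) >= THRESHOLD

# Constructed sample apps (not from the paper's dataset).
ORIGINAL = App("Sky Runner", frozenset({"com.example.sky.Main",
               "com.example.sky.ScoreService", "com.example.sky.BootReceiver"}))
REPACKED = App("Sky Runner Pro", ORIGINAL.components | {"com.example.ads.AdService"})
UNRELATED = App("Weather Now", frozenset({"org.example.wx.Main"}))
```

Pairs for which `is_suspect` returns true would be passed on to the fine-grained activity relationship graph stage described in (2).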