Attack of the Clones: Detecting Cloned Applications on Android Markets
Jonathan Crussell 1,2, Clint Gibler 1, and Hao Chen 1
1 University of California, Davis
2 Sandia National Labs
Source: ESORICS 2012
Outline
• Introduction
• Background
• Threat Model
• Clone Detection Approaches and Related Work
• Methodology
• Evaluation
• Case Studies
• Discussion
• Conclusion
Introduction
• Much of the user experience of Android relies on third-party apps.
• Android has numerous marketplaces.
• Protect users from malicious apps.
• Protect developers from plagiarists.
Introduction
• Developers can charge directly for their apps.
• Offer free apps that are ad-supported or contain in-game billing.
• Some apps have two versions.
  - Paid app -> cracked & released for free
  - Free app -> cloned & ad libraries changed
Introduction
Background
• Android Markets
• Android Application Structure
Threat Model - Definition of “Clone”
• Clones occur when two applications have similar code but have different ownership.
• Ignore:
  - Third-party libraries
  - Multiple versions of the same application if they have the same ownership.
Resistance to Evasion Techniques.
• High level modifications
• Method Restructurings
• Control Flow Alterations
• Addition/Deletion
• Reordering
Non Goals
• Find cloning in native code.
• Determine which applications are the victims and which are clones.
Clone Detection Approaches - Feature Based
• Feature based approaches analyze a program and extract a set of features.
• Features range from the number or size of classes, methods, loops, or variables to included libraries.
• Low detection rate or high false positive rate.
Clone Detection Approaches - Structure Based
• Structure based systems convert programs into a stream of tokens and then compare the streams between two programs.
• More robust than feature based systems.
• JPLAG, Winnowing and MOSS.
• Comparing DEX byte code streams could be a quick and scalable method to find exactly or near exactly copied code.
• But byte code streams contain no higher level semantic knowledge about the code.
Clone Detection Approaches - PDG Based
• Program Dependence Graph:
  - each node is a statement
  - each edge shows a dependency between statements
  - two types of dependencies: data and control
• A data dependency edge between statements and exists if there is a variable in whose value depends on .
• A control dependency between two statements exists if the truth value of the first statement controls whether the second statement executes.
Related Work
• Androguard, DEXCD and DroidMOSS.
• All these approaches are structure based or structure based approximations.
• None of these tools use any semantic information to aid in detecting plagiarism.
Methodology
Selecting Potentially Cloned Applications
• The goal of an application plagiarist is to entice unwary users to choose her cloned application instead of the original.
• Name and description.
Determining Application Similarity Based on Attributes
• We use Solr to mimic the search engines on Android markets.
• Attributes of the apps: name, package, market, owner, and description
Constructing PDGs
• dex2jar: Convert both apps’ code from the DEX format to a JAR.
• WALA: Construct PDGs for each method in every class of the applications.
• Only data dependency edges: More robust against statement reordering, insertion and deletion.
Comparing PDGs - Excluding Common Libraries
• Ad library Admob, Facebook API, etc.
• Dumped both the package name and SHA-1 hash of known library files and recorded the most frequent SHA-1 hashes for each library.
Lossless and Lossy Filters
• Lossless filter: Removes PDGs from consideration that are smaller than a specified size (< 10 nodes).
• Lossy filter: Calculate a frequency vector for each of the methods in the pair.
• This vector counts how many times a specific node type occurs in the PDG.
• Compare these two vectors using hypothesis testing (G-test).
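The two filters on this slide, as an added Python example (not DNADroid's code). Each PDG is modelled as a list of node-type labels; the 0.05 significance level, the add-one smoothing, dropping a pair when either PDG is too small, and the node-type names are assumptions, since the slides give none of them.

```python
import math
from collections import Counter

MIN_NODES = 10   # lossless filter: the slide drops PDGs with < 10 nodes
ALPHA = 0.05     # assumed significance level; the slides do not give one


def chi2_sf(x, df):
    """Upper-tail chi-square probability via the incomplete-gamma series."""
    if x <= 0:
        return 1.0
    a, half = df / 2.0, x / 2.0
    term = total = 1.0 / a
    for n in range(1, 1000):
        term *= half / (a + n)
        total += term
        if term < total * 1e-15:
            break
    return max(0.0, 1.0 - total * math.exp(a * math.log(half) - half - math.lgamma(a)))


def g_test(observed, expected):
    """G statistic and p-value for two node-type frequency vectors."""
    kinds = sorted(set(observed) | set(expected))
    # Add-one smoothing (an assumption) avoids log(0) when a node type
    # appears in only one of the two PDGs.
    obs = [observed[k] + 1 for k in kinds]
    exp = [expected[k] + 1 for k in kinds]
    scale = sum(obs) / sum(exp)          # rescale expected counts to the observed total
    g = 2.0 * sum(o * math.log(o / (e * scale)) for o, e in zip(obs, exp))
    return g, chi2_sf(g, max(len(kinds) - 1, 1))


def passes_filters(pdg_a, pdg_b):
    """Return True if the pair should go on to subgraph isomorphism."""
    if len(pdg_a) < MIN_NODES or len(pdg_b) < MIN_NODES:
        return False                     # lossless filter
    _, p = g_test(Counter(pdg_a), Counter(pdg_b))
    return p >= ALPHA                    # lossy filter: drop significantly different pairs


# Constructed node-type lists (labels are hypothetical).
ORIGINAL = ["invoke"] * 6 + ["assign"] * 8 + ["branch"] * 3 + ["return"] + ["new"] * 2
CLONE = ["invoke"] * 7 + ["assign"] * 9 + ["branch"] * 3 + ["return"] + ["new"] * 2
UNRELATED = ["invoke"] + ["assign"] * 2 + ["branch"] * 12 + ["return"] * 5
TINY = ["assign"] * 3 + ["return"]

if __name__ == "__main__":
    for name, other in [("clone", CLONE), ("unrelated", UNRELATED), ("tiny", TINY)]:
        print(name, passes_filters(ORIGINAL, other))
```

The clone with two inserted statements keeps nearly the same node-type distribution and passes; the unrelated method and the 4-node method are discarded before the expensive graph comparison.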
Subgraph Isomorphism
• Find a mapping between nodes in and nodes in .
• Subgraph isomorphism is NP-complete.
• VF2 algorithm.
Computing Similarity Scores
• For each method (excluding the methods in known libraries) in application , let be the number of nodes in this method’s PDG. Find the best match of this PDG in ’s PDGs and denote it as .
• Similarity score:
Evaluation
• 75,000 free apps from 13 Android markets.
• Randomly selected 9,400 pairs from the potential clones.
• Hadoop: parallelize DNADroid.
• HDFS: share data across a small cluster.
• The average throughput of DNADroid on this small cluster is 0.71 application pairs per minute.
Similarity between Applications
Similarity between Applications
Clustering Cloned Applications
Clustering Cloned Applications
Filter Performance
Filter Performance
Visual and Behavioral Verification
Case Studies
“Benign” Cloning
• DNADroid found 30 pairs that both have a 100% similarity score.
• Translation.
Changes to Advertising Libraries
• We can see when an application has most likely been cloned for monetary gain.
• Ex: XWind Downloader
• For the 141 apps, we found that 91 (65%) of these pairs had different libraries, all of which included changes to advertising libraries.
Malware Added to an Application
• “HippoSMS” is a malicious application that requires 10 permissions.
• It shares the same package name as a Chinese video player that requires 11 permissions.
• 6 permissions that the video player doesn’t use.
Two Variants of the Same Malware
• Two malicious apps that are identified by VirusTotal as being variants of the “BaseBridge” malware family.
• Both applications have been stripped of meaningful class and method names.
• DNADroid found coverages of 35% and 28% between the two variants.
Use of Freeware Cracking Tool in the Wild
• AntiLVL
  - Decompiles an app with baksmali
  - Inserts a new file: SmaliHook.class
  - Hides AntiLVL’s modifications from the app itself by returning the original file size, MD5, and signatures.
• Android License Verification Library (LVL), Amazon Appstore DRM and Verizon DRM.
• 189 of 310 applications containing SmaliHook.class
• 235 of 310 containing references to AntiLVL in their signature files.
• Only 8% of our total apps were acquired from Chinese markets, but 88% of the apps including AntiLVL traces were from Chinese markets.
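A scanner for the two AntiLVL traces counted on this slide, as an added Python example (not the authors' tooling). It assumes the class file is looked up in both the APK and the JAR produced by dex2jar, and that signature files are the entries under META-INF/; the sample archives, package paths and signature-file text are constructed.

```python
import io
import zipfile

HOOK_FILE = "SmaliHook.class"   # file name from the slide
MARKER = b"antilvl"             # matched case-insensitively (assumption)


def scan_archive(data):
    """Scan one ZIP container (APK, or the JAR produced by dex2jar)."""
    hooks, sig_refs = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.rsplit("/", 1)[-1] == HOOK_FILE:
                hooks.append(name)
            # Signing metadata lives under META-INF/ (MANIFEST.MF, *.SF, *.RSA).
            if name.upper().startswith("META-INF/") and MARKER in zf.read(info).lower():
                sig_refs.append(name)
    return hooks, sig_refs


def antilvl_indicators(apk, jar):
    """Report both indicators from the slide for one app."""
    apk_hooks, apk_refs = scan_archive(apk)
    jar_hooks, _ = scan_archive(jar)
    return {"hook_file": bool(apk_hooks or jar_hooks), "signature_ref": bool(apk_refs)}


def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: (APK bytes, dex2jar JAR bytes) per app.
PLAIN_SF = {"META-INF/CERT.SF": b"Created-By: 1.0 (Android)\n", "classes.dex": b"dex"}
MARKED_SF = {"META-INF/CERT.SF": b"Created-By: AntiLVL (constructed)\n", "classes.dex": b"dex"}
CLEAN_JAR = make_zip({"com/example/app/Main.class": b"\xca\xfe\xba\xbe"})
HOOKED_JAR = make_zip({"com/example/hook/SmaliHook.class": b"\xca\xfe\xba\xbe"})
SAMPLES = {
    "clean": (make_zip(PLAIN_SF), CLEAN_JAR),
    "cracked": (make_zip(MARKED_SF), HOOKED_JAR),
    "resigned": (make_zip(PLAIN_SF), HOOKED_JAR),
}


def tally(samples):
    """Count apps per indicator, the way the slide reports its 310 apps."""
    results = {name: antilvl_indicators(apk, jar) for name, (apk, jar) in samples.items()}
    counts = {k: sum(r[k] for r in results.values()) for k in ("hook_file", "signature_ref")}
    return results, counts


if __name__ == "__main__":
    print(tally(SAMPLES))
```

The indicators are reported separately because the slide's counts differ (189 versus 235 of 310): an app can carry one trace without the other.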
Discussion
False Positive
• Since it is a serious allegation to claim an application is a clone, we design DNADroid to have a very low false positive rate.
False Negative
• Cloned applications often have similar attributes as the original. (?)
• There exist advanced program transformations that can evade PDG-based clone detection.
Comparison to Other Approaches
• Androguard: miss 18%
• DEXCD had problems running on the pairs DNADroid identified.
• DroidMOSS is not currently publicly available.
Performance
• DNADroid is more expensive but results in fewer false positives and false negatives.
Conclusion
• DNADroid is a tool for finding clones on a large scale.
• We evaluated DNADroid on applications crawled from 13 Android markets.
  - Identified at least 141 apps that have been cloned
  - An additional 310 apps that were cracked with AntiLVL
• We describe five case studies
• DNADroid has a very low false positive rate
• DNADroid is an effective tool.