DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 ·...
Transcript of DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 ·...
![Page 1: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/1.jpg)
DroidEagle: Seamless Detection of Visually SimilarAndroid Apps
Mingshen Sun, Mengmeng Li and John C.S. Lui
Department of Computer Science and EngirneeringThe Chinese University of Hong Kong
June 25, 2015
![Page 2: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/2.jpg)
Introduction – Android Malware is Coming
Mingshen Sun (CUHK) DroidEagle June 25, 2015 2 / 21
![Page 3: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/3.jpg)
Introduction – Android Malware
Android malware samples accounted for 98% of all mobile threats99% came from many third-party marketstrojan, fake and phishing apps: can you tell which one is realTaobao, one of the largest online shopping platform in China?
Mingshen Sun (CUHK) DroidEagle June 25, 2015 3 / 21
![Page 4: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/4.jpg)
Introduction – Repackaging Technique
86% of Android malware are using the repackaging techniquedisassemble a legitimate app using some well-known toolshackers can add or modify logics of the original apps, and thenassemble it backdistribute them in third-party markets
malicious functions using repackaging techniquecrack paid apps to bypass payment functionsreplace developers’ advertisement IDsacquire sensitive information: account password and credit cardnumber
Mingshen Sun (CUHK) DroidEagle June 25, 2015 4 / 21
![Page 5: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/5.jpg)
Introduction – Related Work
Related Workinstruction sequences
fuzzy hashingsensitive to instruction sequence obfuscation
semantic informationcall reference graphhacking tricks to bypass existing disassembling tools
Mingshen Sun (CUHK) DroidEagle June 25, 2015 5 / 21
![Page 6: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/6.jpg)
Introduction – DroidEagle
Observations:repackaged apps should have similar appearance as original onephishing malware relies on similar appearances as banks orshopping apps to deceive usersby comparing visual similarity, one can quickly determine potentialrepackaged malware or phishing malware
DroidEagle is based on visual characteristics to detect similar Androidapps.
detect visually similar apps in app repository and Android devicerespectivelyRepoEagle and HostEagle implementation
Mingshen Sun (CUHK) DroidEagle June 25, 2015 6 / 21
![Page 7: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/7.jpg)
Background – Android App User Interface
Android app user interfaceView: objects on the screen which can interact with users anddisplay objects (e.g., ImageView, EditText)ViewGroup: define the layout arrangement of its elements (e.g.,ScrollView, LinearLayout)
layout files in /res/layout*directory
Mingshen Sun (CUHK) DroidEagle June 25, 2015 7 / 21
![Page 8: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/8.jpg)
Detection Methodologies – Layout Tree
Overviewaccuracy, efficiency, scalability and flexibilityvisual resources in an app: layout files and drawable images
A layout tree is a tree data structure over a layout file where:A node in the layout tree represents an element in the layout file.The parent/child relationship of nodes in a layout tree is the sameas that in the layout file.attributes for each node
Mingshen Sun (CUHK) DroidEagle June 25, 2015 8 / 21
![Page 9: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/9.jpg)
Detection Methodologies – Layout Tree
1 layout tree defines the visual structure of an app’s user interface2 repackaged malware and phishing malware rely on same layout
tree to deceive users3 detailed attributes in layout tree accurately describe visual
appearance4 layout tree is easily obtained in android package file5 modifications on layout files can mess up appearance
Mingshen Sun (CUHK) DroidEagle June 25, 2015 9 / 21
![Page 10: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/10.jpg)
RepoEagle: Repository Analysis
Repository AnalysisRepoEagle can analyze all apps in an app repository to discoverall visually similar apps
layout tree extractor, certificate extractor, similarity comparator,certificate verifier
Mingshen Sun (CUHK) DroidEagle June 25, 2015 10 / 21
![Page 11: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/11.jpg)
RepoEagle: Repository Analysis
Similarity Comparison: layout edit distance (LED)measure the similarity between two layout treesLED is the minimum number of operations required to transformfrom one layout tree to another tree
Mingshen Sun (CUHK) DroidEagle June 25, 2015 11 / 21
![Page 12: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/12.jpg)
HostEagle: Host-based Detection
Host-based Detectionsafety and authenticity of apps from unknown sourceshost-based detection system for AndroidHostEagle can detect repackaged malware and phishing malwarein-device
layout hashing, certificate extractor, detector, local detection &cloud detection
Mingshen Sun (CUHK) DroidEagle June 25, 2015 12 / 21
![Page 13: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/13.jpg)
HostEagle: Host-based Detection – Layout Hashing
leaf pruning: all leaves in the layout treeView objects in leaveslayout skeleton of the user interface
tree hashing
Mingshen Sun (CUHK) DroidEagle June 25, 2015 13 / 21
![Page 14: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/14.jpg)
Evaluation – Repository Statistics
We crawled and collected 100,126 apps fromGoogle official marketthird party marketspublic cloud storage
Category Name URL #of Apps Size
Official Google Play play.google.com 500 7.0GB
Third-party
appchina appchina.com 34 989 238GBappfun appfun.cn 12 427 154GBhiapk apk.hiapk.com 5287 87GBandroid.d.cn android.d.cn 4064 163GBjimi168 jimi168.com 23 723 76GBanzhi anzhi.com 18 736 118GB
Cloud Storage Baidu pan.baidu.com 200 3.5GBHuawei dbank.com 200 3.1GB
Total 100 126 849.6GB
Mingshen Sun (CUHK) DroidEagle June 25, 2015 14 / 21
![Page 15: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/15.jpg)
Evaluation – Results of Repository Analysis
RepoEagle statically analyze apps in the repository.most of repackaged apps are cracked games with unlockedin-app paid marketsmalware samples are found in public cloud storage
hide identityspread in forum and social media
Market # of Visually SimilarApps (Percentage)
# ofMalware
Third-party Market 1159 (1.6%) 10Cloud Storage (Baidu) 50 (10.0%) 0Cloud Storage (Huawei) 89 (17.8%) 15
Mingshen Sun (CUHK) DroidEagle June 25, 2015 15 / 21
![Page 16: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/16.jpg)
Experiment – Repackaged Apps
Case study of repository for Andry Bird app8 apps which are visually similar with the official app “Angry Bird”from the Google Playdifferent certificate issuersdetection results: DroidKungFu malware can contact remoteserver and download malware, gain the root privilege and preventuninstalling.
App ID LED LH Certificate Issuer Cert Rpkg Market Detection Result22d3 0 1cd5 Rovio Mobile Ltd. 5557 Google Play233c 0 1cd5 Rovio Mobile Ltd. 5557 appfun.com5803 0 1cd5 Rovio Mobile Ltd. 5557 appfun.com666c 0 1cd5 Virtuous Ten Studio A925 3 appfun.com Android.Adware.
Jumptap.a7a43 0 1cd5 Rovio Mobile Ltd. 5557 appfun.com9ee4 0 1cd5 databin FC00 3 appfun.com22d3 0 1cd5 Rovio Mobile Ltd. 5557 android.d.cn0f6f 0 1cd5 android-debug 264B 3 android.d.cn Android.Adware.
Dowgin3b52 0 1cd5 keystore3 990B 3 dbank.com Android.Trojan.
DroidKungFued0e 2 1cd5 Rovio Mobile Ltd. 5557 jimi168.com
Mingshen Sun (CUHK) DroidEagle June 25, 2015 16 / 21
![Page 17: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/17.jpg)
Experiment – Phishing Malware
Experimental result of layout hashing for phishing malware (fake apps).
FakeAV masquerades as the “Avast” anti-virus softwareFakeMart masquerades as the Google official market “GooglePlay”Agent: network agent utility
Name # of Samples Layout File LH TimeFakeAV 8 activity_scanning.xml 5a7e 0.466FakeMart 3 main.xml d41d 0.355Agent 5 activity_main.xml 9344 0.501
∗ Generation time of LH in second on Nexus 5.
Mingshen Sun (CUHK) DroidEagle June 25, 2015 17 / 21
![Page 18: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/18.jpg)
Evaluation – Detection Accuracy
The impact of nodes number in layout files in the repository analysissystem.
number of qualified appsdetection accuracy of repackaged “Fruit Ninja” and “PPS”respectively
0 10 20 30 40 50
200
300
400
500
Number of Nodes in Layout Tree (N )
Number
ofApps
0
0.2
0.4
0.6
0.8
1
Accuracy
Repackaged “Fruit Ninja”
Repackaged “PPS”
Repackaged “Fruit Ninja” with Supplementary Detction
Mingshen Sun (CUHK) DroidEagle June 25, 2015 18 / 21
![Page 19: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/19.jpg)
Evaluation – Detection Efficiency
Time of hash value generation on Android device for different sizes ofDEX file.
traditional fuzzy hashing method should disassemble the sourcecode, which will be affected by dex file sizeHostEeagle will not be affected
2 4 6 8
0
50
100
150
DEX File Size (MB)
Tim
e(secon
d)
HostEagle
Fuzzy Hashing
Mingshen Sun (CUHK) DroidEagle June 25, 2015 19 / 21
![Page 20: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/20.jpg)
Evaluation – Others
relationship between threshold and the analysis timepre-processing time for different numbers of apps
0 200 400 600 800 1,000
0
200
400
600
800
Number of Apps
Tim
e(secon
d)
T = 0 T = 1
T = 2 T = 3
T = 4 T = 5
0 200 400 600 800 1,000
0
1,000
2,000
3,000
Number of Apps
Pre-processing
Tim
e(secon
d)
RepoEagle
Code-based System
Mingshen Sun (CUHK) DroidEagle June 25, 2015 20 / 21
![Page 21: DroidEagle: Seamless Detection of Visually Similar Android Apps · 2020-06-16 · Experiment–RepackagedApps CasestudyofrepositoryforAndryBirdapp 8appswhicharevisuallysimilarwiththeofficialapp“AngryBird”](https://reader034.fdocuments.net/reader034/viewer/2022050403/5f810851b2d5502e8c4323c9/html5/thumbnails/21.jpg)
Conclusion
repackaged malware and phishing malwaredetection based on visual resource: layout file3 hours, 1298 visually similar apps with 25 malware
Questions?
Mingshen Sun (CUHK) DroidEagle June 25, 2015 21 / 21