Abstract
We present DNADroid, a tool that detects Android application copying, or “cloning”, by robustly computing the similarity between two applications. DNADroid achieves this by comparing program dependency graphs between methods in candidate applications. Using DNADroid, we found at least 141 applications that have been the victims of cloning, some as many as seven times. DNADroid has a very low false positive rate — we manually confirmed that all the applications detected are indeed clones by either visual or behavioral similarity. We present several case studies that give insight into why applications are cloned, including localization and redirecting ad revenue. We describe a case of malware being added to an application and show how DNADroid was able to detect two variants of the same malware. Lastly, we offer examples of an open source cracking tool being used in the wild.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Crussell, J., Gibler, C., Chen, H. (2012). Attack of the Clones: Detecting Cloned Applications on Android Markets. In: Foresti, S., Yung, M., Martinelli, F. (eds) Computer Security – ESORICS 2012. ESORICS 2012. Lecture Notes in Computer Science, vol 7459. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33167-1_3
DOI: https://doi.org/10.1007/978-3-642-33167-1_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33166-4
Online ISBN: 978-3-642-33167-1
eBook Packages: Computer Science, Computer Science (R0)