Evaluation of Resource-Based App Repackaging Detection in Android

  • Olga GadyatskayaEmail author
  • Andra-Lidia Lezza
  • Yury Zhauniarovich
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10014)


Android app repackaging threatens the health of application markets, as repackaged apps, besides stealing revenue for honest developers, are also a source of malware distribution. Techniques that rely on visual similarity of Android apps recently emerged as a way to tackle the repackaging detection problem, as code-based detection techniques often fail in terms of efficiency, and effectiveness when obfuscation is applied [19, 21]. Among such techniques, the resource-based repackaging detection approach that compares sets of files included in apks has arguably the best performance [10, 17, 20]. Yet, this approach has not been previously validated on a dataset of repackaged apps.

In this paper we report on our evaluation of the approach, and present substantial improvements to it. Our experiments show that the state-of-art tools applying this technique rely on too restrictive thresholds. Indeed, we demonstrate that a very low proportion of identical resource files in two apps is a reliable evidence for repackaging. Furthermore, we have shown that the Overlap similarity score performs better than the Jaccard similarity coefficient used in previous works. By applying machine learning techniques, we give evidence that considering separately the included resource file types significantly improves the detection accuracy of the method. Experimenting with a balanced dataset of more than 2700 app pairs, we show that with our enhancements it is possible to achieve the F-measure of 0.9919.


Android security Repackaging Resource files 


  1. 1.
    Chen, K., Liu, P., Zhang, Y.: Achieving accuracy and scalability simultaneously in detecting application clones on Android markets. In: Proceedings of ICSE. IEEE/ACM (2014)Google Scholar
  2. 2.
    Chen, K., Wang, P., Lee, Y., Wang, X., Zhang, N., Huang, H., Zou, W., Liu, P.: Finding unknown malice in 10  s: mass vetting for new threats at the Google-Play scale. In: Proceedings of USENIX Security Symposium (2015)Google Scholar
  3. 3.
    Crussell, J., Gibler, C., Chen, H.: Attack of the clones: detecting cloned applications on Android markets. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 37–54. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-33167-1_3 CrossRefGoogle Scholar
  4. 4.
    Crussell, J., Gibler, C., Chen, H.: Scalable semantics-based detection of similar Android applications. In: Proceedings of ESORICS (2013)Google Scholar
  5. 5.
    Desnos, A.: Android: static analysis using similarity distance. In: Proceedings of HICSS 2012, pp. 5394–5403 (2012)Google Scholar
  6. 6.
    Gadyatskaya, O., Massacci, F., Zhauniarovich, Y.: Security in the Firefox OS and Tizen mobile platforms. IEEE Comput. 47(6), 57–63 (2014)CrossRefGoogle Scholar
  7. 7.
    Gonzalez, H., Kadir, A., Stackanova, N., Alzahrani, A., Ghorbani, A.: Exploring reverse engineering symptoms in Android apps. In: Proceedings of EuroSec. ACM (2015)Google Scholar
  8. 8.
    Guan, Q., Huang, H., Luo, W., Zhu, S.: Semantics-based repackaging detection for mobile apps. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 89–105. Springer, Heidelberg (2016). doi: 10.1007/978-3-319-30806-7_6 CrossRefGoogle Scholar
  9. 9.
    Hanna, S., Huang, L., Wu, E., Li, S., Chen, C., Song, D.: Juxtapp: a scalable system for detecting code reuse among Android applications. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 62–81. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-37300-8_4 CrossRefGoogle Scholar
  10. 10.
    Ishii, Y., Watanabe, T., Akiyama, M., Mori, T.: Clone or relative? Understanding the originals of similar Android apps. In: Proceedings of IWSPA. ACM (2016)Google Scholar
  11. 11.
    Li, L., Li, D., Bissyandé, T.F., Lo, D., Klein, J., Le Traon, Y.: Ungrafting malicious code from piggybacked Android apps. Technical report, SnT, University of Luxembourg (2016)Google Scholar
  12. 12.
    Lindorfer, M., Volanis, S., Sisto, A., Neugschwandtner, M., Athanasopoulos, E., Maggi, F., Platzer, C., Zanero, S., Ioannidis, S.: AndRadar: fast discovery of Android applications in alternative markets. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 51–71. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-08509-8_4 Google Scholar
  13. 13.
    Pedregosa, F., Varoquaux, G., Gramfort, A., Michel, V., Thirion, B., Grisel, O., Blondel, M., Prettenhofer, P., Weiss, R., Dubourg, V., Vanderplas, J., Passos, A., Cournapeau, D., Brucher, M., Perrot, M., Duchesnay, E.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, 2825–2830 (2011)MathSciNetzbMATHGoogle Scholar
  14. 14.
    Saeys, Y., Inza, I., Larrañaga, P.: A review of feature selection techniques in bioinformatics. Bioinformatics 23(19), 2507–2517 (2007)CrossRefGoogle Scholar
  15. 15.
    Shao, Y., Luo, X., Qian, C., Zhu, P., Zhang, L.: Towards a scalable resource-driven approach for detecting repackaged Android applications. In: Proceedings of ACSAC. ACM (2014)Google Scholar
  16. 16.
    Sun, M., Li, M., Lui, J.: DroidEagle: seamless detection of visually similar Android apps. In: Proceedings of WiSec. ACM (2015)Google Scholar
  17. 17.
    Viennot, N., Garcia, E., Nieh, J.: A measurement study of Google Play. In: Proceedings of SIGMETRICS. ACM (2014)Google Scholar
  18. 18.
    Wang, H., Guo, Y., Ma, Z., Chen, X.: WuKong: a scalable and accurate two-phase approach to Android app clone detection. In: Proceedings of ISSTA. ACM (2015)Google Scholar
  19. 19.
    Zhang, F., Huang, H., Zhu, S., Wu, D., Liu, P.: ViewDroid: towards obfuscation-resilient mobile application repackaging detection. In: Proceedings of WiSec. ACM (2014)Google Scholar
  20. 20.
    Zhauniarovich, Y., Gadyatskaya, O., Crispo, B., La Spina, F., Moser, E.: FSquaDRA: fast detection of repackaged applications. In: Atluri, V., Pernul, G. (eds.) DBSec 2014. LNCS, vol. 8566, pp. 130–145. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43936-4_9 Google Scholar
  21. 21.
    Zhauniarovich, Y., Ahmad, M., Gadyatskaya, O., Crispo, B., Massacci, F.: StaDynA: addressing the problem of dynamic code updates in the security analysis of Android applications. In: Proceedings of CODASPY (2015)Google Scholar
  22. 22.
    Zhauniarovich, Y., Gadyatskaya, O.: Small changes, big changes: an updated view on the Android permission system. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 346–367. Springer International Publishing, Switzerland (2016). doi: 10.1007/978-3-319-45719-2_16 CrossRefGoogle Scholar
  23. 23.
    Zhauniarovich, Y., Gadyatskaya, O., Crispo, B.: Demo: enabling trusted stores for Android. In: Proceedings of CCS, pp. 1345–1348. ACM (2013)Google Scholar
  24. 24.
    Zhauniarovich, Y., Philippov, A., Gadyatskaya, O., Crispo, B., Massacci, F.: Towards black box testing of Android apps. In: Proceedings of Software Assurance Workshop at ARES, pp. 501–510 (2015)Google Scholar
  25. 25.
    Zhou, W., Zhou, Y., Jiang, X., Ning, P.: Detecting repackaged smartphone applications in third-party android marketplaces. In: Proceedings of CODASPY (2012)Google Scholar
  26. 26.
    Zhou, Y., Jiang, X.: Dissecting Android malware: characterization and evolution. In: Proceedings of S&P. IEEE (2012)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Olga Gadyatskaya
    • 1
    Email author
  • Andra-Lidia Lezza
    • 1
  • Yury Zhauniarovich
    • 2
  1. 1.SnT, University of LuxembourgLuxembourgLuxembourg
  2. 2.Qatar Computing Research InstituteHBKUDohaQatar

Personalised recommendations