Analyzing Android Repackaged Malware by Decoupling Their Event Behaviors

  • Zimin Lin
  • Rui WangEmail author
  • Xiaoqi Jia
  • Shengzhi Zhang
  • Chuankun Wu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9836)


Malware have threatened Android security for a long time. One of main sources of those Android malware is that attackers inject malicious payloads into legitimate apps and then republish them, called repackaged malware. In this paper, we propose a new dynamic approach to analyze and detect the behaviors of Android repackaged malware. Our approach mainly concerns the framework-level behaviors of apps with rich semantics and a special execution sandbox is firstly constructed to extract them. Then, assuming that malicious payloads are usually triggered by certain events, we reconstruct the execution dependency graph to distinguish different event behaviors of malware. Thus, based on the independent event behavior sequences, only a small amount of malware samples from the same family are required to accurately compare and locate their common behaviors, which can be further used as signatures to detect other suspicious Android apps or to analyze malware’s activities. For evaluation, we have implement the prototype system and 9 families of real world repackaged malware are detected in our experiments. Although only 3 samples for each family are randomly chosen to extract their common malware behaviors, the results show that our approach still has a high detection accuracy (96.3 %). In addition, some attacks such as code encryption and delay attack are also studied in this work.


Android Repackaged malware Malicious payload Execution dependency graph Execution sandbox Framework-level behavior 



This work was supported by National Key Research and Development Plan under Grant No. 2016YFB0800603, National Natural Science Foundation of China (NSFC) under Grant No. 61402477 and No. 61100228, the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant No. XDA06010703.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
  5. 5.
    Aafer, Y., Du, W., Yin, H.: DroidAPIMiner: mining API-level features for robust malware detection in android. In: Zia, T., Zomaya, A., Varadharajan, V., Mao, M. (eds.) SecureComm 2013. LNICST, vol. 127, pp. 86–103. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  6. 6.
    Afonso, V.M., de Amorim, M.F., Grégio, A.R.A., Junquera, G.B., de Geus, P.L.: Identifying android malware using dynamically obtained features. J. Comput. Virol. Hacking Tech. 11(1), 9–17 (2015)CrossRefGoogle Scholar
  7. 7.
    Chen, K., Liu, P., Zhang, Y.: Achieving accuracy and scalability simultaneously in detecting application clones on android markets. In: 36th International Conference on Software Engineering, ICSE 2014, Hyderabad, India, 31 May – 07 June 2014, pp. 175–186 (2014)Google Scholar
  8. 8.
    Chen, K., Wang, P., Lee, Y., Wang, X., Zhang, N., Huang, H., Zou, W., Liu, P.: Finding unknown malice in 10 seconds: mass vetting for new threats at the google-play scale. In: 24th USENIX Security Symposium, USENIX Security 2015, Washington, D.C. USA, 12–14 August 2015, pp. 659–674 (2015)Google Scholar
  9. 9.
    Crussell, J., Gibler, C., Chen, H.: Scalable semantics-based detection of similar android applications. In: Proceedings of Esorics, vol. 13. Citeseer (2013)Google Scholar
  10. 10.
    Ellson, J., Gansner, E.R., Koutsofios, L., North, S.C., Woodhull, G.: Graphviz - open source graph drawing tools. In: Mutzel, P., Jünger, M., Leipert, S. (eds.) GD 2001. LNCS, vol. 2265, pp. 483–484. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. 11.
    Feng, Y., Anand, S., Dillig, I., Aiken, A.: Apposcopy: semantics-based detection of android malware through static analysis. In: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, (FSE-22), Hong Kong, China, 16–22 November 2014, pp. 576–587 (2014)Google Scholar
  12. 12.
    Isohara, T., Takemori, K., Kubota, A.: Kernel-based behavior analysis for android malware detection. In: Seventh International Conference on Computational Intelligence and Security, CIS 2011, Sanya, Hainan, China, 3–4 December 2011, pp. 1011–1015 (2011)Google Scholar
  13. 13.
    Lin, Y., Lai, Y., Chen, C., Tsai, H.: Identifying android malicious repackaged applications by thread-grained system call sequences. Comput. Secur. 39, 340–350 (2013)CrossRefGoogle Scholar
  14. 14.
    Rastogi, V., Chen, Y., Jiang, X.: Droidchameleon: evaluating android anti-malware against transformation attacks. In: 8th ACM Symposium on Information, Computer and Communications Security, ASIA CCS 2013, Hangzhou, China, 08–10 May 2013, pp. 329–334 (2013)Google Scholar
  15. 15.
    Shabtai, A., Kanonov, U., Elovici, Y., Glezer, C., Weiss, Y.: “Andromaly”: a behavioral malware detection framework for android devices. J. Intell. Inf. Syst. 38(1), 161–190 (2012)CrossRefGoogle Scholar
  16. 16.
    Su, X., Chuah, M., Tan, G.: Smartphone dual defense protection framework: detecting malicious applications in android markets. In: 8th International Conference on Mobile Ad-hoc and Sensor Networks, MSN 2012, Chengdu, China, 14–16 December 2012, pp. 153–160 (2012)Google Scholar
  17. 17.
    Yang, C., Xu, Z., Gu, G., Yegneswaran, V., Porras, P.: DroidMiner: automated mining and characterization of fine-grained malicious behaviors in android applications. In: Kutyłowski, M., Vaidya, J. (eds.) ICAIS 2014, Part I. LNCS, vol. 8712, pp. 163–182. Springer, Heidelberg (2014)Google Scholar
  18. 18.
    Yang, W., Xiao, X., Andow, B., Li, S., Xie, T., Enck, W.: Appcontext: differentiating malicious and benign mobile app behaviors using context. In: 37th IEEE/ACM International Conference on Software Engineering, ICSE 2015, Florence, Italy, 16–24 May 2015, vol. 1, pp. 303–313 (2015)Google Scholar
  19. 19.
    Yang, W., Li, J., Zhang, Y., Li, Y., Shu, J., Gu, D.: Apklancet: tumor payload diagnosis and purification for android applications. In: 9th ACM Symposium on Information, Computer and Communications Security, ASIA CCS 2014, Kyoto, Japan, 03–06 June 2014, pp. 483–494 (2014)Google Scholar
  20. 20.
    Yang, Z., Yang, M., Zhang, Y., Gu, G., Ning, P., Wang, X.S.: Appintent: analyzing sensitive data transmission in android for privacy leakage detection. In: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, 4–8 November 2013, pp. 1043–1054 (2013)Google Scholar
  21. 21.
    Zhang, F., Huang, H., Zhu, S., Wu, D., Liu, P.: Viewdroid: towards obfuscation-resilient mobile application repackaging detection. In: 7th ACM Conference on Security & Privacy in Wireless and Mobile Networks, WiSec 2014, Oxford, United Kingdom, 23–25 July 2014, pp. 25–36 (2014)Google Scholar
  22. 22.
    Zhang, M., Duan, Y., Yin, H., Zhao, Z.: Semantics-aware android malware classification using weighted contextual API dependency graphs. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, 3–7 November 2014, pp. 1105–1116 (2014)Google Scholar
  23. 23.
    Zhou, W., Zhou, Y., Grace, M.C., Jiang, X., Zou, S.: Fast, scalable detection of “piggybacked” mobile applications. In: Third ACM Conference on Data and Application Security and Privacy, CODASPY 2013, San Antonio, TX, USA, 18–20 February 2013, pp. 185–196 (2013)Google Scholar
  24. 24.
    Zhou, W., Zhou, Y., Jiang, X., Ning, P.: Detecting repackaged smartphone applications in third-party android marketplaces. In: Second ACM Conference on Data and Application Security and Privacy, CODASPY 2012, San Antonio, TX, USA, 7–9 February 2012, pp. 317–326 (2012)Google Scholar
  25. 25.
    Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: IEEE Symposium on Security and Privacy, SP 2012, San Francisco, California, USA, 21–23 May 2012, pp. 95–109 (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Zimin Lin
    • 1
    • 2
  • Rui Wang
    • 1
    Email author
  • Xiaoqi Jia
    • 1
  • Shengzhi Zhang
    • 3
  • Chuankun Wu
    • 1
  1. 1.State Key Laboratory of Information SecurityInstitute of Information Engineering, Chinese Academy of SciencesBeijingChina
  2. 2.University of Chinese Academy of SciencesBeijingChina
  3. 3.Florida Institute of TechnologyMelbourneUSA

Personalised recommendations