Mobile Application Impersonation Detection Using Dynamic User Interface Extraction

  • Luka MalisaEmail author
  • Kari Kostiainen
  • Michael Och
  • Srdjan Capkun
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)


In this paper we present a novel approach for detection of mobile app impersonation attacks. Our system uses dynamic code analysis to extract user interfaces from mobile apps and analyzes the extracted screenshots to detect impersonation. As the detection is based on the visual appearance of the application, as seen by the user, our approach is robust towards the attack implementation technique and resilient to simple detection avoidance methods such as code obfuscation. We analyzed over 150,000 mobile apps and detected over 40,000 cases of impersonation. Our work demonstrates that impersonation detection through user interface extraction is effective and practical at large scale.


Mobile Visual Repackaging Phishing Impersonation 



This work was partially supported by the Zurich Information Security Center. It represents the views of the authors.


  1. 1.
    Android malware genome project.
  2. 2.
    Amalfitano, D., Fasolino, A.R., Tramontana, P., De Carmine, S., Memon, A.M.: Using gui ripping for automated testing of android applications. In: International Conference on Automated Software Engineering (ASE) (2012)Google Scholar
  3. 3.
    Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K., Siemens, C.: Drebin: effective and explainable detection of android malware in your pocket. In: Network and Distributed System Security (NDSS)Google Scholar
  4. 4.
    Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: ACM SIGPLAN Notices, vol. 49, pp. 259–269. ACM (2014)Google Scholar
  5. 5.
    Azim, T., Neamtiu, I.: Targeted and depth-first exploration for systematic testing of android apps. In: ACM Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA) (2013)Google Scholar
  6. 6.
    Barrera, D., Kayacik, H.G., van Oorschot, P.C., Somayaji, A.: A methodology for empirical analysis of permission-based security models and its application to android. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 73–84. ACM (2010)Google Scholar
  7. 7.
    Bianchi, A., Corbetta, J., Invernizzi, L., Fratantonio, Y., Kruegel, C., Vigna, G.: What the app. is that? deception and countermeasures in the android user interface. In: Symposium on Security and Privacy (SP) (2015)Google Scholar
  8. 8.
  9. 9.
    Chen, K., Wang, P., Lee, Y., Wang, X., Zhang, N., Huang, H., Zou, W., Liu, P.: Finding unknown malice in 10 seconds: mass vetting for new threats at the google-play scale. In: USENIX Security Symposium (2015)Google Scholar
  10. 10.
    Datar, M., Immorlica, N., Indyk, P., Mirrokni, V.S.: Locality-sensitive hashing scheme based on p-stable distributions. In: Annual symposium on Computational Geometry (CG) (2004)Google Scholar
  11. 11.
    Datar, M., Immorlica, N., Indyk, P., Mirrokni, V.S.: Locality-sensitive hashing scheme based on p-stable distributions. In: Proceedings of the Twentieth Annual Symposium on Computational Geometry, pp. 253–262. ACM (2004)Google Scholar
  12. 12.
    Feng, Y., Anand, S., Dillig, I., Aiken, A.: Apposcopy: semantics-based detection of android malware through static analysis. In: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software EngineeringGoogle Scholar
  13. 13.
    Gilbert, P., Chun, B.-G., Cox, L.P., Jung, J.: Vision: automated security validation of mobile apps at app. markets. In: Proceedings of the Second International Workshop on Mobile Cloud Computing and Services, pp. 21–26. ACM (2011)Google Scholar
  14. 14.
    Grace, M., Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: Riskranker: scalable and accurate zero-day android malware detection. In: Proceedings of the 10th International Conference on Mobile Systems, Applications, and ServicesGoogle Scholar
  15. 15.
    Griffin, K., Schneider, S., Hu, X., Chiueh, T.: Automatic generation of string signatures for malware detection. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 101–120. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  16. 16.
    Hanna, S., Huang, L., Wu, E., Li, S., Chen, C., Song, D.: Juxtapp: a scalable system for detecting code reuse among android applications. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 62–81. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  17. 17.
    Kropp, M., Morales, P.: Automated gui testing on the android platform. In: International Conference on Testing Software and Systems (ICTSS) (2010)Google Scholar
  18. 18.
    Lin, Y.-D., Lai, Y.-C., Chen, C.-H., Tsai, H.-C.: Identifying android malicious repackaged applications by thread-grained system call sequences. Comput. Secur. 39, 340–350 (2013)CrossRefGoogle Scholar
  19. 19.
    Malisa, L., Kostiainen, K., Capkun, S.: Detecting mobile application spoofing attacks by leveraging user visual similarity perception. Cryptology ePrint Archive, Report 2015/709 (2015).
  20. 20.
    Memon, A., Banerjee, I., Nagarajan, A.: Gui ripping: reverse engineering of graphical user interfaces for testing. In: Working Conference on Reverse Engineering (WCRE) (2003)Google Scholar
  21. 21.
    Mutti, S., Fratantonio, Y., Bianchi, A., Invernizzi, L., Corbetta, J., Kirat, D., Kruegel, C., Vigna, G.: Baredroid: large-scale analysis of android apps on real devices. In: Proceedings of the 31st Annual Computer Security Applications Conference, pp. 71–80. ACM (2015)Google Scholar
  22. 22.
    Nguyen, B.N., Robbins, B., Banerjee, I., Memon, A.: Guitar an innovative tool for automated testing of gui-driven software. Autom. Softw. Eng. 21(1), 65–105 (2014)CrossRefGoogle Scholar
  23. 23.
    Oberheide, J., Miller, C.: Dissecting the android bouncer. In: SummerCon (2012)Google Scholar
  24. 24.
    Rastogi, V., Chen, Y., Enck, W.: Appsplayground: automatic security analysis of smartphone applications. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, pp. 209–220. ACM (2013)Google Scholar
  25. 25.
    Shabtai, A., Kanonov, U., Elovici, Y., Glezer, C., Weiss, Y.: andromaly: a behavioral malware detection framework for android devices. J. Intell. Inf. Syst. 38(1), 161–190 (2012)CrossRefGoogle Scholar
  26. 26.
  27. 27.
    Sun, M., Li, M., Lui, J.: Droideagle: seamless detection of visually similar android apps. In: Conference on Security and Privacy in Wireless and Mobile Networks (Wisec) (2015)Google Scholar
  28. 28.
    Symantec. Will Your Next TV Manual Ask You to Run a Scan Instead of Adjusting the Antenna? April 2015.
  29. 29.
    Tang, Z., Dai, Y., Zhang, X.: Perceptual hashing for color images using invariant moments. Appl. Math 6(2S), 643S–650S (2012)Google Scholar
  30. 30.
    Tikir, M.M., Hollingsworth, J.K.: Efficient instrumentation for code coverage testing. In: ACM International Symposium on Software Testing and Analysis (ISSTA) (2002)Google Scholar
  31. 31.
    Vidas, T., Tan, J., Nahata, J., Tan, C.L., Christin, N., Tague, P.: A5: automated analysis of adversarial android applications. In: Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones & Mobile DevicesGoogle Scholar
  32. 32.
    Yan, L.K., Yin, H.: Droidscope: seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In: Presented as part of the 21st USENIX Security Symposium (USENIX Security 2012), pp. 569–584 (2012)Google Scholar
  33. 33.
    Yang, W., Prasad, M.R., Xie, T.: A grey-box approach for automated GUI-model generation of mobile applications. In: Cortellessa, V., Varró, D. (eds.) FASE 2013 (ETAPS 2013). LNCS, vol. 7793, pp. 250–265. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  34. 34.
    Zadgaonkar, H.: Robotium Automated Testing for Android. Packt Publishing, Birmingham (2013)Google Scholar
  35. 35.
    Zauner, C.: Implementation and benchmarking of perceptual image hash functions (2010)Google Scholar
  36. 36.
    Zhang, F., Huang, H., Zhu, S., Wu, D., Liu, P.: Viewdroid: towards obfuscation-resilient mobile application repackaging detection. In: ACM Conference on Security and Privacy in Wireless and Mobile Networks (Wisec) (2014)Google Scholar
  37. 37.
    Zhang, Q., Reeves, D.S.: Metaaware: identifying metamorphic malware. In: Twenty-Third Annual Computer Security Applications Conference, ACSAC 2007, pp. 411–420. IEEE (2007)Google Scholar
  38. 38.
    Zhou, W., Zhou, Y., Grace, M., Jiang, X., Zou, S.: Fast, scalable detection of piggybacked mobile applications. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, pp. 185–196. ACM (2013)Google Scholar
  39. 39.
    Zhou, W., Zhou, Y., Jiang, X., Ning, P.: Detecting repackaged smartphone applications in third-party android marketplaces. In: Proceedings of the Second ACM Conference on Data and Application Security and PrivacyGoogle Scholar
  40. 40.
    Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: IEEE Symposium on Security and Privacy (S&P), May 2012Google Scholar
  41. 41.
    Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: detecting malicious apps in official and alternative android markets. In: NDSS (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Luka Malisa
    • 1
    Email author
  • Kari Kostiainen
    • 1
  • Michael Och
    • 1
  • Srdjan Capkun
    • 1
  1. 1.Institute of Information SecurityETH ZurichZürichSwitzerland

Personalised recommendations