Detecting Code Reuse in Android Applications Using Component-Based Control Flow Graph

Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 428)


Recently smartphones and mobile devices have gained incredible popularity for their vibrant feature-rich applications (or apps). Because it is easy to repackage Android apps, software plagiarism has become a serious problem. In this paper, we present an accurate and robust system DroidSim to detect code reuse. DroidSim calculates similarity score only with component-based control flow graph (CB-CFG). CB-CFG is a graph of which nodes are Android APIs and edges represent control flow precedence order in each Android component. Our system can be applied to detect repackaged apps and malware variants. We evaluate DroidSim on 121 apps and 706 malware variants. The results show that our system has no false negative and a false positive of 0.83% for repackaged apps, and a detection ratio of 96.60% for malware variants. Besides, ADAM is used to obfuscate apps and the result reveals that ADAM has no influence on our system.


Mobile Applications Code Reuse Repackaging Malware Variants 


  1. 1.
  2. 2.
  3. 3.
  4. 4.
    Android’s Google Play beats App Store with over 1 million apps, now officially largest,
  5. 5.
  6. 6.
  7. 7.
    Smali - An assembler/disassembler for Android’s dex format,
  8. 8.
  9. 9.
    AndroGuard: Reverse engineering, Malware and goodware of Android applications,
  10. 10.
    Clint, G., Ryan, S., Jonathan, C., Hao, C., Hui, Z., Heesook, C.: AdRob: Examining the Landscape and Impact of Android Application Plagiarism. In: 11th International Conference on Mobile Systems, Applications and Services (Mobisys), pp. 431–444. ACM Press, Taipei (2013)Google Scholar
  11. 11.
    Zhou, Y., Jiang, X.: Dissecting android malware: Characterization and evolution. In: The 2012 IEEE Symposium on Security and Privacy (S&P), pp. 95–109. IEEE Press, Oakland (2012)CrossRefGoogle Scholar
  12. 12.
    Wu, Z., Yajin, Z., Xuxian, J., Peng, N.: DroidMoss: Detecting Repackaged Smartphone Applications in Third-party Android Marketplaces. In: 2nd ACM Conference on Data and Application Security and Privacy (CODASPY), pp. 317–326. ACM Press, San Antonio (2012)Google Scholar
  13. 13.
    Wu, Z., Yajin, Z., Michael, G., Xuxian, J., Shihong, Z.: Fast, Scalable Detection of Piggybacked Mobile Applications. In: 3rd ACM Conference on Data and Application Security and Privacy (CODASPY), pp. 185–196. ACM Press, San Antonio (2013)Google Scholar
  14. 14.
    Crussell, J., Gibler, C., Chen, H.: AnDarwin: Scalable Semantics-Based Detection of Similar Android Applications. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 182–199. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  15. 15.
    Huang, H., Zhu, S., Liu, P., Wu, D.: A framework for evaluating mobile app repackaging detection. In: Huth, M., Asokan, N., Čapkun, S., Flechais, I., Coles-Kemp, L. (eds.) TRUST 2013. LNCS, vol. 7904, pp. 169–186. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  16. 16.
    Vaibhav, R., Yan, C., Xuxian, J.: DroidChameleon: Evaluating Android anti-malware against transformation attacks. In: 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIACCS), pp. 329–334. ACM Press, Hangzhou (2013)Google Scholar
  17. 17.
    Crussell, J., Gibler, C., Chen, H.: Attack of the Clones: Detecting Cloned Applications on Android Markets. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 37–54. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  18. 18.
    Potharaju, R., Newell, A., Nita-Rotaru, C., Zhang, X.: Plagiarizing smartphone applications: Attack strategies and defense techniques. In: Barthe, G., Livshits, B., Scandariato, R. (eds.) ESSoS 2012. LNCS, vol. 7159, pp. 106–120. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  19. 19.
    Liugi, P., Pasquale, F., Carlo, S., Mario, V.: A (sub)graph isomorphism algorithm for matching large graphs. IEEE Transactions on Pattern Analysis and Machine Intelligence (TPAMI), 1367–1372 (2004)Google Scholar
  20. 20.
    Hanna, S., Huang, L., Wu, E., Li, S., Chen, C., Song, D.: Juxtapp: A Scalable System for Detecting Code Reuse among Android Applications. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 62–81. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  21. 21.
    Saul, S., Danial, S., Alex, A.: Winnowing: Local Algorithms for Document Fingerprinting. In: 2003 ACM SIGMOD International Conference on Management of Data (SIGMOD), pp. 76–85. ACM Press, New York (2003)Google Scholar
  22. 22.
    Zheng, M., Lee, P.P.C., Lui, J.C.S.: ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-virus Systems. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 82–101. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  23. 23.
    Silvio, C., Yang, X.: Malware Variant Detection Using Similarity Search over Sets of Control Flow Graphs. In: 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 181–189. IEEE Press, Changsha (2011)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  1. 1.State Key Laboratory for Novel Software Technology, Department of Computer Science and TechnologyNanjing UniversityChina

Personalised recommendations