NeighborWatcher: Detecting Piggybacked Smartphone Applications with Their Family Members

ZHANG Huan, WU Jian-liang, TANG Jun-jie, BAN Tao, YU Yan, GUO Shan-qing, WANG Li-ming, HU An-lei

ACTA ELECTRONICA SINICA ›› 2014, Vol. 42 ›› Issue (8) : 1642-1646.

DOI: 10.3969/j.issn.0372-2112.2014.08.029

Abstract

By analyzing a number of mobile malware samples, we found that a piece of malware is semantically similar to its original application, and that this similarity differs from the similarity between other members of the family. Based on this observation, we apply hierarchical clustering to function call graphs and propose a method based on family relationships for detecting malicious mobile applications, and we build a system named "NeighborWatcher". Experimental results show that when each family contains four or more members, the detection rate for piggybacked applications can reach 92.86%.

Key words

piggybacked application / call function graph / family clustering / mobile security

Cite this article

ZHANG Huan, WU Jian-liang, TANG Jun-jie, BAN Tao, YU Yan, GUO Shan-qing, WANG Li-ming, HU An-lei. NeighborWatcher: Detecting Piggybacked Smartphone Applications with Their Family Members[J]. Acta Electronica Sinica, 2014, 42(8): 1642-1646. https://doi.org/10.3969/j.issn.0372-2112.2014.08.029

Funding

National Natural Science Foundation of China (No.61173139, No.61303243); Science and Technology Research and Development Project of Shandong Province (No.2010GGX10117); Open Laboratory Foundation for Internet Basic Technologies (No.K201206007)