A Detection Method for Android Repackaged Malware Based on Sensitive Component Function Call Graph

DU Rui-ying; CHEN Jing; WU Cong; YAN Xi-yu

doi:10.12263/DZXB.20250075

您当前的位置：

首页 >

文章列表页 >

A Detection Method for Android Repackaged Malware Based on Sensitive Component Function Call Graph

PAPERS | 更新时间：2025-12-10

- A Detection Method for Android Repackaged Malware Based on Sensitive Component Function Call Graph
- ACTA ELECTRONICA SINICA Vol. 53, Issue 7, Pages: 2372-2388(2025)
- 作者机构：
  
  1.河南师范大学计算机与信息工程学院，河南新乡 453007
  2.武汉大学国家网络安全学院，湖北武汉 430072
  3.武汉大学空天信息安全与可信计算教育部重点实验室，湖北武汉 430072
  4.武汉大学日照信息技术研究院，山东日照 276800
  5.香港大学工学院，电机电子工程学系，中国香港 999077
- 作者简介：
- 基金信息：
  
  National Key R&D Program of China(2021YFB2700200;2022YFB3103300);National Natural Science Foundation of China(62206203;62076187);the Key R&D Program of Hubei Province(2022BAA039;2021BAA190);The Key Research and Development Program of Shandong Province(2022CXPT055)
- DOI：10.12263/DZXB.20250075
  CLC： TP309.5;
- Received：22 January 2025，
  
  Revised：2025-05-09，
  
  Published：25 July 2025
- 稿件说明：
移动端阅览
杜瑞颖, 陈晶, 吴聪, 等. 基于敏感组件函数调用图的安卓重打包恶意软件检测方法[J]. 电子学报, 2025, 53(07): 2372-2388.

DU Rui-ying, CHEN Jing, WU Cong, et al. A Detection Method for Android Repackaged Malware Based on Sensitive Component Function Call Graph[J]. Acta Electronica Sinica, 2025, 53(07): 2372-2388.
杜瑞颖, 陈晶, 吴聪, 等. 基于敏感组件函数调用图的安卓重打包恶意软件检测方法[J]. 电子学报, 2025, 53(07): 2372-2388. DOI：10.12263/DZXB.20250075

DU Rui-ying, CHEN Jing, WU Cong, et al. A Detection Method for Android Repackaged Malware Based on Sensitive Component Function Call Graph[J]. Acta Electronica Sinica, 2025, 53(07): 2372-2388. DOI：10.12263/DZXB.20250075

摘要

安卓系统占据移动操作系统七成以上的市场份额，成为许多不法分子传播恶意软件的平台.其中，重打包恶意软件通过嵌入少量恶意代码到良性软件中，利用大量良性行为掩盖恶意行为，从而绕过普通恶意软件检测方法.然而，当前学术界对重打包恶意软件的研究相对较少，现有基于函数调用图分区的检测方法存在通用性不足的问题，且在敏感API（Application Programming Interface）中心性特征方面未充分考虑恶意行为的语义特征.本文提出了一种安卓重打包恶意软件检测方法Partdroid，该方法通过分析清单文件和smali代码，提取应用程序的组件信息并生成组件函数调用图，将所有含有敏感API的组件的函数调用图合并，利用污点分析的方法发掘组件间调用关系，形成敏感组件函数调用图来避免函数调用图分区的局限性.同时，该方法通过挖掘敏感API与入口函数、交互函数的关系突出恶意行为的特征，并结合中心性算法综合计算敏感API的重要性，避免直接使用中心性算法提取特征的局限性.实验结果表明，本方法对安卓重打包恶意软件检测的综合性能优于其他同类工具，随机森林分类器的F1值和准确率分别达到91.34%和91.93%，投票算法则为91.63%和92.15%.此外，Partdroid在新恶意软件检测中表现突出，从谷歌应用商店随机选取的2 000个应用中检出3个可疑软件.

Abstract

The Android system occupies over 70% of the market share of mobile operating systems

making it a key platform for malicious actors to distribute malware. Repackaged malware embeds a small amount of malicious code into legitimate software

masking malicious activities with a majority of benign behaviors to evade traditional malware detection methods. However

academic research on repackaged malware remains relatively limited. Existing detection methods based on partitioning function call graphs often lack generalizability and fail to fully capture the semantic features of malicious behavior associated with sensitive API(Application Programming Interface) centrality. To solve these problems

we propose Partdroid

a detection method for Android repackaged malware. The method analyzes manifest files and smali code to extract application component information and generate component function call graphs. It combines graphs of components with sensitive APIs and uses taint analysis to uncover inter-component relationships

forming a sensitive component function call graph to overcome partitioning limitations. Additionally

Partdroid highlights malicious behavior by exploring the relationships between sensitive APIs

entry functions

and interaction functions. It also integrates centrality algorithms to calculate the importance of sensitive APIs comprehensively

addressing the limitations of directly using centrality algorithms for feature extraction. Experimental results demonstrate that Partdroid outperforms other tools in detecting Android repackaged malware

achieving an F1 score of 91.34% and accuracy of 91.93% with a random forest classifier

and 91.63% and 92.15% with a voting algorithm. Moreover

Partdroid performs outstandingly in detecting new malware

identifying 3 suspicious software among 2 000 randomly selected applications from the Google Play Store.

关键词

Keywords

references

IDC . Smartphone market share [EB/OL ] . ( 2024-5-14 )[ 2024-12-30 ] . https://www.idc.com/promo/smartphone-market-share https://www.idc.com/promo/smartphone-market-share .

KASPERSKY . IT threat evolution in Q 3 2023 . Mobile statistics [EB/OL ] . ( 2023-11-1 )[ 2024-12-30 ] . https://securelist.com/it-threat-evolution-q3-2023-mobile-statistics https://securelist.com/it-threat-evolution-q3-2023-mobile-statistics .

DAHIYA A , SINGH S , SHRIVASTAVA G . Android malware analysis and detection: A systematic review [J ] . Expert Systems , 2025 , 42 : e13488 .

WANG W , WANG X , FENG D W , et al . Exploring permission-induced risk in Android applications for malicious application detection [J ] . IEEE Transactions on Information Forensics and Security , 2014 , 9 ( 11 ): 1869 - 1882 .

KIM T , KANG B , RHO M , et al . A multimodal deep learning method for Android malware detection using various features [J ] . IEEE Transactions on Information Forensics and Security , 2019 , 14 ( 3 ): 773 - 788 .

潘建文 , 张志华 , 林高毅 , 等 . 基于特征选择的恶意Android应用检测方法 [J ] . 计算机工程与应用 , 2023 , 59 ( 21 ): 287 - 295 .

PAN J W , ZHANG Z H , LIN G Y , et al . Android malware detection based on feature selection [J ] . Computer Engineering and Applications , 2023 , 59 ( 21 ): 287 - 295 . (in Chinese)

MARICONTI E , ONWUZURIKE L , ANDRIOTIS P , et al . MaMaDroid: Detecting Android malware by building Markov chains of behavioral models [C ] // Proceedings 2017 Network and Distributed System Security Symposium . San Diego : NDSS , 2017 : 3313391 .

WU Y M , LI X D , ZOU D Q , et al . MalScan: Fast market-wide mobile malware scanning by social-network centrality analysis [C ] // 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE) . Piscataway : IEEE , 2019 : 139 - 150 .

MAFAKHERI A , SULAIMANY S . Android malware detection through centrality analysis of applications network [J ] . Applied Soft Computing , 2024 , 165 : 112058 .

ZOU D Q , WU Y M , YANG S R , et al . Intdroid: Android malware detection based on API intimacy analysis [J ] . ACM Transactions on Software Engineering and Methodology(TOSEM) , 2021 , 30 : 3442588 .

HUANG L , XUE J F , WANG Y , et al . WHGDroid: Effective Android malware detection based on weighted heterogeneous graph [J ] . Journal of Information Security and Applications , 2023 , 77 : 103556 .

LI Y K , HU Y K , WANG Y Z , et al . RGDroid: Detecting Android malware with graph convolutional networks against structural attacks [C ] // 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER) . Piscataway : IEEE , 2023 : 639 - 650 .

YANG H Y , WANG Y W , ZHANG L , et al . A novel Android malware detection method with API semantics extraction [J ] . Computers & Security , 2024 , 137 : 103651 .

郭燕慧 , 王东 , 王晓煊 , 等 . 一种面向图神经网络安卓恶意代码检测的通用解释定位方法 [J ] . 软件学报 , 2024 , 35 ( 8 ): 1 .

GUO Y H , WANG D , WANG X X , et al . A generic explaining & locating method for malware detection based on graph neural networks [J ] . Journal of Software , 2024 , 35 ( 8 ): 1 . (in Chinese)

GU J T , ZHU H L , HAN Z W , et al . GSEDroid: GNN-based Android malware detection framework using lightweight semantic embedding [J ] . Computers & Security , 2024 , 140 . DOI: 10.1016/j.cose.2024.103807 http://dx.doi.org/10.1016/j.cose.2024.103807 .

ZHAO W X , WU J T , MENG Z Y . AppPoet: Large language model based Android malware detection via multi-view prompt engineering [J ] . Expert Systems with Applications , 2025 , 262 : 125546 .

ZHAN Z X , JI S , ZHEGN W Y , et al . DroidExaminer: An Android malware hybrid detection system based on ensemble learning [J ] . Journal of Internet Technology , 2024 , 25 ( 1 ): 105 - 116 .

DESNOS A . Androguard: Reverse engineering and pentesting for Android applications [EB/OL ] . ( 2013-01-01 )[ 2024-12-30 ] . https://gitcode.com/gh_mirrors/an/androguard https://gitcode.com/gh_mirrors/an/androguard .

SINGH S , CHATURVEDY K , MISHRA B . Multi-view learning for repackaged malware detection [C ] // Proceedings of the 16th International Conference on Availability, Reliability and Security . New York : ACM , 2021 : 1 - 9 .

LIU B Y , YUN D Y , GUO X , et al . Detecting sensor-based repackaged malware [C ] // 2020 IEEE International Conference on Big Data (Big Data) . Piscataway : IEEE , 2020 : 5759 - 5761 .

HE G F , XU B F , ZHANG L , et al . On-device detection of repackaged Android malware via traffic clustering [J ] . Security and Communication Networks , 2020 , 2020 : 8630748 .

HU W J , TAO J , MA X B , et al . MIGDroid: Detecting APP-Repackaging Android malware via method invocation graph [C ] // 2014 23rd International Conference on Computer Communication and Networks (ICCCN) . Piscataway : IEEE , 2014 : 1 - 7 .

TIAN K , YAO D F , RYDER B G , et al . Detection of repackaged Android malware with code-heterogeneity features [J ] . IEEE Transactions on Dependable and Secure Computing , 2020 , 17 ( 1 ): 64 - 77 .

SHI L M , MING J , FU J M , et al . VAHunt: Warding off new repackaged Android malware in app-virtualization’s clothing [C ] // Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security . New York : ACM , 2020 : 535 - 549 .

SALEM A , PAULUS F F , PRETSCHNER A . Repackman: A tool for automatic repackaging of Android apps [C ] // Proceedings of the 1st International Workshop on Advances in Mobile App Analysis . New York : ACM , 2018 : 25 - 28 .

HAGBERG A , CONWAY D . Networkx: Network analysis with python [EB/OL ] . ( 2020-01-01 )[ 2024-12-30 ] . https://networkx. github. Io https://networkx.github.Io .

CAO Y Z , FRATANTONIO Y , BIANCHI A , et al . EdgeMiner: Automatically detecting implicit control flow transitions through the Android framework [C ] // Proceedings 2015 Network and Distributed System Security Symposium . San Diego : NDSS , 2015 .

ALLIX K , BISSYANDÉ T F , KLEIN J , et al . AndroZoo: Collecting millions of Android apps for the research community [C ] // 2016 IEEE/ACM 13th Working Conference on Mining Software Repositories (MSR) . Piscataway : IEEE , 2016 : 468 - 471 .

CAI H P , RYDER B . A longitudinal study of application structure and behaviors in Android [J ] . IEEE Transactions on Software Engineering , 2021 , 47 ( 12 ): 2934 - 2955 .

GONG L Y , LI Z H , QIAN F , et al . Experiences of landing machine learning onto market-scale mobile malware detection [C ] // Proceedings of the Fifteenth European Conference on Computer Systems . New York : ACM , 2020 : 1 - 14 .

LI L , LI D Y , BISSYANDÉ T F , et al . Understanding Android app piggybacking: A systematic study of malicious code grafting [J ] . IEEE Transactions on Information Forensics and Security , 2017 , 12 ( 6 ): 1269 - 1284 .

virustotal . VirusTotal [EB/OL ] . ( 2024-11-30 )[ 2024-12-30 ] . https://www.virustotal.com/gui/home/upload https://www.virustotal.com/gui/home/upload Î.

SKYLOT . Jadx [EB/OL ] . ( 2024-01-01 )[ 2024-12-30 ] . https://github. com/skylot/jadx https://github.com/skylot/jadx .

WINSNIEWSKI R . Apktool: A tool for reverse engineering android apk files [EB/OL ] . ( 2012-01-01 )[ 2024-12-30 ] . https://ibotpeaches.github.io/Apktool https://ibotpeaches.github.io/Apktool .

GAO C Y , HUANG G Z , LI H , et al . A comprehensive study of learning-based Android malware detectors under challenging environments [C ] // Proceedings of the IEEE/ACM 46th International Conference on Software Engineering . New York : ACM , 2024 : 1 - 13 .

SUN X Y , LI L , BISSYANDÉ T F , et al . Taming reflection: An essential step toward whole-program analysis of android apps [J ] . ACM Transactions on Software Engineering and Methodology (TOSEM) , 2021 , 30 ( 3 ): 1 - 36 .

HUANG J J , XUE B , JIANG J S , et al . Scalably detecting third-party Android libraries with two-stage bloom filtering [J ] . IEEE Transactions on Software Engineering , 2022 , 49 ( 4 ): 2272 - 2284 .

ZHAN X , FAN L L , CHEN S , et al . ATVHunter: Reliable version detection of third-party libraries for vulnerability identification in Android applications [C ] // 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE) . Piscataway : IEEE , 2021 : 1695 - 1707 .

ZHAN X , LIU T M , FAN L L , et al . Research on third-party libraries in Android apps: A taxonomy and systematic literature review [J ] . IEEE Transactions on Software Engineering , 2022 , 48 ( 10 ): 4181 - 4213 .

Views

下载量

CSCD

Alert me when the article has been cited

提交

Tools

Publicity Resources

Research on High-Efficiency Integrated Circuit DFT Technology Based on Machine Learning

DRHA-UIE: An Underwater Image Enhancement Method Based on Dual Residual Hybrid Attention Block

Cognitive Learning: A New Paradigm for Machine Learning in Electromagnetic Spectrum Environment

Transfer-Learning-Based Virtual Process Optimization for LiPON

Related Author

DU Rui-ying

CHEN Jing

WU Cong

YAN Xi-yu

CAI Zhi-kuang

ZHAO Ze-yu

YANG Han

WANG Zi-xuan

Related Institution

School of Cyber Science and Engineering, Wuhan University

Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education

Department of Electrical and Electronic Engineering, Faculty of Engineering, The University of Hong Kong

武汉大学日照信息技术研究院

香港大学工学院，电机电子工程学系

⁰