Journal: Security and Communication Networks (Online)

Detect repackaged Android application based on HTTP traffic similarity


Abstract

In recent years, more and more malicious authors have targeted the Android platform because of the rapid growth in the number of Android (Google, Menlo Park, California, USA) applications (or apps). They embed malicious code into Android apps to carry out malicious behaviors such as sending text messages to premium numbers, stealing private information, or even converting infected phones into bots. We call an app that has been embedded with malicious code an embedded repackaged app. This phenomenon poses a serious security risk to Android users, and how to detect such apps has become an urgent problem. Previous research efforts focus on extracting an app's characteristics for comparison from its static program code, which can neither handle code obfuscation techniques nor analyze the app's dynamic behavior. To address these limitations, we propose an approach based on extracting the app's characteristics from the HTTP traffic that the app generates. Moreover, we have implemented a multi-threaded comparison algorithm based on the balanced Vantage Point Tree (VPT), which remarkably reduces the experiment time. In this experiment, we successfully detected 266 embedded repackaged apps among 7619 Android apps downloaded from six popular Android markets, and the distribution rate of each market ranges from 2.57% to 6.07%. Then, based on analysis of the HTTP traffic generated by the embedded code, we found that the majority of it is advertisement traffic and malicious traffic. Copyright © 2015 John Wiley & Sons, Ltd.

We call an app into which additional code has been embedded an embedded repackaged app; such apps cause security issues for Android users. To address the limitations of existing approaches, we first capture and parse the traffic generated by apps and classify it into primary and non-primary module traffic sets. Then we calculate the similarity of the primary modules and use the balanced vantage point tree comparison algorithm to detect them. Finally, we detected 266 embedded repackaged apps from 7619 Android apps.