APP-NTS: a network traffic similarity-based framework for repacked Android apps detection

Abstract

The popularity of Android brings much functionality to its users but it also brings many threats. Repacked Android application is one such threat which is the root of many other threats such as malware, phishing, adware, and economical loss. Earlier many techniques have been proposed for the detection of repacked application but they have their limitations and bottlenecks. The issue of malware and duplicate apps affecting the smartphones are being reported on a large scale and has drawn the attention of many researchers. Major of these issues target Android-based phones. Repackaged apps are usually infected versions of popular apps. Adversaries download a popular Android app, and obtain the code using reverse engineering and then add their code (often malicious) to it and repackage and release the app. The existing methods focus primarily on the extraction of apps’ behavior and comparing the same with their static code. These have the least chance of detecting the code obfuscation and the dynamic behavior of apps. Therefore, a framework of App-NTS is proposed which extracts the dynamic behavior of the apps from the network traffic analysis. The dynamic vantage point algorithm used for the comparative analysis of the apps’ behavior, which significantly helps in reducing the time complexity. Experimental analysis has detected 365 repacked apps from 8645 apps that are downloaded from various online markets and have also brought dramatic results in terms of better performance with Mean Square Error value decreased by 41% and Log loss reduced by 35.2%. There is an increase in accuracy of 18.3% when compared to other states of the art techniques.