Detect repackaged Android application based on HTTP traffic similarity

Abstract

In recent years, more and more malicious authors aim to Android platform because of the rapid growth number of Android Google, Menlo Park, California, USA applications or apps. They embedded malicious code into Android apps to execute their special malicious behaviors, such as sending text messages to premium numbers, stealing privacy information, or even converting the infected phones into bots. We called the app, which has been embedded with malicious code, as embedded repackaged app. This phenomena leads a big security risk to the Android users and how to detect them becomes an urgent problem. Previous research efforts focus on extracting the app's characteristics for comparison from its static program code, which neither can handle the code obfuscation technologies, nor can analyze the app's dynamic behaviors feature. To address these limitations, we propose an approach based on extracting the app's characteristics from the HTTP traffic, which is generated by the app. Moreover, we have implemented a multi-thread comparison algorithm based on the balanced Vantage Point Tree VPT, which can remarkably reduce the experiment time. In this experiment, we successfully detected 266 embedded repackaged apps from 7619 Android apps downloaded from six popular Android markets, and the distribution rate of each market ranges from 2.57% to 6.07%. Then based on the analyzing of the HTTP traffic generated by these embedded codes, we found that majority of them are advertisement traffic and malicious traffic. Copyright © 2015 John Wiley & Sons, Ltd.