Charlie Soh,Hee Beng Kuan Tan,Yauhen Leanidavich Arnatovich,Lipo Wang

DOI: https://doi.org/10.1109/icpc.2015.25

2015-01-01

Abstract:The blooming mobile smart phone device industry has attracted a large number of application developers. However, due to the availability of reverse engineering tools for Android applications, it also caught the attention of plagiarists and malware writers. In recent years, application cloning has become a serious threat to the Android market. In previous work, mobile application clone detection mainly focuses on code-based analysis. Such an approach lacks resilient to advanced obfuscation techniques. Their efficiency is also questionable, as billions of opcodes need to be processed for cross-market clone detection. In this paper, we propose a novel technique of detecting Android application clones based on the analysis of user interface (UI) information collected at runtime. By leveraging on the multiple entry points feature of Android applications, the UI information can be collected easily without the need to generate relevant inputs and execute the entire application. Another advantage of our technique is obfuscation resilient since semantics preserving obfuscation technique do not affect runtime behaviors. We evaluated our approach on a set of real-world dataset and it has a low false positive rate and false negative rate. Furthermore, the results also show that our approach is effective in detecting different types of repackaging attacks.

Junaid Akram,Zhendong Shi,Majid Mumtaz,Luo Ping

DOI: https://doi.org/10.1109/compsac.2018.00021

2018-01-01

Abstract:Android became more popular and widely used operating system. It has been noticed that the code clones in Android apps make it difficult to maintain the security flaws in source code. To avoid these problems, it is essential to find, identify, evaluate and recover those code clones as early as possible. In this paper, we propose and design DroidCC, a novel clone detection approach in Android applications, that helps to detect different types of clones from APK's source code. A prototype has been developed and implemented on the dataset of almost 30,000 top rated Android apps. DroidCC detects type-1, type-2 and type-3 clones in Android apps at the source code level. It also detects the similar code fragments, that were injected into many applications, which might be an indication of spreading malware. Meanwhile it can detect full and partial level similarity between applications. We evaluate DroidCC clone detection approach on real time data-set and count the Recall and Precision, which is quite significant. Furthermore, our results show that our approach is very efficient and effective in detecting different types of clones to check the similarity level in Android applications.

Cuiying Gao,Minghui Cai,Shuijun Yin,Gaozhun Huang,Heng Li,Wei Yuan,Xiapu Luo

DOI: https://doi.org/10.1109/tifs.2023.3302509

IF: 7.231

2023-08-22

IEEE Transactions on Information Forensics and Security

Abstract:Existing Android malware detection methods are usually hard to simultaneously resist various obfuscation techniques. Therefore, bytecode-based code obfuscation becomes an effective means to circumvent Android malware analysis. Building obfuscation-resilient Android malware analysis methods is a challenging task, due to the fact that various obfuscation techniques have vastly different effects on code and detection features. To mitigate this problem, we propose combining multiple features that are complementary in combating code obfuscation. Accordingly, we develop an obfuscation-resilient Android malware analysis method CorDroid, based on two new features: Enhanced Sensitive Function Call Graph (E-SFCG) and Opcode-based Markov transition Matrix (OMM). The first describes sensitive function call relationships, while the second reflects transition probabilities among opcodes. Combining E-SFCG and OMM can well characterize the runtime behavior of Android apps from different perspectives, hence increasing the difficulty of misleading malware analysis through using code obfuscation to affect detection features. To evaluate CorDroid, we generate 74, 138 obfuscated samples with 14 different obfuscation techniques, and compare CorDroid with the state-of-the-art detection methods (e.g., MaMaDroid, RevealDroid and APIGraph). In terms of average F1-Score, CorDroid is 29.69% higher than MaMaDroid, 21.80% higher than APIGraph, and 9.71% higher than RevealDroid, respectively. Experiments also validate the complementarity between E-SFCG and OMM, and exhibit the high execution efficiency of CorDroid.

computer science, theory & methods,engineering, electrical & electronic

Yasir Glani,Luo Ping,Ke Lin,Syed Asad Shah

DOI: https://doi.org/10.1109/seai59139.2023.10217577

2023-01-01

Abstract:In recent decades, malicious code reuse has surged in numbers and sophistication, it is a common practice among adversaries to reuse malicious code, which significantly threatens user privacy and security. Several signature-based code clone detection techniques have been proposed to detect malicious clones in Android applications that use the MD5 hash function to generate signatures. Meanwhile, these techniques only retrieve signatures from Java files. Due to the 128-bit signature size of the MD5 hash function, these techniques take longer to generate signatures. In this article, we propose the AyatDroid technique, which efficiently identifies malicious chunks by retrieving signatures from Java and manifest files . AyatDroid technique is tested on reliable CiCMalDroid 2020 dataset. We have evaluated the AyatDroid technique with other cutting-edge code clone detection techniques. Our experimental results demonstrated that AyatDroid outperformed regarding detection time and accuracy. AyatDroid is not only lightweight but also efficient, allowing it to be implemented on the large scale.

Sidra Siddiqui,Tamim Ahmed Khan

DOI: https://doi.org/10.1007/s42979-024-02637-3

2024-03-16

SN Computer Science

Abstract:Obfuscation is a method to hide coding strategies for security and privacy. Despite its positive use, malware experts have also used this technique to develop malware applications. A variety of malware has taken over the market in recent times. This sophisticated malware uses different obfuscation and mutation techniques to deceive the detectors. Obfuscation and mutation attacks are technique variations in which the attacker uses java-reflection techniques and encryption to manipulate the malicious applications and force the classifier to do misclassification. Despite its positive use, malware experts have also used this technique to misguide classifiers. The obfuscated malware is difficult to tackle due to the complexity of there structure and behavior. A fresh look is needed at the available datasets and features used especially for Android obfuscated malware analysis. We investigate and provide a concise account of obfuscated malware detection techniques. We evaluate the importance and effectiveness of obfuscation for Android malware analysis by investigating the techniques, datasets, and feature sets used in the literature. We report supervised learning as more popular for analysis. The paper provides details on the use of datasets such as Debian, genome, Adrozoo, and CIC as the most commonly used in literature. We also investigate certain features, mostly static, considered for analysis and highlight the use of unconventional techniques, such as unsupervised learning and graph theory.

Yasir Giani,Luo Ping,Syed Asad Shah

DOI: https://doi.org/10.1109/accc58361.2022.00015

2022-01-01

Abstract:Code clones make software maintenance more challenging. Detecting bugs in large systems may significantly increase maintenance costs. Despite the fact that several techniques for clone identification have been proposed over the years, the accuracy and scalability of clone detection techniques remain hot research areas. Previously, Akram et al. proposed the DroidCC hybrid technique, where tokens were encoded into MD5 hash values by encoding them into 128-bit fingerprints, and clones were identified by matching identical hash values. Encoding tokens into MD5 hash values take more time due to the large fingerprint size of MD5 hash values. Due to the enormous chunk size, DroidCC cannot achieve higher accuracy. To overcome the weakness of the DroidCC technique, We proposed a novel AYAT a lightweight hybrid technique to detect clones at the fragment level. To speed up the detection process, we converted tokens into 32-bit polynomial values, and we set the chunk size to 5 lines per chunk to improve accuracy. We tested our technique on 10,968 java projects against 4.98 million lines of code. In comparison to the well-known DroidCC technique, it is significantly faster and more efficient. Our examination demonstrates that precision is significantly improved despite sacrificing scalability. AYAT code cloning detection technique has outscored DroidCC in every aspect.

王浩宇,王仲禹,郭耀,陈向群

DOI: https://doi.org/10.1360/n112013-00130

2014-01-01

Abstract:With the popularity of smart phones, mobile applications are growing rapidly, especially the Android applications. These applications not only provide useful features, but also bring security and privacy issues. The plagiarist can easily crack the legitimate applications, add malicious code or change the existing libraries, and advertise them in various third-party markets. The repackaged applications not only compromise the copyright of the original authors, but also weaken the security and privacy of users. In this paper, we propose an accurate and scalable approach to detect repackaged android applications and implement a prototype system. We use the system to study more than 14,500 applications collected from Google Play market and various third-party markets. The results demonstrate the effectiveness and scalability of our approach.

Weihao Huang,Guozhu Meng,Chaoyang Lin,Qiucun Yan,Kai Chen,Zhuo Ma

DOI: https://doi.org/10.1186/s42400-023-00148-x

2023-07-03

Abstract:Clone detection has received much attention in many fields such as malicious code detection, vulnerability hunting, and code copyright infringement detection. However, cyber criminals may obfuscate code to impede violation detection. To date, few studies have investigated the robustness of clone detectors, especially in-fashion deep learning-based ones, against obfuscation. Meanwhile, most of these studies only measure the difference between one code snippet and its obfuscation version. However, in reality, the attackers may modify the original code before obfuscating it. Then what we should evaluate is the detection of obfuscated code from cloned code, not the original code. For this, we conduct a comprehensive study evaluating 3 popular deep-learning based clone detectors and 6 commonly used traditional ones. Regarding the data, we collect 6512 clone pairs of five types from the dataset BigCloneBench and obfuscate one program of each pair via 64 strategies of 6 state-of-art commercial obfuscators. We also collect 1424 non-clone pairs to evaluate the false positives. In sum, a benchmark of 524,148 code pairs (either clone or not) are generated, which are passed to clone detectors for evaluation. To automate the evaluation, we develop one uniform evaluation framework, integrating the clone detectors and obfuscators. The results bring us interesting findings on how obfuscation affects the performance of clone detection and what is the difference between traditional and deep learning-based clone detectors. In addition, we conduct manual code reviews to uncover the root cause of the phenomenon and give suggestions to users from different perspectives.

Fahmi H Quradaa,Sara Shahzad,Rashad Saeed,Mubarak M Sufyan

DOI: https://doi.org/10.1371/journal.pone.0302333

IF: 3.7

2024-05-10

PLoS ONE

Abstract:In software development, it's common to reuse existing source code by copying and pasting, resulting in the proliferation of numerous code clones-similar or identical code fragments-that detrimentally affect software quality and maintainability. Although several techniques for code clone detection exist, many encounter challenges in effectively identifying semantic clones due to their inability to extract syntax and semantics information. Fewer techniques leverage low-level source code representations like bytecode or assembly for clone detection. This work introduces a novel code representation for identifying syntactic and semantic clones in Java source code. It integrates high-level features extracted from the Abstract Syntax Tree with low-level features derived from intermediate representations generated by static analysis tools, like the Soot framework. Leveraging this combined representation, fifteen machine-learning models are trained to effectively detect code clones. Evaluation on a large dataset demonstrates the models' efficacy in accurately identifying semantic clones. Among these classifiers, ensemble classifiers, such as the LightGBM classifier, exhibit exceptional accuracy. Linearly combining features enhances the effectiveness of the models compared to multiplication and distance combination techniques. The experimental findings indicate that the proposed method can outperform the current clone detection techniques in detecting semantic clones.

Umair Nawaz,Muhammad Aleem,Jerry Chun-Wei Lin

DOI: https://doi.org/10.7717/peerj-cs.1002

2022-06-21

PeerJ Computer Science

Abstract:The Android mobile platform is the most popular and dominates the cell phone market. With the increasing use of Android, malware developers have become active in circumventing security measures by using various obfuscation techniques. The obfuscation techniques are used to hide the malicious code in the Android applications to evade detection by anti-malware tools. Some attackers use the obfuscation techniques in isolation, while some attackers use a mixed approach (i.e., employing multiple obfuscation techniques simultaneously). Therefore, it is crucial to analyze the impact of the different obfuscation techniques, both when they are used in isolation and when they are combined as hybrid techniques. Several studies have suggested that the obfuscation techniques may be more effective when used in a mixed pattern. However, in most of the related works, the obfuscation techniques used for analysis are either based on individual or a combination of primitive obfuscation techniques. In this work, we provide a comprehensive evaluation of anti-malware tools to gauge the impact of complex hybrid code-obfuscations techniques on malware detection capabilities of the prominent anti-malware tools. The evaluation results show that the inter-category-wise hybridized code obfuscation results in more evasion as compared to the individual or simple hybridized code obfuscations (using multiple and similar code obfuscations) which most of the existing related work employed for the evaluation. Obfuscation techniques significantly impact the detection rate of any anti-malware tool. The remarkable result i.e., almost 100% best detection rate is observed for the seven out of 10 tools when analyzed using the individual obfuscation techniques, four out of 10 tools on category-wise obfuscation, and not a single anti-malware tool attained full detection (i.e., 100%) for inter-category obfuscations.

computer science, information systems, artificial intelligence, theory & methods

Zhaoguo Wang,Chenglong Li,Yi Guan,Yibo Xue

DOI: https://doi.org/10.13245/j.hust.160312

2016-01-01

Abstract:In order to confront the code obfuscation problem,and better respond to the needs of simi-larity detection,a new method based on anti-obfuscation characteristics was designed,which included 7 kinds of anti-obfuscation code characteristics,audio characteristics and image characteristics.The method was proposed for detecting similarity and evaluating.Based on these characteristics and the methods,a prototype system was implemented and made suitable for large-scale scenario.The detec-tions of 1259 malware and 288 APPs from 12 APP markets show that the proposed method has obvi-ous advantages over the state-of-the-art methods against code obfuscation with high detection perform-ance.

Junaid Akram,Zhendong Shi,Majid Mumtaz,Ping Luo

DOI: https://doi.org/10.6688/jise.202001_36(1).0002

2020-01-01

Journal of information science and engineering

Abstract:Android is becoming more and more popular in recent years. Meanwhile, it has been noticed that the security threats are also increasing with the passage of time because of the code reuse from other applications. In this paper, we propose and design DroidSD, a clone detection tool for Android applications, that helps to detect different types of code clones from APK's source code. A prototype has been developed and implemented to detect clones in Android applications. DroidSD detects Type-1, Type-2 and Type-3 (near-miss) clones in Android applications at the source code level with high accuracy rate, which was not possible in previous Android similarity detection techniques. DroidSD can detect full and partial level similarity between applications. We evaluate DroidSD on real time data-set and count the Recall and Precision on BigCloneBench, which is quite significant. The real time data-set includes 30,500 Android applications including top one, i.e. Chrome, Firefox, Gmail, WhatsApp, GoogleMap, Google-PlayStore, Baidu and BigCloneBench.

Xiao Cheng,Lingxiao Jiang,Hao Zhong,Haibo Yu,Jianjun Zhao

DOI: https://doi.org/10.1145/2975961.2975967

2016-01-01

Abstract:More and more mobile applications run on multiple mobile operating systems to attract more users of different platforms. Although versions on different platforms are implemented in different programming languages (e.g., Java and Objective-C), there must be many code snippets that implement the similar business logic on different platforms. Such code snippets are called cross-platform clones. It is challenging but essential to detect such clones for software maintenance. Due to the practice that developers usually use some common identifiers when implementing the same business logic on different platforms, in this paper, we investigate the identifier similarity of the same mobile application on different platforms and provide insights about the feasibility of cross-platform clone detection via identifier similarity. In our experiment, we have analyzed the source code of 18 open-source cross-platform applications which are implemented on Android, iOS and Windows Phone, and find that the smaller KL-Divergence the application has, the more accurate the clones detected by identifiers will be.

Runhan Feng,Zhuohao Zhang,Yetong Zhou,Ziyang Yan,Yuanyuan Zhang

DOI: https://doi.org/10.1109/saner60148.2024.00028

2024-01-01

Abstract:In an effort to enhance the attractiveness of apps, developers consistently and frequently release updates to introduce new features and address known issues. Although frequent updates are beneficial for improving user experience, they also increase the workload for reverse engineers since existing analysis results may become obsolete after the release of a new version. Matching code across app versions can help reverse engineers quickly migrate existing analysis results to new versions, verifying whether their prior findings still hold in the new version. This allows them to focus more on the modified portions of the code, thus increasing reverse engineering efficiency. Nevertheless, existing techniques cannot effectively match the code of apps protected by obfuscation techniques, which are pervasively adopted in prac-tice. To address the challenges introduced by code obfuscation, this study presents MatchScope, a novel automated approach designed to match code at the method level across versions of Android app binaries. MatchScope effectively leveraging different levels of fine-grained code features, including class structures and method opcodes, etc., for similarity comparison, thus achieving high accuracy. To further enhance the matching efficiency, we design an index-aware matching algorithm, significantly reducing the scope and number of pairwise comparisons required compared with existing work. The critical insight of our algorithm lies in that the obfuscation tools usually rely on an incrementing index to generate obfuscated names for classes in a deterministic way. Our evaluation on 20 open-source and 60 real-world apps demonstrates the effectiveness of MatchScope. The precision and recall of MatchScope on the ground truth achieve 97.49 % and 92.34 %, respectively, which are 19.50 % and 30.74 % higher than the state-of-the-art tool.

Leonid Glanz,Patrick Müller,Lars Baumgärtner,Michael Reif,Sven Amann,Pauline Anthonysamy,Mira Mezini

DOI: https://doi.org/10.1145/3320269.3384745

2020-09-09

Abstract:String obfuscation is an established technique used by proprietary, closed-source applications to protect intellectual property. Furthermore, it is also frequently used to hide spyware or malware in applications. In both cases, the techniques range from bit-manipulation over XOR operations to AES encryption. However, string obfuscation techniques/tools suffer from one shared weakness: They generally have to embed the necessary logic to deobfuscate strings into the app code. In this paper, we show that most of the string obfuscation techniques found in malicious and benign applications for Android can easily be broken in an automated fashion. We developed StringHound, an open-source tool that uses novel techniques that identify obfuscated strings and reconstruct the originals using slicing. We evaluated StringHound on both benign and malicious Android apps. In summary, we deobfuscate almost 30 times more obfuscated strings than other string deobfuscation tools. Additionally, we analyzed 100,000 Google Play Store apps and found multiple obfuscated strings that hide vulnerable cryptographic usages, insecure internet accesses, API keys, hard-coded passwords, and exploitation of privileges without the awareness of the developer. Furthermore, our analysis reveals that not only malware uses string obfuscation but also benign apps make extensive use of string obfuscation.

Cryptography and Security

Weiping WEN,Han ZHANG,Xianglei CAO

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.05.011

2016-01-01

Abstract:With the rapid development of mobile intelligent terminals, Android operating system has become one of the most widely used mobile intelligent operating systems in the world. Java is famous for its features of good cross-platform, high efficiency and a large amount of developers, therefore the designers of Android choose Java as the system development language. The characteristics of the Java language make Java program easy be decompiled by decompilation tools and be analyzed, which makes Android applications face great risks. This paper focuses on the study of code obfuscation technology for the purpose of protecting Android applications, improving the dififculty of the attacker's reverse analysis and adding no extra time cost for the execution of the program. Based on Android executable ifle reorganization, this paper designs and implements a kind of Android obfuscation tool and carries out test and performances analysis. This Android obfuscation tool enhances the security of Android applications, protects Android applications developers' intellectual property rights, and avoids reverse analysis, piracy and malicious tampering to Android applications to a certain extent.

Shuai Jiang,Yao Hong,Cai Fu,Yekui Qian,Lansheng Han

DOI: https://doi.org/10.1016/j.jisa.2021.102953

IF: 4.96

2021-01-01

Journal of Information Security and Applications

Abstract:The obfuscation detection technology is an important auxiliary means of malware detection. Also, for security practitioners, it can carry out automatic obfuscation detection before manual reverse analysis, which helps reverse engineers to perform reverse analysis more specifically. Existing obfuscation detection methods are mainly for Android applications and based on traditional machine learning, whose detection granularity is coarse, generality is poor, and the performance is not good enough. To address these issues, in this paper, we propose a function-level obfuscation detection method based on Graph Convolutional Networks for X86 assembly code and Android applications. Firstly, our method is function-level obfuscation detection, and we extract the Control Flow Graph (CFG) of each function as its feature, including the adjacency matrix and the basic block feature matrix. Secondly, we build a hybrid neural network model GCN-LSTM as our obfuscation detection model, which combines the Graph Convolutional Network (GCN) and the Long Short-Term Memory (LSTM). Finally, we conduct experiments using real-world open-source programs and compare results with baseline methods. For function-level detection, the accuracy of our method is 94.7575% for X86 assembly code and 98.9457% for Android applications, both of which are better than baseline methods. For APK-level detection, our method can almost completely detect the obfuscated APKs. Experimental results show that our method performs well for both X86 assembly code and Android applications and is superior to the baseline methods in both function-level detection and APK-level detection. Our research showcases a successful application of the Graph Convolutional Network and the Control Flow Graph on code obfuscation detection problems.

Xin Sun,Yibing Zhongyang,Zhi Xin,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-55415-5_12

2014-01-01

Abstract:Recently smartphones and mobile devices have gained incredible popularity for their vibrant feature-rich applications (or apps). Because it is easy to repackage Android apps, software plagiarism has become a serious problem. In this paper, we present an accurate and robust system DroidSim to detect code reuse. DroidSim calculates similarity score only with component-based control flow graph (CB-CFG). CB-CFG is a graph of which nodes are Android APIs and edges represent control flow precedence order in each Android component. Our system can be applied to detect repackaged apps and malware variants. We evaluate DroidSim on 121 apps and 706 malware variants. The results show that our system has no false negative and a false positive of 0.83% for repackaged apps, and a detection ratio of 96.60% for malware variants. Besides, ADAM is used to obfuscate apps and the result reveals that ADAM has no influence on our system.

Yang Yuan,Yao Guo

DOI: https://doi.org/10.1145/2351676.2351725

2012-01-01

Abstract:Detecting code clones in a program has many applications in software engineering and other related fields. In this paper, we present Boreas, an accurate and scalable token-based approach for code clone detection. Boreas introduces a novel counting-based method to define the characteristic matrices, which are able to describe the program segments distinctly and effectively for the purpose of clone detection. We conducted experiments on JDK 7 and Linux kernel 2.6.38.6 source code. Experimental results show that Boreas is able to match the detecting accuracy of a recently proposed syntactic-based tool Deckard, with the execution time reduced by more than an order of magnitude.

Wael F Elsersy,Ali Feizollah,Nor Badrul Anuar

DOI: https://doi.org/10.7717/peerj-cs.907

2022-03-09

Abstract:The various application markets are facing an exponential growth of Android malware. Every day, thousands of new Android malware applications emerge. Android malware hackers adopt reverse engineering and repackage benign applications with their malicious code. Therefore, Android applications developers tend to use state-of-the-art obfuscation techniques to mitigate the risk of application plagiarism. The malware authors adopt the obfuscation and transformation techniques to defeat the anti-malware detections, which this paper refers to as evasions. Malware authors use obfuscation techniques to generate new malware variants from the same malicious code. The concern of encountering difficulties in malware reverse engineering motivates researchers to secure the source code of benign Android applications using evasion techniques. This study reviews the state-of-the-art evasion tools and techniques. The study criticizes the existing research gap of detection in the latest Android malware detection frameworks and challenges the classification performance against various evasion techniques. The study concludes the research gaps in evaluating the current Android malware detection framework robustness against state-of-the-art evasion techniques. The study concludes the recent Android malware detection-related issues and lessons learned which require researchers' attention in the future.