On Locating Malicious Code in Piggybacked Android Apps

Li Li; Daoyuan Li; Tegawendé F. Bissyandé; Jacques Klein; Haipeng Cai; David Lo; Yves Le Traon

doi:10.1007/s11390-017-1786-z

On Locating Malicious Code in Piggybacked Android Apps

Li Li
, Daoyuan Li
, Tegawendé F. Bissyandé
, Jacques Klein
, Haipeng Cai
, David Lo
, Yves Le Traon

Department of Computer Science and Engineering

University of Luxembourg
Singapore Management University

Research output: Contribution to journal › Article › peer-review

19 Scopus citations

Abstract

To devise efficient approaches and tools for detecting malicious packages in the Android ecosystem, researchers are increasingly required to have a deep understanding of malware. There is thus a need to provide a framework for dissecting malware and locating malicious program fragments within app code in order to build a comprehensive dataset of malicious samples. Towards addressing this need, we propose in this work a tool-based approach called HookRanker, which provides ranked lists of potentially malicious packages based on the way malware behaviour code is triggered. With experiments on a ground truth of piggybacked apps, we are able to automatically locate the malicious packages from piggybacked Android apps with an accuracy@5 of 83.6% for such packages that are triggered through method invocations and an accuracy@5 of 82.2% for such packages that are triggered independently.

Original language	English
Pages (from-to)	1108-1124
Number of pages	17
Journal	Journal of Computer Science and Technology
Volume	32
Issue number	6
DOIs	https://doi.org/10.1007/s11390-017-1786-z
State	Published - Nov 1 2017

Keywords

Android
HookRanker
malicious code
piggybacked app

Access to Document

10.1007/s11390-017-1786-z

Cite this

@article{6595a4294aab42cdbb542838c87a3aa8,

title = "On Locating Malicious Code in Piggybacked Android Apps",

abstract = "To devise efficient approaches and tools for detecting malicious packages in the Android ecosystem, researchers are increasingly required to have a deep understanding of malware. There is thus a need to provide a framework for dissecting malware and locating malicious program fragments within app code in order to build a comprehensive dataset of malicious samples. Towards addressing this need, we propose in this work a tool-based approach called HookRanker, which provides ranked lists of potentially malicious packages based on the way malware behaviour code is triggered. With experiments on a ground truth of piggybacked apps, we are able to automatically locate the malicious packages from piggybacked Android apps with an accuracy@5 of 83.6\% for such packages that are triggered through method invocations and an accuracy@5 of 82.2\% for such packages that are triggered independently.",

keywords = "Android, HookRanker, malicious code, piggybacked app",

author = "Li Li and Daoyuan Li and Bissyand{\'e}, \{Tegawend{\'e} F.\} and Jacques Klein and Haipeng Cai and David Lo and \{Le Traon\}, Yves",

note = "Publisher Copyright: {\textcopyright} 2017, Springer Science+Business Media, LLC, part of Springer Nature.",

year = "2017",

month = nov,

day = "1",

doi = "10.1007/s11390-017-1786-z",

language = "English",

volume = "32",

pages = "1108--1124",

journal = "Journal of Computer Science and Technology",

issn = "1000-9000",

publisher = "Springer New York",

number = "6",

}

TY - JOUR

T1 - On Locating Malicious Code in Piggybacked Android Apps

AU - Li, Li

AU - Li, Daoyuan

AU - Bissyandé, Tegawendé F.

AU - Klein, Jacques

AU - Cai, Haipeng

AU - Lo, David

AU - Le Traon, Yves

PY - 2017/11/1

Y1 - 2017/11/1

N2 - To devise efficient approaches and tools for detecting malicious packages in the Android ecosystem, researchers are increasingly required to have a deep understanding of malware. There is thus a need to provide a framework for dissecting malware and locating malicious program fragments within app code in order to build a comprehensive dataset of malicious samples. Towards addressing this need, we propose in this work a tool-based approach called HookRanker, which provides ranked lists of potentially malicious packages based on the way malware behaviour code is triggered. With experiments on a ground truth of piggybacked apps, we are able to automatically locate the malicious packages from piggybacked Android apps with an accuracy@5 of 83.6% for such packages that are triggered through method invocations and an accuracy@5 of 82.2% for such packages that are triggered independently.

AB - To devise efficient approaches and tools for detecting malicious packages in the Android ecosystem, researchers are increasingly required to have a deep understanding of malware. There is thus a need to provide a framework for dissecting malware and locating malicious program fragments within app code in order to build a comprehensive dataset of malicious samples. Towards addressing this need, we propose in this work a tool-based approach called HookRanker, which provides ranked lists of potentially malicious packages based on the way malware behaviour code is triggered. With experiments on a ground truth of piggybacked apps, we are able to automatically locate the malicious packages from piggybacked Android apps with an accuracy@5 of 83.6% for such packages that are triggered through method invocations and an accuracy@5 of 82.2% for such packages that are triggered independently.

KW - Android

KW - HookRanker

KW - malicious code

KW - piggybacked app

UR - https://www.scopus.com/pages/publications/85037373040

U2 - 10.1007/s11390-017-1786-z

DO - 10.1007/s11390-017-1786-z

M3 - Article

AN - SCOPUS:85037373040

SN - 1000-9000

VL - 32

SP - 1108

EP - 1124

JO - Journal of Computer Science and Technology

JF - Journal of Computer Science and Technology

IS - 6

ER -

On Locating Malicious Code in Piggybacked Android Apps

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this