On locating malicious code in piggybacked Android apps

Li Li, Daoyuan Li, Tegawendé F. Bissyandé, Jacques Klein, Haipeng Cai, David Lo, Yves Le Traon

Research output: Contribution to journalArticleResearchpeer-review

11 Citations (Scopus)


To devise efficient approaches and tools for detecting malicious packages in the Android ecosystem, researchers are increasingly required to have a deep understanding of malware. There is thus a need to provide a framework for dissecting malware and locating malicious program fragments within app code in order to build a comprehensive dataset of malicious samples. Towards addressing this need, we propose in this work a tool-based approach called HookRanker, which provides ranked lists of potentially malicious packages based on the way malware behaviour code is triggered. With experiments on a ground truth of piggybacked apps, we are able to automatically locate the malicious packages from piggybacked Android apps with an accuracy@5 of 83.6% for such packages that are triggered through method invocations and an accuracy@5 of 82.2% for such packages that are triggered independently.

Original languageEnglish
Pages (from-to)1108-1124
Number of pages17
JournalJournal of Computer Science and Technology
Issue number6
Publication statusPublished - Nov 2017
Externally publishedYes


  • Android
  • HookRanker
  • malicious code
  • piggybacked app

Cite this