On locating malicious code in piggybacked Android apps

Li Li, Daoyuan Li, Tegawendé F. Bissyandé, Jacques Klein, Haipeng Cai, David Lo, Yves Le Traon

Research output: Contribution to journal › Article › Research › peer-review

7 Citations (Scopus)

Abstract

To devise efficient approaches and tools for detecting malicious packages in the Android ecosystem, researchers are increasingly required to have a deep understanding of malware. There is thus a need to provide a framework for dissecting malware and locating malicious program fragments within app code in order to build a comprehensive dataset of malicious samples. Towards addressing this need, we propose in this work a tool-based approach called HookRanker, which provides ranked lists of potentially malicious packages based on the way malware behaviour code is triggered. With experiments on a ground truth of piggybacked apps, we are able to automatically locate the malicious packages from piggybacked Android apps with an accuracy@5 of 83.6% for such packages that are triggered through method invocations and an accuracy@5 of 82.2% for such packages that are triggered independently.

Original language: English
Pages (from-to): 1108-1124
Number of pages: 17
Journal: Journal of Computer Science and Technology
Volume: 32
Issue number: 6
DOIs: https://doi.org/10.1007/s11390-017-1786-z
Publication status: Published - Nov 2017
Externally published: Yes

Keywords

  • Android
  • HookRanker
  • malicious code
  • piggybacked app

Cite this

Li, L., Li, D., Bissyandé, T. F., Klein, J., Cai, H., Lo, D., & Le Traon, Y. (2017). On locating malicious code in piggybacked Android apps. Journal of Computer Science and Technology, 32(6), 1108-1124. https://doi.org/10.1007/s11390-017-1786-z
@article{cfad5368704f4eda89ec72610e53d7d3,
title = "On locating malicious code in piggybacked Android apps",
abstract = "To devise efficient approaches and tools for detecting malicious packages in the Android ecosystem, researchers are increasingly required to have a deep understanding of malware. There is thus a need to provide a framework for dissecting malware and locating malicious program fragments within app code in order to build a comprehensive dataset of malicious samples. Towards addressing this need, we propose in this work a tool-based approach called HookRanker, which provides ranked lists of potentially malicious packages based on the way malware behaviour code is triggered. With experiments on a ground truth of piggybacked apps, we are able to automatically locate the malicious packages from piggybacked Android apps with an accuracy@5 of 83.6{\%} for such packages that are triggered through method invocations and an accuracy@5 of 82.2{\%} for such packages that are triggered independently.",
keywords = "Android, HookRanker, malicious code, piggybacked app",
author = "Li Li and Daoyuan Li and Bissyand{\'e}, {Tegawend{\'e} F.} and Jacques Klein and Haipeng Cai and David Lo and {Le Traon}, Yves",
year = "2017",
month = "11",
doi = "10.1007/s11390-017-1786-z",
language = "English",
volume = "32",
pages = "1108--1124",
journal = "Journal of Computer Science and Technology",
issn = "1000-9000",
publisher = "Springer-Verlag London Ltd.",
number = "6",

}
