A Rapid and Scalable Method for Android Application Repackaging Detection

  • Sibei JiaoEmail author
  • Yao Cheng
  • Lingyun Ying
  • Purui Su
  • Dengguo Feng
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9065)


Nowadays the security issues of Android applications (apps) are more and more serious. One of the main security threats come from repackaged apps. There already are some researches detecting repackaged apps using similarity measurement. However, so far, all the existing techniques for repackaging detection are based on code similarity or feature (e.g., permission set) similarity evaluation. In this paper, we propose a novel approach called ImageStruct that applies image similarity technique to locate and detect the changes coming from repackaging effectively. ImageStruct performs a quick repackaging detection by considering the similarity of images in target apps. The intuition behind our approach is that the repackaged apps still need to maintain the ”look and feel” of the original apps by including the original images, even they might have their additional code included or some of the original code removed. To prove the effectiveness and evaluate the reliability of our approach, we carry out the compare experiments between ImageStruct and the code based similarity scores of AndroGuard. The results demonstrate that ImageStruct is not only with good performance and scalability, but also able to resistant to code obfuscation.


Android Malware Repackaged Application Detection Image Similarity 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Strategy Analytics. Strategy analytics: 85% of phones shipped last quarter run android (2014),
  2. 2. Androguard: Reverse engineering, malware and goodware analysis of android applications (2013),
  3. 3.
    AppBrain. Number of android applications (2014),
  4. 4.
    Cilibrasi, R., Vitanyi, P.M.B.: Clustering by compression. IEEE Transactions on Information Theory 51(4), 1523–1545 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Crussell, J., Gibler, C., Chen, H.: Attack of the clones: Detecting cloned applications on android markets. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 37–54. Springer, Heidelberg (2012), CrossRefGoogle Scholar
  6. 6.
    Desnos, A.: Android: Static analysis using similarity distance. In: 2012 45th Hawaii International Conference on System Science (HICSS), pp. 5394–5403 (January 2012)Google Scholar
  7. 7.
    Evan, K., David, S.: Phash (2014),
  8. 8.
    Hanna, S., Huang, L., Wu, E., Li, S., Chen, C., Song, D.: Juxtapp: A scalable system for detecting code reuse among android applications. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 62–81. Springer, Heidelberg (2013), CrossRefGoogle Scholar
  9. 9.
    Hu, W., Tao, J., Ma, X., Zhou, W., Zhao, S., Han, T.: Migdroid: Detecting app-repackaging android malware via method invocation graph. In: 2014 23rd International Conference on Computer Communication and Networks (ICCCN), pp. 1–7 (August 2014)Google Scholar
  10. 10.
    Huang, H., Zhu, S., Liu, P., Wu, D.: A framework for evaluating mobile app repackaging detection algorithms. In: Huth, M., Asokan, N., Čapkun, S., Flechais, I., Coles-Kemp, L. (eds.) TRUST 2013. LNCS, vol. 7904, pp. 169–186. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  11. 11.
    Google Inc. Android dvelopment guide: Signing your applications (2014),
  12. 12.
    Oracle Inc. Mysql (2014),
  13. 13.
    Symantec Inc. Android threats getting steamy (May 7 (2011),
  14. 14.
    J. Craig Venter Institute. Sift (2014),
  15. 15.
    Li, S.: Juxtapp and DStruct: Detection of Similarity Among Android Applications. PhD thesis, EECS Department, University of California, Berkeley (2012)Google Scholar
  16. 16.
    Oberheide, J.: Dissecting the android bouncer (2012),
  17. 17.
    Sanfilippo, S.: Redis (2014),
  18. 18.
    Studios, H.: Fruit ninja (2013),
  19. 19.
    Ulrich, B., Paolo, M.C., Clemens, H., Christopher, K., Engin, K.: Scalable, behavior-based malware clustering. In: Proceedings of Network and Distributed System Security Symposium 2009. Citeseer (2009)Google Scholar
  20. 20.
    Wikipedia. Color histogram (2014),
  21. 21.
    Zhou, W., Zhou, Y., Grace, M., Jiang, X., Zou, S.: Fast, scalable detection of “piggybacked” mobile applications. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, pp. 185–196. ACM (2013)Google Scholar
  22. 22.
    Zhou, W., Zhou, Y., Jiang, X., Ning, P.: Detecting repackaged smartphone applications in third-party android marketplaces. In: Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy, pp. 317–326. ACM (2012)Google Scholar
  23. 23.
    Zhou, Y., Jiang, X.: Dissecting android malware: Characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 95–109 (May 2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Sibei Jiao
    • 1
    Email author
  • Yao Cheng
    • 1
  • Lingyun Ying
    • 1
  • Purui Su
    • 1
  • Dengguo Feng
    • 1
  1. 1.Trusted Computing and Information Assurance LaboratoryInstitute of Software, Chinese Academy of SciencesBeijingChina

Personalised recommendations