Mingshen Sun, Mengmeng Li, and John C.S. Lui
The 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '15.

Figure: Three operations of layout tree transformations on the "Sign in" user interface of Twitter.

Figure: Architecture of RepoEagle.


Abstract. Repackaged malware and phishing malware constitute 86% of all Android malware, and they significantly affect the Android ecosystem. Previous work uses disassembled Dalvik bytecode and hashing approaches to detect repackaged malware, but these approaches are vulnerable to obfuscation attacks and demand large computational resources on mobile devices. In this work, we propose a novel methodology which uses the layout resources within an app to detect apps which are "visually similar", a common characteristic of repackaged apps and phishing malware. To detect visually similar apps, we design and implement DroidEagle, which consists of two sub-systems: RepoEagle and HostEagle. RepoEagle performs large-scale detection on app repositories (e.g., app markets), and HostEagle is a lightweight mobile app which helps users quickly detect visually similar Android apps upon download. We demonstrate the high accuracy and efficiency of DroidEagle: within 3 hours, RepoEagle can detect 1298 visually similar apps from 99626 apps in a repository. In less than one second, HostEagle can help an Android user determine whether a downloaded mobile app is a repackaged app or phishing malware. This is the first work which provides both speed and scalability in discovering repackaged apps and phishing malware in the Android system.

BibTeX Record:

  author = {Sun, Mingshen and Li, Mengmeng and Lui, John C.S.},
  title = {DroidEagle: Seamless Detection of Visually Similar Android Apps},
  booktitle = {Proceedings of the 8th ACM Conference on Security \& Privacy in Wireless and Mobile Networks},
  series = {WiSec '15},
  year = {2015},