On computing similarity of android executables using text mining: student research abstract

Abstract

According to Comscore1, Android users in the U.S spend an average of 2.8 hours per day using mobile media. On the other hand, according to Statista reports2, Android users were able to choose between 2.2 million applications on June 2016. Among these applications, there are ones reported by Google Android Security Service3 as malware, virus, or illegal theft. Many tools such as Dex2Jar4, apktool5, and jd-gui6 analyze and reverse engineer Android applications and can be used to illegally copy or transform the applications as well. In order to protect applications from piracy or illegal theft, it is necessary to detect theft by measuring application similarity. In the literature, previous studies on theft detection have measured application similarity at two levels, source or executable code level, which have some limitations. Source codes are not available if the codes are legacy one or are developed by upstream suppliers. In the case of the executable codes, application similarity is measured 1) using the source codes decompiled from the executables, or 2) using the characteristics extracted from the executables (i.e., birthmark). For example, DroidMoss [5] applied a fuzzy hashing technique to effectively localize and detect the changes from app-repackaging behavior. Reference [4] proposed software birthmarks to show the unique characteristics of a program and detected software theft based on the birthmarks.