An efficient method of detecting repackaged android applications

With the massive popularity of smartphones, many third-party marketplaces are emerged to meet smartphone users´ need. These third-party marketplaces usually provide thousands of applications, but can´t guarantee their security. Among the malicious applications, repackaging is one of the most common techniques to piggyback malicious payloads into legitimate applications. In order to keep the android ecosystem healthy, an app similarity measurement system is proposed to detect repackaged applications directly from the DEX file. We use the string length as the fingerprint to measure the similarity between third-party application and the original one, afterwards according to the similarity score whether one third-party application is repackaged or not can be determined. We perform a systematic study on five popular Android-based third-party marketplaces with randomly 200 samples from each third-party marketplace. Further manual investigation shows that these repackaged apps are mainly used to replace existing in-app advertisements or embed new ones to “steal” or re-route ad revenues. We also identify a few cases with planted malicious payloads among repackaged apps.