Scalable Semantics-Based Detection of Similar Android Applications

Abstract

The popularity and utility of smartphones rely on their vibrant application markets; however, plagiarism threatens the long-term health of these markets. In this paper, we present a scalable approach to detecting similar Android apps based on semantic information. We implement our approach in a tool called AnDarwin and evaluate it on 265,359 apps collected from 17 markets including Google Play and numerous third-party markets. In contrast with earlier approaches, AnDarwin does not compare apps pairwise, thus greatly increasing its scalability. Additionally, AnDarwin does not rely on information other than the app code — such as the app’s market, signature, or description — thus greatly increasing its reliability. AnDarwin can automatically detect library code and remove it from the similarity analysis. We present two use cases for AnDarwin: finding similar apps by different developers (“clones”) and similar apps from the same developer (“rebranded”). In ten hours, AnDarwin detected at least 4,295 apps which have been the victims of cloning and 36,106 apps that are rebranded. By analyzing the clusters found by AnDarwin, we found 88 new variants of malware and identified 169 malicious apps based on differences in the requested permissions. In contrast to earlier approaches, AnDarwin can detect both full and partial app similarity. Additionally, AnDarwin can automatically detect similar code that is injected into many apps, which may indicate the spread of malware. Our evaluation demonstrates AnDarwin’s ability to accurately detect similar apps on a large scale.