Identifying Mobile Repackaged Applications through Formal Methods

Fabio Martinelli, Francesco Mercaldo, Vittoria Nardone, Antonella Santone, Corrado Aaron Visaggio


Smartphones and tablets are rapidly becoming indispensable in everyday activities. Android has become the most popular operating system for mobile environments in the world. These devices, owing to the open nature of Android, are continuously exposed to attacks, mostly aimed at data exfiltration and monetary fraud. There are many techniques for embedding bad code, i.e. the instructions able to perform a malicious behaviour, into a legitimate application: the most widespread one is so-called repackaging, which consists of reverse engineering the application in order to embed the malicious code and then (re)distributing it in the official and/or third-party markets. In this paper we propose a technique to localize the malicious payload of the GinMaster family, one of the most representative repackaged trojans in the Android environment. We obtain encouraging results, achieving an accuracy equal to 0.9.



Paper Citation

in Harvard Style

Martinelli F., Mercaldo F., Nardone V., Santone A. and Visaggio C. (2017). Identifying Mobile Repackaged Applications through Formal Methods. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017) ISBN 978-989-758-209-7, pages 673-682. DOI: 10.5220/0006287906730682
