On-Device Detection of Repackaged Android Malware via Traffic Clustering

<table class="table-group" id="tab1"><tr><td><table class="table"><tr><td class="thead-hr" colspan="2"><hr/></td></tr><tr class="thead"><td class="align_left">Notation</td><td class="align_center">Meaning</td></tr><tr><td class="thead-hr" colspan="2"><hr/></td></tr><tr><td class="align_left">i</td><td class="align_center">Android app i</td></tr><tr><td class="align_left">u</td><td class="align_center">Number of mobile devices with app i installed</td></tr><tr><td class="align_left">r</td><td class="align_center">Number of devices with repackaged app <svg height="8.8423pt" id="M5" style="vertical-align:-0.2064009pt" version="1.1" viewbox="-0.0498162 -8.6359 3.66193 8.8423" width="3.66193pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M244 607C244 633 228 655 200 655C166 655 146 618 146 594C146 564 166 546 191 546C221 546 244 574 244 607ZM222 91L209 114C184 94 148 66 133 66C127 66 124 73 130 96L201 370C213 416 211 448 191 448C162 448 88 407 29 352L42 328C73 354 104 371 114 371C120 371 119 365 115 345L53 92C32 5 45 -12 68 -12C103 -12 186 50 222 91Z"></path></g></svg></td></tr><tr><td class="align_left">f</td><td class="align_center">Network flow</td></tr><tr><td class="align_left">C-IPf</td><td class="align_center">Client-side IP address of f</td></tr><tr><td class="align_left">S-IPf</td><td class="align_center">Server-side IP address of f</td></tr><tr><td class="align_left">S-Portf</td><td class="align_center">Server-side port of f</td></tr><tr><td class="align_left">AppNf</td><td class="align_center">Name of the app that generates f</td></tr><tr><td class="align_left">AppVf</td><td class="align_center">Version of the app that generates f</td></tr><tr><td class="align_left">Ti</td><td class="align_center">Set time interval</td></tr><tr><td class="align_left"><svg height="16.1378pt" id="M6" style="vertical-align:-6.18141pt" version="1.1" viewbox="-0.0498162 -9.95639 13.9518 16.1378" width="13.9518pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M620 675H597C578 656 570 650 541 650H144C112 650 104 653 94 675H72C59 618 42 552 23 493L53 491C71 534 88 564 105 585C124 608 144 615 238 615H290L197 121C182 40 174 34 88 28L82 0H361L367 28C275 34 266 38 281 121L374 615H441C522 615 543 608 553 583C562 560 566 531 565 493L597 494C603 551 612 629 620 675Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,8.285,-5.741)"><path d="M528 97L513 125C484 95 440 68 431 68C425 68 421 76 427 107C449 227 476 342 505 451H495L418 424L385 278C338 191 220 62 157 62C145 62 133 76 145 130L200 368C215 434 210 451 183 451C157 451 92 418 24 352L37 324C78 356 106 377 115 377C123 377 122 364 116 340L64 115C58 89 56 68 56 52C56 2 78 -12 103 -12C127 -12 159 -4 190 18C247 59 309 113 366 187H368L351 108C328 1 348 -12 368 -12C403 -12 472 33 528 97Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,7.176,3.784)"><path d="M620 667C620 684 593 710 552 710C515 710 459 687 409 634C360 582 334 506 320 433H247L215 400L220 388H310L259 80C224 -129 199 -161 185 -174C175 -183 160 -192 141 -192C123 -192 90 -181 75 -165C69 -158 64 -156 54 -164C39 -178 24 -195 24 -208C24 -231 61 -257 94 -257C124 -257 162 -243 209 -194C267 -134 303 -66 343 107C369 220 378 279 393 385L503 397L523 433H404C432 619 464 660 500 660C522 660 542 646 566 621C573 614 583 615 593 621C603 628 620 648 620 667Z"></path></g></svg></td><td class="align_center">Recording time of flow fu at the edge server</td></tr><tr><td class="align_left">di</td><td class="align_center">Feature set of app i</td></tr><tr><td class="align_left"><svg height="11.4899pt" id="M7" style="vertical-align:-5.52899pt" version="1.1" viewbox="-0.0498162 -5.96091 13.4899 11.4899" width="13.4899pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M689 332C689 394 670 448 646 448C620 448 597 421 597 396C597 386 600 381 608 372C619 359 620 334 620 315C620 150 538 45 454 45C414 45 386 67 386 122C386 138 388 158 394 180L457 426L452 432L377 416L315 156C302 100 259 45 216 45C176 45 148 67 148 122C148 133 152 158 156 180C162 212 173 259 194 332C201 357 206 384 206 405C206 430 198 448 174 448C125 448 66 406 23 342L43 319C84 368 110 383 121 383C126 383 128 382 128 377C128 370 127 359 122 343C99 268 84 204 77 156C74 137 70 111 70 104C70 25 125 -12 180 -12C228 -12 276 12 319 50C338 8 378 -12 418 -12C549 -12 689 166 689 332Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,8.931,3.132)"><path d="M400 606C400 634 383 656 353 656C316 656 294 620 294 593C294 564 317 545 343 545C375 545 400 573 400 606ZM366 351C379 413 381 451 356 451C323 451 251 408 183 341L199 313C223 335 267 365 277 365C285 365 284 354 277 312C245 132 222 27 193 -100C182 -148 160 -188 131 -188C113 -188 90 -178 75 -170C64 -164 55 -168 48 -175C38 -185 24 -203 24 -222S48 -257 71 -257C89 -257 131 -241 186 -192C243 -141 286 -46 310 74L366 351Z"></path></g></svg></td><td class="align_center">Plaintext word in the feature sets</td></tr><tr><td class="align_left">V(di)</td><td class="align_center">Numerical vector of traffic contents</td></tr><tr><td class="align_left"><svg height="19.6661pt" id="M8" style="vertical-align:-6.734599pt" version="1.1" viewbox="-0.0498162 -12.9315 14.8858 19.6661" width="14.8858pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M584 650H137L131 622C214 614 217 612 200 521L125 127C109 41 101 35 23 28L17 0H288L294 28C201 35 193 42 209 128L242 309H348C440 309 442 300 443 226H471L510 422H482C452 354 449 348 357 348H251L295 575C302 609 304 615 338 615H426C502 615 517 604 526 581C534 560 536 524 537 492L565 494C574 554 583 631 584 650Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,7.895,-6.899)"><path d="M400 606C400 634 383 656 353 656C316 656 294 620 294 593C294 564 317 545 343 545C375 545 400 573 400 606ZM366 351C379 413 381 451 356 451C323 451 251 408 183 341L199 313C223 335 267 365 277 365C285 365 284 354 277 312C245 132 222 27 193 -100C182 -148 160 -188 131 -188C113 -188 90 -178 75 -170C64 -164 55 -168 48 -175C38 -185 24 -203 24 -222S48 -257 71 -257C89 -257 131 -241 186 -192C243 -141 286 -46 310 74L366 351Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,6.786,4.525)"><path d="M538 684C542 703 539 710 529 710C512 710 455 682 363 674L361 644H396C444 644 448 642 438 594L405 438C373 450 347 451 336 451C288 451 200 416 147 374C69 312 24 207 24 113C24 29 60 -12 94 -12C126 -12 156 4 196 30C231 53 296 100 346 166H348L328 81C311 10 325 -12 348 -12C380 -12 450 24 512 98L495 125C466 97 431 70 417 70C408 70 408 80 411 98L538 684ZM390 373L361 240C336 196 210 56 145 56C132 56 113 73 113 131C113 216 156 338 220 379C243 394 266 402 303 402C331 402 375 388 390 373Z"></path></g><g transform="matrix(.0065,0,0,-0.0065,11.873,6.626)"><path d="M256 606C256 635 239 657 207 657C171 657 147 619 147 593C147 563 173 543 194 543C234 543 256 573 256 606ZM233 98L216 125C191 101 156 75 139 75C133 75 132 82 139 107L214 377C226 420 224 454 198 454C169 454 98 415 31 351L46 323C81 353 110 372 116 372C129 372 126 356 121 338L57 101C31 5 47 -12 72 -12C115 -12 197 52 233 98Z"></path></g></svg></td><td class="align_center">Feature vector for the encrypted flow j in di</td></tr><tr><td class="align_left"><svg height="12.689pt" id="M9" style="vertical-align:-3.40067pt" version="1.1" viewbox="-0.0498162 -9.28833 53.1942 12.689" width="53.1942pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M592 498C586 556 582 629 581 675H560C545 656 537 650 510 650H115C87 650 74 652 60 675H40C38 620 33 555 28 495H57C69 539 77 568 89 585C102 607 122 616 205 616H267V123C267 44 259 34 168 28V0H454V28C360 34 352 44 352 123V616H422C498 616 514 608 531 584C542 568 552 543 562 495L592 498Z"></path></g><g transform="matrix(.013,0,0,-0.013,8.021,0)"><path d="M372 352C427 368 507 407 507 502C507 548 486 592 451 616C420 638 376 650 301 650H44V622C124 616 128 610 128 527V123C128 40 122 34 36 28V0H257C336 0 402 12 453 40C512 72 548 124 548 191C548 291 471 335 372 350V352ZM213 362V558C213 591 216 602 226 608C235 614 258 618 282 618C377 618 415 558 415 490C415 406 369 362 260 362H213ZM213 328H258C380 328 450 283 450 181C450 76 377 35 296 34C231 34 213 53 213 125V328Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,15.724,3.132)"><path d="M504 89L488 119C453 85 428 69 416 69C408 69 405 75 412 102L462 304C492 438 460 451 436 451S388 441 356 423C311 397 229 336 170 256H168L189 340C208 418 200 451 177 451C144 451 82 413 24 352L40 322C65 345 98 369 108 369C114 369 119 363 112 335L28 -3L36 -12C54 -3 83 4 112 10C125 73 138 122 153 174C205 258 328 382 376 382C395 382 399 369 384 305L330 93C312 25 323 -12 351 -12C378 -12 439 21 504 89Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,20.383,3.132)"><path d="M547 55L345 261L547 468L508 508L306 301L104 508L65 468L267 261L65 55L104 14L306 221L508 14L547 55Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,25.943,3.132)"><path d="M781 91L765 118C733 86 702 70 693 70C686 70 685 77 692 106L738 297C772 439 736 451 712 451S675 445 647 431C605 410 526 356 452 257H450L459 294C491 426 459 451 429 451C403 451 386 445 361 431C312 404 239 343 170 253H168L188 333C208 411 205 451 175 451C148 451 85 417 24 346L39 318C57 338 100 374 112 374C120 374 122 372 115 339C91 226 62 112 28 -6L37 -12C59 -4 87 3 114 6C125 68 142 127 154 168C184 227 316 383 372 383C397 383 396 366 381 289C362 192 338 92 312 -6L317 -12C339 -5 367 3 396 6L434 170C468 234 598 383 650 383C668 383 676 369 664 319L609 90C593 23 600 -12 629 -12C654 -12 722 23 781 91Z"></path></g><g transform="matrix(.013,0,0,-0.013,33.832,0)"><path d="M300 -147C201 -63 143 98 143 270S200 602 300 686L282 710C136 610 70 450 70 271V270C70 89 136 -72 282 -170L300 -147Z"></path></g><g transform="matrix(.013,0,0,-0.013,38.33,0)"><path d="M530 686C535 705 530 712 521 712C504 712 448 684 359 674L358 648H393C437 648 439 646 429 593L400 435C372 447 345 448 332 448C286 448 194 414 144 373C68 311 23 203 23 111C23 26 57 -12 91 -12C120 -12 147 3 188 29C227 54 290 102 341 170H343L322 71C308 6 320 -12 341 -12C373 -12 442 27 501 96L485 120C455 91 422 67 408 67C401 67 401 76 404 91C440 294 479 473 530 686ZM387 375L355 241C326 187 200 53 142 53C126 53 109 73 109 130C109 217 154 337 218 381C240 396 265 404 297 404S372 390 387 375Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,45.48,3.132)"><path d="M250 606C250 634 233 656 203 656C168 656 146 618 146 593C146 564 169 545 192 545C227 545 250 573 250 606ZM227 95L212 119C187 98 152 71 135 71C129 71 128 78 134 102L207 373C219 418 217 451 194 451C165 451 92 411 30 351L44 326C77 353 106 371 114 371C124 371 121 357 117 341L55 97C32 5 46 -12 70 -12C108 -12 191 51 227 95Z"></path></g><g transform="matrix(.013,0,0,-0.013,48.536,0)"><path d="M275 270C275 450 212 609 64 710L45 686C145 604 203 442 203 270S147 -63 45 -147L64 -170C213 -68 275 89 275 270Z"></path></g></svg></td><td class="align_center">Traffic behaviors of di</td></tr><tr><td class="align_left"><svg height="14.0944pt" id="M10" style="vertical-align:-5.341061pt" version="1.1" viewbox="-0.0498162 -8.75334 26.2969 14.0944" width="26.2969pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M614 175C564 76 510 21 408 21C256 21 146 149 146 336C146 488 235 629 402 629C510 629 570 586 597 480L626 488C620 541 614 582 606 638C578 643 510 665 429 665C206 665 44 527 44 316C44 157 153 -15 402 -15C474 -15 558 5 586 11C604 45 629 119 643 165L614 175Z"></path></g><g transform="matrix(.013,0,0,-0.013,8.645,0)"><path d="M409 504C401 567 396 607 392 642C354 654 312 665 266 665C137 665 60 583 60 487C60 374 161 325 225 290C300 250 355 215 355 141C355 68 311 21 235 21C131 21 86 122 71 183L41 176C48 128 61 42 68 21C78 16 93 8 118 0C142 -7 175 -15 216 -15C349 -15 438 69 438 174C438 287 344 333 265 374C186 414 138 449 138 522C138 576 172 631 249 631C336 631 363 562 380 499L409 504Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,14.862,3.132)"><path d="M538 684C542 703 539 710 529 710C512 710 455 682 363 674L361 644H396C444 644 448 642 438 594L405 438C373 450 347 451 336 451C288 451 200 416 147 374C69 312 24 207 24 113C24 29 60 -12 94 -12C126 -12 156 4 196 30C231 53 296 100 346 166H348L328 81C311 10 325 -12 348 -12C380 -12 450 24 512 98L495 125C466 97 431 70 417 70C408 70 408 80 411 98L538 684ZM390 373L361 240C336 196 210 56 145 56C132 56 113 73 113 131C113 216 156 338 220 379C243 394 266 402 303 402C331 402 375 388 390 373Z"></path></g><g transform="matrix(.0065,0,0,-0.0065,19.949,5.233)"><path d="M256 606C256 635 239 657 207 657C171 657 147 619 147 593C147 563 173 543 194 543C234 543 256 573 256 606ZM233 98L216 125C191 101 156 75 139 75C133 75 132 82 139 107L214 377C226 420 224 454 198 454C169 454 98 415 31 351L46 323C81 353 110 372 116 372C129 372 126 356 121 338L57 101C31 5 47 -12 72 -12C115 -12 197 52 233 98Z"></path></g><g transform="matrix(.0065,0,0,-0.0065,21.815,5.233)"><path d="M490 420C490 437 473 454 444 454C390 454 313 392 258 339L163 247H161L261 676C266 696 264 708 257 708C244 708 183 678 96 672L87 638L131 637C164 636 169 635 161 599L25 -4L33 -12C50 -3 84 5 114 10C127 83 135 123 149 182C155 197 180 221 206 243C235 170 266 105 293 53C320 2 335 -12 363 -12C385 -12 427 -2 489 83L466 109C440 83 414 59 402 59C391 59 382 70 359 113C333 159 293 247 272 296C301 333 360 376 407 376C428 376 444 375 451 369C457 365 470 365 474 372C482 387 490 408 490 420Z"></path></g></svg></td><td class="align_center">Content similarity between di and dk</td></tr><tr><td class="align_left"><svg height="14.0944pt" id="M11" style="vertical-align:-5.341061pt" version="1.1" viewbox="-0.0498162 -8.75334 25.2921 14.0944" width="25.2921pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M372 352C427 368 507 407 507 502C507 548 486 592 451 616C420 638 376 650 301 650H44V622C124 616 128 610 128 527V123C128 40 122 34 36 28V0H257C336 0 402 12 453 40C512 72 548 124 548 191C548 291 471 335 372 350V352ZM213 362V558C213 591 216 602 226 608C235 614 258 618 282 618C377 618 415 558 415 490C415 406 369 362 260 362H213ZM213 328H258C380 328 450 283 450 181C450 76 377 35 296 34C231 34 213 53 213 125V328Z"></path></g><g transform="matrix(.013,0,0,-0.013,7.644,0)"><path d="M409 504C401 567 396 607 392 642C354 654 312 665 266 665C137 665 60 583 60 487C60 374 161 325 225 290C300 250 355 215 355 141C355 68 311 21 235 21C131 21 86 122 71 183L41 176C48 128 61 42 68 21C78 16 93 8 118 0C142 -7 175 -15 216 -15C349 -15 438 69 438 174C438 287 344 333 265 374C186 414 138 449 138 522C138 576 172 631 249 631C336 631 363 562 380 499L409 504Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,13.858,3.132)"><path d="M538 684C542 703 539 710 529 710C512 710 455 682 363 674L361 644H396C444 644 448 642 438 594L405 438C373 450 347 451 336 451C288 451 200 416 147 374C69 312 24 207 24 113C24 29 60 -12 94 -12C126 -12 156 4 196 30C231 53 296 100 346 166H348L328 81C311 10 325 -12 348 -12C380 -12 450 24 512 98L495 125C466 97 431 70 417 70C408 70 408 80 411 98L538 684ZM390 373L361 240C336 196 210 56 145 56C132 56 113 73 113 131C113 216 156 338 220 379C243 394 266 402 303 402C331 402 375 388 390 373Z"></path></g><g transform="matrix(.0065,0,0,-0.0065,18.945,5.233)"><path d="M256 606C256 635 239 657 207 657C171 657 147 619 147 593C147 563 173 543 194 543C234 543 256 573 256 606ZM233 98L216 125C191 101 156 75 139 75C133 75 132 82 139 107L214 377C226 420 224 454 198 454C169 454 98 415 31 351L46 323C81 353 110 372 116 372C129 372 126 356 121 338L57 101C31 5 47 -12 72 -12C115 -12 197 52 233 98Z"></path></g><g transform="matrix(.0065,0,0,-0.0065,20.81,5.233)"><path d="M490 420C490 437 473 454 444 454C390 454 313 392 258 339L163 247H161L261 676C266 696 264 708 257 708C244 708 183 678 96 672L87 638L131 637C164 636 169 635 161 599L25 -4L33 -12C50 -3 84 5 114 10C127 83 135 123 149 182C155 197 180 221 206 243C235 170 266 105 293 53C320 2 335 -12 363 -12C385 -12 427 -2 489 83L466 109C440 83 414 59 402 59C391 59 382 70 359 113C333 159 293 247 272 296C301 333 360 376 407 376C428 376 444 375 451 369C457 365 470 365 474 372C482 387 490 408 490 420Z"></path></g></svg></td><td class="align_center">Behavior similarity between di and dk</td></tr><tr><td class="align_left"><svg height="13.9769pt" id="M12" style="vertical-align:-5.341001pt" version="1.1" viewbox="-0.0498162 -8.6359 17.5281 13.9769" width="17.5281pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M449 634C442 637 425 643 405 650C376 660 341 666 307 666C181 666 98 590 98 485C98 400 170 343 215 310L246 288C307 243 343 204 343 147C343 67 291 18 219 18C104 18 61 124 51 202L23 199C28 124 27 71 27 47C47 22 122 -16 204 -16C324 -16 428 60 428 174C428 256 379 309 307 360L276 382C223 419 179 455 179 516C179 576 221 632 293 632C379 632 410 564 418 487L448 490C446 536 446 592 449 634Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,6.071,3.132)"><path d="M538 684C542 703 539 710 529 710C512 710 455 682 363 674L361 644H396C444 644 448 642 438 594L405 438C373 450 347 451 336 451C288 451 200 416 147 374C69 312 24 207 24 113C24 29 60 -12 94 -12C126 -12 156 4 196 30C231 53 296 100 346 166H348L328 81C311 10 325 -12 348 -12C380 -12 450 24 512 98L495 125C466 97 431 70 417 70C408 70 408 80 411 98L538 684ZM390 373L361 240C336 196 210 56 145 56C132 56 113 73 113 131C113 216 156 338 220 379C243 394 266 402 303 402C331 402 375 388 390 373Z"></path></g><g transform="matrix(.0065,0,0,-0.0065,11.158,5.233)"><path d="M256 606C256 635 239 657 207 657C171 657 147 619 147 593C147 563 173 543 194 543C234 543 256 573 256 606ZM233 98L216 125C191 101 156 75 139 75C133 75 132 82 139 107L214 377C226 420 224 454 198 454C169 454 98 415 31 351L46 323C81 353 110 372 116 372C129 372 126 356 121 338L57 101C31 5 47 -12 72 -12C115 -12 197 52 233 98Z"></path></g><g transform="matrix(.0065,0,0,-0.0065,13.024,5.233)"><path d="M490 420C490 437 473 454 444 454C390 454 313 392 258 339L163 247H161L261 676C266 696 264 708 257 708C244 708 183 678 96 672L87 638L131 637C164 636 169 635 161 599L25 -4L33 -12C50 -3 84 5 114 10C127 83 135 123 149 182C155 197 180 221 206 243C235 170 266 105 293 53C320 2 335 -12 363 -12C385 -12 427 -2 489 83L466 109C440 83 414 59 402 59C391 59 382 70 359 113C333 159 293 247 272 296C301 333 360 376 407 376C428 376 444 375 451 369C457 365 470 365 474 372C482 387 490 408 490 420Z"></path></g></svg></td><td class="align_center">Final similarity between di and dk</td></tr><tr class="table-tr"><td colspan="2"><hr class="tbody-hr"/></td></tr></table></td></tr></table>

<div>Main notation used in this paper.</div>

Security and Communication Networks

tab1

Table 1

Table 1: On-Device Detection of Repackaged Android Malware via Traffic Clustering 