Poster : An Efficient Solution for Detecting UI-Mimicking Android Applications

In the Android system, apps are managed by centralized markets, such as Google Play. To eliminate malicious apps, the markets actively check apps using scanners, which perform program analysis to detect malicious logic in apps. Many solutions have been developed to further enhance the accuracy of detection [4], [6], [10]. Meanwhile, malicious apps often deceive users via faked UIs. For example, phishing apps [5] mimic UIs of their target apps, such as banking apps, to lure private information from users. As another example, UI-hijacking apps [3] detect internal states of target apps, and replace the fore-ground UI, such as the payment interface of Google Pay, with their faked ones to intercept user inputs. Therefore, UI similarity is an important metric in detecting this type of malicious apps, which is missed by most of the scanners used in app markets. Several techniques have been developed to detect malicious Android apps based on their resources. For example, ViewDroid [9] detects similarity in Android apps based on the relationship among apps’ activities. DroidEagle [8] and ResDroid [7] detect similar UIs in Android apps based on the syntax features of layout files. Though such solutions offer basic techniques in detecting similar UIs, they can be evaded when attackers make simple changes to the content of the resources, without significantly changing the UI’s appearance. To reliably detect similar UIs among Android apps, an effective solution needs to detect UI similarity based on the actual presence of the UI. Specifically, it needs to identify UI features that represent their visual effects. In addition, it needs to efficiently quantify UI similarity based on such features.