A Neural Embeddings Approach for Detecting Mobile Counterfeit Apps

A Neural Embeddings Approach for Detecting Mobile Counterfeit Apps

A Neural Embeddings Approach for Detecting Mobile Counterfeit Apps Jathushan Rajasegaran Suranga Seneviratne Guillaume Jourjon Data61-CSIRO, Australia University of Sydney Data61-CSIRO, Australia University of Moratuwa, Sri Lanka Abstract popular apps). The overarching goals behind app imperson- Counterfeit apps impersonate existing popular apps in at- ation can be broadly categorised into two. First, the develop- tempts to misguide users to install them for various reasons ers of counterfeits are trying to attract app installations and such as collecting personal information, spreading malware, increase their advertisement revenue. This is exacerbated by or simply to increase their advertisement revenue. Many the fact that some popular apps are not available in some counterfeits can be identified once installed, however even a countries and users who search the names of those popular tech-savvy user may struggle to detect them before installa- apps can become easy targets of impersonations. Second is tion as app icons and descriptions can be quite similar to the to use counterfeits as a means of spreading malware. For in- original app. To this end, this paper proposes to use neural stance, in November 2017 a fake version of the popular mes- embeddings generated by state-of-the-art convolutional neu- senger app WhatsApp [5] was able to get into Google Play ral networks (CNNs) to measure the similarity between im- Store and was downloaded over 1 million times before it was ages. Our results show that for the problem of counterfeit de- taken down. Similar instances were reported in the past for tection a novel approach of using style embeddings given by popular apps such as Netflix, IFTTT, and Angry Birds [6–8]. the Gram matrix of CNN filter responses outperforms base- More recently, counterfeits have been used to secretly mine crypto currencies in smartphones [9]. In Figure 1 we show line methods such as content embeddings and SIFT features. 1 We show that further performance increases can be achieved an example counterfeit named Temple Piggy which shows a high visual similarity to the popular arcade game Temple by combining style embeddings with content embeddings. 2 We present an analysis of approximately 1.2 million apps Run. from Google Play Store and identify a set of potential coun- terfeits for top-1,000 apps. Under a conservative assumption, we were able to find 139 apps that contain malware in a set of 6,880 apps that showed high visual similarity to one of the top-1,000 apps in Google Play Store. a) Original (Temple Run) b) Counterfeit (Temple Piggy) 1. Introduction Availability of third party apps is one of the major reasons Figure 1: An example counterfeit app for the popular arcade arXiv:1804.09882v1 [cs.CR] 26 Apr 2018 behind the wide adoption of smartphones. The two most game Temple Run popular app markets, Google Play Store and Apple App In this paper, we propose a neural embedding-based im- Store, hosted approximately 3.5 million and 2.1 million apps age retrieval framework that allows to identify visually sim- at the first quarter of 2018 [1, 2] and these numbers are likely ilar apps to a given app icon from a large corpus of icons. to grow further as they have been in last few years. Handling Indeed, recent advances in Convolutional Neural Networks such large numbers of apps is challenging for app market (CNNs) allow to generate feature embeddings to a given im- operators since there is always a trade-off between how age that are related to the content of the image using pre- much scrutiny is put into checking apps and encouraging trained models such as AlexNet [10], VGGNet [11], and developers by providing fast time-to-market. As a result, ResNet [12]. In particular, we demonstrate that content em- problematic apps of various kinds have made into the apps beddings are moderately suitable for the task of visually sim- markets including malware, before they have been taken ilar app icon detection as many fake apps tend to have a sim- down after receiving user complaints [3, 4]. One category of problematic apps making into app mar- 1 Temple Piggy is currently not available in Google Play Store. kets is counterfeits (i.e. apps that attempt to impersonate 2 Temple Run - https://play.google.com/store/apps/details?id=com.imangi.templerun. 1 2018/4/27 ilarity in the image style in terms of colour and texture than itations. First, all visually similar apps may not be necessar- the actual content. In addition, we show that style embed- ily similar in XML layouts and it is necessary to consider dings generated from the Gram matrix of convolutional layer the similarities in images. Second, app developers are start- filter responses of the same pre-trained models achieve better ing to use code encryption methods, thus accessing codes results compared to baseline methods such as Scale Invariant and layout files may not always possible. Third, dependency Feature Transforms (SIFT) [13] and combining content and of specific aspects related to one operating system will not style embeddings further increases the detection rates. More allow to make comparisons between heterogeneous app mar- specifically, we make the following contributions: kets and in such situations only metadata and image similar- ity are meaningful. Recently, Malisa et al. [28] studied how • We propose to use style embeddings to detect visually likely would users detect spoofing application using a com- similar mobile apps icons and introduce a novel image plete rendering of the application itself. To do so, authors embedding that combines both content and style repre- introduced a new metric representing the distance between sentations of an image that allows higher retrieval rates the original app screenshot and the spoofing app. In contrast compared to baseline methods such as SIFT. to above work, the proposed work intends to use different • Using a large dataset of over 1.2 million app icons, we neural embeddings derived from app icons that will better show that style embeddings achieve 9%-14% higher re- capture visual similarities. trieval rates in comparison to content embeddings and SIFT-based methods. 2.2 Visual similarity & style search • We identify a set of 6,880 highly visually similar app Number of work looked into the possibility of transferring icons to the top-1,000 apps in Google Play and show that style of an image to another using neural networks. For ex- under a conservative assumption, 139 of them contain ample, Gatys et al. [29, 30] proposed a neural style transfer malware. To the best of our knowledge this is the first algorithm that is able to transfer the stylistic features of well- large-scale study that investigates the depth of app coun- known artworks to target images using feature representa- terfeit problem in app stores. tions learned by Convolutional Neural Networks (CNNs). Several other methods proposed to achieve the same objec- The remainder of the paper is organised as follows. In tive either by updating pixels in the image iteratively or by Section 2, we present the related work. In Section 3, we optimising a generative model iteratively and producing the present our dataset followed by the methodology in Sec- styled image through a single forward pass. A summary of tion 4. Section 5 presents our results. We discuss limitations the available style transfer algorithms can be found in the and possible future improvements in Section 6 and Section 7 survey by Jing et al. [31]. concludes the paper. Johnson et al. [32] have proposed a feed-forward network architecture capable of real-time style transfer by solving 2. Related Work the optimisation problem formulated by Gatys et al. [30]. 2.1 Mobile Malware & Greyware Similarly, to style transfer, convolutional neural networks have been successfully used for image searching. In partic- While there is a plethora of work on detecting mobile mal- ular, Bell & Bala [33] proposed a Siamese CNN to learn a ware [14–18] and various fraudulent activities in app mar- high-quality embedding that represent visual similarity and kets [19–22], only a limited amount of work focused on the demonstrated the utility of these embeddings on several vi- similarity of mobile apps. One line of such work focused on sual search tasks such as searching products across or within detecting clones and rebranding. Viennot et al. [23] used categories. Tan et al. [34] and Matsuo & Yanai [35] used the Jaccard similairty of app resources in the likes of im- embeddings created from CNNs to classify artistic styles. In ages and layout XMLs to identify clusters of similar apps contrast to these work, our work focuses on retrieving visu- and then used the developer name and certificate information ally similar Android apps and we highlight the importance to differentiate clones from rebranding. Crussell et al. [24] of style embeddings in this particular problem. proposed to use features generated from the source codes to identify similar apps and then used the developer infor- mation to isolate true clones. In contrast to above work, our 3. Dataset work focuses on identifying visually similar apps rather than We collected our dataset by crawling Google Play Store the exact similarity (i.e. clones), which is a more challenging using a Python crawler between January and March, 2018. problem. The crawler was initially seeded with the web pages of the Limited amount of work focused on identifying visually top free and paid apps as of January, 2018 and it recursively similar mobile apps [25–28]. For example, Sun et al. [25] discovered apps by following the links in the seeded pages proposed DroidEagle that identifies the visually similar apps and the pages of subsequently discovered apps.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    11 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us