Identifying android malicious repackaged applications by thread-grained system call sequences

Ying-Dar Lin, Yuan Cheng Lai*, Chien Hung Chen, Hao Chuan Tsai

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

68 Scopus citations


Android security has become highly desirable since adversaries can easily repackage malicious codes into various benign applications and spread these malicious repackaged applications (MRAs). Most MRA detection mechanisms on Android focus on detecting a specific family of MRAs or requiring the original benign application to compare with the malicious ones. This work proposes a new mechanism, SCSdroid (System Call Sequence Droid), which adopts the thread-grained system call sequences activated by applications. The concept is that even if MRAs can be camouflaged as benign applications, their malicious behavior would still appear in the system call sequences. SCSdroid extracts the truly malicious common subsequences from the system call sequences of MRAs belonging to the same family. Therefore, these extracted common subsequences can be used to identify any evaluated application without requiring the original benign application. Experimental results show that SCSdroid falsely detected only two applications among 100 evaluated benign applications, and falsely detected only one application among 49 evaluated malicious applications. As a result, SCSdroid achieved up to 95.97% detection accuracy, i.e., 143 correct detections among 149 applications.

Original languageEnglish
Pages (from-to)340-350
Number of pages11
JournalComputers and Security
Issue numberPART B
StatePublished - 11 Sep 2013


  • Android
  • Dynamic analysis
  • Longest common substring
  • Malicious repackaged applications
  • System call

Cite this