Authorship Attribution of Android Apps

Since the first computer virus hit the Advanced Research Projects Agency Network (ARPANET) in the early 1970s, the security community interest revolved around ways to expose the identities of malware writers. Knowledge of the adversarial identities promised additional leverage to security experts in their ongoing battle against those perpetrators. At the dawn of computing era, when malware writers and malicious software were characterized by the lack of experience and relative simplicity, the task of uncovering the identities of virus writers was more or less straightforward. Manual analysis of source code often revealed personal, identifiable information embedded by authors themselves. But these times have long gone. Modern days malware writers extensively use numerous malware code generators to mass produce new variants and employ advanced obfuscation techniques to hide their identities. As a result the work of security experts trying to uncover the identities of malware writers became significantly more challenging and time consuming. To gain insight into the identity of an adversary, we turn our attention to authorship attribution research, which offers a broad spectrum of techniques for identifying an author of a document, based on the analysis of an author's writing style. Equipped with these methods, we explore attribution of Android binaries and the role of features related to the development process on the determination of Android binary authorship. Within this context, we propose an incremental approach to perform authorship attribution of Android apps. First to a set of known authors and then the generation of new profiles for unknown apps. We assess the effectiveness of our approach on several sets of malicious and legitimate Android binaries produced by actual developers, as opposed to using artificially created authors' data. We achieve 97.5% accuracy on these authors' data. We further evaluate our approach on more than 131,000 apps collected from various sources including 10 different markets around the globe.