{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:01:47Z","timestamp":1777806107606,"version":"3.51.4"},"reference-count":93,"publisher":"SAGE Publications","issue":"2","license":[{"start":{"date-parts":[[2020,1,24]],"date-time":"2020-01-24T00:00:00Z","timestamp":1579824000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2020,3,17]]},"abstract":"<jats:p>Injecting malicious code into benign programs is popular in spreading malware. Unfortunately, for detection, the prior knowledge about the malware, e.g., the behavior or implementation patterns, isn\u2019t always available. Our observation shows that the logic of the host program is normally unclear to parasitic malware developers, resulting in very few interactions between the host and the payloads in lots of parasitic malware. Thus we can expose the injected part by grouping the code based on the interactive relations. Particularly, we partition a target program into modules, extract the relations, cluster the modules and further inspect the outliers to identify such malware. In this paper, we design a two-stage code clustering-based approach to detecting two representative types of malware, the UEFI rootkits and the piggybacked Android applications. Parasitic malware is reported when (1) any outlier in a UEFI firmware shows a relatively long distance to the largest cluster, or (2) the largest outlier distance exceeds zero in an Android application, i.e., multiple cluster exist after re-clustering outliers. We evaluate the approach on 35 pairs of benign\/infected UEFI samples we do our best to get and achieve an overall F1 score. of 100%. Applying the learned threshold to 50 other benign firmwares, we identify them without false positives. In addition, our evaluation on 1079 pairs of Android applications, shows an F1 score of 90.66% when the third-party libraries are eliminated and a score of 87.36% if we keep the popular third-party libraries, demonstrating the effectiveness of the approach.<\/jats:p>","DOI":"10.3233\/jcs-191313","type":"journal-article","created":{"date-parts":[[2020,1,24]],"date-time":"2020-01-24T12:23:37Z","timestamp":1579868617000},"page":"157-189","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":0,"title":["Identifying parasitic malware as outliers by\u00a0code clustering"],"prefix":"10.1177","volume":"28","author":[{"given":"Hongcheng","family":"Li","sequence":"first","affiliation":[{"name":"School of Information, Renmin University of China, Beijing, China"},{"name":"Key Laboratory of DEKE, Renmin University of China, MOE, China. E-mails:\u00a0,\u00a0,\u00a0,\u00a0,\u00a0,\u00a0"}]},{"given":"Jianjun","family":"Huang","sequence":"additional","affiliation":[{"name":"School of Information, Renmin University of China, Beijing, China"},{"name":"Key Laboratory of DEKE, Renmin University of China, MOE, China. E-mails:\u00a0,\u00a0,\u00a0,\u00a0,\u00a0,\u00a0"}]},{"given":"Bin","family":"Liang","sequence":"additional","affiliation":[{"name":"School of Information, Renmin University of China, Beijing, China"},{"name":"Key Laboratory of DEKE, Renmin University of China, MOE, China. E-mails:\u00a0,\u00a0,\u00a0,\u00a0,\u00a0,\u00a0"}]},{"given":"Wenchang","family":"Shi","sequence":"additional","affiliation":[{"name":"School of Information, Renmin University of China, Beijing, China"},{"name":"Key Laboratory of DEKE, Renmin University of China, MOE, China. E-mails:\u00a0,\u00a0,\u00a0,\u00a0,\u00a0,\u00a0"}]},{"given":"Yifang","family":"Wu","sequence":"additional","affiliation":[{"name":"School of Information, Renmin University of China, Beijing, China"},{"name":"Key Laboratory of DEKE, Renmin University of China, MOE, China. E-mails:\u00a0,\u00a0,\u00a0,\u00a0,\u00a0,\u00a0"}]},{"given":"Shilei","family":"Bai","sequence":"additional","affiliation":[{"name":"School of Information, Renmin University of China, Beijing, China"},{"name":"Key Laboratory of DEKE, Renmin University of China, MOE, China. E-mails:\u00a0,\u00a0,\u00a0,\u00a0,\u00a0,\u00a0"}]}],"member":"179","published-online":{"date-parts":[[2020,1,24]]},"reference":[{"key":"ref001","unstructured":"A.\u00a0Allievi, UEFI technology: Say hello to the Windows 8 bootkit, 2012."},{"key":"ref002","doi-asserted-by":"crossref","unstructured":"K.\u00a0Allix, T.F.\u00a0Bissyand\u00e9, J.\u00a0Klein and Y.\u00a0Le Traon, AndroZoo: Collecting millions of Android apps for the research community, in: 2016 IEEE\/ACM 13th Working Conference on Mining Software Repositories (MSR), IEEE, 2016, pp.\u00a0468\u2013471.","DOI":"10.1145\/2901739.2903508"},{"key":"ref003","unstructured":"K.\u00a0Arnold, J.\u00a0Gosling and D.\u00a0Holmes, The Java Programming Language, Addison Wesley Professional, 2005, pp.\u00a043\u201362."},{"key":"ref004","unstructured":"Asus, Asus support, https:\/\/asus-drivers-download-center.blogspot.com\/2018\/11\/asus-x550c-drivers-for-windows-8-64-bit.html, accessed 16 March 2019."},{"key":"ref005","doi-asserted-by":"crossref","unstructured":"M.\u00a0Backes, S.\u00a0Bugiel and E.\u00a0Derr, Reliable third-party library detection in Android and its security applications, in: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, ACM, 2016, pp.\u00a0356\u2013367.","DOI":"10.1145\/2976749.2978333"},{"key":"ref006","unstructured":"O.\u00a0Bazhaniuk, Y.\u00a0Bulygin, A.\u00a0Furtak, M.\u00a0Gorobets, J.\u00a0Loucaides, A.\u00a0Matrosov and M.\u00a0Shkatov, Attacking and defending BIOS in 2015, in: ReCon Conference, 2015, http:\/\/www.intelsecurity.com\/advanced-threat-research\/content\/AttackingAndDefendingBIOS-RECon2015.pdf."},{"key":"ref007","unstructured":"A.\u00a0Boursalian, Bootbandit: A macOS bootloader attack, 2017."},{"key":"ref008","unstructured":"Y.\u00a0Bulygin, A.\u00a0Furtak and O.\u00a0Bazhaniuk, A tale of one software bypass of Windows 8 Secure Boot, Black Hat USA, 2013."},{"key":"ref009","doi-asserted-by":"crossref","unstructured":"K.\u00a0Chen, P.\u00a0Liu and Y.\u00a0Zhang, Achieving accuracy and scalability simultaneously in detecting application clones on Android markets, in: Proceedings of the 36th International Conference on Software Engineering, ACM, 2014, pp.\u00a0175\u2013186.","DOI":"10.1145\/2568225.2568286"},{"key":"ref010","unstructured":"K.\u00a0Chen, P.\u00a0Wang, Y.\u00a0Lee, X.\u00a0Wang, N.\u00a0Zhang, H.\u00a0Huang, W.\u00a0Zou and P.\u00a0Liu, Finding unknown malice in 10 seconds: Mass vetting for new threats at the Google-play scale, in: 24th {USENIX} Security Symposium ({USENIX} Security 15), 2015, pp.\u00a0659\u2013674."},{"key":"ref011","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2005.20"},{"key":"ref012","doi-asserted-by":"crossref","unstructured":"D.\u00a0Cooper, W.\u00a0Polk, A.\u00a0Regenscheid and M.\u00a0Souppaya, BIOS protection guidelines, NIST Special Publication, 2011.","DOI":"10.6028\/NIST.SP.800-147"},{"key":"ref013","unstructured":"I.D.\u00a0Corporation, Smartphone market share, https:\/\/www.idc.com\/promo\/smartphone-market-share\/os, accessed 22\u00a0March 2019."},{"key":"ref014","doi-asserted-by":"crossref","unstructured":"J.\u00a0Crussell, C.\u00a0Gibler and H.\u00a0Chen, Attack of the clones: Detecting cloned applications on Android markets, in: European Symposium on Research in Computer Security, Springer, 2012, pp.\u00a037\u201354.","DOI":"10.1007\/978-3-642-33167-1_3"},{"key":"ref015","doi-asserted-by":"publisher","DOI":"10.1109\/TMC.2014.2381212"},{"key":"ref016","unstructured":"Dell, Dell support, https:\/\/www.dell.com\/support\/home\/bg\/en\/bgbsdt1\/product-support\/product\/latitude-e6320\/drivers, https:\/\/www.dell.com\/support\/home\/bg\/en\/bgbsdt1\/product-support\/product\/precision-t1600\/drivers, accessed 16 March 2019."},{"key":"ref017","unstructured":"C.\u00a0Domas, The memory sinkhole \u2013 Unleashing an x86 design flaw allowing universal privilege escalation, Black Hat USA, 2015."},{"key":"ref018","unstructured":"L.\u00a0Duflot, O.\u00a0Levillain, B.\u00a0Morin and O.\u00a0Grumelard, System management mode design and security issues, IT Defense, 2010."},{"key":"ref019","unstructured":"C.\u00a0Eagle, The IDA Pro Book, 2nd edn, No Starch Press, 2011."},{"key":"ref020","doi-asserted-by":"publisher","DOI":"10.1002\/sec.166"},{"key":"ref021","unstructured":"ESET Research, LOJAX: First UEFI rootkit found in the wild, courtesy of the Sednit group, 2018, https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2018\/09\/ESET-LoJax.pdf."},{"key":"ref022","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2017.2687880"},{"key":"ref023","doi-asserted-by":"crossref","unstructured":"Q.\u00a0Feng, R.\u00a0Zhou, C.\u00a0Xu, Y.\u00a0Cheng, B.\u00a0Testa and H.\u00a0Yin, Scalable graph-based bug search for firmware images, in: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, ACM, 2016, pp.\u00a0480\u2013491.","DOI":"10.1145\/2976749.2978370"},{"key":"ref024","unstructured":"Github, EFI scripts for IDA Pro, https:\/\/github.com\/snare\/ida-efiutils, accessed 16 March 2019."},{"key":"ref025","unstructured":"Github, UEFITool, https:\/\/github.com\/LongSoft\/UEFITool, accessed 16 March 2019."},{"key":"ref026","unstructured":"M.\u00a0Giuliani, Mebromi: The first BIOS rootkit in the wild, 2011, http:\/\/blog.webroot.com\/2011\/09\/13\/mebromi-thefirst-bios-rootkit-in-the-wild\/."},{"key":"ref027","doi-asserted-by":"crossref","unstructured":"L.\u00a0Glanz, S.\u00a0Amann, M.\u00a0Eichberg, M.\u00a0Reif, B.\u00a0Hermann, J.\u00a0Lerch and M.\u00a0Mezini, CodeMatch: Obfuscation won\u2019t conceal your repackaged app, in: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, ACM, 2017, pp.\u00a0638\u2013648.","DOI":"10.1145\/3106237.3106305"},{"key":"ref028","doi-asserted-by":"crossref","unstructured":"H.\u00a0Gonzalez, N.\u00a0Stakhanova and A.A.\u00a0Ghorbani, Droidkin: Lightweight detection of Android apps similarity, in: International Conference on Security and Privacy in Communication Systems, Springer, 2014, pp.\u00a0436\u2013453.","DOI":"10.1007\/978-3-319-23829-6_30"},{"key":"ref029","unstructured":"Google Developers, The online Android developers documentation, https:\/\/developer.android.com\/docs, accessed 14 April 2019."},{"key":"ref030","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-20550-2_2"},{"key":"ref031","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-30806-7_6"},{"key":"ref032","unstructured":"L.\u00a0Haukli, Exposing bootkits with BIOS emulation, Black Hat USA, 2014."},{"key":"ref033","doi-asserted-by":"publisher","DOI":"10.1016\/S1353-4858(08)70032-1"},{"key":"ref034","doi-asserted-by":"crossref","unstructured":"J.\u00a0Huang, X.\u00a0Zhang, L.\u00a0Tan, P.\u00a0Wang and B.\u00a0Liang, AsDroid: Detecting stealthy behaviors in Android applications by user interface and program behavior contradiction, in: Proceedings of the 36th International Conference on Software Engineering, ACM, 2014, pp.\u00a01036\u20131046.","DOI":"10.1145\/2568225.2568301"},{"key":"ref035","unstructured":"Intel Corporation, EDK II Module Writer\u2019s Guide, Version 0.7, 2010, pp.\u00a050\u201358, https:\/\/github.com\/tianocore\/tianocore.github.io\/wiki\/EDK-II-User-Documentation."},{"key":"ref036","doi-asserted-by":"crossref","unstructured":"X.\u00a0Jiang, X.\u00a0Wang and D.\u00a0Xu, Stealthy malware detection through VMM-based out-of-the-box semantic view reconstruction, in: Proceedings of the 14th ACM Conference on Computer and Communications Security, ACM, 2007, pp.\u00a0128\u2013138.","DOI":"10.1145\/1315245.1315262"},{"key":"ref037","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-17533-1_24"},{"key":"ref038","doi-asserted-by":"publisher","DOI":"10.1007\/s11277-013-1258-x"},{"key":"ref039","unstructured":"S.\u00a0Kaczmarek, UEFI and Dreamboot, in: Hack in the Box Security Conference, Kuala Lumpur, Malasia, 2013."},{"key":"ref040","unstructured":"C.\u00a0Kallenberg, S.\u00a0Cornwell, X.\u00a0Kovah and J.\u00a0Butterworth, Setup for failure: Defeating Secure Boot, in: The Symposium on Security for Asia Network (SyScan), 2014."},{"key":"ref041","unstructured":"C.\u00a0Kallenberg, X.\u00a0Kovah, J.\u00a0Butterworth and S.\u00a0Cornwell, Extreme privilege escalation on Windows 8\/UEFI systems, Black Hat USA, 2014."},{"key":"ref042","unstructured":"P.\u00a0Kleissner, Stoned bootkit, Black Hat USA, 2009."},{"key":"ref043","unstructured":"Krebs on Security, Carberp code leak stokes copycat fears, https:\/\/krebsonsecurity.com\/tag\/carberp-source-code-leak\/, accessed 19 March 2019."},{"key":"ref044","unstructured":"N.\u00a0Kumar and V.\u00a0Kumar, Vbootkit: Compromising Windows Vista security, Black Hat Europe, 2007."},{"key":"ref045","unstructured":"N.\u00a0Kumar and V.\u00a0Kumar, VBootKit 2.0 \u2013 Attacking Windows 7 via Boot Sectors, in: Proceedings of the Hack in the Box Conference (HITBSecConf), 2009."},{"key":"ref046","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2901679"},{"key":"ref047","doi-asserted-by":"crossref","unstructured":"L.\u00a0Li, T.F.\u00a0Bissyand\u00e9, J.\u00a0Klein and Y.\u00a0Le Traon, An investigation into the use of common libraries in Android apps, in: 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), Vol.\u00a01, IEEE, 2016, pp.\u00a0403\u2013414.","DOI":"10.1109\/SANER.2016.52"},{"key":"ref048","doi-asserted-by":"crossref","unstructured":"L.\u00a0Li, D.\u00a0Li, T.F.D.A.\u00a0Bissyande, D.\u00a0Lo, J.\u00a0Klein and Y.\u00a0Le Traon, Ungrafting malicious code from piggybacked Android apps, Technical report, SnT, 2016.","DOI":"10.1007\/s11390-017-1786-z"},{"key":"ref049","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.38"},{"key":"ref050","unstructured":"P.\u00a0Lin, Hacking Team uses UEFI BIOS rootkit to keep RCS 9 agent in target systems, Trend Micro, 2015, https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems\/."},{"key":"ref051","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2013.08.010"},{"key":"ref052","doi-asserted-by":"crossref","unstructured":"M.\u00a0Linares-V\u00e1squez, A.\u00a0Holtzhauer and D.\u00a0Poshyvanyk, On automatically detecting similar Android apps, in: 2016 IEEE 24th International Conference on Program Comprehension (ICPC), IEEE, 2016, pp.\u00a01\u201310.","DOI":"10.1109\/ICPC.2016.7503721"},{"key":"ref053","unstructured":"I.\u00a0Lord, BIOS rootkit: Welcome home, my Lord!, 2007, https:\/\/blog.csdn.net\/icelord\/article\/details\/1604884."},{"key":"ref054","unstructured":"J.\u00a0Loucaides and Y.\u00a0Bulygin, Platform security assessment with CHIPSEC, in: CanSecWest Applied Security Conference (CanSecWest 2014), 2014."},{"key":"ref055","doi-asserted-by":"publisher","DOI":"10.1155\/2017\/6958698"},{"key":"ref056","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom.2016.0104"},{"key":"ref057","doi-asserted-by":"crossref","unstructured":"Z.\u00a0Ma, H.\u00a0Wang, Y.\u00a0Guo and X.\u00a0Chen, LibRadar: Fast and accurate detection of third-party libraries in Android apps, in: Proceedings of the 38th International Conference on Software Engineering Companion, ACM, 2016, pp.\u00a0653\u2013656.","DOI":"10.1145\/2889160.2889178"},{"key":"ref058","doi-asserted-by":"crossref","unstructured":"N.\u00a0Marastoni, A.\u00a0Continella, D.\u00a0Quarta, S.\u00a0Zanero and M.D.\u00a0Preda, GroupDroid: Automatically grouping mobile malware by extracting code similarities, in: Proceedings of the 7th Software Security, Protection, and Reverse Engineering\/Software Security and Protection Workshop, ACM, 2017, p.\u00a01.","DOI":"10.1145\/3151137.3151138"},{"key":"ref059","unstructured":"A.\u00a0Matrosov, Olmasco bootkit: Next circle of TDL4 evolution (or not?), ESET, 2012."},{"key":"ref060","unstructured":"A.\u00a0Matrosov, Rovnix bootkit framework updated, 2012."},{"key":"ref061","doi-asserted-by":"crossref","unstructured":"J.\u00a0Rauchberger, R.\u00a0Luh and S.\u00a0Schrittwieser, Longkit \u2013 A universal framework for BIOS\/UEFI rootkits in system management mode, in: ICISSP, 2017, pp.\u00a0346\u2013353.","DOI":"10.5220\/0006165603460353"},{"key":"ref062","unstructured":"E.\u00a0Rodionov, Win32\/Gapz: New bootkit technique, 2012."},{"key":"ref063","doi-asserted-by":"publisher","DOI":"10.1515\/9781501505751"},{"key":"ref064","doi-asserted-by":"publisher","DOI":"10.1109\/ARES.2014.44"},{"key":"ref065","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Shao, X.\u00a0Luo, C.\u00a0Qian, P.\u00a0Zhu and L.\u00a0Zhang, Towards a scalable resource-driven approach for detecting repackaged Android applications, in: Proceedings of the 30th Annual Computer Security Applications Conference, ACM, 2014, pp.\u00a056\u201365.","DOI":"10.1145\/2664243.2664275"},{"key":"ref066","unstructured":"D.\u00a0Soeder and R.\u00a0Permeh, eEye BootRoot, Black Hat USA, 2005."},{"key":"ref067","doi-asserted-by":"publisher","DOI":"10.1109\/ICPC.2015.25"},{"key":"ref068","doi-asserted-by":"crossref","unstructured":"M.\u00a0Sun, M.\u00a0Li and J.\u00a0Lui, DroidEagle: Seamless detection of visually similar Android apps, in: Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, ACM, 2015, p.\u00a09.","DOI":"10.1145\/2766498.2766508"},{"key":"ref069","doi-asserted-by":"crossref","unstructured":"X.\u00a0Sun, Y.\u00a0Zhongyang, Z.\u00a0Xin, B.\u00a0Mao and L.\u00a0Xie, Detecting code reuse in Android applications using component-based control flow graph, in: IFIP International Information Security Conference, Springer, 2014, pp.\u00a0142\u2013155.","DOI":"10.1007\/978-3-642-55415-5_12"},{"key":"ref070","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2017.2745575"},{"key":"ref071","unstructured":"TianoCore, EDK II project, 2019, https:\/\/github.com\/tianocore\/edk2."},{"key":"ref072","unstructured":"C.\u00a0Tumbleson and R.\u00a0Wi\u015bniewski, A tool for reverse engineering Android apk files, 2019, https:\/\/ibotpeaches.github.io\/Apktool\/, accessed 5 March 2019."},{"key":"ref073","unstructured":"Unified EFI Forum, Inc., Unified Extensible Firmware Interface Specification, Version 2.7, 2017, https:\/\/uefi.org\/sites\/default\/files\/resources\/UEFI_Spec_2_7.pdf."},{"key":"ref074","unstructured":"Unified Extensible Firmware Interface Forum, Inc., Platform Initialization (PI) Specification, Version 1.7, 2019, pp.\u00a0526\u2013540, https:\/\/uefi.org\/sites\/default\/files\/resources\/PI_Spec_1_7_final_Jan_2019.pdf."},{"key":"ref075","doi-asserted-by":"publisher","DOI":"10.1145\/1925805.1925818"},{"key":"ref076","unstructured":"VirusTotal, Analyze suspicious files and URLs to detect types of malware, automatically share them with the security community, https:\/\/www.virustotal.com\/#\/home\/upload, accessed 14 March 2019."},{"key":"ref077","doi-asserted-by":"publisher","DOI":"10.1145\/2771783.2771795"},{"key":"ref078","doi-asserted-by":"crossref","unstructured":"F.\u00a0Wei, Y.\u00a0Li, S.\u00a0Roy, X.\u00a0Ou and W.\u00a0Zhou, Deep ground truth analysis of current Android malware, in: DIMVA, 2017.","DOI":"10.1007\/978-3-319-60876-1_12"},{"key":"ref079","unstructured":"WikiLeaks, Infected machines, https:\/\/wikileaks.org\/hackingteam\/emails\/emailid\/19404, accessed 7 March 2019."},{"key":"ref080","unstructured":"WikiLeaks, UEFI Windows persistent, https:\/\/wikileaks.org\/hackingteam\/emails\/emailid\/526357, accessed 7 March 2019."},{"key":"ref081","unstructured":"Wikipedia, Hacking Team: 2015 data breach, https:\/\/en.wikipedia.org\/wiki\/Hacking_Team#2015_data_breach, accessed 7 March 2019."},{"key":"ref082","unstructured":"R.\u00a0Wilkins and B.\u00a0Richardson, UEFI secure boot in modern computer security solutions, in: UEFI Forum, 2013."},{"key":"ref083","unstructured":"R.\u00a0Wojtczuk and C.\u00a0Kallenberg, Attacking UEFI boot script, in: 31st Chaos Communication Congress (31C3), 2014."},{"key":"ref084","unstructured":"R.\u00a0Wojtczuk and C.\u00a0Kallenberg, Attacks on UEFI security, in: Proc. 15th Annu. CanSecWest Conf. (CanSecWest), 2015."},{"key":"ref085","doi-asserted-by":"publisher","DOI":"10.1002\/sec.1170"},{"key":"ref086","unstructured":"C.\u00a0Xiao, Novel malware XcodeGhost modifies Xcode, infects apple iOS apps and hits app store, Technical report, 2015, https:\/\/unit42.paloaltonetworks.com\/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store\/."},{"key":"ref087","doi-asserted-by":"crossref","unstructured":"H.\u00a0Yin, D.\u00a0Song, M.\u00a0Egele, C.\u00a0Kruegel and E.\u00a0Kirda, Panorama: Capturing system-wide information flow for malware detection and analysis, in: Proceedings of the 14th ACM Conference on Computer and Communications Security, ACM, 2007, pp.\u00a0116\u2013127.","DOI":"10.1145\/1315245.1315261"},{"key":"ref088","doi-asserted-by":"publisher","DOI":"10.1109\/ICPC.2017.16"},{"key":"ref089","doi-asserted-by":"crossref","unstructured":"F.\u00a0Zhang, H.\u00a0Huang, S.\u00a0Zhu, D.\u00a0Wu and P.\u00a0Liu, ViewDroid: Towards obfuscation-resilient mobile application repackaging detection, in: Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless & Mobile Networks, ACM, 2014, pp.\u00a025\u201336.","DOI":"10.1145\/2627393.2627395"},{"key":"ref090","doi-asserted-by":"publisher","DOI":"10.1007\/s13042-010-0001-0"},{"key":"ref091","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Zhauniarovich, O.\u00a0Gadyatskaya, B.\u00a0Crispo, F.\u00a0La Spina and E.\u00a0Moser, FSquaDRA: Fast detection of repackaged applications, in: IFIP Annual Conference on Data and Applications Security and Privacy, Springer, 2014, pp.\u00a0130\u2013145.","DOI":"10.1007\/978-3-662-43936-4_9"},{"key":"ref092","doi-asserted-by":"crossref","unstructured":"W.\u00a0Zhou, Y.\u00a0Zhou, M.\u00a0Grace, X.\u00a0Jiang and S.\u00a0Zou, Fast, scalable detection of piggybacked mobile applications, in: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, ACM, 2013, pp.\u00a0185\u2013196.","DOI":"10.1145\/2435349.2435377"},{"key":"ref093","doi-asserted-by":"crossref","unstructured":"W.\u00a0Zhou, Y.\u00a0Zhou, X.\u00a0Jiang and P.\u00a0Ning, Detecting repackaged smartphone applications in third-party Android marketplaces, in: Proceedings of the Second ACM Conference on Data and Application Security and Privacy, ACM, 2012, pp.\u00a0317\u2013326.","DOI":"10.1145\/2133601.2133640"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191313","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-191313","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191313","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:22Z","timestamp":1777495522000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-191313"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,1,24]]},"references-count":93,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2020,3,17]]}},"alternative-id":["10.3233\/JCS-191313"],"URL":"https:\/\/doi.org\/10.3233\/jcs-191313","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,1,24]]}}}