Consumers and businesses increasingly rely on computing devices (e.g., smartphones, tablets, and laptops) to store and manage sensitive data. Consequently, malicious programmers seem to continuously increase their efforts to gain illegitimate control and access to these computing devices through the use of viruses, Trojan horses, worms, and other programs meant to compromise computer systems and data belonging to other people. These malicious programs are often referred to as malware.
Repackaging legitimate popular applications is a common malware distribution technique whereby a malicious programmer adds malicious code to a legitimate application and then distributes the repackaged application as though it were the original legitimate application.
On some computing platforms, an application may be distributed to users using application package files that contain the code, data, and resources that make up the application. For example, applications created for mobile devices (e.g., ANDROID, IOS, and WINDOWS PHONE devices) may be distributed as application package files that users can download and install on their mobile devices. On such platforms, a malicious programmer may be able to obtain an application package file of an already popular application, unpack it, and add malicious code to the application contained within the application package file. The malicious programmer may then repackage the now malicious application and distribute it to users as if it were the original popular application. Some examples of malware created and distributed using this repackaging technique may include DroidDream, Geinimi, and the fake ANDROID MARKET Security tool.
Unfortunately, it may be difficult for a user to determine whether an application is legitimate or whether it is malicious and has been repackaged from another application, because a repackaged application may have the same functionality as the original application from which it has been repackaged. For this reason, a user may be able to download, install, and run a repackaged application without any indication that the repackaged application is malicious. Accordingly, the instant disclosure addresses a need for additional and improved systems and methods for detecting malicious digitally-signed applications.