End users rely on wireless networks to obtain legitimate application updates for installation on their wireless devices. If the application being updated and distributed is not encrypted, or is encrypted with weak algorithms, an attacker can intercept the application in transit and inject malicious code into it. This paper presents a novel detection approach for identifying application updates that have been tampered with while being distributed over a wireless network.
The approach uses the Kullback-Leibler Divergence (KLD) metric. It builds the population distribution of a legitimate application and of a possibly tampered-with application over a set of opcodes. A larger KLD value indicates that an application is dissimilar to its original, and therefore has likely been tampered with.
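The following is an added illustration of the opcode-distribution comparison the abstract describes; it is not the paper's code. It assumes the opcode trace of each application is available as a sequence of mnemonics, builds a smoothed frequency distribution for the original and the received update over their joint opcode vocabulary, and computes D_KL(original || update). The opcode traces, the `tamper_score`/`is_tampered` helper names and the decision threshold are constructed for the example. Additive smoothing is included because, without it, any opcode present in the original but absent from the candidate (or vice versa) drives the divergence to infinity, which the unsmoothed call at the end demonstrates.

```python
import math
from collections import Counter

# Constructed sample opcode traces (not taken from the paper): a short
# "original" application and an "update" into which extra code was spliced.
ORIGINAL_OPCODES = (
    ["push", "mov", "call", "mov", "add", "cmp", "jne", "mov", "pop", "ret"] * 20
)
TAMPERED_OPCODES = ORIGINAL_OPCODES + (
    ["xor", "syscall", "int3", "jmp", "syscall", "xor", "int3"] * 15
)


def opcode_distribution(opcodes, vocab, alpha=1.0):
    """Probability of each opcode in `vocab`, with additive (Laplace) smoothing.

    alpha=0 gives the raw relative frequencies; alpha>0 guarantees every
    opcode in the joint vocabulary receives non-zero mass.
    """
    counts = Counter(opcodes)
    total = len(opcodes) + alpha * len(vocab)
    return {op: (counts[op] + alpha) / total for op in vocab}


def kl_divergence(p, q):
    """D_KL(P || Q) in bits over dicts keyed by opcode.

    Returns inf when Q assigns zero probability to an opcode that P uses,
    which is the failure mode smoothing is meant to avoid.
    """
    total = 0.0
    for op, p_x in p.items():
        if p_x == 0.0:
            continue  # 0 * log(0/q) is taken as 0 by convention
        q_x = q.get(op, 0.0)
        if q_x == 0.0:
            return math.inf
        total += p_x * math.log2(p_x / q_x)
    return total


def tamper_score(original, candidate, alpha=1.0):
    """KLD of the original application's opcode distribution against the
    candidate update's distribution; larger means more dissimilar."""
    vocab = sorted(set(original) | set(candidate))
    p = opcode_distribution(original, vocab, alpha)
    q = opcode_distribution(candidate, vocab, alpha)
    return kl_divergence(p, q)


def is_tampered(original, candidate, threshold=0.05, alpha=1.0):
    """Decision rule: flag the update when its KLD exceeds a threshold.
    The threshold here is a constructed value; in practice it would be
    calibrated on known-good updates of the same application."""
    return tamper_score(original, candidate, alpha) > threshold


if __name__ == "__main__":
    print("unchanged update:", tamper_score(ORIGINAL_OPCODES, ORIGINAL_OPCODES))
    print("tampered update :", tamper_score(ORIGINAL_OPCODES, TAMPERED_OPCODES))
    print("flagged         :", is_tampered(ORIGINAL_OPCODES, TAMPERED_OPCODES))
    # Unsmoothed and reversed: the original lacks the injected opcodes, so
    # D_KL(tampered || original) is infinite rather than a usable score.
    print("unsmoothed, reversed:",
          tamper_score(TAMPERED_OPCODES, ORIGINAL_OPCODES, alpha=0.0))
```

Note that KLD is not symmetric: the direction D_KL(original || update) asks how surprising the original's opcodes are under the update's distribution, and reversing the arguments without smoothing produces an infinite value whenever the update introduces opcodes the original never used.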