Online artefact

All Your App Links Are Belong to Us: Understanding the Threats of Instant Apps Based Attacks

-- ShanghaiTech University

"are belong to" is broken English. It comes from a popular Internet meme "all your base are belong to us". We use the same pattern as the meme.


[Demo] The link hijacking with STS


[Demo] The link hijacking without STS


[Demo] The instant app hijacking

2. The code of demo project can be downloaded at:

As we already remove our PoC app (it is a malicious app) from Google Play, you cannot download it from Google Play any more.

Please use the source code to build the app.

3. The raw data.

(The raw data is available once we received the notification)

The data can be downloaded at

There are four files in the directory: two text files are the apps in use, two zip files are the experimental results.

As we have 400K android apps hosted on our private cloud, we cannot show all the apks to public (as it is on our private cloud).

But, through the two text files, you can find all apps' package names.

You are suggested to download them via APKPure ( , APK Monk (, and Yingyongbao (

If you really need our apks, please send us an email ( We will setup an account for you to download apks from our cloud.

4. The tool.

(The tool is available once we received the notification)

The tool can be downloaded at

To use this tool, please ensure you have python 2 and java 7/8 installed on your machine.

The tool is developed on a Mac machine. If you use Windows or Linux, maybe you need some adjustments in code.

5. Tool Evaluation

We manually evaluate the tool with 800 Android apps from Google Play.

The data can be found at

Insider the directory,

  1. apps.csv and apps-2.csv represent the apps used;

  2. result.csv and result-2.csv represent the results returned by our tool;

  3. evaluation.csv and evaluation-2.csv represent the evaluation result;

  • Google Drive only private 15GB, which is not sufficient for 800 Android apps. We provide the apk package names for these apps.

  • Moreover, you are encourage to use our apkdownloader to download app from apk monk.

6. How to use the tool?

The tool is easy to use.

[The java code in the directory is the source code for the "DeepLinkHijackingDetector.jar".

We already build the DeepLinkHijackingDetector.jar for you. ]

You can start with the "" file, which is in the "pythonwrapper" directory.

In the "", you have to offer two parameters:

    • parameter 1: the directory that stores all your apps (apks)

    • parameter 2: the directory to store the result.

When the program is finished, a file named "result.csv" is generated in the target directory (parameter 2) .

* Please do not change the directory of "DeepLinkHijackingDetector.jar". If you have to do so, please change the "" as well.

Please reference the "" file for more.

7. How to test the tool?

You can download the apps and then test the tool with the script "" .

Besides, in the tool, there are 8 sample apps, you can try them first.