Groupdroid: Automatically grouping mobile malware by extracting code similarities

Niccolò Marastoni, Andrea Continella, Davide Quarta, Stefano Zanero, Mila Dalla Preda

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-review

3 Citations (Scopus)

Abstract

As shown in previous work, malware authors often reuse portions of code in the development of their samples. Especially in the mobile scenario, there exists a phenomenon, called piggybacking, that describes the act of embedding malicious code inside benign apps. In this paper, we leverage such observations to analyze mobile malware by looking at its similarities. In practice, we propose a novel approach that identifies and extracts code similarities in mobile apps. Our approach is based on static analysis and works by computing the Control Flow Graph of each method and encoding it in a feature vector used to measure similarities. We implemented our approach in a tool, GroupDroid, able to group mobile apps together according to their code similarities. Armed with GroupDroid, we then analyzed modern mobile malware samples. Our experiments show that GroupDroid is able to correctly and accurately distinguish different malware variants, and to provide useful and detailed information about the similar portions of malicious code.

Original language: English
Title of host publication: Proceedings of the 7th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2017
Publisher: Association for Computing Machinery (ACM)
ISBN (Electronic): 9781450353878
DOIs
Publication status: Published - 5 Dec 2017
Externally published: Yes
Event: 7th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2017 - Hilton Orlando Lake Buena Vista, Orlando, United States
Duration: 4 Dec 2017 to 5 Dec 2017
Conference number: 7
http://www.pprew.org/2017-7/program.htm

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 7th Software Security, Protection, and Reverse Engineering Workshop, SSPREW 2017
Abbreviated title: SSPREW 2017
Country: United States
City: Orlando
Period: 4/12/17 to 5/12/17
Internet address

Keywords

  • Malware
  • Mobile
  • Similarity
