Groupdroid: Automatically Grouping Mobile Malware By Extracting Code Similarities

Proceedings of the 7th Software Security, Protection, and Reverse Engineering Workshop (SSPREW), 2017

Abstract
As shown in previous work, malware authors often reuse portions of code in the development of their samples. Especially in the mobile scenario, there exists a phenomenon, called piggybacking, that describes the act of embedding malicious code inside benign apps. In this paper, we leverage such observations to analyze mobile malware by looking at its similarities. In practice, we propose a novel approach that identifies and extracts code similarities in mobile apps. Our approach is based on static analysis and works by computing the Control Flow Graph of each method and encoding it in a feature vector used to measure similarities. We implemented our approach in a tool, GROUPDROID, able to group mobile apps together according to their code similarities. Armed with GROUPDROID, we then analyzed modern mobile malware samples. Our experiments show that GROUPDROID is able to correctly and accurately distinguish different malware variants, and to provide useful and detailed information about the similar portions of malicious code.
Key words
Mobile, Malware, Similarity