How I Met Your Mother?

Android malware is becoming more and more aggressive, in terms of impact on the victim’s device and in terms of capability of evading detection. Not only smartphones with their sensitive information are targeted by attackers, but also devices such as watches, glasses and everything that can be connected to the Internet of Things. Current signature based antimalware or anomaly based detection are not able to detect zero-day attacks: even trivial code transformation can overcome detection. New malware is often not really new: malware writers are used to add functionality to existing malware, or merge different pieces of existing malware code: this determines the families of Android malware i.e. malware programs that have in common some essential features or behaviors and modify some other parts. To be able to recognize the malware familiy a malware belongs to is useful for malware analysis, fast infection response, and quick incident resolution. In this paper we introduce DescentDroid, a tool that traces back the malware descendant family. We experiment our technique with an extended dataset comprising malware and trusted applications, obtaining high precision in recognizing the malware family membership.