R-PackDroid: Practical On-Device Detection of Android Ransomware

Ransomware constitutes a major threat for the Android operating system. It can either lock or encrypt the target devices, and victims may be forced to pay ransoms to restore their data. Despite previous works on malware detection, little has been done to specifically identify Android malware as ransomware. This is crucial, as ransomware requires immediate countermeasures to avoid data being entirely compromised. In this paper, we propose R-PackDroid, a machine learning-based application (which runs directly on Android phones) for the detection of Android ransomware. R-PackDroid is a lightweight approach that leverages a methodology based on extracting information from system API packages. We demonstrate its effectiveness by testing it on a large number of legitimate, malicious and ransomware-based applications. Our analyses pointed out three major results: first, R-PackDroid can distinguish ransomware from malware and legitimate applications with very high accuracy; second, R-PackDroid guarantees resilience against heavy obfuscation attempts, such as class encryption; third, R-PackDroid can be used to effectively predict and detect novel ransomware samples that are released after the ones used to train the system. R-PackDroid is available on the Google Play Store, and it is the first academic ransomware-oriented detector available for Android.
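As an added example (not the paper's or the R-PackDroid app's own code), the following Python turns disassembled Dalvik invoke lines into a per-system-API-package count vector, the kind of feature the abstract's API-package methodology describes and a classifier would consume. The package list, the smali regex and the sample invoke lines are constructed assumptions; the real R-PackDroid feature set is not given on this page.

```python
# Added example, not R-PackDroid's own code: count Dalvik method references
# per system API package, the kind of feature the abstract's methodology describes.
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed list of system API packages to count; the real set used by
# R-PackDroid is not given on this page.
SYSTEM_API_PACKAGES: List[str] = [
    "android.app", "android.app.admin", "android.content",
    "android.telephony", "android.view", "java.io", "javax.crypto",
]
# smali method reference: Lpkg/sub/Class;->method(
_INVOKE_RE = re.compile(r"L([A-Za-z0-9_/$]+);->[A-Za-z0-9_<>$]+\(")

def package_of(class_descriptor: str) -> str:
    """'android/app/admin/DevicePolicyManager' -> 'android.app.admin'."""
    return ".".join(class_descriptor.split("/")[:-1])

def longest_matching_package(pkg: str, known: Iterable[str]) -> Optional[str]:
    """Most specific known prefix, so android.app.admin.* is counted under
    android.app.admin rather than android.app."""
    best = None
    for k in known:
        if pkg == k or pkg.startswith(k + "."):
            if best is None or len(k) > len(best):
                best = k
    return best

def api_package_features(smali_lines: Iterable[str],
                         known: List[str] = SYSTEM_API_PACKAGES) -> Dict[str, int]:
    """Count invocations per known system API package. Classes outside the
    list (the app's own, possibly obfuscated, code) are ignored, which is
    why renaming identifiers does not change the resulting vector."""
    counts: Counter = Counter({k: 0 for k in known})
    for line in smali_lines:
        for m in _INVOKE_RE.finditer(line):
            pkg = longest_matching_package(package_of(m.group(1)), known)
            if pkg is not None:
                counts[pkg] += 1
    return dict(counts)

# Constructed sample of disassembled invoke lines (not taken from a real app).
SAMPLE_SMALI = [
    "invoke-virtual {v0}, Landroid/app/admin/DevicePolicyManager;->lockNow()V",
    "invoke-static {v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;",
    "invoke-virtual {v2, v3}, Ljavax/crypto/Cipher;->doFinal([B)[B",
    "invoke-virtual {v4}, Lcom/example/a/b;->c()V",
    "invoke-direct {v5}, Ljava/io/FileOutputStream;-><init>(Ljava/lang/String;)V",
]
```

Calling `api_package_features(SAMPLE_SMALI)` yields a fixed-length vector in which the obfuscated `com.example.a.b` call contributes nothing, while the device-admin and crypto calls are counted under their packages.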
