On the effectiveness of system API-related information for Android ransomware detection

Abstract Ransomware constitutes a significant threat to the Android operating system. It can either lock or encrypt the target devices, and victims are forced to pay ransoms to restore their data. Hence, the prompt detection of such attacks has a priority in comparison to other malicious threats. Previous works on Android malware detection mainly focused on Machine Learning-oriented approaches that were tailored to identifying malware families, without a clear focus on ransomware. More specifically, such approaches resorted to complex information types such as permissions, user-implemented API calls, and native calls. However, this led to significant drawbacks concerning complexity, resilience against obfuscation, and explainability. To overcome these issues, in this paper, we propose and discuss learning-based detection strategies that rely on System API information. These techniques leverage the fact that ransomware attacks heavily resort to System API to perform their actions, and allow distinguishing between generic malware, ransomware and goodware. We tested three different ways of employing System API information, i.e., through packages, classes, and methods, and we compared their performances to other, more complex state-of-the-art approaches. The attained results showed that systems based on System API could detect ransomware and generic malware with very good accuracy, comparable to systems that employed more complex information. Moreover, the proposed systems could accurately detect novel samples in the wild and showed resilience against static obfuscation attempts. Finally, to guarantee early on-device detection, we developed and released on the Android platform a complete ransomware and malware detector (R-PackDroid) that employed one of the methodologies proposed in this paper.

[1]  Antonella Santone,et al.  Ransomware Steals Your Phone. Formal Methods Rescue It , 2016, FORTE.

[2]  Fabio Roli,et al.  Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning , 2017, Pattern Recognit..

[3]  Mansour Ahmadi,et al.  IntelliAV: Toward the Feasibility of Building Intelligent Anti-malware on Android Devices , 2017, CD-MAKE.

[4]  Gerardo Canfora,et al.  An HMM and structural entropy based detector for Android malware: An empirical study , 2016, Comput. Secur..

[5]  Konrad Rieck,et al.  IFI-TB-2013-02 D REBIN : Efficient and Explainable Detection of Android Malware in Your Pocket , 2013 .

[6]  Fabio Roli,et al.  Explaining Black-box Android Malware Detection , 2018, 2018 26th European Signal Processing Conference (EUSIPCO).

[7]  Fabio Roli,et al.  Yes, Machine Learning Can Be More Secure! A Case Study on Android Malware Detection , 2017, IEEE Transactions on Dependable and Secure Computing.

[8]  Aniello Cimitile,et al.  Talos: no more ransomware victims with formal methods , 2018, International Journal of Information Security.

[9]  Jacques Klein,et al.  AndroZoo: Collecting Millions of Android Apps for the Research Community , 2016, 2016 IEEE/ACM 13th Working Conference on Mining Software Repositories (MSR).

[10]  Ziming Zhao,et al.  Uncovering the Face of Android Ransomware: Characterization and Real-Time Detection , 2018, IEEE Transactions on Information Forensics and Security.

[11]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[12]  Naren Ramakrishnan,et al.  Causality-based Sensemaking of Network Traffic for Android Application Security , 2016, AISec@CCS.

[13]  Peng Liu,et al.  FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware , 2017, CCS.

[14]  Tao Xie,et al.  AppContext: Differentiating Malicious and Benign Mobile App Behaviors Using Context , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[15]  Fabio Martinelli,et al.  R-PackDroid: API package-based characterization and detection of mobile ransomware , 2017, SAC.

[16]  Naren Ramakrishnan,et al.  Detection of stealthy malware activities with traffic causality and scalable triggering relation discovery , 2014, AsiaCCS.

[17]  Minhui Xue,et al.  StormDroid: A Streaminglized Machine Learning-Based System for Detecting Android Malware , 2016, AsiaCCS.

[18]  Alessandra Gorla,et al.  Mining Apps for Abnormal Usage of Sensitive Data , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[19]  Aristide Fattori,et al.  CopperDroid: Automatic Reconstruction of Android Malware Behaviors , 2015, NDSS.

[20]  Ali A. Ghorbani,et al.  DNA-Droid: A Real-Time Android Ransomware Detection Framework , 2017, NSS.

[21]  Engin Kirda,et al.  UNVEIL: A large-scale, automated approach to detecting ransomware (keynote) , 2016, SANER.

[22]  Yu Yang,et al.  Automated Detection and Analysis for Android Ransomware , 2015, 2015 IEEE 17th International Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium on Cyberspace Safety and Security, and 2015 IEEE 12th International Conference on Embedded Software and Systems.

[23]  Stefano Zanero,et al.  GreatEatlon: Fast, Static Detection of Mobile Ransomware , 2016, SecureComm.

[24]  Sam Malek,et al.  [Journal First] Lightweight, Obfuscation-Resilient Detection and Family Identification of Android Malware , 2018, 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE).

[25]  Alessandro Barenghi,et al.  ShieldFS: a self-healing, ransomware-aware filesystem , 2016, ACSAC.

[26]  Stefano Zanero,et al.  HelDroid: Dissecting and Detecting Mobile Ransomware , 2015, RAID.

[27]  Konrad Rieck,et al.  DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket , 2014, NDSS.

[28]  Juan Caballero,et al.  AVclass: A Tool for Massive Malware Labeling , 2016, RAID.

[29]  Giorgio Giacinto,et al.  Stealth attacks: An extended insight into the obfuscation effects on Android malware , 2015, Comput. Secur..

[30]  Gianluca Stringhini,et al.  PayBreak: Defense Against Cryptographic Ransomware , 2017, AsiaCCS.

[31]  Mansour Ahmadi,et al.  Clustering android malware families by http traffic , 2015, 2015 10th International Conference on Malicious and Unwanted Software (MALWARE).

[32]  Fabio Roli,et al.  Pattern Recognition Systems under Attack: Design Issues and Research Challenges , 2014, Int. J. Pattern Recognit. Artif. Intell..

[33]  Fabio Roli,et al.  Evasion Attacks against Machine Learning at Test Time , 2013, ECML/PKDD.

[34]  Sanggeun Song,et al.  The Effective Ransomware Prevention Technique Using Process Monitoring on Android Platform , 2016, Mob. Inf. Syst..