
HelDroid: Dissecting and Detecting Mobile Ransomware

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2015)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9404)

Abstract

In ransomware attacks, the actual target is the human, as opposed to the classic attacks that abuse the infected devices (e.g., botnet renting, information stealing). Mobile devices are by no means immune to ransomware attacks. However, there is little research work on this matter and only traditional protections are available. Even state-of-the-art mobile malware detection approaches are ineffective against ransomware apps because of the subtle attack scheme. As a consequence, the ample attack surface formed by the billion mobile devices is left unprotected.

First, in this work we summarize the results of our analysis of the existing mobile ransomware families, describing their common characteristics. Second, we present HelDroid, a fast, efficient and fully automated approach that recognizes known and unknown scareware and ransomware samples from goodware. Our approach is based on detecting the “building blocks” that are typically needed to implement a mobile ransomware application. Specifically, HelDroid detects, in a generic way, if an app is attempting to lock or encrypt the device without the user’s consent, and if ransom requests are displayed on the screen. Our technique works without requiring that a sample of a certain family is available beforehand.

We implemented HelDroid and tested it on real-world Android ransomware samples. On a large dataset comprising hundreds of thousands of APKs including goodware, malware, scareware, and ransomware, HelDroid exhibited nearly zero false positives and the capability of recognizing unknown ransomware samples.
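The abstract describes detection in terms of two "building blocks": coercive ransom text shown to the user, and code capable of locking the device or encrypting files. The Python below is an added illustration written for this page, not HelDroid's own code, and is deliberately much simpler than the paper's approach (no NLP classifier, no data-flow analysis, and no modelling of the "without the user's consent" condition). It runs over constructed, pre-extracted APK artifacts of the kind a smali disassembly yields (string constants and invoked method signatures); the lexicon, the threshold, the chosen API signatures as indicators, and the rule that threatening text without a lock/encrypt capability counts as scareware are all assumptions made for the example.

```python
"""Toy static detector for two ransomware "building blocks": coercive ransom
text shown to the user, and the ability to lock the device or encrypt files.
Added example for this page, not HelDroid's own code.  Inputs are constructed
artifacts of the kind a smali disassembly would yield: string constants and
invoked method signatures."""
import re

# Real Android/Java method signatures tied to each building block.  Treating
# them as sufficient indicators is an assumption of this toy.
LOCK_APIS = {
    "Landroid/app/admin/DevicePolicyManager;->lockNow()V",
    "Landroid/app/admin/DevicePolicyManager;->resetPassword(Ljava/lang/String;I)Z",
}
CRYPTO_APIS = {
    "Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;",
    "Ljavax/crypto/Cipher;->doFinal([B)[B",
}
FILE_WRITE_APIS = {
    "Ljava/io/FileOutputStream;-><init>(Ljava/io/File;)V",
    "Ljava/io/File;->delete()Z",
}

# Constructed lexicon of word stems typical of ransom notes, matched as token
# prefixes (so "locked", "police", "penalties" hit).  Threshold is an assumption.
THREAT_STEMS = {"lock", "encrypt", "pay", "fine", "polic", "illegal", "block",
                "unlock", "crim", "penalt", "voucher", "bitcoin"}
THREAT_THRESHOLD = 4


def threat_score(strings):
    """Count distinct ransom-note stems appearing across an app's string constants."""
    hits = set()
    for text in strings:
        for token in re.findall(r"[a-z]+", text.lower()):
            hits.update(stem for stem in THREAT_STEMS if token.startswith(stem))
    return len(hits)


def uses_lock(calls):
    """Device-admin screen-locking capability."""
    return bool(LOCK_APIS & set(calls))


def uses_file_encryption(calls):
    """Cipher use combined with file writes/deletes.  Crypto alone is far too
    common in goodware to be an indicator by itself."""
    calls = set(calls)
    return bool(CRYPTO_APIS & calls) and bool(FILE_WRITE_APIS & calls)


def classify(app):
    """Combine the blocks: threatening text plus a lock/encrypt capability is
    ransomware; threatening text alone is scareware (assumed split); else goodware."""
    threatening = threat_score(app["strings"]) >= THREAT_THRESHOLD
    coercive = uses_lock(app["calls"]) or uses_file_encryption(app["calls"])
    if threatening and coercive:
        return "ransomware"
    if threatening:
        return "scareware"
    return "goodware"


# Constructed samples for illustration; none are real malware artifacts.
SAMPLES = {
    "locker": {
        "strings": ["Your device has been locked by the police for viewing illegal content.",
                    "Pay a fine of 100 USD with a voucher to unlock."],
        "calls": ["Landroid/app/admin/DevicePolicyManager;->lockNow()V",
                  "Landroid/app/admin/DevicePolicyManager;->resetPassword(Ljava/lang/String;I)Z"],
    },
    "crypto_locker": {
        "strings": ["All files on the device are encrypted and blocked. Pay 0.5 bitcoin for the decryption key."],
        "calls": ["Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;",
                  "Ljavax/crypto/Cipher;->doFinal([B)[B",
                  "Ljava/io/FileOutputStream;-><init>(Ljava/io/File;)V"],
    },
    "scareware": {
        "strings": ["WARNING: illegal content detected! Your device is blocked. "
                    "Pay a fine immediately or face criminal penalties."],
        "calls": [],
    },
    "password_manager": {  # benign app that encrypts files: must stay goodware
        "strings": ["Your passwords are encrypted with AES-256.",
                    "Enter master password to unlock the vault."],
        "calls": ["Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;",
                  "Ljavax/crypto/Cipher;->doFinal([B)[B",
                  "Ljava/io/FileOutputStream;-><init>(Ljava/io/File;)V"],
    },
}

if __name__ == "__main__":
    for name, app in SAMPLES.items():
        print(f"{name:17s} threat={threat_score(app['strings'])} -> {classify(app)}")
```

The design point worth noticing is the conjunction: the password manager uses exactly the same crypto and file APIs as the crypto locker, so neither API usage nor threatening vocabulary alone is a usable signal; only their combination separates ransomware from goodware, which is also why a lexicon-only check downgrades to a scareware verdict rather than a ransomware one.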

Acknowledgments

We are thankful to the anonymous reviewers and our shepherd, Patrick Traynor, for the insightful comments, to Steven Arzt, who helped us improve FlowDroid to track flows across threads, and to Daniel Arp from the DREBIN project. This work has been supported by the MIUR FACE Project No. RBFR13AJFT.

Author information

Corresponding author

Correspondence to Federico Maggi.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Andronio, N., Zanero, S., Maggi, F. (2015). HelDroid: Dissecting and Detecting Mobile Ransomware. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science, vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_18

  • DOI: https://doi.org/10.1007/978-3-319-26362-5_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26361-8

  • Online ISBN: 978-3-319-26362-5

  • eBook Packages: Computer Science (R0)