research-article

R-PackDroid: API package-based characterization and detection of mobile ransomware

Authors:
Davide Maiorca

University of Cagliari, Cagliari, Italy

University of Cagliari, Cagliari, Italy
View Profile

,
Francesco Mercaldo

National Research Council, Pisa, Italy

National Research Council, Pisa, Italy
View Profile

,
Giorgio Giacinto

University of Cagliari, Cagliari, Italy

University of Cagliari, Cagliari, Italy
View Profile

,
Corrado Aaron Visaggio

University of Sannio, Benevento, Italy

University of Sannio, Benevento, Italy
View Profile

,
Fabio Martinelli

National Research Council, Pisa, Italy

National Research Council, Pisa, Italy
View Profile

SAC '17: Proceedings of the Symposium on Applied ComputingApril 2017Pages 1718–1723https://doi.org/10.1145/3019612.3019793

Published:03 April 2017Publication History

SAC '17: Proceedings of the Symposium on Applied Computing

Pages 1718–1723

ABSTRACT

Ransomware has become a serious and concrete threat for mobile platforms and in particular for Android. In this paper, we propose R-PackDroid, a machine learning system for the detection of Android ransomware. Differently to previous works, we leverage information extracted from system API packages, which allow to characterize applications without specific knowledge of user-defined content such as the application language or strings. Results attained on very recent data show that it is possible to detect Android ransomware and to distinguish it from generic malware with very high accuracy. Moreover, we used R-PackDroid to flag applications that were detected as ransomware with very low confidence by the VirusTotal service. In this way, we were able to correctly distinguish true ransomware from false positives, thus providing valuable help for the analysis of these malicious applications.

References

N. Andronio, S. Zanero, and F. Maggi. Heldroid: Dissecting and detecting mobile ransomware. In RAID, pages 382--404. Springer, 2015. Google ScholarDigital Library
M. Aresu, D. Ariu, M. Ahmadi, D. Maiorca, and G. Giacinto. Clustering android malware families by http traffic. In 2015 10th International Conference on Malicious and Unwanted Software (MALWARE), pages 128--135, Oct 2015. Google ScholarDigital Library
D. Arp, M. Spreitzenbarth, M. Hubner, H. Gascon, and K. Rieck. Drebin: Effective and explainable detection of android malware in your pocket. In NDSS. The Internet Society, 2014. Google ScholarCross Ref
G. Canfora, F. Mercaldo, and C. A. Visaggio. An hmm and structural entropy based detector for android malware: An empirical study. Computers & Security, 61:1--18, 2016. Google ScholarDigital Library
J. Hoffmann, T. Rytilahti, D. Maiorca, M. Winandy, G. Giacinto, and T. Holz. Evaluating analysis tools for android apps: Status quo and robustness against obfuscation. In CODASPY '16, pages 139--141, New York, NY, USA, 2016. ACM. Google ScholarDigital Library
D. Maiorca, D. Ariu, I. Corona, M. Aresu, and G. Giacinto. Stealth attacks: An extended insight into the obfuscation effects on android malware. Computers & Security, 51:16--31, 2015. Google ScholarDigital Library
J. Oberheide, E. Cooke, and F. Jahanian. Cloudav: N-version antivirus in the network cloud. In USENIX Security Symposium, pages 91--106, 2008. Google ScholarDigital Library
J. Oberheide and C. Miller. Dissecting the android bouncer. SummerCon2012, New York, 2012.Google Scholar
C. J. V. Rijsbergen. Information Retrieval. Butterworth-Heinemann, Newton, MA, USA, 2nd edition, 1979. Google ScholarDigital Library
S. Roy, J. DeLoach, Y. Li, N. Herndon, D. Caragea, X. Ou, V. P. Ranganath, H. Li, and N. Guevara. Experimental study with real-world data for android app security analysis using machine learning. In ACSAC 2015, pages 81--90. ACM, 2015. Google ScholarDigital Library
K. Tam, S. J. Khan, A. Fattori, and L. Cavallaro. Copperdroid: Automatic reconstruction of android malware behaviors. In NDSS. The Internet Society, 2015. Google ScholarCross Ref
Y. Zhou and X. Jiang. Dissecting android malware: Characterization and evolution. In IEEE Symposium on Security and Privacy, pages 95--109. IEEE, 2012. Google ScholarDigital Library

Index Terms

R-PackDroid: API package-based characterization and detection of mobile ransomware
1. Security and privacy

Recommendations

Talos: no more ransomware victims with formal methods

Ransomware is a very effective form of malware that is recently spreading out on an impressive number of workstations and smartphones. This malware blocks the access to the infected machine or to the files located in the infected machine. The attackers ...
Read More
On the effectiveness of system API-related information for Android ransomware detection
Abstract
Ransomware constitutes a significant threat to the Android operating system. It can either lock or encrypt the target devices, and victims are forced to pay ransoms to restore their data. Hence, the prompt detection of such attacks has ...
Read More
RansomShield: A Visualization Approach to Defending Mobile Systems Against Ransomware
The unprecedented growth in mobile systems has transformed the way we approach everyday computing. Unfortunately, the emergence of a sophisticated type of malware known as ransomware poses a great threat to consumers of this technology. Traditional ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SAC '17: Proceedings of the Symposium on Applied Computing
April 2017
2004 pages
ISBN:9781450344869
DOI:10.1145/3019612
Conference Chair:
Sung Y. Shin
South Dakota State University
,
Program Chairs:
Dongwan Shin
New Mexico Tech
,
Maria Lencastre
University of Pernambuco, Brazil
Copyright © 2017 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 3 April 2017
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Android
machine learning
malware
ransomware
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate1,650of6,669submissions,25%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 73
  Total Citations
  View Citations
- 636
  Total Downloads
- Downloads (Last 12 months)36
- Downloads (Last 6 weeks)5
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

R-PackDroid: API package-based characterization and detection of mobile ransomware

SAC '17: Proceedings of the Symposium on Applied Computing

ABSTRACT

References

Cited By

Index Terms

Recommendations

Talos: no more ransomware victims with formal methods

On the effectiveness of system API-related information for Android ransomware detection

RansomShield: A Visualization Approach to Defending Mobile Systems Against Ransomware