GreatEatlon: Fast, Static Detection of Mobile Ransomware

Zheng, Chengyu; Dellarocca, Nicola; Andronio, Niccolò; Zanero, Stefano; Maggi, Federico

doi:10.1007/978-3-319-59608-2_34

Cited by 20 publications

(22 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This tool includes a text classifier (based on NLP features) that works on suspicious strings used by the application, a lightweight smali emulation technique to detect locking strategies, and the application of taint tracking for detecting file-encrypting flows. The system has then been further expanded by Zheng et al with the new name of GreatEatlon and features significant speed improvements, a multiple-classifier system that combines the information extracted by text-and taint-analysis, and so forth [29]. However, despite using features oriented to ransomware detection, the final label provided for each analyzed sample by the released system is only malicious or benign, with no clear decision on the sample being ransomware or not.…”

Section: Related Workmentioning

confidence: 99%

“…Year Static Dynamic Machine-Learning Available Chen et al (RansomProber) [9] 2018 Cimitille et al (Talos) [11] 2017 Gharib et al (Dna-Droid) [15] 2017 Song et al [24] 2016 Zheng et al (GreatEatlon) [29] 2016 Yang et al [27] 2015 Andronio et al (HelDroid) [3] 2015 from API-calls, permissions and behavioral features [10]. Finally, Ahmadi et al proposed IntelliAV, a generic malware-oriented detector that is publicly available.…”

Section: Workmentioning

confidence: 99%

See 1 more Smart Citation

On the effectiveness of system API-related information for Android ransomware detection

Scalas

Maiorca

Mercaldo

et al. 2019

Computers & Security

View full text Add to dashboard Cite

Ransomware constitutes a significant threat to the Android operating system. It can either lock or encrypt the target devices, and victims are forced to pay ransoms to restore their data. Hence, the prompt detection of such attacks has a priority in comparison to other malicious threats. Previous works on Android malware detection mainly focused on Machine Learning-oriented approaches that were tailored to identifying malware families, without a clear focus on ransomware. More specifically, such approaches resorted to complex information types such as permissions, userimplemented API calls, and native calls. However, this led to significant drawbacks concerning complexity, resilience against obfuscation, and explainability. In this paper, we propose a different, static approach to accurately detect Android ransomware, which is independent of user-defined information and that leverages the fact that ransomware attacks heavily resort to System API to perform their actions. More specifically, by only using System API-based information, it is possible to detect ransomware accurately and to distinguish it from generic malware and goodware. To this end, we proposed and tested three different ways of employing System API by using packages, classes, and methods, and we compared their performances to other, more complex state-of-the-art approaches. The attained results showed that systems based on System API could detect ransomware and generic malware with very good accuracy, comparable to systems that employed more complex information. Moreover, the proposed systems could accurately detect novel samples in the wild and showed resilience against static obfuscation attempts. Finally, to guarantee early on-device detection, we developed and released on the Android platform a complete ransomware and malware detector that employed one of the methodologies proposed in this paper.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Workmentioning

confidence: 99%

On the effectiveness of system API-related information for Android ransomware detection

Scalas

Maiorca

Mercaldo

et al. 2019

Computers & Security

View full text Add to dashboard Cite

show abstract

“…Zheng et al [27] proposed a preventive countermeasure ransomware detection system called GreatEatlon. GreatEatlon is like an extension from HelDroid [23] with a concentration in crypto ransomware.…”

Section: Related Workmentioning

confidence: 99%

“…Static analysis was also used to overcome the dynamic analysis issue that many malicious apps are aware of the emulated surroundings and therefore could decide to not exhibit malicious behaviors. Invoking API methods, for example, lockNow() and onDisable() can also be considered as suspicious behavior [23,27]. Other authors [24] tracked the occurrences of inbuilt API packages and accordingly predicted the maliciousness of application.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Ransomware Detection System for Android Applications

Alsoghyer

Almomani

2019

Electronics

View full text Add to dashboard Cite

Android ransomware is one of the most threatening attacks nowadays. Ransomware in general encrypts or locks the files on the victim's device and requests a payment in order to recover them. The available technologies are not enough as new ransomwares employ a combination of techniques to evade anti-virus detection. Moreover, the literature counts only a few studies that have proposed static and/or dynamic approaches to detect Android ransomware in particular. Additionally, there are plenty of open-source malware datasets; however, the research community is still lacking ransomware datasets. In this paper, the state-of-the-art of Android ransomware detection approaches were investigated. A deep comparative analysis was conducted which shed the key differences among the existing solutions. An application programming interface (API)-based ransomware detection system (API-RDS) was proposed to provide a static analysis paradigm for detecting Android ransomware apps. API-RDS focuses on examining API packages' calls as leading indicator of ransomware activity to discriminate ransomware with high accuracy before it harms the user's device. API packages' calls of both benign and ransomware apps were thoroughly analyzed and compared. Significant API packages with corresponding methods were identified. The experimental results show that API-RDS outperformed other recent related approaches. API-RDS achieved 97% accuracy while reducing the complexity of the classification model by 26% due to features reduction. Moreover, this research designed a proactive mechanism based on a high quality unique ransomware dataset without duplicated samples. 2959 ransomware samples were collected, tested and reduced by almost 83% due to samples duplication. This research also contributes to constructing an up-to-date, unique dataset that covers the majority of existing Android ransomware families and recent clean apps that could be used as a labeled reference for research community.

show abstract

A survey on analysis and detection of Android ransomware

Sharma

Kumar

Krishna

2021

Concurrency and Computation

View full text Add to dashboard Cite

Smart-phones have become a necessity for users due to their abundance of services such as global positioning system, Wi-Fi, voice/video calls, SMS, camera, and so forth.It contains personal information of users including photos, documents, messages, and videos. Android-based smart-phones enriched with many applications (commonly known as apps) fascinates users to use this ubiquitous technology up to a full extent.With open architecture and 73% of market share, Android is the most popular mobile operating system (OS) among developers. At the same time, the increasing popularity of Android OS woos attackers or cyber-criminals to exploit its vulnerabilities. The attackers write malicious code to harm the device and grab users' sensitive information. For example, ransomware (a form of malware) demands ransom from victims to liberate the ceased material for illegal financial gain. The existing survey papers cover the analysis and detection of generic Android malware. The focus of this survey paper is to present an in-depth threat scenario of Android ransomware. This article not only provides a comprehensive survey on analysis and detection methods for Android ransomware since its beginning (2015) till date (2020); but also presents observations and suggestions for researchers and practitioners to carry out further research.

show abstract

GreatEatlon: Fast, Static Detection of Mobile Ransomware

Cited by 20 publications

References 15 publications

On the effectiveness of system API-related information for Android ransomware detection

On the effectiveness of system API-related information for Android ransomware detection

Ransomware Detection System for Android Applications

A survey on analysis and detection of Android ransomware

Contact Info

Product

Resources

About