1. Introduction
With the unprecedented outbreak of different kinds of ransomware in recent years, devices and files from all walks of life have been locked, causing economic losses to both individuals and enterprises. Ransomware has kept growing since 2017 and has become a key threat to mobile devices [1]. According to the statistics, at least 300,000 users in more than 150 countries were attacked by WannaCry (a kind of ransomware), causing economic losses as high as USD 8,000,000,000. According to a new report released by Precise Security, WannaCry remained one of the most influential ransomware families in 2019. In 2019, a new kind of ransomware, Silex, was found by researchers. The spread of these types of ransomware is rapid: Silex first affected 350 devices and then quickly expanded to more than 1500 devices. According to statistics released by Coveware, the ransom payment demanded in the second quarter of 2020 was four times higher than in 2019 [2].
It is reported that the number of mobile devices based on the Android platform has sharply increased [3,4,5,6]. It is worth noting that the number of Android devices was expected to reach approximately 6.1 billion by the end of 2020 [6,7,8,9]. At present, ransomware running on Android is still a threat to mobile devices. In this work, we mainly focus on detecting ransomware for mobile devices based on the Android platform.
Ransomware detection on Windows is relatively well established. For instance, 2entFOX can detect highly survivable ransomware with high detection accuracy and a low false-positive rate [10]. UNVEIL monitors the filesystem and uses OCR to detect both device-locking and file-encrypting ransomware [11]. ShieldFS [12] and reference [13] identify ransomware from I/O request packets. EldeRan uses dynamic analysis to distinguish ransomware from goodware [14]. Some works [15,16,17,18] focus on detecting encrypting ransomware by using traffic characteristics or sensitive APIs.
The methods of detecting ransomware on other platforms cannot be directly applied to Android. On the one hand, detectors [15,16,17,18] use network traffic to identify ransomware, which means the detected ransomware must have network access, while most ransomware on Android can ransom without network access. On the other hand, Android has its own security mechanism, meaning that there are many different files and features that can be used for Android ransomware detection.
For Android, ransomware-oriented detection is still incomplete. In 2016, N. Andronio et al. [19] first proposed a ransomware detector based on machine learning. To the best of our knowledge, HelDroid [19] and GreatEatlon [20] are the earliest ransomware-oriented detectors based on static analysis with machine learning. They detect ransomware with threatening-text detectors, lock detectors, and encryption detectors. If the ransomware uses an unseen language, the text detector may cause many misjudgments. The execution time is on the order of seconds per sample on average [19]. There are also detectors that use dynamic analysis to identify ransomware. DNA-Droid [21] combines static and dynamic analysis to detect ransomware. R-PackDroid [22] is a practical on-device detector of Android ransomware. Azmoodeh et al. [23] focus on file-encrypting ransomware in IoT and detect it by using energy consumption. If users need to detect large-scale samples with detectors that rely on dynamic analysis, it may be time consuming.
Many ransomware detectors identify ransomware based on sensitive APIs. However, some ransomware uses insensitive API calls to ransom. For example, a ransomware application can keep its own interface on top of the screen even though the user presses the Home or Back button, without calling any lock API, and detectors may misjudge this as goodware behavior. Conversely, some goodware applications that lock devices or encrypt files behave similarly to ransomware; for example, some time management applications lock the device according to the time the user has set. It is difficult for ransomware detectors to identify them correctly.
Contributions. In light of this, we made detailed analyses of three kinds of active ransomware, including their different runtime behaviors, their ransom code, and the differences between ransomware and goodware with similar behaviors, for example, screen beautification applications with a lock function and file management applications with an encryption function. Then, we constructed multidimensional behavior patterns based on ransom behaviors. Finally, we proposed a behavior-based Android ransomware detector for mobile devices, called KRDroid, which retains the relational behavior patterns of ransomware. The main contributions of this paper are as follows.
The analyses of three kinds of active ransomware. We collected three kinds of active Android ransomware from VirusTotal [24], AMD [25], and open source databases [26]. According to their runtime behaviors, we sorted the ransomware into three groups: device lock ransomware, file encryption ransomware, and screen resource control ransomware. We analyzed their extortion behaviors and source code from multiple dimensions.
The construction of a multidimensional feature set based on ransomware behavior patterns. We extracted features from API calls, permissions, intents, and other dimensions to construct different kinds of ransom behavior patterns. In this way, the feature set can be seen as a formal expression set that retains the relational behaviors of ransomware.
A behavior-based ransomware-oriented detector. We proposed a behavior-based ransomware-oriented detector, KRDroid, to find Android ransomware. KRDroid is deployed on servers or PCs, so the ransomware cannot be activated and cannot cause any loss during testing. Experimental results show that KRDroid can detect unseen ransomware with an accuracy of 97.5%.
4. A Ransomware-Oriented Detector
In this section, we introduce a multidimensional, ransomware-oriented detection approach for mobile devices based on ransomware behavior patterns. It uses static analysis to analyze the decompiled code and extract features based on behavior patterns; it represents the feature information of each sample as a vector of binary and value features and uses XGBoost to classify the samples.
4.1. Workflow
The detailed workflow of the ransomware-oriented detector is shown in Figure 4. When an application needs to be tested, AndroidManifest.xml and classes.dex are first extracted from the APK file. Second, Androguard [34], a static analysis tool, is used to extract features. Then, the features are divided into two parts: for features whose frequency does not need to be counted, a binary indicator records only whether the feature is present or absent; for the remaining features, the count is kept as a value. Next, all the features are combined to form the feature vector, and XGBoost is used to classify it. Lastly, the detector outputs the detection result.
4.2. Feature Extraction
With the help of Androguard [34], a tool that can read the binary format of Android XML files (AXML) and decompile DEX files [35], we extracted features from AndroidManifest.xml and classes.dex. The feature set consists of a sensitive strings set and an other features set.
Sensitive Strings Set. The sensitive strings mentioned in this paper mean constant strings declared in the Dalvik bytecode. In order to better distinguish ransomware from other applications, we segmented the constant strings based on the word segmentation method in NLP. As shown in Algorithm 1, the steps of building sensitive strings set are as follows.
(1) Segmentation. We used special characters such as " " as the baseline for segmentation, which yields one text set for ransomware and one text set for other applications.
(2) Deletion. We removed meaningless words from both text sets. The meaningless words include stop words (such as a) and some obviously common words, yielding the ransom text set after deletion and the other text set after deletion.
(3) Keywords Extraction. We used tf-idf to calculate the weight of each word in the two text sets. The resulting weight indicates whether the word discriminates between ransomware and other applications, and it is expressed as in formula (14). The terms of formula (14) are: the number of times the word t appears in the ransom text set and in the other text set; the total number of words in both sets; the number of ransomware applications; the number of other applications; and the number of applications containing the word t.
Algorithm 1 The algorithm of building sensitive strings set
Input: apks, label
Output: S
for ... do
    ...
    if ... then
        ...
    end if
end for
return S
Other Features Set. The algorithm for building the other features set is shown in Algorithm 2. The other features set is represented as the set F. As shown in formula (15), F contains permissions, intents, API calls, and sensitive strings. Permissions are part of the Android security model: a permission must be declared before the corresponding sensitive API can be called. Intents are the runtime binding mechanism of Android and are responsible for communication between components. Sensitive strings are the ransom-related strings obtained with tf-idf as described above.
Algorithm 2 The algorithm of building feature set
Input: apks
Output: F
for ... do
    ...
    if ... then
        ...
    else
        ...
    end if
end for
return F
As shown in formulas (16) and (17), the API calls and permissions used as features are subsets of the universal sets of Android API calls and permissions, respectively. API calls provide certain functions for developers to access a set of routines on Android; developers can use different API call sequences to implement different functions.
4.3. Classification
In this paper, we transform the extracted features into vectors. As shown in formulas (18) and (19), the vector set contains a value vector set and a binary vector set. In the value vector set, each dimension of the vector is a float. In the binary vector set, each dimension of the vector is an int: if the corresponding feature exists in the application, no matter how many times it appears, the dimension is set to the value denoting presence; otherwise, it is set to the value denoting absence.
Next, we combined the two groups of features into a single vector representing the application. Then, we used XGBoost, a supervised approach, to train the ransomware-oriented detector. We randomly divided the ransomware and goodware applications into two parts, using 80 percent of them for training and 20 percent for testing.
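The following Python example is added here as an illustration and is not part of KRDroid or the paper. It shows how the two feature groups of Sections 4.2 and 4.3 can be built from already-extracted APK information: constant strings are segmented and filtered as in steps (1) and (2), a supervised tf-idf-style weight selects the sensitive strings set S, and each application is then encoded as binary presence features for permissions, intents, sensitive strings and API calls plus float frequency features for API calls. The scoring function is one plausible combination of the quantities Section 4.2 lists and is not the paper's formula (14); the six sample applications with their permissions, intents, API names and strings are constructed for the example, where real input would come from Androguard.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed stand-ins for what Androguard extracts from AndroidManifest.xml
# (permissions, intents) and classes.dex (API calls, constant strings). All
# values below are invented for this example.
LOCK_API = "Landroid/app/admin/DevicePolicyManager;->lockNow"
OVERLAY_API = "Landroid/view/WindowManager;->addView"
CIPHER_API = "Ljavax/crypto/Cipher;->doFinal"
RANSOM_APPS = [
    {"permissions": {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.RECEIVE_BOOT_COMPLETED"},
     "intents": {"android.intent.action.BOOT_COMPLETED"},
     "apis": [LOCK_API, LOCK_API, OVERLAY_API],  # device lock ransomware
     "strings": ["Your device has been locked!", "Pay $200 to unlock", "Pay to unlock code"]},
    {"permissions": {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.RECEIVE_BOOT_COMPLETED"},
     "intents": {"android.intent.action.BOOT_COMPLETED"},
     "apis": [OVERLAY_API, OVERLAY_API, "Landroid/os/Vibrator;->vibrate"],  # screen resource control, no lock API
     "strings": ["Device locked by police", "Pay the fine to unlock your phone", "lock_screen"]},
    {"permissions": {"android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.INTERNET"},
     "intents": {"android.intent.action.MAIN"},
     "apis": [CIPHER_API, CIPHER_API, "Ljava/io/File;->delete", "Ljava/io/File;->listFiles"],  # file encryption
     "strings": ["All your files are encrypted", "Pay 0.5 BTC to decrypt", "encrypt_files"]},
]
OTHER_APPS = [
    {"permissions": {"android.permission.WAKE_LOCK"}, "intents": {"android.intent.action.MAIN"},
     "apis": [LOCK_API, "Landroid/os/CountDownTimer;->start"],  # goodware timer that really locks the device
     "strings": ["Set a timer to lock the screen", "Settings", "OK"]},
    {"permissions": {"android.permission.WRITE_EXTERNAL_STORAGE"}, "intents": {"android.intent.action.MAIN"},
     "apis": [CIPHER_API, "Ljava/io/File;->listFiles"],  # goodware file manager with an encryption function
     "strings": ["Encrypt selected files", "Settings", "Open folder"]},
    {"permissions": {"android.permission.SEND_SMS"}, "intents": {"android.intent.action.MAIN"},
     "apis": ["Landroid/telephony/SmsManager;->sendTextMessage"],  # non-ransomware malware
     "strings": ["Send SMS to subscribe", "Premium service", "OK"]},
]
STOP_WORDS = {"a", "an", "the", "to", "of", "and", "is", "has", "have", "been", "your", "by", "all", "are", "in", "on"}


def segment(strings: List[str]) -> List[str]:
    """Steps (1) and (2): split constant strings on special characters, lower-case
    them, and drop stop words and pure numbers."""
    words = []
    for s in strings:
        for tok in re.findall(r"[A-Za-z0-9]+", s):
            tok = tok.lower()
            if not tok.isdigit() and tok not in STOP_WORDS:
                words.append(tok)
    return words


def keyword_scores(ransom_apps, other_apps) -> Dict[str, float]:
    """Step (3): weight each word by how strongly it points at ransomware.
    ASSUMED scoring built from the quantities Section 4.2 lists (term frequency over
    both sets, total words, number of ransomware and other apps, number of apps
    containing the word); it is not the paper's formula (14)."""
    r_docs = [segment(a["strings"]) for a in ransom_apps]
    o_docs = [segment(a["strings"]) for a in other_apps]
    tf, df_r, df_o = Counter(), Counter(), Counter()
    for doc in r_docs:
        tf.update(doc)
        df_r.update(set(doc))
    for doc in o_docs:
        tf.update(doc)
        df_o.update(set(doc))
    n_words, n_r, n_o = sum(tf.values()), len(r_docs), len(o_docs)
    scores = {}
    for t, count in tf.items():
        idf = math.log((n_r + n_o) / (df_r[t] + df_o[t]))  # rarer words weigh more
        disc = df_r[t] / n_r - df_o[t] / n_o                # > 0 means ransomware-leaning
        scores[t] = (count / n_words) * idf * disc
    return scores


def select_sensitive_strings(scores: Dict[str, float], k: int) -> List[str]:
    """Sensitive strings set S: the k highest ransomware-leaning words (ties alphabetical)."""
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [t for t, s in ranked[:k] if s > 0]


def build_feature_space(ransom_apps, other_apps, k: int) -> Dict[str, List[str]]:
    """Fix the vocabulary (permissions, intents, API calls and S) on the training apps."""
    apps = ransom_apps + other_apps
    return {"permissions": sorted({p for a in apps for p in a["permissions"]}),
            "intents": sorted({i for a in apps for i in a["intents"]}),
            "sensitive": select_sensitive_strings(keyword_scores(ransom_apps, other_apps), k),
            "apis": sorted({c for a in apps for c in a["apis"]})}


def vectorize(app, space) -> Dict[str, float]:
    """One row per application in a fixed column order. Binary features (1.0 if present
    at all, else 0.0) for permissions, intents, sensitive strings and API calls; float
    features for the relative frequency of each API call (the counted group)."""
    words = set(segment(app["strings"]))
    calls = Counter(app["apis"])
    total = sum(calls.values()) or 1
    row = {"perm:" + p: float(p in app["permissions"]) for p in space["permissions"]}
    row.update({"intent:" + i: float(i in app["intents"]) for i in space["intents"]})
    row.update({"str:" + w: float(w in words) for w in space["sensitive"]})
    row.update({"api:" + c: float(c in calls) for c in space["apis"]})
    row.update({"apifreq:" + c: calls[c] / total for c in space["apis"]})
    return row
```

On these constructed inputs the selected strings are pay, unlock, device and locked; lock, screen, encrypt and files score zero because they occur equally in ransomware and in the lock-timer and file-manager goodware. The lock-timer goodware and the first ransomware sample share the lockNow API feature, so only the string and permission dimensions separate them, which is the situation Section 1 describes. `list(vectorize(app, space).values())` is the row that would be fed to XGBoost.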
5. Evaluation
We conducted three experiments to evaluate the detection capability and efficiency of KRDroid. To test the detection performance of KRDroid, we first evaluated it on a dataset containing ransomware and other samples. Then, we compared its ransomware detection capability with HelDroid [19], a well-known ransomware detector, and R-PackDroid [22], an on-device ransomware detector.
5.1. Dataset
As shown in formula (20), the dataset used in our experiments consists of three subsets: a ransomware set, a malware set, and a goodware set.
The ransomware set contains 1862 different kinds of ransomware from the period 2014–2021 collected from references [24,25,26,36,37], including Koler, Locker, PronDroid, Simplocker, Svpeng, Congur, Fusob, Jisut, Pigetrl, Rkor, Piom, and other types of ransomware. As shown in Figure 5, it contains 425 ransomware applications from 2014–2015, 767 from 2015–2016, 240 from 2017–2018, and 430 of the latest ransomware applications from January to June 2021. We used the ransomware set to test the capability of KRDroid and to evaluate whether KRDroid can still identify unseen ransomware when facing the latest samples.
The malware set contains 1000 different kinds of malware (excluding ransomware), including Smsreg, a malware family that makes users register for premium services unknowingly; Windadware, an adware family that delivers adware to devices; Emial, a malware family that monitors SMS messages on devices; Agentspy, a malware family that steals private information from devices; DroidKungFu, a family of Trojans controlled by remote command and control (C&C) servers; and other types of malware. We used the malware set to evaluate whether KRDroid misjudges malware as ransomware.
The goodware set contains 1697 goodware applications, including screen beautification applications, file management applications, and other goodware applications. We used the goodware set to evaluate whether KRDroid misjudges goodware applications as ransomware or misjudges ransomware as goodware applications.
5.2. Evaluation Metrics
In order to better evaluate the experimental results, we calculated accuracy, precision, recall, F1-score, false-positive rate, and false-negative rate for the ransomware-oriented detector. As shown in formulas (21)–(26), accuracy is the number of correctly classified ransomware and other applications divided by the total number of classifications. Precision is the fraction of applications flagged as ransomware that really are ransomware. Recall is the fraction of ransomware that the detector flags, i.e., its sensitivity. F1-score combines precision and recall. The false-positive rate is the rate at which the detector misjudges negative samples as positive, and the false-negative rate is the rate at which it misjudges positive samples as negative. In formulas (21)–(26), the following are used:
(1) TP: the number of true positives, i.e., the application is ransomware and the detector classifies it correctly;
(2) FP: the number of false positives, i.e., the application is not ransomware but the detector classifies it as ransomware;
(3) FN: the number of false negatives, i.e., the application is ransomware but the detector classifies it as not ransomware;
(4) TN: the number of true negatives, i.e., the application is not ransomware and the detector classifies it correctly.
5.3. Experiments
In this work, we answer the following three questions to evaluate the detection performance of KRDroid. For each question, we first describe an experiment and give the corresponding results. Then, we provide a brief insight to summarize. The training dataset is the same for all experiments.
We used 1526 ransomware applications from the period 2014–2015 from reference [36], including Koler, Locker, PronDroid, Simplocker, Svpeng, and unlabeled ransomware applications, as positive samples to train KRDroid. We used 400 malware and 1200 goodware applications from the period 2014–2015 as negative samples; the issue for KRDroid is not only to distinguish ransomware from other malware but, above all, to distinguish ransomware from goodware applications.
In addition, before starting the experiments we compared the MD5 of each sample in the test dataset with the training dataset to make sure that all the samples in the test datasets of the following experiments differ from the samples used for training. Note that matching on MD5 only excludes byte-identical files; a repackaged or re-signed variant of a training sample still counts as unseen.
RQ1: What is the ransomware detection capability of KRDroid?
RQ2: Will KRDroid misjudge other malware applications as ransomware?
RQ3: Is the efficiency of KRDroid acceptable?
5.3.1. RQ1: What Is the Detection Capability of KRDroid?
In this experiment, we took the ransomware set and the goodware set as the test dataset. The test dataset contains 1862 ransomware and 1697 goodware applications from references [24,25,26,36,37,38]. In order to better evaluate the capability of KRDroid, we compared KRDroid with two ransomware-oriented detectors, HelDroid [36] and R-PackDroid [38]. HelDroid is a well-known ransomware-oriented detector, and we reproduced HelDroid from reference [36]. R-PackDroid is an on-device Android ransomware-oriented detector, and it can be downloaded from reference [38]. The detailed results of this experiment are shown in Table 6.
HelDroid correctly identified 1558 ransomware and 1397 goodware applications, for an accuracy of 83.03%. R-PackDroid correctly identified 1692 ransomware and 1613 goodware applications, for an accuracy of 92.86%. KRDroid correctly identified 1809 ransomware and 1655 goodware applications, for an accuracy of 97.33%. The precision, recall, and F1-score of KRDroid are also higher than those of the two other detectors.
We randomly sampled 46 of HelDroid's false negatives (ransomware it classified as goodware) and analyzed them further. After testing on a real device and decompiling the samples, we found that 28 of the 46 could not be detected because of unseen languages. Nine of the remaining samples could not be detected because the lock detection failed, even though their threatening text had already been flagged as sensitive; four of these nine belong to screen resource control ransomware, which, as mentioned before, does not need real lock APIs such as lockNow() to reach its goal. The last nine misjudged samples were not detected by HelDroid at all.
The goal of R-PackDroid is to use a compact set of information that is more than enough to detect a wide variety of samples [22]. When building the detector, it represents an application by its list of system API packages rather than by multidimensional, attack-pattern-based features. To some extent, this may cause misjudgments because of the lack of effective information.
In addition, as mentioned above, the ransomware in the ransomware set spans the period from 2014 to June 2021. KRDroid performed well on identifying unseen ransomware in this experiment, which means that KRDroid is still valid when facing the latest samples from 2021.
Insight. Due to the accurate characterization of ransomware applications and the comprehensive behavior-based features built from it, KRDroid can detect ransomware by analyzing the decompiled code. It detects ransomware by detecting ransom behaviors, so the natural language used in the ransom note does not need to be taken into consideration during detection.
KRDroid generalizes well. It can identify unseen ransomware similar to the training samples and can also identify unseen ransomware applications after they have evolved. To some extent, this also shows that our analysis of ransomware applications and the behavior-based feature extraction derived from it are valuable.
5.3.2. RQ2: Will KRDroid Misjudge Other Malware Applications as Ransomware?
Since a ransomware application is a kind of malware, we still need to test that the accuracy of KRDroid does not depend on the presence of other malware. We randomly sampled 1000 ransomware applications from the ransomware set and 1000 goodware applications from the goodware set; these samples were collected from references [24,26]. We used these samples together with the 1000 malware applications in the malware set as the test dataset for this experiment. As mentioned above, all the applications in the malware set are malware other than ransomware.
As shown in Figure 6, 981 samples were correctly identified as ransomware, and only 19 ransomware applications were misjudged as non-ransomware. 1986 samples were correctly identified as non-ransomware, and only 14 non-ransomware applications were misjudged as ransomware. Following the definitions in Section 5.2, this gives a false-negative rate of 19/1000 = 1.9% and a false-positive rate of 14/2000 = 0.7%.
Insight. KRDroid is a ransomware-oriented detector rather than a malware detector. It rarely misjudges other malware applications as ransomware, because other malware applications do not have typical ransom behaviors.
5.3.3. RQ3: Is the Efficiency of KRDroid Acceptable?
We measured the efficiency of KRDroid on 450 samples collected from VirusTotal [24]. Meanwhile, we used the same test dataset to test HelDroid. Because R-PackDroid is an on-device Android detector, we did not take it into consideration. We assessed the execution time of HelDroid and KRDroid by running them on six cores of a MacBook Pro laptop with an Intel Core i7 CPU 0.6 GHz processor.
The execution time of HelDroid was nearly 4 h 30 min, and the main bottleneck was the lock-strategy detection [19]. The average CPU usage of HelDroid was nearly 90%, and its memory usage was 18%. The execution time of KRDroid was nearly 5 s, with CPU usage of 1.6% and memory usage below 1%.
Insight. The efficiency of KRDroid is acceptable for detecting large-scale sets of applications. It can detect a large number of applications with few resources.
6. Limitations and Future Work
KRDroid is an Android ransomware-oriented detector that is deployed on servers or PCs. It detects ransomware applications based on behavior patterns with the help of static analysis. Although KRDroid can identify most ransomware applications in little time and with high accuracy, and can identify ransomware even after it has evolved, some ransomware applications may still be misjudged. These ransomware applications are implemented with the help of obfuscation, steganography, reflection, and app hardening (packing), as some goodware also is; these methods prevent the application from being completely decompiled, so KRDroid cannot obtain some of the core code of the ransomware. In the future, we will pay more attention to detecting ransomware protected by such methods with the help of dynamic analysis. In addition, our research focused only on ransomware applications on Android. In the future, we will also turn our attention to ransomware applications on other platforms.
In addition, how to stop or prevent ransomware on Android devices is essential for users. In our future work, we will pay attention to on-device ransomware detectors and real-time protection of files and devices against ransomware on Android devices.