TY - JOUR
T1 - Uncovering the Face of Android Ransomware
T2 - Characterization and Real-Time Detection
AU - Chen, Jing
AU - Wang, Chiheng
AU - Zhao, Ziming
AU - Chen, Kai
AU - Du, Ruiying
AU - Ahn, Gail-Joon
N1 - Funding Information:
Manuscript received May 21, 2017; revised October 17, 2017 and December 7, 2017; accepted December 8, 2017. Date of publication December 28, 2017; date of current version January 30, 2018. This work was supported in part by the National Natural Science Foundation of China under Grant 61572380, Grant 61772383, Grant 61702379, Grant U1536106, Grant 61728209, and Grant 61628202, in part by the National Key Research and Development Program of China under Grant 2016QY04W0805, in part by the National Program on Key Basic Research Project under Grant 2014CB340600, in part by the National Top-Notch Youth Talents Program of China, in part by the Youth Innovation Promotion Association CAS, in part by the Beijing Nova Program, and in part by the Center for Cybersecurity and Digital Forensics at Arizona State University and the Institute for Information & Communications Technology Promotion (IITP) under Grant MSIT-2017-0-00168. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. David Starobinski. (Corresponding author: Chiheng Wang.) J. Chen is with the Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Computer School, Wuhan University, Wuhan 430072, China, and also with the Science and Technology on Communication Security Laboratory, Chengdu 610041, China (e-mail: chenjing@whu.edu.cn).
Publisher Copyright:
© 2005-2012 IEEE.
PY - 2018/5
Y1 - 2018/5
N2 - In recent years, we witnessed a drastic increase of ransomware, especially on popular mobile platforms including Android. Ransomware extorts victims for a sum of money by taking control of their devices or files. In light of their rapid growth, there is a pressing need to develop effective countermeasure solutions. However, the research community is still constrained by the lack of a comprehensive data set, and there exists no insightful understanding of mobile ransomware in the wild. In this paper, we focus on the Android platform and aim to characterize existing Android ransomware. Specifically, we have managed to collect 2,721 ransomware samples that cover the majority of existing Android ransomware families. Based on these samples, we systematically characterize them from several aspects, including timeline and malicious features. In addition, the detection results of existing anti-virus tools are rather disappointing, which clearly calls for customized anti-mobile-ransomware solutions. To detect ransomware that extorts users by encrypting data, we propose a novel real-time detection system, called RansomProber. By analyzing the user interface widgets of related activities and the coordinates of users' finger movements, RansomProber can infer whether the file encryption operations are initiated by users. The experimental results show that RansomProber can effectively detect encrypting ransomware with high accuracy and acceptable runtime performance.
KW - Android
KW - Ransomware
KW - real-time detection
KW - user interface (UI) indicator
UR - http://www.scopus.com/inward/record.url?scp=85040065978&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85040065978&partnerID=8YFLogxK
U2 - 10.1109/TIFS.2017.2787905
DO - 10.1109/TIFS.2017.2787905
M3 - Article
AN - SCOPUS:85040065978
VL - 13
SP - 1286
EP - 1300
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
SN - 1556-6013
IS - 5
M1 - 8241433
ER -