Abstract

In recent years, we witnessed a drastic increase of ransomware, especially on popular mobile platforms including Android. Ransomware extorts victims for a sum of money by taking control of their devices or files. In light of their rapid growth, there is a pressing need to develop effective countermeasure solutions. However, the research community is still constrained by the lack of a comprehensive dataset, and there exists no insightful understanding of mobile ransomware in the wild. In this paper, we focus on the Android platform and aim to characterize existing Android ransomware. Specifically, we have managed to collect 2,721 ransomware samples that cover the majority of existing Android ransomware families. Based on these samples, we systematically characterize them from several aspects, including timeline and malicious features. In addition, the detection results of existing anti-virus tools are rather disappointing, which clearly calls for customized anti-mobile-ransomware solutions. To detect ransomware that extorts users by encrypting data, we propose a novel real-time detection system, called RansomProber. By analyzing the UI widgets of related activities and the coordinates of users’ finger movements, RansomProber can infer whether the file encryption operations are initiated by users. The experimental results show that RansomProber can effectively detect encrypting ransomware with high accuracy and acceptable runtime performance.

Original language: English (US)
Journal: IEEE Transactions on Information Forensics and Security
DOI: 10.1109/TIFS.2017.2787905
State: Accepted/In press - Dec 27 2017

Fingerprint

Malware
Viruses
Cryptography

Keywords

  • Android
  • Ransomware
  • Real-time Detection
  • UI Indicator

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

Cite this

Uncovering the Face of Android Ransomware: Characterization and Real-time Detection. / Chen, Jing; Wang, Chiheng; Zhao, Ziming; Chen, Kai; Du, Ruiying; Ahn, Gail-Joon.

In: IEEE Transactions on Information Forensics and Security, 27.12.2017.

Research output: Contribution to journal, Article

@article{dc10383b206642c78bdae964d6cb1bd7,
title = "Uncovering the Face of Android Ransomware: Characterization and Real-time Detection",
keywords = "Android, Ransomware, Real-time Detection, UI Indicator",
author = "Jing Chen and Chiheng Wang and Ziming Zhao and Kai Chen and Ruiying Du and Gail-Joon Ahn",
year = "2017",
month = "12",
day = "27",
doi = "10.1109/TIFS.2017.2787905",
language = "English (US)",
journal = "IEEE Transactions on Information Forensics and Security",
issn = "1556-6013",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - Uncovering the Face of Android Ransomware

T2 - Characterization and Real-time Detection

AU - Chen, Jing

AU - Wang, Chiheng

AU - Zhao, Ziming

AU - Chen, Kai

AU - Du, Ruiying

AU - Ahn, Gail-Joon

PY - 2017/12/27

Y1 - 2017/12/27

KW - Android

KW - Ransomware

KW - Real-time Detection

KW - UI Indicator

UR - http://www.scopus.com/inward/record.url?scp=85040065978&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85040065978&partnerID=8YFLogxK

U2 - 10.1109/TIFS.2017.2787905

DO - 10.1109/TIFS.2017.2787905

M3 - Article

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

SN - 1556-6013

ER -