Abstract
Android ransomware is one of the most threatening attacks that is increasing at an alarming rate. Ransomware attacks usually target Android users by either locking their devices or encrypting their data files and then requesting them to pay money to unlock the devices or recover the files back. Existing solutions for detecting ransomware mainly use static analysis. However, limited approaches apply dynamic analysis specifically for ransomware detection. Furthermore, the performance of these approaches is either poor or often fails in the presence of code obfuscation techniques or benign applications that use cryptography methods for their APIs usage. Additionally, most of them are unable to detect ransomware attacks at early stages. Therefore, this paper proposes a hybrid detection system that effectively utilizes both static and dynamic analyses to detect ransomware with high accuracy. For the static analysis, the proposed hybrid system considered more than 70 state-of-the-art antivirus engines. For the dynamic analysis, this research explored the existing dynamic tools and conducted an in-depth comparative study to find the proper tool to integrate it in detecting ransomware whenever needed. To evaluate the performance of the proposed hybrid system, we analyzed statically and dynamically over one hundred ransomware samples. These samples originated from 10 different ransomware families. The experiments’ results revealed that static analysis achieved almost half of the detection accuracy—ranging around 40–55%, compared to the dynamic analysis, which reached a 100% accuracy rate. Moreover, this research reports some of the high API classes, methods, and permissions used in these ransomware apps. Finally, some case studies are highlighted, including failed running apps and crypto-ransomware patterns.
Highlights
For the past few years, the vast demand to obtain mobile devices has peaked
In order to analyze how the experiment proceeded, we used the information recorded from the static analysis to calculate the detection accuracy of all the ransomware samples generated from VirusTotal
The results are presented for each sample during the static analysis; it can be noticed that sample 58 achieved the highest accuracy of detection with
Summary
For the past few years, the vast demand to obtain mobile devices has peaked. As of January 2020, more than 5.94 billion people used mobile phones worldwide (https://datareportal.com/reports/digital-2020-global-digital-overview, accessed on 28 September 2021 ), with the Android operating system (OS) taking more than 73% of the market share [1]. Part of the massive popularity of Android is its ease of use and open nature. Such characteristics have attracted many companies and developers to invest in the development of Android applications. Allowing users to have full control over verifying the application’s integrity makes it easy for cybercriminals to shift their attention toward the Android application market [2]. Attackers develop malicious software (malware), a type of mobile application used to infect a legitimate user’s device. This malware can inflict harm on the user’s device in multiple ways, such as risking and damaging the confidentiality, integrity, and availability of the target’s data or the device itself [3]
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
