
GreatEatlon: Fast, Static Detection of Mobile Ransomware

Conference paper, in: Security and Privacy in Communication Networks (SecureComm 2016)

Abstract

Ransomware is a class of malware that aims at preventing victims from accessing valuable data, typically via data encryption or device locking, and asks for a payment to release the target. In the past year, instances of ransomware attacks have been spotted on mobile devices too. However, despite their relatively low infection rate, we noticed that the techniques used by mobile ransomware are quite sophisticated, and different from those used by ransomware against traditional computers.

Through an in-depth analysis of about 100 samples of currently active ransomware apps, we concluded that most of them pass undetected by state-of-the-art tools, which are unable to recognize the abuse of benign features for malicious purposes. The main reason is that such tools rely on an inadequate and incomplete set of features. The most notable examples are the abuse of reflection and device-administration APIs, which appear in modern ransomware to evade analysis and detection, and to elevate privileges (e.g., to lock or wipe the device). Moreover, current solutions introduce several false positives through the naïve way they detect cryptographic-API abuse, flagging goodware apps as ransomware merely because they rely on cryptographic libraries. Last but not least, the performance overhead of current approaches is unacceptable for appstore-scale workloads.

In this work, we tackle the aforementioned limitations and propose GreatEatlon, a next-generation mobile ransomware detector. We foresee GreatEatlon deployed on the appstore side, as a preventive countermeasure. At its core, GreatEatlon uses static program-analysis techniques to “resolve” reflection-based anti-analysis attempts, to recognize abuses of the device administration API, and to extract the accurate data-flow information required to detect truly malicious uses of cryptographic APIs. Given the significant resources utilized by GreatEatlon, we prepend to its core a fast pre-filter that quickly discards obvious goodware, in order to avoid wasting computer cycles.

We tested GreatEatlon on thousands of samples of goodware, generic malware and ransomware applications, and showed that it surpasses current approaches both in speed and detection capabilities, while keeping the false negative rate below \(1.3\%\).
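As an added illustration (not the paper's code, which this page does not show), the following Python toy models the three checks the abstract names: resolving string-driven reflection to its real call target, a data-flow condition that flags crypto use only when file contents are encrypted and written back, and a cheap pre-filter that discards apps showing none of the relevant indicators. The instruction-tuple representation, the manifest dict and the three sample apps are constructed assumptions, not real decompiled code.

```python
# Toy model, not GreatEatlon's code: app = manifest dict + list of (op, dst_reg, api_or_literal, src_regs).
ADMIN_APIS = {"android.app.admin.DevicePolicyManager." + m for m in ("lockNow", "wipeData")}
BIND_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
REFLECT, CIPHER = "java.lang.reflect.Method.invoke", "javax.crypto.Cipher.doFinal"
FREAD, FWRITE = "java.io.FileInputStream.read", "java.io.FileOutputStream.write"

def resolve_reflection(instrs):
    # Constant-propagate strings through Class.forName/getMethod, turning Method.invoke into a direct call.
    strings, classes, methods, out = {}, {}, {}, []
    for op, dst, api, srcs in instrs:
        if op == "const-string":
            strings[dst] = api                      # third field holds the literal
        elif api == "java.lang.Class.forName":
            classes[dst] = strings.get(srcs[0], "?")
        elif api == "java.lang.Class.getMethod":
            methods[dst] = classes.get(srcs[0], "?") + "." + strings.get(srcs[1], "?")
        elif api == REFLECT and srcs and srcs[0] in methods:
            api, srcs = methods[srcs[0]], srcs[1:]
        out.append((op, dst, api, srcs))
    return out

def crypto_flow_to_storage(instrs):
    # Flag only when file data reaches Cipher.doFinal AND the ciphertext is written to a file.
    from_file, encrypted = set(), set()
    for _, dst, api, srcs in instrs:
        if api == FREAD:
            from_file.add(dst)
        elif api == CIPHER and any(r in from_file for r in srcs):
            encrypted.add(dst)
        elif api == FWRITE and any(r in encrypted for r in srcs):
            return True
    return False

def classify(manifest, instrs):
    apis, admin = {i[2] for i in instrs}, BIND_ADMIN in manifest["permissions"]
    if not (admin or REFLECT in apis or CIPHER in apis):
        return "goodware (pre-filter)"              # cheap pass; core analysis skipped
    resolved = resolve_reflection(instrs)
    if (admin and any(i[2] in ADMIN_APIS for i in resolved)) or crypto_flow_to_storage(resolved):
        return "ransomware"
    return "goodware"

LOCKER = ({"permissions": [BIND_ADMIN]}, [       # constructed: lockNow hidden behind reflection
    ("const-string", "v0", "android.app.admin.DevicePolicyManager", []),
    ("const-string", "v1", "lockNow", []), ("call", "v2", "java.lang.Class.forName", ["v0"]),
    ("call", "v3", "java.lang.Class.getMethod", ["v2", "v1"]), ("call", None, REFLECT, ["v3", "v4"])])
ENCRYPTOR = ({"permissions": []}, [("call", "v0", FREAD, []), ("call", "v1", CIPHER, ["v0"]),
             ("call", None, FWRITE, ["v1"])])    # constructed: file -> Cipher -> file
NET_APP = ({"permissions": []}, [("call", "v0", "java.net.Socket.read", []), ("call", "v1", CIPHER, ["v0"]),
           ("call", None, "java.net.Socket.write", ["v1"])])   # constructed: encrypts socket data only
```

The NET_APP case is the abstract's false-positive scenario: it calls the cipher API but never encrypts file contents, so it is not flagged.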


Notes

  1. http://ransom.mobi/scans.


Author information

Corresponding author: Chengyu Zheng.


Copyright information

© 2017 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Zheng, C., Dellarocca, N., Andronio, N., Zanero, S., Maggi, F. (2017). GreatEatlon: Fast, Static Detection of Mobile Ransomware. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2016. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 198. Springer, Cham. https://doi.org/10.1007/978-3-319-59608-2_34

  • DOI: https://doi.org/10.1007/978-3-319-59608-2_34
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-59607-5
  • Online ISBN: 978-3-319-59608-2
