KRDroid: Ransomware-Oriented Detector for Mobile Devices Based on Behaviors

Senmiao Wang; Sujuan Qin; Jiawei Qin; Hua Zhang; Tengfei Tu; Zhengping Jin; Jing Guo

doi:10.3390/app11146557

Applied Sciences (Jul 2021)

KRDroid: Ransomware-Oriented Detector for Mobile Devices Based on Behaviors

Senmiao Wang,
Sujuan Qin,
Jiawei Qin,
Hua Zhang,
Tengfei Tu,
Zhengping Jin,
Jing Guo

Affiliations

Senmiao Wang: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
Sujuan Qin: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
Jiawei Qin: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
Hua Zhang: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
Tengfei Tu: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
Zhengping Jin: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
Jing Guo: National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), Beijing 100029, China

DOI: https://doi.org/10.3390/app11146557
Journal volume & issue: Vol. 11, no. 14
p. 6557

Abstract

Read online

Ransomware has become a serious threat on Android and new cases of ransomware are continuously growing. Most existing ransomware detectors use sensitive text or APIs to detect ransomware. Some goodware applications with the functionalities of locking screen and encrypting files have similar behaviors with ransomware. It is difficult for ransomware detectors to identity them. In this paper, we made detailed analyses of three kinds of active ransomware. We proposed a behavior-based ransomware detector on Android, called KRDroid. KRDroid deploys on servers or PCs, that is, ransomware cannot be activated and cause any loss during testing. Experiments showed that our ransomware-oriented detector can find 1809 of 1862 unseen ransomware. It can also distinguish goodware with similar ransom behaviors to ransomware with an accuracy of 97.5%.

Published in Applied Sciences

ISSN: 2076-3417 (Online)
Publisher: MDPI AG
Country of publisher: Switzerland
LCC subjects: Technology: Engineering (General). Civil engineering (General); Science: Biology (General); Science: Physics; Science: Chemistry
Website: http://www.mdpi.com/journal/applsci

About the journal

Abstract

Keywords