HelDroid: Dissecting and Detecting Mobile Ransomware

  • Nicoló Andronio
  • Stefano Zanero
  • Federico MaggiEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9404)


In ransomware attacks, the actual target is the human, as opposed to the classic attacks that abuse the infected devices (e.g., botnet renting, information stealing). Mobile devices are by no means immune to ransomware attacks. However, there is little research work on this matter and only traditional protections are available. Even state-of-the-art mobile malware detection approaches are ineffective against ransomware apps because of the subtle attack scheme. As a consequence, the ample attack surface formed by the billion mobile devices is left unprotected.

First, in this work we summarize the results of our analysis of the existing mobile ransomware families, describing their common characteristics. Second, we present HelDroid, a fast, efficient and fully automated approach that recognizes known and unknown scareware and ransomware samples from goodware. Our approach is based on detecting the “building blocks” that are typically needed to implement a mobile ransomware application. Specifically, HelDroid detects, in a generic way, if an app is attempting to lock or encrypt the device without the user’s consent, and if ransom requests are displayed on the screen. Our technique works without requiring that a sample of a certain family is available beforehand.

We implemented HelDroid and tested it on real-world Android ransomware samples. On a large dataset comprising hundreds of thousands of APKs including goodware, malware, scareware, and ransomware, HelDroid exhibited nearly zero false positives and the capability of recognizing unknown ransomware samples.


Natural Language Processing Optical Character Recognition Cryptographic Primitive Immortal Activity Extract String 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We are thankful to the anonymous reviewers and our shepherd, Patrick Traynor, for the insightful comments, Steven Arzt, who helped us improving FlowDroid to track flows across threads, and Daniel Arp from the DREBIN project. This work has been supported by the MIUR FACE Project No. RBFR13AJFT.


  1. 1.
    Young, A., Yung, M.: Cryptovirology: extortion-based security threats and countermeasures. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 129–140, May 1996Google Scholar
  2. 2.
    McAfee Labs: Threats report, November 2014. McAfee Labs, November 2014Google Scholar
  3. 3.
  4. 4.
    Perlroth, N.: Android phones hit by ‘Ransomware’, August 2014.
  5. 5.
    Lab. Koler - the police ransomware for android, June 2014.
  6. 6.
    SurfRight. HitmanPro.kickstart, March 2014.
  7. 7.
    Avast Software. Avast ransomware removal, June 2014.
  8. 8.
    Arp, D., et al.: Drebin: effective and explainable detection of android malware in your pocket. In: Network and Distributed System Security (NDSS) Symposium, San Diego, California (2014)Google Scholar
  9. 9.
    Spagnuolo, M., Maggi, F., Zanero, S.: BitIodine: extracting intelligence from the bitcoin network. In: Financial Cryptography and Data Security, Barbados, 3 March 2014Google Scholar
  10. 10.
  11. 11.
    Chrysaidos, N.: Mobile crypto-ransomware simplocker now on steroids, February 2015.
  12. 12.
    Hamada, J.: Simplocker: first confirmed file-encrypting ransomware for android, June 2014.
  13. 13.
    Unuchek, R.: Latest version of svpeng targets users in US, June 2014.
  14. 14.
    Kelly, M.: US targeted by coercive mobile ransomware impersonating the FBI, July 2014.
  15. 15.
    Gröbert, F., Willems, C., Holz, T.: Automated identification of cryptographic primitives in binary programs. In: Recent Advances in Intrusion Detection, pp. 41–60 (2011)Google Scholar
  16. 16.
    Lestringant, P., Guihéry, F., Fouque, P.-A.: Automated identification of cryptographic primitives in binary code with data flow graph isomorphism. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, pp. 203–214, New York, NY, USA (2015)Google Scholar
  17. 17.
    Aggarwal, C.C., Zhai, C.: A survey of text classification algorithms. In: Aggarwal, C.C., Zhai, C. (eds.) Mining Text Data, pp. 163–222. Springer, US (2012)CrossRefGoogle Scholar
  18. 18.
    The snowball language.
  19. 19.
    Shuyo, N.: Language detection library for java (2010).
  20. 20.
    van der Veen, V., Bos, H., Rossow, C.: Dynamic analysis of android malware. VU University Amsterdam, August 2013.
  21. 21.
    Hoffmann, J., et al.: Slicing droids: program slicing for smali code. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing, pp. 1844–1851, New York, NY, USA (2013)Google Scholar
  22. 22.
    Arzt, S., et al.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 259–269, New York, NY, USA (2014)Google Scholar
  23. 23.
    Lindorfer, M., Volanis, S., Sisto, A., Neugschwandtner, M., Athanasopoulos, E., Maggi, F., Platzer, C., Zanero, S., Ioannidis, S.: AndRadar: fast discovery of android applications in alternative markets. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 51–71. Springer, Heidelberg (2014) Google Scholar
  24. 24.
    Maggi, F., Valdi, A., Zanero, S.: AndroTotal: a flexible, scalable toolbox and service for testing mobile malware detectors. In: Proceedings of the Third ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 49–54, New York, NY, USA (2013)Google Scholar
  25. 25.
    Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: Proceedings of the 33rd IEEE Symposium on Security and Privacy, San Francisco, CA, May 2012.
  26. 26.
    Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Saxena, P.: BitBlaze: a new approach to computer security via binary analysis. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 1–25. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  27. 27.
    Schwartz, E.J., et al.: Native x86 decompilation using semantics-preserving structural analysis and iterative control-flow structuring. In: USENIX security (2013)Google Scholar
  28. 28.
    Slowinska, A., Stancescu, T., Bos, H.: Howard: a dynamic excavator for reverse engineering data structures. In: Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA (2011)Google Scholar
  29. 29.
    Manning, C.D., et al.: The stanford Core NLP natural language processing toolkit. In: Proceedings of 52nd Annual Meeting of the Association for Computational Linguistics: System Demonstrations, pp. 55–60 (2014).
  30. 30.
    Poeplau, S., et al.: Execute this! analyzing unsafe and malicious dynamic code loading in android applications. In: Proceedings of the Network and Distributed System Security Symposium (NDSS), pp. 23–26 (2014)Google Scholar
  31. 31.
    Zhou, W., et al.: Fast, scalable detection of “piggybacked” mobile applications. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, pp. 185–196, New York, NY, USA (2013)Google Scholar
  32. 32.
    Bursztein, E., Martin, M., Mitchell, J.: Text-based CAPTCHA strengths and weaknesses. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 125–138, New York, NY, USA (2011)Google Scholar
  33. 33.
    Chakradeo, S., et al.: MAST: triage for market-scale mobile malware analysis. In: Proceedings of the Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 13–24, New York, NY, USA (2013)Google Scholar
  34. 34.
    Shabtai, A., et al.: Andromaly: a behavioral malware detection framework for android devices. J. Intell. Inf. Syst. 38(1), 161–190 (2012)CrossRefGoogle Scholar
  35. 35.
    Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E.: Cutting the gordian knot: a look under the hood of ransomware attacks. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 3–24. Springer, Heidelberg (2015) CrossRefGoogle Scholar
  36. 36.
    Young, A.: Cryptoviral extortion using microsoft’s crypto API. Int. J. Inf. Secur. 5(2), 67–76 (2006)CrossRefGoogle Scholar
  37. 37.
    Jarabek, C., Barrera, D., Aycock, J.: ThinAV: truly lightweight mobile cloud-based anti-malware. In: Proceedings of the 28th Annual Computer Security Applications Conference, pp. 209–218, New York, NY, USA (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Nicoló Andronio
    • 1
  • Stefano Zanero
    • 1
  • Federico Maggi
    • 1
    Email author
  1. 1.DEIBPolitecnico di MilanoMilanoItaly

Personalised recommendations