ESCAPADE: Encryption-Type-Ransomware: System Call Based Pattern Detection

Part of the Lecture Notes in Computer Science book series (LNCS, volume 12570)


Encryption-type ransomware has risen in prominence lately as the go-to malware for threat actors aiming to compromise Android devices. In this paper, we present a ransomware detection technique based on behaviours observed in the system calls performed by the malware. We identify and present some common high-level system call behavioural patterns targeted at encryption-type ransomware and evaluate these patterns. We further present our repeatable and extensible methodology for extracting the system call log and patterns.


  • Android
  • Behaviour
  • Patterns
  • Encryption-ransomware


Author information


Corresponding author

Correspondence to Vimal Kumar.

Table 2. List of token names and their respective pattern
Table 3. List of common behavioural patterns discovered and their token representation

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Chew, C.JW., Kumar, V., Patros, P., Malik, R. (2020). ESCAPADE: Encryption-Type-Ransomware: System Call Based Pattern Detection. In: Kutyłowski, M., Zhang, J., Chen, C. (eds) Network and System Security. NSS 2020. Lecture Notes in Computer Science, vol 12570. Springer, Cham.

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65744-4

  • Online ISBN: 978-3-030-65745-1

  • eBook Packages: Computer Science, Computer Science (R0)