Abstract
Malware is advancing at a rapid pace, and it is becoming more stealthy, resilient, and aware of existing detection methods. A similar trend in mobile crypto-ransomware can be expected soon. It is therefore crucial to investigate the new variants of mobile crypto-ransomware that may emerge in the near future. This work investigates how next-generation mobile crypto-ransomware can evade the existing state-of-the-art detection metrics and how this threat can be neutralized. After reviewing the current data-centric crypto-ransomware detection metrics, we investigate the possibility of evading them. We demonstrate the threat posed by next-generation mobile crypto-ransomware by implementing a crypto-ransomware targeting the Android operating system, called Maskware. Maskware uses partial encryption and mimics the behavior of legitimate applications in terms of data manipulation. We evaluate the effectiveness of common crypto-ransomware detection metrics, including entropy, data transformation, and file structure, in detecting Maskware, and show that these metrics are ineffective against it. This article therefore argues for more efficient and effective methods to combat such malware and proposes a novel solution. The evaluation results of the proposed solution demonstrate that it can effectively detect Maskware and protect users’ data.
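The abstract names entropy as one of the data-centric metrics that partial encryption defeats. The following added example (not code from the paper or from Maskware) makes that limitation concrete from the defender's side: it builds a constructed plain-text document, a fully overwritten copy, and a copy in which only one region is replaced by high-entropy bytes, then runs a whole-file entropy check and a per-window entropy check over all three. The window size, the 7.0 bits/byte threshold and the SHA-256 counter-mode stand-in for ciphertext are assumptions chosen for the illustration; the per-window check is a simple sharpening of the entropy metric, not the solution the paper proposes.

```python
import hashlib
import math
from collections import Counter

FILE_SIZE = 64 * 1024   # constructed sample file size (assumption)
WINDOW = 4096           # analysis window for the per-region check (assumption)
THRESHOLD = 7.0         # bits/byte; an assumed whole-file cut-off for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode).

    Stands in for ciphertext so the example runs offline and reproducibly;
    it is not an encryption routine.
    """
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def make_plain_document(size: int = FILE_SIZE) -> bytes:
    """Constructed low-entropy 'user document': repeated English text."""
    sentence = b"The quick brown fox jumps over the lazy dog. "
    return (sentence * (size // len(sentence) + 1))[:size]


def overwrite_fully(doc: bytes) -> bytes:
    """Model of conventional ransomware: the whole file becomes high-entropy."""
    return pseudo_random_bytes(len(doc))


def overwrite_partially(doc: bytes, offset: int = 4 * WINDOW, length: int = 2 * WINDOW) -> bytes:
    """Model of partial encryption: one region is high-entropy, the rest is untouched."""
    return doc[:offset] + pseudo_random_bytes(length) + doc[offset + length:]


def whole_file_flags(data: bytes, threshold: float = THRESHOLD) -> bool:
    """The whole-file entropy metric: flag when the file as a whole looks encrypted."""
    return shannon_entropy(data) >= threshold


def max_window_entropy(data: bytes, window: int = WINDOW) -> float:
    """Highest entropy seen in any fixed-size window of the file."""
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))


def windowed_flags(data: bytes, threshold: float = THRESHOLD, window: int = WINDOW) -> bool:
    """Per-window variant: flag when any single region looks encrypted."""
    return max_window_entropy(data, window) >= threshold


if __name__ == "__main__":
    doc = make_plain_document()
    samples = {
        "plain": doc,
        "fully overwritten": overwrite_fully(doc),
        "partially overwritten": overwrite_partially(doc),
    }
    for name, data in samples.items():
        print(f"{name:22s} whole-file H={shannon_entropy(data):.2f} "
              f"flag={whole_file_flags(data)!s:5s} "
              f"max-window H={max_window_entropy(data):.2f} "
              f"flag={windowed_flags(data)}")
```

Run as a script, the whole-file check flags only the fully overwritten copy: mixing one high-entropy region into a large low-entropy file keeps the aggregate well under the threshold, which is the effect the abstract describes. The per-window check catches this particular layout because the overwritten region spans whole windows, but it is only a partial answer; a metric that looks at the data alone can still be mimicked by finer-grained or legitimate-looking writes, which is why the paper argues for a different kind of solution.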
F. Faghihi—This work was carried out while the first author was a PhD candidate at Queen’s University.
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Faghihi, F., Zulkernine, M., Ding, S. (2024). Unmasking of Maskware: Detection and Prevention of Next-Generation Mobile Crypto-Ransomware. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14551. Springer, Cham. https://doi.org/10.1007/978-3-031-57537-2_17
DOI: https://doi.org/10.1007/978-3-031-57537-2_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57536-5
Online ISBN: 978-3-031-57537-2
eBook Packages: Computer Science (R0)