Extinguishing Ransomware - A Hybrid Approach to Android Ransomware Detection

  • Alberto Ferrante
  • Miroslaw Malek
  • Fabio Martinelli
  • Francesco MercaldoEmail author
  • Jelena Milosevic
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10723)


Mobile ransomware is on the rise and effective defense from it is of utmost importance to guarantee security of mobile users’ data. Current solutions provided by antimalware vendors are signature-based and thus ineffective in removing ransomware and restoring the infected devices and files. Also, current state-of-the art literature offers very few solutions to effectively detecting and blocking mobile ransomware. Starting from these considerations, we propose a hybrid method able to effectively counter ransomware. The proposed method first examines applications to be used on a device prior to their installation (static approach) and then observes their behavior at runtime and identifies if the system is under attack (dynamic approach). To detect ransomware, the static detection method uses the frequency of opcodes while the dynamic detection method considers CPU usage, memory usage, network usage and system call statistics. We evaluate the performance of our hybrid detection method on a dataset that contains both ransomware and legitimate applications. Additionally, we evaluate the performance of the static and dynamic stand-alone methods for comparison. Our results show that although both static and dynamic detection methods perform well in detecting ransomware, their combination in a form of a hybrid method performs best, being able to detect ransomware with 100% precision and having a false positive rate of less than 4%.


Ransomware Malware Hybrid detection Machine learning Android Security 



This work has been partially supported by H2020 EU-funded projects NeCS and C3ISP and EIT-Digital Project HII.


  1. 1.
    Andronio, N., Zanero, S., Maggi, F.: HelDroid: dissecting and detecting mobile ransomware. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 382–404. Springer, Cham (2015). CrossRefGoogle Scholar
  2. 2.
    Canfora, G., De Lorenzo, A., Medvet, E., Mercaldo, F., Visaggio, C.A.: Effectiveness of opcode ngrams for detection of multi family android malware. In: 2015 10th International Conference on Availability, Reliability and Security (ARES), pp. 333–340. IEEE (2015)Google Scholar
  3. 3.
    Canfora, G., Mercaldo, F., Visaggio, C.A.: Evaluating op-code frequency histograms in malware and third-party mobile applications. In: Obaidat, M.S., Lorenz, P. (eds.) ICETE 2015. CCIS, vol. 585, pp. 201–222. Springer, Cham (2016). CrossRefGoogle Scholar
  4. 4.
    Canfora, G., Mercaldo, F., Visaggio, C.A.: Mobile malware detection using op-code frequency histograms. In: Proceedings of International Conference on Security and Cryptography (SECRYPT) (2015)Google Scholar
  5. 5.
    Carbonell, J.G., Michalski, R.S., Mitchell, T.M.: An overview of machine learning. In: Michalski, R.S., Carbonell, J.G., Mitchell, T.M. (eds.) Machine learning. SYMBOLIC. Springer, Heidelberg (1983). Google Scholar
  6. 6.
    Gharib, A., Ghorbani, A.: DNA-Droid: a real-time android ransomware detection framework. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds.) NSS 2017. LNCS, vol. 10394, pp. 184–198. Springer, Cham (2017). CrossRefGoogle Scholar
  7. 7.
    Infosec Institute: Evolution in the World of Cyber Crime. Technical report Infosec Institute, June 2016.
  8. 8.
    McAfee Labs: McAfee Labs Threats report - December 2016. Technical report. McAfee Labs, August 2016.
  9. 9.
    Martinelli, F., Mercaldo, F., Saracino, A.: Bridemaid: An hybrid tool for accurate detection of android malware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 899–901. ACM (2017)Google Scholar
  10. 10.
    Martinelli, F., Mercaldo, F., Saracino, A., Visaggio, C.A.: I find your behavior disturbing: static and dynamic app behavioral analysis for detection of android malware. In: 2016 14th Annual Conference on Privacy, Security and Trust (PST), pp. 129–136. IEEE (2016)Google Scholar
  11. 11.
    Mercaldo, F., Nardone, V., Santone, A., Visaggio, C.A.: Ransomware steals your phone. Formal methods rescue it. In: Albert, E., Lanese, I. (eds.) FORTE 2016. LNCS, vol. 9688, pp. 212–221. Springer, Cham (2016). CrossRefGoogle Scholar
  12. 12.
    Mercaldo, F., Visaggio, C.A., Canfora, G., Cimitile, A.: Mobile malware detection in the real world. In: Proceedings of the 38th International Conference on Software Engineering Companion, pp. 744–746. ACM (2016)Google Scholar
  13. 13.
    Milosevic, J., Ferrante, A., Malek, M.: Malaware: Effective and efficient run-time mobile malware detector. In: The 14th IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC 2016). IEEE Computer Society Press, Auckland, New Zealand (2016)Google Scholar
  14. 14.
    Milosevic, J., Malek, M., Ferrante, A.: A friend or a foe? Detecting malware using memory and CPU features. In: 13th International Conference on Security and Cryptography SECRYPT 2016 (2016)Google Scholar
  15. 15.
    Rastogi, V., Chen, Y., Jiang, X.: Droidchameleon: Evaluating android anti-malware against transformation attacks. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, pp. 329–334. ACM (2013)Google Scholar
  16. 16.
    Song, S., Kim, B., Lee, S.: The effective ransomware prevention technique using process monitoring on android platform. In: Mobile Information Systems 2016 (2016)Google Scholar
  17. 17.
    Yang, T., Yang, Y., Qian, K., Lo, D.C.T., Qian, Y., Tao, L.: Automated detection and analysis for android ransomware. In: IEEE 17th International Conference on High Performance Computing and Communications, IEEE 7th International Symposium on Cyberspace Safety and Security, IEEE 12th International Conference on Embedded Software and Systems, pp. 1338–1343. IEEE (2015)Google Scholar
  18. 18.
    Zhou, Y., Jiang, X.: Dissecting android malware: Characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 95–109. IEEE (2012)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Alberto Ferrante
    • 1
  • Miroslaw Malek
    • 1
  • Fabio Martinelli
    • 2
  • Francesco Mercaldo
    • 2
    Email author
  • Jelena Milosevic
    • 1
  1. 1.Faculty of Informatics, Advanced Learning and Research InstituteUniversità della Svizzera italianaLuganoSwitzerland
  2. 2.Institute for Informatics and TelematicsNational Research Council of Italy (CNR)PisaItaly

Personalised recommendations