DNA-Droid: A real-time android ransomware detection framework

Abstract

Ransomware has become one of the main cyber-threats for mobile platforms and in particular for Android. The number of ransomware attacks are increasing exponentially, while even state of art approaches terribly fail to safeguard mobile devices. The main reason is that ransomware and generic malware characteristics are quite different. Current solutions produce low accuracy and high false positives in presence of obfuscation or benign cryptographic API usage. Moreover, they are inadequate in detecting ransomware attack in early stages before infection happens. In this paper, DNA-Droid, a two layer detection framework is proposed. It benefits of a dynamic analysis layer as a complementary layer on top of a static analysis layer. The DNA-Droid utilizes novel features and deep neural network to achieve a set of features with high discriminative power between ransomware and benign samples. Moreover, Sequence Alignment techniques are employed to profile ransomware families. This helps in detecting ransomware activity in early stages before the infection happens. In order to extract dynamic features, a fully automated Android sandbox is developed which is publicly available for researchers as a web service. The DNA-Droid is tested against thousands of samples. The experimental results shows high precision and recall in detecting even unknown ransomware samples, while keeping the false negative rate below 1.5%.