Due to recent indiscriminate attacks of ransomware, damage cases including encryption of users’ important files are constantly increasing. The existing vaccine systems are vulnerable to attacks of new pattern ransomware because they can only detect the ransomware of existing patterns. More effective technique is required to prevent modified ransomware. In this paper, an effective method is proposed to prevent the attacks of modified ransomware on Android platform. The proposed technique specifies and intensively monitors processes and specific file directories using statistical methods based on Processor usage, Memory usage, and I/O rates so that the process with abnormal behaviors can be detected. If the process running a suspicious ransomware is detected, the proposed system will stop the process and take steps to confirm the deletion of programs associated with the process from users. The information of suspected and exceptional processes confirmed by users is stored in a database. The proposed technique can detect ransomware even if you do not save its patterns. Its speed of detection is very fast because it can be implemented in Android source code instead of mobile application. In addition, it can effectively determine modified patterns of ransomware and provide protection with minimum damage.

1. Introduction

Ransomware [1] is a type of malware that uses malicious codes to intrude the system before users notice it, to encrypt important files, to require money using encrypted files as a hostage, and to give monetary damages to users. The rapid growth of the mobile market has been the main target of hackers to obtain illegal gains by using ransomware. The market share of Korea’s Android OS is approximately 80% of the total share of smartphone market as shown in Table 1. Compared to other OS such as iOS, Windows Phone, or Blackberry, Android holds a high market share close to monopoly, while the others combined have less than 15% share in the mobile device market [2]. The share of the Android platform is so high that the platform is the main target of ransomware attacks. Damage cases of Android-based smartphones are continuously growing recently.

Traditional vaccine system can detect a system if it is infected with ransomware and cure it. However, it cannot prevent attacks by ransomware without obtaining information on the ransomware. In addition, files cannot be recovered without the encryption key because files are already encrypted even if the traditional vaccine system can remove the ransomware [3]. Users can avoid infections by updating the vaccine system from time to time. However, this method has limited efficacy. Existing vaccine system can detect ransomware using intrusion detection method based on files [4]. However, this approach cannot detect modified ransomware with new patterns because it can only prevent ransomware based on analysis information of the ransomware. Therefore, an active instead of a passive prevention method is urgently required.

In this paper, a ransomware prevention technique on Android platform is proposed. The proposed method can monitor file events that occurred when the ransomware accesses and copies files. This technique can detect and remove the ransomware using the CPU and I/O usage as well as the information stored in the DB. This proposed method can detect modified patterns of ransomware without obtaining information about the ransomware. In addition, it can be implemented on the kernel and framework source of Android so that it can detect ransomware relatively faster than other programs that run at the application level. Furthermore, it can continuously monitor the ransomware without separately downloading or updating.

The remainder of this paper is organized as follows. Related work is briefly discussed in Section 2. Our proposed approach is described in Section 3. Evaluation of the proposed approach is given in Section 4. Finally, several concluding remarks are given in Section 5.

2.1. Ransomware

Ransomware spreading methods are similar to those of malicious code Trojan Horse [5] that contains malicious routine and pretends as a normal program. Ransomware intrudes into users’ devices after pretending as a normal application such as Trojan Horse. Ransomware restricts the use of the system in various ways after intruding the system. It is mainly classified into the following three types: Scareware, Lock-Screen, and Encrypting [6].

(i) Scareware. It informs users that the device has been infected with malicious codes. It suggests the purchase of fake antivirus programs to treat them. It finally extorts money from the user.

(ii) Lock-Screen. It disables users’ PC in any way. It locks the system so that the users are not able to run the operating system when executing the system. When a user runs his system, it disables the operating system and sends the message that your PC has illegal contents that you will be fined by impersonating FBI or government agencies.

(iii) Encrypting. This is the most serious type of ransomware. It prevents the use of important files in your device by encrypting them. It extorts money by encrypting users’ files in PCs and letting users deposit the ransom for files to a virtual account to decrypt.

Ransomware accesses users and gives damage to them in various ways. For example, CryptoLocker [7] can encrypt files in PC. Reveton [8, 9] will impersonate law enforcement agencies such as FBI. SimpleLocker [10] targets smartphone users of the Android environment. This ransomware can be serious security threat to cloud computing [11] as it becomes the basic infrastructure of information system.

2.2. Existing Techniques
2.2.1. Process Using Hash Information

The processing method of CryptoLocker is to compare Hash information. CryptoLocker generates files encrypted with “.encrypted” [12]. The encrypted files are then added to the Hash Information. Signature, Public Key values, and their sizes will increase. Recovery tools are generally used to process CryptoLocker. They include different decryption key index information by infected users. Recovery tools compare Hash information and encrypted files in the data files, confirm the validation of key from key index information stored therein, and then proceed to decoding [13].

By looking at encrypted files’ recovery methods used in existing vaccines, these methods obtain a sample by decompiling the ransomware and perform decryption using the decryption key found by the code analysis of the sample [14]. There is a risk that when a new ransomware appears, users have to wait until a security company finds the decryption key value through sample analysis. Intelligent sensing techniques are required to detect new patterns of ransomware because ransomware constantly threatens the safety of mobile device.

System-based behavior detection technique [15] is based on the detection of occurrences of several behaviors in a computer system. It performs “integrity checking” and “behavior blocking” [16, 17]. Integrity checking technique conducts frequent inspections in order to confirm the integrity of the computing system. This approach calculates and writes the Hash values for execution files and directories on a clean computer system that is not infected by malware. Behavior blocking technique monitors all actions within the computer system. When a suspicious action occurs in similar way of malicious infections, this approach tracks the cause of executable file and blocks the execution of a suspicious action so that it has no progress.

2.2.2. Process Using CPU and I/O Usage

Statistical technique is one malware analysis technique that detects abnormal behaviors by analyzing the resources of the system. NIDES (Next-generation Intrusion Detection Expert System) [18] of SRI (Stanford Research Institute) International is a typical system based on statistical techniques. NIDES sets a goal of detecting abnormal behaviors that occurred in the system with a profiling technique after collecting Processor usage, I/O rate, Memory usage, and so forth, over a long time. Korea Electronics and Telecommunications Research Institute uses the technique using the mean difference of CPU or Memory usage in order to provide a reliable service on the host [19, 20]. However, this technique only operates against the attacks of DDoS. In this paper, a technique is proposed to prevent the intrusion of ransomware on Android platform based on statistical methods using Process, Memory, and Storage I/O usage.

2.3. Android Application Permissions Analysis

Android market applications demand Android system permissions in order to perform the correct operation. Applications registered in an official store show users permission requirements when they are downloaded. However, ordinary users may unintentionally download or run applications without carefully looking at them. Ransomware distributors will distribute the ransomware and pretend as a normal application on an official store using this security weakness.

To design the proposed method, the different kinds and functions of permissions on the Android system and permissions needed by ransomware are analyzed. Permissions to adversely affect the Android system are largely classified as System, SMS, Contact, and Location [21]. Difference in permissions between Ransomware App and Normal App is shown in Table 2. A total of 14 kinds of ransomware that appeared between 2014.01 and 2015.09 based on the report of virustotal [22] are included in the comparison (Table 2).

The functions of the corresponding permissions are not necessarily safe. These permissions access a lot of information, including the configuration information of the device, the list of applications, resource statistics, and personal information such as location information and SMS information. Normal applications use these permissions. Therefore, users generally agree to install applications without doubt, even when it is the ransomware that requires permissions for the System, SMS, Contact, and Location.

3. The Proposed Technique

To have efficient implementation, the proposed technique is designed with three modules: Configuration, Monitoring, and Processing (Figure 1). Configuration module generates a monitoring list table for a smooth operation of the proposed method. It is the module for the initial setting. Monitoring module is responsible for monitoring Processor, Memory, and Storage I/O usages of every process in real time based on statistical techniques. Finally, processing module determines the handling of the process suspected as ransomware by the Monitoring module and makes an exception or isolation of the process.

The proposed technique implements the configuration module, the monitoring module, and the processing module using the framework and kernel of the Android platform as shown in Figure 2. In addition, user’s UI part added to the Android Settings and the database used in the configuration module are implemented within the framework. In the kernel, a part for generating I/O information to monitor the process is implemented, through which a kernel image is produced.

Algorithm 1 shows the operation flow of the basic technique proposed in this paper. Details are described later in different topics.

Input: process id P
 ProcessInfo ProcessDatabase(P);
if ProcessInfo is blacklist then
else if ProcessInfo is not priority protection member then
3.1. Configuration Module

The configuration module is the basic setup to be applied when the proposed technique detects a ransomware. In this paper, default setting values that are information about the process or application installed by default on the Android platform are saved in a database. The foremost role of the configuration module is to specify the location of the files needed to be protected from the attacks of the ransomware. An area of these important files is called priority protection area (hereinafter PPA). If the proposed technique is run correctly, it will collect the information of PPA, register them to the watch list table for the monitoring module, and protect the corresponding files in real time. The second role is to register user’s handling for the suspected process detected by the monitoring module into the database and maintain the handling. If the user finally determines the process as a ransomware, it stores the information of the corresponding process. It will automatically detect and delete the process depending on the user’s feedback. If the user determines the process as normal, it records the information of the process and forces the system to maintain the process without terminating the process even if the process is redetected.

3.2. Monitoring Module

The monitoring module is responsible for detecting the ransomware by monitoring the PPA area and the process. The monitoring module is largely composed of two modules (file monitoring and process monitoring) based on the roles.

(i) File Monitoring Module. It continuously monitors the status of the input/output events such as reading, writing, copying, and deleting of a file belonging to a PPA set in the configuration module and detects the attacks of the ransomware. Algorithm 2 shows the operation flow of the file monitoring module proposed in this paper.

Input: process ids
  for all process id do
   Flag isOccuriedEventInPPA();
   if Flag is enabled then
    Result ProcessNotification();
    if Result is block then

(ii) Process Monitoring Module. It continuously monitors Processor share by Process, Memory usage, I/O count, Storage I/O count, and so forth and detects the ransomware. Algorithm 3 shows the operation flow of the process monitoring module proposed in this paper.

Input: process ids , Threshold T
  for all process id do
   ProcessInfo getProcessInformation();
   if ProcessInfo has occupied resources then T then
    Result ProcessNotification();
    if Result is block then

Upon detecting the suspected process, it also handles malicious or exceptional processes in the database applied in the configuration module. For the process registered as a malicious process, the monitoring module will stop the process at the moment of detection and automatically delete the process. For the process registered as an exceptional process, it will allow the normal execution because it is specified as safe by the user.

3.2.1. File Event Monitoring

The monitoring module monitors the modification and deletion events of files and directories existing in a PPA. Monitoring path is generally through external storage of the device. Basic monitoring path is shown in Table 3.

Observer is arranged to monitor file events in each directory. File event monitoring using Observer is based on the patterns of ransomware to generate encrypted files after reading and writing target files and deleting original files. Observer can detect events of ransomware deleting and modifying files without obtaining data on the ransomware. Observer is responsible for monitoring modification and deletion events that occurred in each path while the device is on. If the event for the file occurs, Observer will pass the file event information to the monitoring module and find which process is the one that produced the event. The process found by the Observer is primarily checked through an exceptional handling process. If the process is not in a list, it is determined as a process suspicious of ransomware. The process will be stopped first. The technique inquires the user about subsequent handling of the process. Depending on the user’s determination, the handling of the process in the database will be updated and managed.

3.2.2. Process Monitoring

The monitoring module uses information such as Processor share for each Process, Memory usage, I/O count, and Storage I/O count to detect suspected process among running processes. It also detects suspected process through monitoring file events. The operation of Process monitoring is based on the information of malicious/exceptional processes stored in the database by the configuration module. It takes advantage of the fact that ransomware process uses a lot of system resources in the process of encrypting files in the storage. The proposed technique checks whether Processor share, Memory usage, I/O count, and Storage I/O count are more than a threshold value based on statistical methods. It will transmit the information of the corresponding process into the Processing module when it is higher than a threshold value.

To prove the change of Processor usage, a sample ransomware is run. The name of the corresponding ransomware process is called “com.example. .Sample”. Figure 3 shows the status of the process when a latent ransomware process is carried out. Processor share shows 0-1% so that users will not notice it.

Figure 4 shows the situation when the latent ransomware performs encrypting files in earnest. The Processor usage is changed to 11% at the moment of the encryption. It peaked at 46%.

The process of I/O usage of the same ransomware at latency is shown in Figure 5. The top of the figure is the initial stage of the process execution. The amount of bytes read is relatively small.

The process of I/O usage of the same latent ransomware that performs active encrypting is shown in Figure 6. As shown in Figure 6, the file I/O usage is sharply increased because the data of the files to be encrypted are read and written in earnest. The sharp increase in the CPU usage and I/O usage can be used to detect the ransomware.

3.3. Processing Module

The processing module forcibly stops the process suspicious of ransomware in the monitoring module and inquires users about the appropriate handling of the process. Once the handling is determined, the information of the corresponding process will be stored in the database and used in the configuration module subsequently. Database table structure used in the processing module is shown in Table 4.

ID is used to place the number of each tuple. PackageName is the name of an application. RiskType is a flag to determine whether it is safe/unsafe. Comment is prepared in case a separate explanation is needed.

The processing module also warns users about the risk of the ransomware through Android permission analysis.

(i) System Permission. The ransomware has permissions of the system. It seizes permissions of the device’s administrator and prevents users from manipulating the device. This permission involves the risk of ransomware browsing the user’s personal files stored in the device without user’s permission. It uses administrator’s permission.

(ii) SMS Permission. While a normal application provides convenience to users with SMS permission, the ransomware intercepts received messages to use them for illegal purposes by using SMS permission.

(iii) Contract Permission. Permission to access contacts is stored in the device. Typical examples of making ill use of this permission are phishing and smishing.

(iv) Network Permission. Permission to automatically find network connected to the device and allow the ransomware to operate. Ransomware seizes permission of the device so that users cannot operate the device. It has the risk of intercepting user’s personal information stored in the device.

The processing module inquires of users about whether to keep or delete the corresponding program after stopping the process suspicious of ransomware. If the user shows his intention to delete the application, when the same process appears later, it is automatically removed without asking about user’s thoughts because the user recognizes the corresponding application as ransomware. If he determines the process as normal, its safety is guaranteed so the process will not be forcibly stopped by the proposed technique. In addition, the proposed technique will let the user know if any part of the process is vulnerable. Concerns of permission are listed in Table 5.

3.4. User Interface

User Interface shown in Figure 7 provides users with easy access to the proposed method. UI is equipped with a basic format of the Android. It provides an interface of the configuration module. The proposed system functions can be turned on and off at any time using the corresponding interface. At the bottom, the names of the packages registered in the database so far can be checked. Addition, modification, and deletion of the information stored are also possible.

4. Evaluation

Unknown ransomware is used for evaluation of the proposed method compared to existing vaccine systems. A ransomware that encrypts files with 40-byte keys using the AES algorithm was made for testing. This sample ransomware has the function of opening all files on the input path and encrypting.

On the left of Figure 8 is the running result of a testing ransomware after running V3 Mobile one vaccine system that is famous in South Korea. On the right of Figure 8 is the result after running Avast made in the Czech Republic. These vaccine programs have no information about the new ransomware. They failed to detect the unknown ransomware. Therefore, files on /Download are encrypted. It is impossible to cure them either because there is no decryption key value.

In order to verify the proposed technique, PPA was set as /Download directory using the configuration module. Figure 9 shows the result of running the same sample ransomware after activating the proposed technique. In the device using the proposed method, users’ files were protected because it found the ransomware before the encryption. Therefore, it stopped the ransomware process and asked about users’ thoughts on deletion.

Results of evaluation of existing vaccine systems compared to the proposed technique are shown in Table 6. The proposed technique can deal with modified or new patterns of ransomware because it can detect ransomware using information such as Processor share, Memory usage or I/O count, and Storage I/O count. However, existing techniques need information of the ransomware to detect it. While traditional vaccines require updating the detection pattern from time to time, the proposed method does not need so many updates because it can detect the ransomware based on its behavior. It does not need to install an application such as existing vaccines as it is implemented in the Android source. In this study, we found a slightly degraded performance of the device after using the proposed technique in order to protect sensitive information.

5. Conclusion

In this paper, a technique is proposed to reduce damage caused by unknown ransomware attacks on Android devices. The proposed method can effectively reduce damage caused by ransomware with modified or new patterns without obtaining information on the ransomware. It uses file input/output events and Processor status information based on the behavior of ransomware, unlike existing techniques that need information about the ransomware. It can automatically prevent damage caused by such ransomware attacks later based on information collected on the detected ransomware. It is possible to use the proposed method in all Android-based smart phones because this technique is added to the open source of Android source file. This technique is expected to allow users to minimize damage caused by attacks of ransomware that existing vaccine systems fail to detect.

Competing Interests

The authors declare that they have no competing interests.


This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Korea government (MSIP) (NRF-2015R1D1A1A01057680).