Ransomware is a malicious application that extorts ransom from users by replacing their device passwords, forcibly occupying screen resources and encrypting their private files, so that users cannot use their devices or access their files normally. This type of application has a low production cost and poses a high threat to users. The number of ransomware samples has risen sharply in recent years as Android has gained market share. At present, research on Android ransomware and protection against it is still in a state of passive detection: most research focuses on how to identify ransomware accurately and efficiently, and protects Android devices by locating and handling the ransomware before it is activated. However, the whole process of extortion also includes the hijacking of screen, file and other resources after the ransomware is activated, as well as the active evolution of ransomware to evade detection. Isolated protection for a single stage cannot deal with the extortion process as a whole. In order to protect Android devices and user files from ransomware more comprehensively, this paper carries out research on ransomware on the Android platform and puts forward a security protection system covering the whole life cycle of ransomware behaviour on Android. The main contributions of this paper are as follows:

1. Research on offline, behaviour-distinguishing detection of ransomware applications before activation. To solve the problem that existing ransomware detection engines can hardly distinguish benign applications with screen-locking and file-encryption functions from real ransomware, this paper proposes KRDROID, an offline detection engine that distinguishes behaviour before the ransomware is activated. In feature set construction, KRDROID introduces the concept of a "joint feature": it uses the K-means algorithm to combine multiple features that are strongly correlated but independent of each other into a new joint-feature dimension that carries their correlation relations, which effectively solves the ransomware identification problem in the model. Experimental results show that KRDROID achieves 98.5% accuracy in detecting unknown ransomware. In distinguishing benign applications from ransomware with similar behaviour, KRDROID improves accuracy by about 40% compared with other ransomware detection engines, solving the problem that existing engines cannot accurately separate ransomware from benign applications.

2. Research on real-time detection of ransomware applications based on interest-folder access perception. Since ransomware that uses detection-evasion techniques can only be detected after it is activated, the user's files are greatly threatened by its encryption. This paper proposes KRPROTECTOR, a real-time ransomware detection engine based on interest-folder access awareness. KRPROTECTOR uses an empty folder as the interest-folder entity to detect ransomware on terminals that are not rooted, and can effectively identify ransomware that uses dynamic and static detection-evasion strategies. Experimental results show that KRPROTECTOR is 20% more accurate in identifying ransomware than other ransomware detection engines, and can issue a warning 70.613 seconds before the first file is encrypted, realizing a defence against file encryption by ransomware on a device that is not rooted.

3. Research on resource self-recovery technology after the ransomware has executed. With the evolution of ransomware, some samples have gained the ability to prevent users from connecting to ADB for resource recovery by means of USB shielding. In addition, recovering resources after encryption involves problems such as complicated procedures and a high threshold of professional background knowledge for the user. This paper proposes KRRECOVER, a resource self-recovery tool based on the Android system. KRRECOVER automatically recovers the resources of the hijacked device by terminating the ransomware process and deleting the files in which the password was written. By monitoring the encryption API, KRRECOVER obtains the keys used at run time and the list of encrypted files, and uses them to decrypt the encrypted files.

4. Research on next-generation ransomware technology from the attacker's perspective. Aiming at the problem of how to actively find more potential threats in the evolution of ransomware and defend against different extortion behaviours, this paper proposes three next-generation extortion techniques: data hijacking based on a DNS channel, data hijacking based on a man-in-the-middle attack, and communication hijacking based on DNS hijacking. In addition, to defend against the different extortion behaviours that may arise as ransomware evolves, this paper proposes KRPROVE, an Android extortion-behaviour verification framework that supports multiple strategy combinations, and provides defence suggestions based on the test results of the extortion behaviours obtained from the various strategy combinations on devices.
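As an added illustration of the interest-folder idea behind KRPROTECTOR (example code written for this page, not the thesis's own implementation), the following Python sketch plants an empty decoy folder, records its baseline state, and reports any later change as an access alert. The decoy folder name, the ransom-note file name and the simulated encryptor are all constructed assumptions.

```python
import os
import tempfile
from dataclasses import dataclass

DECOY_NAME = ".kr_interest"  # hypothetical decoy ("interest") folder name, an assumption


@dataclass
class DecoyBaseline:
    path: str
    mtime_ns: int
    entries: frozenset


def plant_decoy(root: str) -> DecoyBaseline:
    """Create an empty interest folder under root and record its baseline state.

    A benign app has no reason to write into an empty hidden folder, so any
    later change is treated as a ransomware-style traversal/encryption signal.
    """
    decoy = os.path.join(root, DECOY_NAME)
    os.makedirs(decoy, exist_ok=True)
    st = os.stat(decoy)
    return DecoyBaseline(decoy, st.st_mtime_ns, frozenset(os.listdir(decoy)))


def check_decoy(baseline: DecoyBaseline) -> list:
    """Return alert strings describing deviations from the baseline (empty if clean)."""
    if not os.path.isdir(baseline.path):
        return [f"decoy folder removed: {baseline.path}"]
    now = frozenset(os.listdir(baseline.path))
    alerts = [f"new entry in decoy folder: {n}" for n in sorted(now - baseline.entries)]
    alerts += [f"entry deleted from decoy folder: {n}" for n in sorted(baseline.entries - now)]
    if not alerts and os.stat(baseline.path).st_mtime_ns != baseline.mtime_ns:
        alerts.append("decoy folder metadata changed")
    return alerts


def simulate_encryptor(root: str) -> None:
    """Constructed stand-in for a ransomware file walk: drops a note in every folder."""
    for dirpath, _dirs, _files in os.walk(root):
        note = os.path.join(dirpath, "README_DECRYPT.txt")  # constructed ransom-note name
        with open(note, "w") as fh:
            fh.write("your files were encrypted (simulated)\n")


def demo() -> tuple:
    """Plant a decoy, check it before and after the simulated walk; return both results."""
    root = tempfile.mkdtemp()
    baseline = plant_decoy(root)
    before = check_decoy(baseline)
    simulate_encryptor(root)
    return before, check_decoy(baseline)
```

On a real device the check would be driven by a file-change callback (for example Android's FileObserver) rather than being called explicitly, so that the warning fires as soon as the decoy is touched, ahead of the user's real files.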