
Detection And Prevention Of Android Ransomware

Posted on: 2020-06-06 | Degree: Master | Type: Thesis
Country: China | Candidate: X Zhou | Full Text: PDF
GTID: 2428330602950575 | Subject: Computer Science and Technology
Abstract/Summary:

In recent years, ransomware has gradually appeared on mobile platforms, especially Android. The number of users threatened by Android ransomware has shown explosive growth, and Android ransomware is receiving more attention than ever before. To induce users to install it on their devices, Android ransomware is usually disguised as benign software, game plugins, or porn applications. Once running on the device, it locks the screen or encrypts files. The attackers then demand a ransom to restore the device, which causes great economic loss to victims. There is a pressing need to develop a detection and prevention technique against Android ransomware.

To deal with the threat of Android ransomware, this work proposes a detection and prevention method based on modification of the ART compiler, which can detect and prevent the malicious behavior of an application in real time through dynamic analysis. It monitors and analyzes the behavior of the running application at the instruction level and protects the device with scheduled security policies, which overcomes the shortcomings of static analysis. Compared with existing methods, this method is based on modification of the Android system, so there is no need to modify the signature of the application, and it is convenient for device vendors to use. To prevent large-scale intrusion, the feature library and security policies can be updated in time according to the new characteristics of Android ransomware. This method solves the problem of the security threat from Android ransomware quickly and efficiently.

Specifically, the method monitors malicious behaviors of the running application by modifying the source code of the Android dex2oat compiler, and can be divided into three phases. First, in the pre-processing phase, it filters trusted applications and detects threatening text by static analysis. Second, in the optimizing compilation phase, it searches for and obtains the instructions of malicious API methods, injects tag instructions and the feature library before the malicious instructions, and finally generates the oat file. Third, in the running detection phase, it captures the tag instructions and call process, and uses these together with the threatening-text similarity of the application to determine whether it is Android ransomware, so that the user can be reminded in time and the device protected from Android ransomware.

Finally, we implemented a prototype on Android 7.0 and collected 850 samples from 8 Android ransomware families to evaluate it. The function test results show that the prototype can effectively recognize the screen-locking or file-encryption behavior of Android ransomware (for the samples compiled successfully, the accuracy rate reached 100%). At the same time, we further evaluated the influence of modifying the compiler on the stability and performance overhead of the prototype through a large number of tests. The results show that the prototype runs stably with a small performance overhead (the average overhead of running an application is less than 3%).
Keywords/Search Tags: Android, ransomware, compiler, monitor, real-time detection, security policy