RansomSentry: Runtime Detection of Android Ransomware With Compiler-Based Instrumentation

Published: 2025, Last Modified: 27 Jan 2026. IEEE Trans. Dependable Secur. Comput. 2025. License: CC BY-SA 4.0
Abstract: In recent years, mobile ransomware attacks have become increasingly prevalent, especially in Android systems. Android ransomware extorts users by maliciously locking infected devices or encrypting user files on the devices. To address this problem, we propose RansomSentry, a runtime detection system with compiler-based instrumentation against both lock-screen and crypto ransomware in Android. Specifically, RansomSentry leverages a modified Android dex2oat compiler to instrument the sensitive APIs invoked by ransomware during the installation of a target app, and monitors the app's screen-related and file access operations at runtime to detect attacks. Compared to previous solutions, RansomSentry does not require changing the app's APK file or bytecode, so the app still passes its original integrity check, which makes RansomSentry readily deployable by users. Further, such a dynamic approach is naturally immune to code or data obfuscation and can provide real-time protection. To validate our approach, we implement a prototype of RansomSentry and collect 2,376 recent Android ransomware samples to evaluate it. The evaluation results show that our prototype can effectively detect ransomware attacks with an acceptable performance overhead.