e-Article
The Case for Native Instructions in the Detection of Mobile Ransomware
Document Type: Periodical
Source: IEEE Letters of the Computer Society (IEEE Lett. of the Comput. Soc.), 2(2):16-19, Jun 2019
ISSN: 2573-9689
Abstract
Recently, the mobile segment observed the emergence of a new class of malware known as ransomware. In 2017, more than 468,830 unique mobile ransomware samples were discovered, marking a 415 percent year-over-year increase in new ransomware. This trend presents a major concern for mobile users as they increasingly rely on their devices to safeguard sensitive information. Previous solutions have relied on high-level bytecode and XML-based permission files to detect malicious applications. Unfortunately, attackers are resorting to obfuscation techniques that involve repackaging apps with malicious content directly in native machine code. As such, the aforementioned methods are insufficient for detecting modern mobile ransomware. To address these concerns, this work evaluates the effectiveness of using native instructions in detecting ransomware. We characterize different machine learning models and demonstrate that opcodes in native instructions can be used for detecting mobile ransomware with near-ideal accuracy. In addition, we make the observation that the number of instruction opcodes that contribute to the detection of ransomware is significantly smaller than the full range of supported opcodes within a contemporary instruction set. Finally, we evaluate the robustness of our approach against six different ransomware families available in a state-of-the-art Android malware dataset.