R-PackDroid: Practical On-Device Detection of Android Ransomware.

arXiv: Cryptography and Security (2018)

Citations: 23 | Views: 75
Abstract
Ransomware constitutes a major threat for the Android operating system. It can either lock or encrypt the target devices, and victims may be forced to pay ransoms to restore their data. Despite previous works on malware detection, little has been done to specifically identify Android malware as ransomware. This is crucial, as ransomware requires immediate countermeasures to avoid data being entirely compromised. In this paper, we propose R-PackDroid, a machine learning-based application (which directly runs on Android phones) for the detection of Android ransomware. R-PackDroid is a lightweight approach that leverages a methodology based on extracting information from system API packages. We demonstrate its effectiveness by testing it on a large number of legitimate, malicious and ransomware-based applications. Our analyses pointed out three major results: first, R-PackDroid can distinguish ransomware from malware and legitimate applications with very high accuracy; second, R-PackDroid guarantees resilience against heavy obfuscation attempts, such as class encryption; third, R-PackDroid can be used to effectively predict and detect novel ransomware samples that are released after the ones used to train the system. R-PackDroid is available on the Google Play Store, and it is the first academic ransomware-oriented detector available for Android.
Keywords
android ransomware, r-packdroid, on-device