Android app, are restricted by Android's security model and therefore have limited capabilities: their detection approach cannot go much beyond signature checking. Moreover, certain ransomware families abuse high privileges (e.g., the Device Admin API) to kill the processes that are typically associated with common AVs.
The second approach, HelDroid, proposes a feature-based detection mechanism that applies advanced static-analysis techniques directly to the bytecode extracted from APK files. We envisioned HelDroid deployed on the app-store side to scan a submitted application's code and resources in order to discover whether they exhibit one or more characteristics that belong to a ransomware-distinguishing feature set.
What it does in a nutshell is find clues in the disassembled Android bytecode that indicate the presence of code used to implement the typical features of ransomware. This includes:
* use of encryption routines without user intervention
* locking the screen and making the device “unusable”
* displaying threatening messages on the screen to ask for a ransom
* abuse of the Device Admin API for unattended locking or wiping
It does not deal with native code, mostly because native code is binary code, for which there are other great tools that we don’t want to re-invent. We focus on the routines that are tied to the abuse of the Android API for implementing ransomware. Remember, our approach is almost 100% static program analysis, that is, we don’t run the sample unless necessary. On the one hand this makes things simpler, on the other hand, we don’t deal with dynamically expressed ransomware behavior. There are several details behind this curtain, most of which are described in two academic papers and one conference presentation (Blackhat EU 2016, London).
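To make the feature-based idea concrete, here is an added example (not HelDroid's own code, which uses flow analysis and a natural-language classifier for the threatening-text part) that scans constructed smali-style disassembly for the four indicator classes listed above. The API references, the superclass list used to approximate "without user intervention", the threat-term vocabulary, the minimum-term threshold and the final decision rule are all simplifying assumptions of this example, not HelDroid's actual thresholds.

```python
import re
from collections import defaultdict

# Constructed smali-style disassembly for a fictitious locker sample (not a real app).
SAMPLE_DISASSEMBLY = """\
.class public Lcom/example/locker/LockService;
.super Landroid/app/Service;
.method public onStartCommand(Landroid/content/Intent;II)I
    invoke-virtual {v0}, Landroid/app/admin/DevicePolicyManager;->lockNow()V
    invoke-static {v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    invoke-virtual {v1, v2}, Ljavax/crypto/Cipher;->doFinal([B)[B
.end method
.class public Lcom/example/locker/AdminReceiver;
.super Landroid/app/admin/DeviceAdminReceiver;
.method public onDisableRequested(Landroid/content/Context;Landroid/content/Intent;)Ljava/lang/CharSequence;
    invoke-virtual {v0, v1}, Landroid/app/admin/DevicePolicyManager;->wipeData(I)V
.end method
.class public Lcom/example/locker/LockActivity;
.super Landroid/app/Activity;
.method protected onCreate(Landroid/os/Bundle;)V
    const-string v0, "Your device has been locked by the police. Pay a $300 fine within 24 hours or your files will be deleted."
    invoke-virtual {v2, v3, v4}, Landroid/view/WindowManager;->addView(Landroid/view/View;Landroid/view/ViewGroup$LayoutParams;)V
.end method
"""

# Constructed benign sample: encrypts a note only when the user taps "save".
BENIGN_DISASSEMBLY = """\
.class public Lcom/example/notes/EditorActivity;
.super Landroid/app/Activity;
.method public onSaveClicked(Landroid/view/View;)V
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    const-string v1, "Note saved and encrypted."
.end method
"""

# Indicator vocabularies (assumptions of this example, deliberately small).
CRYPTO_APIS = {"Ljavax/crypto/Cipher;->getInstance", "Ljavax/crypto/Cipher;->doFinal",
               "Ljavax/crypto/spec/SecretKeySpec;-><init>"}
LOCK_APIS = {"Landroid/app/admin/DevicePolicyManager;->lockNow", "Landroid/view/WindowManager;->addView"}
ADMIN_ABUSE_APIS = {"Landroid/app/admin/DevicePolicyManager;->wipeData",
                    "Landroid/app/admin/DevicePolicyManager;->resetPassword"}
# Components with no UI: crypto here is treated as "without user intervention" (crude stand-in for flow analysis).
BACKGROUND_SUPERCLASSES = {"Landroid/app/Service;", "Landroid/content/BroadcastReceiver;",
                           "Landroid/app/admin/DeviceAdminReceiver;"}
THREAT_TERMS = {"locked", "pay", "fine", "police", "bitcoin", "deleted", "encrypted"}
THREAT_MIN_TERMS = 3  # keyword stand-in for HelDroid's NLP-based threatening-text detector

CLASS_RE = re.compile(r"^\.class\s+(?:\S+\s+)*(L\S+;)$")
SUPER_RE = re.compile(r"^\.super\s+(L\S+;)$")
INVOKE_RE = re.compile(r"^invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(L\S+?;->[\w<>]+)")
STRING_RE = re.compile(r'^const-string(?:/jumbo)?\s+\S+,\s+"(.*)"$')


def parse_classes(disassembly):
    """Group invoked API references and string constants per class, keeping the superclass."""
    classes, current = {}, None
    for raw in disassembly.splitlines():
        line = raw.strip()
        if m := CLASS_RE.match(line):
            current = classes.setdefault(m.group(1), {"super": None, "calls": [], "strings": []})
        elif current is None:
            continue
        elif m := SUPER_RE.match(line):
            current["super"] = m.group(1)
        elif m := INVOKE_RE.match(line):
            current["calls"].append(m.group(1))
        elif m := STRING_RE.match(line):
            current["strings"].append(m.group(1))
    return classes


def extract_features(disassembly):
    """Map each ransomware feature to the (deduplicated) classes that exhibit it."""
    features = defaultdict(list)

    def note(feature, cls):
        if cls not in features[feature]:
            features[feature].append(cls)

    for name, info in parse_classes(disassembly).items():
        background = info["super"] in BACKGROUND_SUPERCLASSES
        for call in info["calls"]:
            if call in CRYPTO_APIS and background:
                note("unattended_encryption", name)
            if call in LOCK_APIS:
                note("screen_locking", name)
            if call in ADMIN_ABUSE_APIS:
                note("device_admin_abuse", name)
        for text in info["strings"]:
            words = set(re.findall(r"[a-z]+", text.lower()))
            if len(words & THREAT_TERMS) >= THREAT_MIN_TERMS:
                note("threatening_text", name)
    return dict(features)


def classify(features):
    """Assumed decision rule: a threat message plus a coercion mechanism marks ransomware."""
    coercion = {"screen_locking", "unattended_encryption", "device_admin_abuse"} & features.keys()
    if "threatening_text" in features and coercion:
        return "ransomware"
    return "suspicious" if features else "benign"


if __name__ == "__main__":
    for label, sample in (("locker", SAMPLE_DISASSEMBLY), ("notes", BENIGN_DISASSEMBLY)):
        feats = extract_features(sample)
        print(label, classify(feats), feats)
```

The benign sample shows why the "without user intervention" qualifier matters: the same `Cipher` call is ignored inside an Activity handler but flagged inside a Service, which is the distinction the real tool draws with proper flow analysis rather than a superclass check.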
Requirements:
+ Java 1.7+
+ Gradle 3.1+
Usage and Download:
$ git clone https://github.com/necst/heldroid
$ cd heldroid/
$ gradle build
$ gradle shadowJar
$ mkdir -p test/apks
$ curl "http://detect.ransom.mobi/fetch-apk?family=slocker&hash=d721a38e55441e3273754fa642f2744567dc786df356e89fa0bfa3cfd63ad0ed" > \
$ java -jar build/libs/heldroid-all.jar \
java -jar build/libs/heldroid-all.jar detector
java -jar build/libs/heldroid-all.jar filter