Comparative Analysis of Ransomware
Detection Techniques in Android Devices
(authors: Muhammad Abdullah, Ali Saad)
Course: Information Security
ABSTRACT-Ransomware is a big problem in
android devices and detecting its presence is the
first step in stopping its spread and malicious
intent. Many propositions and models are
researched and made for the detection of
ransomware in android devices but each approach
has some caveats and weak points to consider.
This paper takes 4 of the previously done
researches on this topic and critically analyzes the
propositions and methods mentioned in the
previous researches, which range from deep
learning approach to human device interaction
method to detect the ransomware, based on their
methodology, effectiveness, and accuracy to give a
definitive answer about which of the above-
mentioned solution is the most optimal.
I. INTRODUCTION
Ransomware is a sort of malware that intends to
publish or permanently block access to the victim's
data unless a premium is paid. While some
ransomware locks the system in a way that is easy to
undo for a trained user, a more powerful virus
employs a tactic known as cryptoviral extortion. It
encrypts the victim's files, rendering them
unavailable, and demands a ransom to unlock them.
Android devices in recent years have seen a
huge boom in adoption across the world so much so
that as of 2021 there are approximately 3 billion
android devices around the world and with
approximately 2.5 billion active Android users in the
world. With a market share of above 70% in 2021,
it’s a huge market for malicious users to target people
with ransomware for malicious intent.
So, there is a need now more than ever to
become aware of the attacks performed by the
ransomware on people and to stop its spread. The
first step to stop the spread of ransomware is to detect
it. In this research paper, we analyze 4 research
papers related to the detection of ransomware in
android devices. This paper presents different
methodologies and propositions to detect this
ransomware which is as follows
● DNA-Droid: A Real-Time Android
Ransomware Detection Framework
● Extinguishing Ransomware - A Hybrid
Approach to Android Ransomware
Detection
● Automated Detection and Analysis for
Android Ransomware
● Ransom Prober: A real time ransomware
detection framework
This paper states observes and analyzes these
above-mentioned models based on methodologies
used by the researchers, based on the effectiveness of
the models in detecting the detecting the ransomware,
and on the basis of the accuracy of detection which
relates to how much these models generate false
positives.
This paper then concludes by providing a
definitive answer with reasoning to state which of the
following model is the best and most optimal.
 II. LITERATURE REVIEW
We will extract malicious features from the
static analysis and on its basis, it is determined
A. Automated Detection
whether to use dynamic analysis or not. In the
The use of android devices increased over the
dynamic analysis we will measure and detect
years and that there was an increase in a
ransomware based on
ransomware attack on their devices. To stop these
● Data flow and Critical path: We will run the
attacks first we have to detect these ransomware
application and observe the flow of data and also
attacks. This paper proposes an automated approach
what paths the application is trying to access.
to detect these ransomware attacks. This paper states
● Domain Access: We will observe if the
that the process of detecting ransomware should be
application is trying to access any known malicious
automated so that regular users can discern regular
domain relation to previously known ransomware
apps from malicious apps. This automation
attacks.
technique is divided into 2 major parts, the first
● Changes: we will observe if the application
being the static approach and the last being the
is trying to change some functionality without clear
dynamic approach.
indication or not.
● Permissions: it will be observed whether the
The static approach states that we would
application is trying to bypass any permission to
analyze the code of the application without running
execute something or not.
the application and Dynamic analysis states that we
have to run the application in a secure environment
Based on above-mentioned criteria the
and monitor its behavior to understand whether the
application will be deemed malicious or not.
application is malicious or not.

B. DNA Droid
For this purpose, we use static and dynamic
This paper states that previously known
approaches successively. Firstly, we will use
solutions to detect android ransomware were slow
Android API and already known ransomware attack
while having high false positives and low accuracy
patterns to statically analyze applications and if we
and to mitigate this the paper proposes a solution
find any extraordinary behavior we will use
based on deep learning to produce high accuracy
dynamic analysis techniques to observe that
and low false-positive results.
application. The application will now be run in a
closed and limited environment and its behavior will
This paper suggests the DNA Droid approach
be judged by using previously known attack
which is a layered approach using Dynamic
patterns. If the application is deemed malicious then
Analysis and using static analysis as a compliment
it will be terminated and its behavior will be
by observing features and using Deep learning NN
recorded.
to determine whether an application is malicious or
not.
In static analysis firstly the APK is decompiled
into respective files and then these files are analyzed
This DNA Droid will firstly analyze the APK
based on
statically and if a malicious application is observed
● Permissions: APK will be judged on what
then a Neural network is used to scan the application
permission it's asking.
dynamically to determine whether it is malicious or
● API Sequence: APK will be judged based on
not.
the sequence of API invoked.
This is done in the following ways.
● Resource: What resources the APK is
● The paper presents features that can detect
requesting and using is also a critical factor in
unknown ransomware.
judging its intent.
● This paper presents a method to reduce the
● Structure: APK structure can also indicate
learning process by using Deep Auto Encode.
whether the app is malicious or not.
 ● The paper uses Binary and Multiple
Sequence Alignment to dynamically analyze the
application to detect ransomware.
● The sandbox to DNA Droid is released
publicly to report malicious activities.
The paper also presents several experiments to
determine the accuracy of the model in detecting
ransomware while producing high accuracy results
and stopping ransomware infection in early stages.
C. Ransom Prober
This paper proposes a real-time ransomware
detection model for ransomware which specifically
encrypts the user data. This is done by the use of
analysis of mobile UI widgets and finger
movements. Firstly, the UI widgets are analyzed
related to the activity performed and Secondly, the
location and movement of the user’s fingers and
used to analyze whether the encryption step is
performed by the user or ransomware.
Firstly, the research team collected many
samples of the ransomware, covering most of the
known android ransomware families. This data is
then analyzed and categorized based on several
factors and aspects. Most of these ransomwares are
observed to have the following features.
● Locking the device screen.
● Encrypting the user’s files.
● Getting specific permissions from the
android system to make itself known to the user
after the malicious activity is done.
● Giving a specific payment method to the
users to pay to get the data back.
The working of Ransom Prober is divided into
3 steps.
● Firstly, The Ransom Prober will analyze if
the user data is encrypted or not by using the
Encryption Analysis Model of the system.
● Secondly, The system will analyze if the
encryption is done by the application currently in
use by the user or not using the Foreground Analysis
Model of the system.
● Lastly, The system will analyze if the action
of encryption is performed by the user or not by
checking if the UI widgets such as Buttons are
related to the current activity and also by observing
the finger input location of the user.
This system produced extremely accurate
detection results of previously collected Data Set.
D. Extinguishing Ransomware - A
Hybrid Approach
This paper proposes a hybrid approach to
detect ransomware in android devices. The approach
states that the application is to be scanned before the
installation, also known as static analysis. After the
static analysis potential targets are then observed for
their behavior while their apps run and their
behavior will determine if these apps are
ransomware or not.
Firstly, The static approach is done on the
application using the opcode frequency. A classifier
is trained on the number of opcode sequences in an
application and after the classifier is trained it is
used to classify the application into whether it can
be malicious or not. This is based on the research
that the number of opcode occurrences and specific
opcode sequences can be the key indication of
whether the application is ransomware or not. Any
sure occurrence of ransomware can be stopped
before its execution in this way.
Secondly, the application is analyzed
dynamically to determine whether that application is
truly malicious or not. This Dynamic analysis is
done on the basis of resource utilization of the
application. The resources are as follows.
● CPU utilization.
● Memory runtime and utilization.
● Network usage by the application.
● System call statistics of the application.
A classifier is trained on previously executed
records and then the classifier is used to classify the
application to detect ransomware.
III. ANALYSIS
In this Section we will discuss different
methodologies opted by the four selected approaches
for ransomware detection in android devices. The
below mentioned approaches use the mixtures of
static and dynamic detection techniques to effectively
detect ransomwares. A detailed comparison of
methodologies of the methods and their effectiveness
and accuracy is give below
A. Methodologies:
1) Automated Detection:
Automated detection approach involves
statically analyzing the apk followed by
dynamic analysis of application’s runtime
behavior.
Static analysis:
Static analysis involves detection
without executing the application. Three
detection methods are being used here
which include:
● APK decomplication involves
decompression of the apk package
into source files which include
meta-inf, res, androidmanifest.xml,
classes. dex, resources. Ars. All
these files contain enough
information about the application to
detect if certain anomalies can be
found or not. These files are
analyzed here for checking which
permissions the application
requires, the sequence of API
invoking to match it with malicious
sequences, resources to check for
encrypted executable files that may
act to get administrative privileges
and finally the apk structure to
check if it has been repackaged
after being injected with malicious
functions.
● Repackaging Detection involves
checking if the apk has been played
with by third parties after
decompression and injected with
the malicious executable resources.
It involves decoding the
repackaged code.
● Feature extraction and
Comparison involves searching the
manifest file to match the features
with the features database so that
malicious apps can be detected if
any additional or tempered feature
is found.
Dynamic analysis:
Static analysis cannot deal with
situations such as code obfuscation and
encryption, so there is a need for dynamic
analysis. Dynamic analysis involves
observing the behavior of an application at
runtime to check if the behavior is pointing
at it being malicious or not. Four techniques
are being used here:
● Critical path and data flow involve
observation of pathways the
application is trying to access, so
that it may be checked if the
application is trying to access the
system executable directories to get
administrative access or trying to
steal sensitive data.
● Malicious domain access involves
monitoring the data flow to see if
the malicious application is trying
to send the stolen data to specific
domains, which can then be
matched with the blacklist of
malware-based domains.
● Malicious charges involve tracking
the destinations of SMS and calls to
see if it's known or unknown. This
way it can be known if the app is
charging for services through SMS
or call charges or not.
● Bypassing the android permission
involves checking if the application
is trying to do some permission
related work with announcing the
permission.
2) DNA Droid:
The DNA-Droid method involves evaluating
an application using static analysis and if it
is labeled suspicious, it will be continuously
monitored and profiling of its run-time
behavior will be done. Once the profile
becomes similar with a collection of
malicious profiles, the DNA-Droid
terminates the Application. This method
involves three major components:
Static analysis module:
Static module involves three
components to evaluate different aspects of
APK. Then it decides whether the
application is malicious or not.
● Text classification module (TCM)
involves performing linguistic
analysis on strings extracted from
disassembled APK to check for
words related to encryption,
locking, threatening, pornography
and money related words. It then
produces five similarity scores
which indicate intensity of presence
of such content in APK.
● Image classification module (ICM)
involves comparing the application
images to the database of famous
images which include logos of
well-known brands, banks,
governments etc. It uses Structural
similarity index measure algorithm
(SSIM) for this purpose.
● API calls and permissions module
(APM) involves extracting the
android API’s and permissions
from androidmanifest.xml file.
Dynamic analysis module:
Dynamic module is trained with
Malware families by executing them in
simulated environment. It produces DNA by
profiling api call sequence of each malware
family. It then tries to match the runtime
behavior of the sample with the family's
DNA. If it gets matched the app is labeled
suspicious.
Samples have to go through the following
Components to generate the DNA.
● Sandbox produces API call
sequence by capturing the runtime
behavior of each sample
application
● Pre-processing involves refining
the api call sequences to make them
more accurate and reduce noise. It
also reduces the sequence length,
thus reducing the detection time.
● Multiple sequence alignment
involves inserting games between
api call sequences to align them.
Then, common subsequences can
be extracted which indicate the
injected malicious behavior
Detection modules:
Detection module involves
monitoring the APK samples in two steps. In
the first one, a static classifier scores the
maliciousness of apk between 0 and 1. In the
second one, APK’s runtime behavior is
observed for suspected samples.
3) Ransomprober:
Ransomprober is a Realtime
Encrypting ransomware detection
framework. The basic functioning of
ransomprober involves three steps:
● Encryption Analysis involves pre-
defining some directories that need
to be protected. It then monitors the
encryption behavior by measuring
the degree of data transformation
through information entropy.
● Foreground Analysis involves
determining if the encrypted
behavior detected above is normal
or abnormal. It checks whether the
encryption operation is triggered by
the foreground application or not. If
the encryption operation is
irrelevant to the foreground
application, the package name of
the encryption operation and the
foreground application are
compared.
● Layout Analysis involves looking
for UI widgets that can be found
often in benign apps but not in
 ransomware apps. These UI
indicators are used here to
differentiate between benign and
ransomware apps: File list, Hint
text and button.
4) Hybrid approach
Hybrid approach uses two methods, Static
and dynamic analysis.
Static Analysis:
Static approach works by determining the
frequency of opcode in the executable of the
app being analyzed. Each application is pre-
processed to get the numeric values of
frequencies of opcode sequences. The
classifier is then trained on the labeled
dataset which can then be used to identify
malicious ransomware applications.
Dynamic Analysis:
A two-step detection system is used that first
classifies execution records, and then
complete applications by relying on the past
classifications of execution records. It
involves preprocessing phase, learning
phase and classification phase to detect if
application is ransomware or not.
● Preprocessing phase involves
extracting features from the
execution logs of applications
being considered.
● Learning phase involves training a
classifier to recognize execution
records of malicious malware
applications
● Classification phase involves using
the application classifier trained in
the learning phase on runtime to
detect ransomware.
C. Accuracy:
B. Effectiveness:
1) Automated Detection:
This method only seems effective
for Applications that are famous as it uses
feature comparison in dynamic analysis.
Any application that is made with the
intention of executing ransomware but done
with proper covering of features can bypass
this method. For example, if a messenger
application requires access to the camera
and gallery, this demand of permission is
justified. But if this application has
ransomware embedded in the code, it can
simply bypass this method of automated
detection.
2) DNA Droid:
DNA droid uses both the static and
dynamic approach along with the Deep
learning algorithms through which its
classifiers are trained. That makes this
method much more effective and accurate as
compared to automated detection which
works on few hardcoded constraints.
3) Ransomprober:
This method is effective only for
encryption related ransomware applications.
That is its biggest limitation. Also, The
speed of ransomprober is another limitation
as experimentation showed at least 6 files
were lost until ransomprober was effectively
able to label the application as ransomware.
This method is not very much efficient in
distinguishing unintended and user intended
file encryption.
4) Hybrid approach:
Hybrid approach is probably the
most effective approach among all those
which are discussed above. This method.
The J48 classifier gives here the best
performance. Though this method is quite
effective but there is still room for some
harm done to the device before it accurately
identifies the sample as ransomware in
dynamic detection.
1) Automated Detection:
Accuracy for this method cannot be
found as it has not been implemented yet.
2) DNA Droid:
An experiment was conducted on a
dataset released by state-of-the-art methods
for ransomware detection. DNA Droid was
 able to correctly classify 429 out of 440
ransomware samples. That gives an
accuracy of 97.5%.
3) Ransomprober
Experimentation was performed
among well-known ransomware detection
methods on the same dataset. It revealed,
ransomprober had an accuracy of 99% in
successful detection of ransomwares. One
factor that must be considered here is that
the other methods are not made entirely on
encryption analysis.
4) Hybrid approach
Experimentation performed
separately on static detection and on
dynamic detection revealed that there is a
99.8% accuracy rate for static detection and
85.61% accuracy rate for dynamic detection.
Overall, this method of hybrid approach
gives 100% accuracy in ransomware
detection.
[1] Chen, Jing, et al. “Uncovering the Face of
Android Ransomware: Characterization and
Real-Time Detection.” IEEE Transactions on
Information Forensics and Security, vol. 13, no.
5, 1 May 2018, pp. 1286–1300,
ieeexplore.ieee.org/abstract/document/8241433,
10.1109/TIFS.2017.2787905. Accessed 16 Nov.
2021.
[2] Ferrante, Alberto, et al. “Extinguishing
Ransomware - a Hybrid Approach to Android
Ransomware Detection.” Foundations and
IV. CONCLUSION
In the above discussion, four detection methods
were discussed with their methodologies,
effectiveness and accuracy. It turns out all of the
methods have some degree of harm that the user will
eventually go through. The methods using the deep
learning algorithms for training and classification are
much effective as compared to other methods. The
DNA droid and the Hybrid approach are the
approaches with most accurate results. Both of these
methods take some time for detecting ransomware
when performing dynamic analysis. That is why
some degree of harm is already caused before the
application is classified as malicious. Hybrid
approach can be called as the best approach here due
its 100% accuracy rate and least false positive rate.
V. REFERENCE
Practice of Security, 2018, pp. 242–258,
10.1007/978-3-319-75650-9_16.
[3] Gharib, Amirhossein, and Ali Ghorbani. “DNA-
Droid: A Real-Time Android Ransomware Detection
Framework.” Network and System Security, 2017,
pp. 184–198, 10.1007/978-3-319-64701-2_14.
[4] Yang, Tianda, et al. “Automated Detection and
Analysis for Android Ransomware.” IEEEXplore, 1
Aug. 2015,
ieeexplore.ieee.org/abstract/document/7336353.
Accessed 16 Nov. 2021.