Detecting Android Locker-Ransomware on Chinese Social Networks

In recent years, an increasing amount of locker-ransomware has been posing a great threat to the Android platform as well as users' properties. Locker-ransomware blackmails victims for ransom by compulsorily locking the devices. What is worse, a mature locker-ransomware transaction chain has taken shape on Chinese social networks. The effective detection of locker-ransomware is an emergent yet crucial issue. To deal with this issue, in this paper, we are motivated to propose a light-weight and automated method for the detection of locker-ransomware. First, we conduct a thorough survey of the locker-ransomware's transaction market and perform a comprehensive analysis of locker-ransomware's behaviors. Second, to cope with the code obfuscation problem, we extract features of both displayed texts and background operations based on the observed behaviors. The fine-grained features are extracted from multiple sources, which can profile locker-ransomware in different aspects. Finally, we employ the ensemble of four machine learning algorithms for detection. The experimental results show that our method outperforms VirusTotal. It achieves the best performance with the detection accuracy of 99.98%.