Abstract:
Ransomware detection on Android platforms is increasingly challenging due to
the evolving techniques used by attackers and the diverse behaviors of applications.
Traditional methods like static and dynamic analysis face limitations, such as difficulties
in handling code obfuscation, polymorphism, and high resource demands. Static analysis
struggles with detecting hidden or encrypted code, while dynamic analysis, though
effective at runtime, can be resource-intensive and impractical for real-time detection on
mobile devices. This study introduces a multi-stage framework aimed at improving
ransomware detection by focusing on a reduced set of distinguishing features. The
framework begins by collecting ransomware apps and generating behavioral profiles that
capture key malicious activities, such as file encryption attempts and unauthorized access
to sensitive data. These attributes are used to create a dataset for analysis. The created
dataset consists of 174 features. To reduce the number of features, we applied various
techniques, including SelectKBest, Recursive Feature Elimination (RFE), L1-based
selection, Principal Component Analysis (PCA), and Random Forest feature importance,
together with the proposed feature selection scheme. The proposed feature reduction strategy
optimized 80% of ineffective features, with a minor compromise of 0.59% in detection
accuracy. Several machine learning algorithms, including Random Forest, Gradient
Boosting, and ExtraTree, were employed to classify ransomware based on the reduced
feature set. Random Forest attained the highest accuracy. Its performance was validated
through 10-fold cross-validation, which produced an AUC-ROC score of 99.3%. This
high accuracy, coupled with the reduced computational demands, demonstrates the
effectiveness of the proposed framework. This framework enhances Android ransomware
detection by combining behavioral analysis with feature reduction, leading to improved
detection accuracy and efficiency. It outperforms traditional methods by focusing on a
minimal, optimized feature set, resulting in a practical solution for
resource-limited devices such as smartphones.