Abstract

The worldwide epidemic of ransomware monetary gains has grown astonishingly. This crimeware form is emerged to extort innocent users under the threat of locking their devices and/or encrypting their files. To mitigate the growth of ransomware attacks, cybersecurity researchers have proposed various solutions based on the functionalities of those attacks. However, this polymorphic type is kept refined to increase the appearance of new families and survive against mitigation approaches. This paper introduces RanDroid, a new automated lightweight approach for detecting ransomware variants in Android platform by measuring the structural similarity between a set of collected information from an inspected application and a set of predefined threatening information collected from known ransomware variants. Furthermore, RanDroid performs a linguistic analysis on the app's code as well as image textural strings to enhance further revelation. RanDroid was evaluated using 950 ransomware samples. In addition, this approach is capable of extracting threatening messages from samples that use evasion techniques such as sophisticated codes or dynamic payloads.