Analyzed Android Applications
Recently, damage caused by ransomware has been increasing in PC and Android environments. There are many studies into real-time ransomware detection, because the most important time to prevent encryption is before ransomware is able to execute its malicious process. Traditional analyses determine whether an application is ransomware by static or dynamic methods. Those analyses can serve as components of a method to detect ransomware in real time. However, problems can occur, such as the inability to detect new/variant/unknown ransomware: these types require signed patches from a trusted party that can only be created after attacks occur. In a previous study of real-time new/variant/unknown ransomware detection in a PC environment, important files are monitored and only programs that have been previously analyzed and evaluated as non-malicious are allowed access; programs that have not been analyzed are restricted from accessing important files. In an Android environment, this method can be applied to Android applications to prevent emerging threats and verify consistency with user intent. Thus, this paper proposes a method of detecting new/variant/unknown ransomware in real time in an Android environment.
a method to detect new/variant/unknown ransomware without patch information from trusted parties is proposed. For this, a file usage monitoring manager, a file access control manager, and an access control db were created. A part of the structure of this method is shown in Fig. 6. When an application uses file-access APIs to read or write a file, the operation is reported to the I/O manager of the OS. The I/O manager generates an I/O request packet and sends the packet to the file system driver. The file usage monitoring manager runs in the kernel mode of the OS and communicates with the I/O manager and the file access control manager. When an application opens a file, the file usage monitoring manager intercepts the packet destined for the file system driver. The file access control manager runs in the user mode of the OS and creates/manages a whitelist. When the file usage monitoring manager forwards an application's file access request, the file access control manager determines whether the application is allowed to access the file according to the whitelist recorded in the access control db. The access control db is stored in the user mode of the OS and saves/manages a whitelist consisting of two elements: the identity of a file type and, for each file type, the list of applications allowed to access it. When a file access request occurs, this method checks whether the application is in the whitelist; only applications in the list are allowed to access the file. If a new application wants to access a file, it must first be analyzed and, if it is evaluated as non-malicious, it is added to the list.

F. Shannon Entropy

Shannon entropy indicates the uncertainty of data. Cipher data has a higher entropy value than plain data because of the confusion property of encryption algorithms. When ransomware encrypts a file, the file's entropy increases [6]. In [5], Shannon entropy was used in the encryption analysis step to determine whether a monitored file had been encrypted.
The Shannon entropy value, e, can be computed as in (1).

There are two methods to detect Android ransomware and new/variant/unknown ransomware in real time. However, these methods have problems, including reduced accuracy and increased performance overhead. To address this, we first analyze the problems inherent to each method in this chapter.

A. Problems in Real-time Android Ransomware Detection

We analyzed two of the three steps: encryption analysis and layout analysis. The former monitors for encryption activity, while the latter performs static analysis for information extraction.

Encryption Analysis

In this step, predefined files are monitored and encrypted files are inspected. For this, Shannon entropy is used, but the results can be inaccurate. Theoretically, the entropy of cipher data is greater than that of plain data. However, for plain data that already has high entropy, the entropy can be lower after encryption. This can produce inaccuracies, such as plain data being considered encrypted, or cipher data being considered unencrypted.

Layout Analysis

In this step, information is extracted via static analysis from a file that is not executed. For this, layout files are analyzed to verify that all components are on screen, and xml files are checked for strings that exist in malicious applications. However, strings are only inspected against a whitelist of words expected to be found in normal applications. As such, inaccuracies can occur, such as strings with the same meaning circumventing the whitelist.
Monitoring

In this step, important files predefined by the user are monitored. The analyzed application module intercepts requests from APIs that read or write a file. If the target of the operation is not among the predefined files, the module forwards the request to the original system call; otherwise, it pauses the request. It then moves to the next step with logs that include the application package name and the name of the target file. In this step, analysis is performed on read and write operations. The analyzed application module is shown in Fig. 8.

B. Encryption

In this step, whether the targeted file was encrypted is determined according to the result of Shannon entropy. If the target file was not encrypted, the method returns to the monitoring step; otherwise, it proceeds to the next step. However, as analyzed above, Shannon entropy can produce inaccurate results. To address this, we use the average entropy of the divided parts of the file: the file is divided into 4,096-byte parts, the entropy of each part is computed, and the average of these values is used.

C. Already Analyzed

In this step, the package name is used to check whether the application was previously analyzed. For this, the package names of pre-analyzed applications should be stored statically. If the application was previously analyzed and determined to be normal, access is granted and the process ends. Otherwise, the behavior is denied and the process moves to the next step.

D. Is Normal

In this step, information is extracted, analyzed and provided to the user. Besides static analysis and dynamic analysis, many studies on how to extract/analyze information from Android applications can be incorporated here. To improve the accuracy of problem 1, we change the basis of the layout analysis inspection from a whitelist to a blacklist with words such as "pay" and "coin".

In this paper, we analyzed the problems of two previous studies on how to detect new/variant/unknown ransomware in real time on Android.
Subsequently, we proposed a real-time ransomware detection method as well as requirements to implement the method. This method can prevent new/variant/unknown ransomware with less performance overhead in an Android environment. We focused on the main function of processes from the Monitoring and Already Analyzed steps. However, how we provide information to the user in the Is Normal step is also important. Thus, additional studies about how to analyze the applications will be required. In future work, implementation of the proposed method should be performed with detailed analysis methods and evaluated for detection accuracy.
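The following example, added here and not part of the paper, walks one intercepted write request through the Monitoring, Encryption and Already Analyzed steps described above: it computes whole-file Shannon entropy, the paper's average of per-part entropies over 4,096-byte parts, and then consults a constructed access control db (file type to allowed packages) and a constructed set of already-analyzed packages. The package names, the sample file contents and the 7.0 bits/byte "looks encrypted" threshold are assumptions, not values from the paper.

```python
import math
import os
from collections import Counter

PART_SIZE = 4096  # part size used for the averaged entropy (from the paper)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunked_entropy(data: bytes, part_size: int = PART_SIZE) -> float:
    """Average of the per-part entropies over fixed-size parts of the file."""
    parts = [data[i:i + part_size] for i in range(0, len(data), part_size)]
    if not parts:
        return 0.0
    return sum(shannon_entropy(p) for p in parts) / len(parts)


# Constructed access control db: file type -> packages allowed to access it.
ACCESS_CONTROL_DB = {
    ".docx": {"com.example.office"},
    ".jpg": {"com.example.gallery", "com.example.office"},
}
# Constructed set of packages already analyzed and evaluated as normal.
ALREADY_ANALYZED = {"com.example.office", "com.example.gallery"}

# Assumed threshold (bits/byte) above which written data is treated as cipher data.
ENCRYPTED_THRESHOLD = 7.0


def decide(package: str, path: str, written: bytes) -> str:
    """Monitoring -> Encryption -> Already Analyzed decision for one write request."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in ACCESS_CONTROL_DB:
        return "forward"             # not a predefined important file: original syscall
    if chunked_entropy(written) < ENCRYPTED_THRESHOLD:
        return "allow"               # does not look encrypted: back to monitoring
    if package in ALREADY_ANALYZED and package in ACCESS_CONTROL_DB[ext]:
        return "allow"               # analyzed, normal, and whitelisted for this type
    return "deny-and-analyze"        # unknown package writing cipher-like data: Is Normal step


# Constructed samples: repetitive text versus bytes with a flat distribution.
PLAIN = b"The quick brown fox jumps over the lazy dog. " * 200
CIPHER_LIKE = bytes(range(256)) * 32   # every 4,096-byte part has entropy exactly 8.0
```

Note that a compressed JPEG already has entropy close to 8.0, which is why the Already Analyzed whitelist, not entropy alone, decides whether the write proceeds.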
