Due to the proliferation of the Internet of Things (IoT), Android-based IoT devices are increasingly targeted by sophisticated ransomware threats. To address this issue, we propose a hierarchical architecture for ransomware detection and family attribution that leverages solely API call sequences extracted from Android apps. The architecture is designed to analyze a continuous stream of apps. It comprises three sequential levels: (1) Malware detection to distinguish benign apps from malware, (2) Ransomware detection to differentiate ransomware from other malware types, and (3) Ransomware family attribution to assign detected ransomware to its actual family. This architecture is novel in that it differs from the single-level approaches proposed in the literature and considers all types of apps, including benign, ransomware, and other malware types. In addition, we extensively evaluated the architecture on the CICAndMal2017 dataset by combining different models and data pre-processing methods, which enables the evaluation of a total of 135 machine learning workflows across all levels. The evaluation results show accuracies of 92% and 100% were obtained for ransomware detection and ransomware family attribution, respectively.
← Back to publications
article 2025
Multi-level Architecture for IoT-based Android Ransomware Detection and Family Attribution
I Gharbi, A Agarwal, A Derhab