{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,24]],"date-time":"2026-02-24T19:15:41Z","timestamp":1771960541751,"version":"3.50.1"},"reference-count":70,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2024,3,2]],"date-time":"2024-03-02T00:00:00Z","timestamp":1709337600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,3,2]],"date-time":"2024-03-02T00:00:00Z","timestamp":1709337600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100010061","name":"University of Waikato","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100010061","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2024,6]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Ransomware, particularly crypto ransomware, has emerged as the go-to malware for threat actors aiming to compromise data on Android devices as well as in general. In this paper, we present a ransomware detection technique based on behaviours observed in the system calls performed by the malware. We first describe our repeatable and extensible methodology for extracting the system call log and patterns. We then identify and present some common high-level system call behavioural patterns exhibited by crypto ransomware, and evaluate these patterns. We further describe the implementation of a streaming implementation that utilises regular expressions for modelling malware behaviours and finite state machines for detecting crypto ransomware behaviours in real time. The success of our proof of concept evaluation allows us to envision our proposed technique applied as part of a self-protection system on Android phones against malware.\n<\/jats:p>","DOI":"10.1007\/s10207-024-00819-x","type":"journal-article","created":{"date-parts":[[2024,3,2]],"date-time":"2024-03-02T20:01:33Z","timestamp":1709409693000},"page":"1839-1858","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":16,"title":["Real-time system call-based ransomware detection"],"prefix":"10.1007","volume":"23","author":[{"given":"Christopher Jun Wen","family":"Chew","sequence":"first","affiliation":[]},{"given":"Vimal","family":"Kumar","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1366-9411","authenticated-orcid":false,"given":"Panos","family":"Patros","sequence":"additional","affiliation":[]},{"given":"Robi","family":"Malik","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,3,2]]},"reference":[{"issue":"C","key":"819_CR1","doi-asserted-by":"publisher","first-page":"212","DOI":"10.1016\/j.cose.2014.10.011","volume":"48","author":"S Alam","year":"2015","unstructured":"Alam, S., Horspool, R., Traore, I., Sogukpinar, I.: A framework for metamorphic malware analysis and real-time detection. Comput. Secur. 48(C), 212\u2013233 (2015). https:\/\/doi.org\/10.1016\/j.cose.2014.10.011","journal-title":"Comput. Secur."},{"issue":"POPL","key":"819_CR2","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3290353","volume":"3","author":"U Alon","year":"2019","unstructured":"Alon, U., Zilberstein, M., Levy, O., Yahav, E.: code2vec: learning distributed representations of code. Proc. ACM Program. Lang. 3(POPL), 1\u201329 (2019)","journal-title":"Proc. ACM Program. Lang."},{"key":"819_CR3","doi-asserted-by":"publisher","unstructured":"Al-Rimy, B.A.S., Maarof, M.A., Shaid, S.Z.M.: Ransomware threat success factors, taxonomy, and countermeasures: a survey and research directions. Comput. Secur. 74, 144\u2013166 (2018). https:\/\/doi.org\/10.1016\/j.cose.2018.01.001. https:\/\/www.sciencedirect.com\/science\/article\/pii\/S016740481830004X","DOI":"10.1016\/j.cose.2018.01.001"},{"key":"819_CR4","doi-asserted-by":"publisher","first-page":"144","DOI":"10.1016\/j.cose.2018.01.001","volume":"74","author":"BAS Al-rimy","year":"2018","unstructured":"Al-rimy, B.A.S., Maarof, M.A., Shaid, S.Z.M.: Ransomware threat success factors, taxonomy, and countermeasures: a survey and research directions. Comput. Secur. 74, 144\u2013166 (2018)","journal-title":"Comput. Secur."},{"key":"819_CR5","doi-asserted-by":"crossref","unstructured":"Alzahrani, N., Alghazzawi, D.: A review on android ransomware detection using deep learning techniques. In: Proceedings of the 11th International Conference on Management of Digital EcoSystems, pp. 330\u2013335. Association for Computing Machinery, New York (2019)","DOI":"10.1145\/3297662.3365785"},{"key":"819_CR6","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102670","volume":"116","author":"E Amer","year":"2022","unstructured":"Amer, E., El-Sappagh, S.: Robust deep learning early alarm prediction model based on the behavioural smell for android malware. Comput. Secur. 116, 102670 (2022). https:\/\/doi.org\/10.1016\/j.cose.2022.102670","journal-title":"Comput. Secur."},{"key":"819_CR7","doi-asserted-by":"publisher","unstructured":"Andronio, N., Zanero, S., Maggi, F.: Heldroid: dissecting and detecting mobile ransomware. In: Proceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2015, vol. 9404, pp. 382\u2013404. Springer, Berlin, Heidelberg (2015). https:\/\/doi.org\/10.1007\/978-3-319-26362-5_18","DOI":"10.1007\/978-3-319-26362-5_18"},{"key":"819_CR8","unstructured":"APKPure. Download APK on Android with Free Online APK Downloader - APKPure. https:\/\/apkpure.net\/. Accessed 21 Feb 2024"},{"key":"819_CR9","doi-asserted-by":"crossref","unstructured":"Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le\u00a0Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In: ACM Sigplan Notices, vol.\u00a049, pp. 259\u2013269. ACM, Association for Computing Machinery, Edinburgh (2014)","DOI":"10.1145\/2666356.2594299"},{"key":"819_CR10","unstructured":"Avast Blog. https:\/\/blog.avast.com\/. Accessed 21 Feb 2024"},{"key":"819_CR11","first-page":"46","volume":"42","author":"S Bhandari","year":"2018","unstructured":"Bhandari, S., Panihar, R., Naval, S., Laxmi, V., Zemmari, A., Gaur, M.S.: Sword: semantic aware android malware detector. J. Inf. Secur. Appl. 42, 46\u201356 (2018)","journal-title":"J. Inf. Secur. Appl."},{"issue":"5","key":"819_CR12","doi-asserted-by":"publisher","first-page":"1286","DOI":"10.1109\/TIFS.2017.2787905","volume":"13","author":"J Chen","year":"2017","unstructured":"Chen, J., Wang, C., Zhao, Z., Chen, K., Du, R., Ahn, G.J.: Uncovering the face of Android ransomware: characterization and real-time detection. IEEE Trans. Inf. Forens. Secur. 13(5), 1286\u20131300 (2017)","journal-title":"IEEE Trans. Inf. Forens. Secur."},{"key":"819_CR13","doi-asserted-by":"publisher","first-page":"388","DOI":"10.1007\/978-3-030-65745-1_23","volume-title":"Network and System Security","author":"CJW Chew","year":"2020","unstructured":"Chew, C.J.W., Kumar, V., Patros, P., Malik, R.: Escapade: encryption-type-ransomware: system call based pattern detection. In: Kuty\u0142owski, M., Zhang, J., Chen, C. (eds.) Network and System Security, pp. 388\u2013407. Springer, Cham (2020)"},{"key":"819_CR14","doi-asserted-by":"publisher","unstructured":"Compton, R., Frank, E., Patros, P., Koay, A.: Embedding java classes with code2vec: improvements from variable obfuscation. In: Proceedings of the 17th International Conference on Mining Software Repositories, MSR \u201920, pp. 243\u2013253. Association for Computing Machinery, New York (2020). https:\/\/doi.org\/10.1145\/3379597.3387445","DOI":"10.1145\/3379597.3387445"},{"key":"819_CR15","doi-asserted-by":"publisher","unstructured":"Bansal, U.: A review on ransomware attack. In: 2021 2nd International Conference on Secure Cyber Computing and Communications (ICSCCC), pp. 221\u2013226. IEEE Computer Society, Jalandhar (2021). https:\/\/doi.org\/10.1109\/ICSCCC51823.2021.9478148","DOI":"10.1109\/ICSCCC51823.2021.9478148"},{"issue":"2","key":"819_CR16","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1145\/2619091","volume":"32","author":"W Enck","year":"2014","unstructured":"Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS) 32(2), 5 (2014)","journal-title":"ACM Trans. Comput. Syst. (TOCS)"},{"issue":"2","key":"819_CR17","doi-asserted-by":"publisher","first-page":"998","DOI":"10.1109\/COMST.2014.2386139","volume":"17","author":"P Faruki","year":"2014","unstructured":"Faruki, P., Bharmal, A., Laxmi, V., Ganmoor, V., Gaur, M.S., Conti, M., Rajarajan, M.: Android security: a survey of issues, malware penetration, and defenses. IEEE Commun. Surv. Tutor. 17(2), 998\u20131022 (2014)","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"819_CR18","first-page":"66","volume":"22","author":"P Faruki","year":"2015","unstructured":"Faruki, P., Laxmi, V., Bharmal, A., Gaur, M.S., Ganmoor, V.: AndroSimilar: robust signature for detecting variants of Android malware. J. Inf. Secur. Appl. 22, 66\u201380 (2015)","journal-title":"J. Inf. Secur. Appl."},{"key":"819_CR19","doi-asserted-by":"publisher","unstructured":"Ferdous, J., Mahboubi, A.., Islam, Md.: A review of state-of-the-art malware attack trends and defense mechanisms. IEEE Access 11:121118-121141 (2023). https:\/\/doi.org\/10.1109\/ACCESS.2023.3328351","DOI":"10.1109\/ACCESS.2023.3328351"},{"key":"819_CR20","doi-asserted-by":"publisher","first-page":"56","DOI":"10.4236\/jis.2014.52006","volume":"05","author":"E Gandotra","year":"2014","unstructured":"Gandotra, E., Bansal, D., Sofat, S.: Malware analysis and classification: a survey. J. Inf. Secur. 05, 56\u201364 (2014). https:\/\/doi.org\/10.4236\/jis.2014.52006","journal-title":"J. Inf. Secur."},{"issue":"1","key":"819_CR21","doi-asserted-by":"publisher","first-page":"77","DOI":"10.1007\/s11416-008-0092-2","volume":"6","author":"A Gazet","year":"2010","unstructured":"Gazet, A.: Comparative analysis of various ransomware virii. J. Comput. Virol. 6(1), 77\u201390 (2010)","journal-title":"J. Comput. Virol."},{"key":"819_CR22","doi-asserted-by":"publisher","first-page":"184","DOI":"10.1007\/978-3-319-64701-2_14","volume-title":"Network and System Security","author":"A Gharib","year":"2017","unstructured":"Gharib, A., Ghorbani, A.: Dna-droid: a real-time android ransomware detection framework. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds.) Network and System Security, pp. 184\u2013198. Springer, Cham (2017)"},{"key":"819_CR23","doi-asserted-by":"publisher","unstructured":"Ghillani, D., Gillani, D.H.: A perspective study on malware detection and protection, a review. (2023). https:\/\/doi.org\/10.22541\/au.166308976.63086986\/v1. https:\/\/www.authorea.com\/users\/506161\/articles\/585873-a-perspective-study-on-malware-detection-and-protection-a-review. Accessed 21 Feb 2024","DOI":"10.22541\/au.166308976.63086986\/v1"},{"key":"819_CR24","doi-asserted-by":"crossref","unstructured":"Gonzalez, D., Hayajneh, T.: Detection and prevention of crypto-ransomware. In: 2017 IEEE 8th Annual Ubiquitous Computing. Electronics and Mobile Communication Conference (UEMCON), pp. 472\u2013478. IEEE Computer Society, New York (2017)","DOI":"10.1109\/UEMCON.2017.8249052"},{"key":"819_CR25","unstructured":"Google: Android Debug Bridge (ADB) (2020). https:\/\/developer.android.com\/studio\/command-line\/adb"},{"key":"819_CR26","unstructured":"Google: help protect against harmful apps with google play protect (2019). https:\/\/support.google.com\/googleplay\/answer\/2812853?hl=en"},{"key":"819_CR27","unstructured":"Google: UI\/application exerciser monkey (2020). https:\/\/developer.android.com\/studio\/test\/monkey"},{"key":"819_CR28","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2022.117200","volume":"206","author":"A Guerra-Manzanares","year":"2022","unstructured":"Guerra-Manzanares, A., Luckner, M., Bahsi, H.: Android malware concept drift using system calls: detection, characterization and challenges. Expert Syst. Appl. 206, 117200 (2022). https:\/\/doi.org\/10.1016\/j.eswa.2022.117200","journal-title":"Expert Syst. Appl."},{"key":"819_CR29","doi-asserted-by":"publisher","unstructured":"Hou, S., Saas, A., Chen, L., Ye, Y.: Deep4MalDroid: a deep learning framework for Android malware detection based on Linux kernel system call graphs. In: 2016 IEEE\/WIC\/ACM International Conference on Web Intelligence Workshops (WIW), pp. 104\u2013111 (2016). https:\/\/doi.org\/10.1109\/WIW.2016.040","DOI":"10.1109\/WIW.2016.040"},{"key":"819_CR30","unstructured":"Hou, O.: A Look at Google Bouncer (2012). https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/a-look-at-google-bouncer\/"},{"issue":"1","key":"819_CR31","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1186\/s40163-019-0097-9","volume":"8","author":"G Hull","year":"2019","unstructured":"Hull, G., John, H., Arief, B.: Ransomware deployment methods and analysis: views from a predictive model and human responses. Crime Sci. 8(1), 1\u201322 (2019)","journal-title":"Crime Sci."},{"issue":"12","key":"819_CR32","doi-asserted-by":"publisher","first-page":"1380","DOI":"10.1109\/TSE.2018.2880218","volume":"46","author":"S Iannucci","year":"2018","unstructured":"Iannucci, S., Abdelwahed, S., Montemaggio, A., Hannis, M., Leonard, L., King, J.S., Hamilton, J.A.: A model-integrated approach to designing self-protecting systems. IEEE Trans. Softw. Eng. 46(12), 1380\u20131392 (2018)","journal-title":"IEEE Trans. Softw. Eng."},{"key":"819_CR33","doi-asserted-by":"crossref","unstructured":"Isohara, T., Takemori, K., Kubota, A.: Kernel-based behavior analysis for android malware detection. In: 2011 7th International Conference on Computational Intelligence and Security, pp. 1011\u20131015. IEEE Computer Society, Sanya (2011)","DOI":"10.1109\/CIS.2011.226"},{"key":"819_CR34","doi-asserted-by":"crossref","unstructured":"Kanwal, M., Thakur, S., Lashkari, R.: An app based on static analysis for android ransomware. In: 2017 8th International Conference on Computing. Communication and Networking Technologies (ICCCNT), pp. 1\u20136. IEEE Computer Society, Delhi (2017)","DOI":"10.1109\/ICCCNT.2017.8204124"},{"issue":"2","key":"819_CR35","first-page":"136","volume":"19","author":"S Kok","year":"2019","unstructured":"Kok, S., Abdullah, A., Jhanjhi, N., Supramaniam, M.: Ransomware, threat and detection techniques: a review. Int. J. Comput. Sci. Netw. Secur. 19(2), 136 (2019)","journal-title":"Int. J. Comput. Sci. Netw. Secur."},{"key":"819_CR36","unstructured":"Koodous: Malicious dataset (n.d.). https:\/\/koodous.com\/"},{"key":"819_CR37","doi-asserted-by":"publisher","first-page":"326","DOI":"10.1007\/978-3-540-39650-5_19","volume-title":"Computer Security\u2014ESORICS 2003","author":"C Kruegel","year":"2003","unstructured":"Kruegel, C., Mutz, D., Valeur, F., Vigna, G.: On the detection of anomalous system call arguments. In: Snekkenes, E., Gollmann, D. (eds.) Computer Security\u2014ESORICS 2003, pp. 326\u2013343. Springer, Berlin, Heidelberg (2003)"},{"key":"819_CR38","doi-asserted-by":"crossref","unstructured":"Lashkari, A.H., Kadir, A.A., Taheri, L., Ghorbani, A.: Toward developing a systematic approach to generate benchmark android malware datasets and classification. In: 2018 International Carnahan Conference on Security Technology (ICCST), pp. 1\u20137. IEEE Computer Society, Montreal, Quebec, Canada (2018)","DOI":"10.1109\/CCST.2018.8585560"},{"key":"819_CR39","unstructured":"Levin, D.V.: Strace (2020). https:\/\/strace.io\/"},{"key":"819_CR40","doi-asserted-by":"publisher","first-page":"340","DOI":"10.1016\/j.cose.2013.08.010","volume":"39","author":"YD Lin","year":"2013","unstructured":"Lin, Y.D., Lai, Y.C., Chen, C.H., Tsai, H.C.: Identifying Android malicious repackaged applications by thread-grained system call sequences. Comput. Secur. 39, 340\u2013350 (2013)","journal-title":"Comput. Secur."},{"key":"819_CR41","unstructured":"Lockheimer, H.: Android and security [Blog post] (2012). https:\/\/googlemobile.blogspot.com\/2012\/02\/android-and-security.html"},{"issue":"4","key":"819_CR42","doi-asserted-by":"publisher","first-page":"381","DOI":"10.1109\/TDSC.2008.69","volume":"7","author":"F Maggi","year":"2008","unstructured":"Maggi, F., Matteucci, M., Zanero, S.: Detecting intrusions through system call sequence and argument analysis. IEEE Trans. Dependable Secur. Comput. 7(4), 381\u2013395 (2008)","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"issue":"4","key":"819_CR43","doi-asserted-by":"publisher","first-page":"300","DOI":"10.1016\/j.inffus.2009.01.004","volume":"10","author":"F Maggi","year":"2009","unstructured":"Maggi, F., Matteucci, M., Zanero, S.: Reducing false positives in anomaly detectors through fuzzy alert aggregation. Inf. Fus. 10(4), 300\u2013311 (2009)","journal-title":"Inf. Fus."},{"key":"819_CR44","doi-asserted-by":"publisher","unstructured":"Maiorca, D., Mercaldo, F., Giacinto, G., Visaggio, C.A., Martinelli, F.: R-PackDroid: API package-based characterization and detection of mobile ransomware. In: SAC\u00a0\u201917: Proceedings of the Symposium on Applied Computing, pp. 1718\u20131723. Association for Computing Machinery (2017). https:\/\/doi.org\/10.1145\/3019612.3019793","DOI":"10.1145\/3019612.3019793"},{"key":"819_CR45","unstructured":"McConnell, D.: The current state of ransomware in today\u2019s world and why the future is bleak (2017). https:\/\/www.cs.tufts.edu\/comp\/116\/archive\/fall2017\/dmcconnell.pdf"},{"key":"819_CR46","doi-asserted-by":"publisher","first-page":"114","DOI":"10.1007\/978-3-030-00470-5_6","volume-title":"Research in Attacks, Intrusions, and Defenses","author":"S Mehnaz","year":"2018","unstructured":"Mehnaz, S., Mudgerikar, A., Bertino, E.: Rwguard: a real-time detection system against cryptographic ransomware. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) Research in Attacks, Intrusions, and Defenses, pp. 114\u2013136. Springer, Cham (2018)"},{"key":"819_CR47","unstructured":"Micro, T.: Behind the Android menace: malicious apps\u2014TrendLabs security intelligence blog [Blog Post] (2012). https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/infographic-behind-the-android-menace-malicious-apps"},{"issue":"3","key":"819_CR48","doi-asserted-by":"publisher","first-page":"68","DOI":"10.5539\/mas.v14n3p68","volume":"14","author":"AH Mohammad","year":"2020","unstructured":"Mohammad, A.H.: Ransomware evolution, growth and recommendation for detection. Mod. Appl. Sci. 14(3), 68\u201374 (2020)","journal-title":"Mod. Appl. Sci."},{"key":"819_CR49","doi-asserted-by":"crossref","unstructured":"Moser, A., Kr\u00fcgel, C., Kirda, E.: Limits of static analysis for malware detection. In: 23d Annual Computer Security Applications Conference (ACSAC 2007), pp. 421\u2013430. IEEE Computer Society, Miami Beach (2007)","DOI":"10.1109\/ACSAC.2007.21"},{"key":"819_CR50","doi-asserted-by":"publisher","unstructured":"Onwuzurike, L., Mariconti, E., Andriotis, P., Cristofaro, E.D., Ross, G., Stringhini, G.: Mamadroid: detecting Android malware by building Markov chains of behavioral models (extended version). ACM Trans. Priv. Secur. (2019). https:\/\/doi.org\/10.1145\/3313391","DOI":"10.1145\/3313391"},{"issue":"11s","key":"819_CR51","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3514229","volume":"54","author":"H Oz","year":"2022","unstructured":"Oz, H., Aris, A., Levi, A., Uluagac, A.S.: A survey on ransomware: evolution, taxonomy, and defense solutions. ACM Comput. Surv. (CSUR) 54(11s), 1\u201337 (2022)","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"819_CR52","doi-asserted-by":"crossref","unstructured":"Pizzolotto, D., Fellin, R., Ceccato, M.: Oblive: seamless code obfuscation for java programs and android apps. In: 2019 IEEE 26th International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 629\u2013633. IEEE (2019)","DOI":"10.1109\/SANER.2019.8667982"},{"issue":"1","key":"819_CR53","first-page":"10","volume":"13","author":"R Richardson","year":"2017","unstructured":"Richardson, R., North, M.M.: Ransomware: evolution, mitigation and prevention. Int. Manag. Rev. 13(1), 10 (2017)","journal-title":"Int. Manag. Rev."},{"key":"819_CR54","unstructured":"Robert\u00a0Lipovsk\u00fd Luk\u00e1\u0161\u00a0\u0160tefanko, G.B.: Labour party is latest victim of Blackbaud ransomware attack (2016). https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2016\/02\/Rise_of_Android_Ransomware.pdf"},{"key":"819_CR55","doi-asserted-by":"publisher","unstructured":"Scalas, M., Maiorca, D., Mercaldo, F., Visaggio, C.A., Martinelli, F., Giacinto, G.: On the effectiveness of system api-related information for android ransomware detection. Comput. Secur. 86, 168\u2013182 (2019). https:\/\/doi.org\/10.1016\/j.cose.2019.06.004. https:\/\/www.sciencedirect.com\/science\/article\/pii\/S0167404819301178","DOI":"10.1016\/j.cose.2019.06.004"},{"key":"819_CR56","doi-asserted-by":"publisher","unstructured":"Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A fast automaton-based method for detecting anomalous program behaviors. In: Proceedings 2001 IEEE Symposium on Security and Privacy. S P 2001, vol.\u00a01, pp. 144\u2013155. IEEE, Oakland (2001). https:\/\/doi.org\/10.1109\/SECPRI.2001.924295","DOI":"10.1109\/SECPRI.2001.924295"},{"key":"819_CR57","doi-asserted-by":"publisher","first-page":"421","DOI":"10.1016\/j.future.2020.09.005","volume":"115","author":"C Skandylas","year":"2021","unstructured":"Skandylas, C., Khakpour, N.: Design and implementation of self-protecting systems: a formal approach. Fut. Gen. Comput. Syst. 115, 421\u2013437 (2021)","journal-title":"Fut. Gen. Comput. Syst."},{"key":"819_CR58","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1155\/2016\/2946735","volume":"2016","author":"S Song","year":"2016","unstructured":"Song, S., Kim, B., Lee, S.: The effective ransomware prevention technique using process monitoring on android platform. Mob. Inf. Syst. 2016, 1\u20139 (2016). https:\/\/doi.org\/10.1155\/2016\/2946735","journal-title":"Mob. Inf. Syst."},{"key":"819_CR59","doi-asserted-by":"crossref","unstructured":"Sood, G.: Virustotal: R client for the virustotal API. VirusTotal. R package version 0.2.1 (2017)","DOI":"10.32614\/CRAN.package.virustotal"},{"key":"819_CR60","unstructured":"Sophos: the state of ransomware 2020 (2021). https:\/\/www.sophos.com\/en-us\/medialibrary\/pdfs\/whitepaper\/sophos-state-of-ransomware-retail-2021-wp.pdf"},{"key":"819_CR61","unstructured":"Sophos: the State of Ransomware 2023 (2023). https:\/\/www.sophos.com\/en-us\/content\/state-of-ransomware"},{"key":"819_CR62","doi-asserted-by":"crossref","unstructured":"Srivastava, A., Lanzi, A., Giffin, J., Balzarotti, D.: Operating system interface obfuscation and the revealing of hidden operations. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 214\u2013233. Springer (2011)","DOI":"10.1007\/978-3-642-22424-9_13"},{"key":"819_CR63","unstructured":"Statista: Forecast number of mobile devices worldwide from 2020 to 2025 (in billions). Statista (2021). https:\/\/www.statista.com\/statistics\/218984\/number-of-global-mobile-users-since-2010\/"},{"key":"819_CR64","unstructured":"Statistica: global market share held by mobile operating systems from 2009 to 2023, by quarter (2023). https:\/\/www.statista.com\/statistics\/272698\/global-market-share-held-by-mobile-operating-systems-since-2009\/"},{"key":"819_CR65","doi-asserted-by":"publisher","first-page":"38041","DOI":"10.1109\/ACCESS.2018.2853121","volume":"6","author":"S Sun","year":"2018","unstructured":"Sun, S., Fu, X., Ruan, H., Du, X., Luo, B., Guizani, M.: Real-time behavior analysis and identification for android application. IEEE Access 6, 38041\u201338051 (2018)","journal-title":"IEEE Access"},{"key":"819_CR66","doi-asserted-by":"publisher","unstructured":"Tam, K., Khan, S., Fattori, A., Cavallaro, L.: Copperdroid: automatic reconstruction of android malware behaviors. In: NDSS Symposium 2015, pp. 1\u201315. NDSS, San Diego (2015). https:\/\/doi.org\/10.14722\/ndss.2015.23145. Annual Network and Distributed System Security Symposium (NDSS) ; Conference date: 08\u201302\u20132015 Through 11\u201302\u20132015","DOI":"10.14722\/ndss.2015.23145"},{"key":"819_CR67","unstructured":"WeLiveSecurity: WeLiveSecurity (2020). https:\/\/www.welivesecurity.com\/"},{"key":"819_CR68","unstructured":"Wi\u015bniewski, R.: Apktool (2021). https:\/\/ibotpeaches.github.io\/Apktool\/"},{"key":"819_CR69","doi-asserted-by":"publisher","unstructured":"Zhang, X., Breitinger, F., Luechinger, E., O\u2019Shaughnessy, S.: Android application forensics: a survey of obfuscation, obfuscation detection and deobfuscation techniques and their impact on investigations. Forens. Sci. Int.: Digit. Invest. 39, 301285 (2021). https:\/\/doi.org\/10.1016\/j.fsidi.2021.301285. https:\/\/www.sciencedirect.com\/science\/article\/pii\/S2666281721002031","DOI":"10.1016\/j.fsidi.2021.301285"},{"key":"819_CR70","doi-asserted-by":"publisher","unstructured":"Zhou, W., Zhou, Y., Jiang, X., Ning, P.: Detecting repackaged smartphone applications in third-party android marketplaces. In: Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy, CODASPY \u201912, pp. 317\u2013326. Association for Computing Machinery, New York (2012). https:\/\/doi.org\/10.1145\/2133601.2133640","DOI":"10.1145\/2133601.2133640"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-024-00819-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-024-00819-x\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-024-00819-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,9,19]],"date-time":"2024-09-19T14:07:21Z","timestamp":1726754841000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-024-00819-x"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,3,2]]},"references-count":70,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2024,6]]}},"alternative-id":["819"],"URL":"https:\/\/doi.org\/10.1007\/s10207-024-00819-x","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,3,2]]},"assertion":[{"value":"2 March 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this article.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"The authors declare that this article does not contain any studies involving human participants or animals.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}}]}}