{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T01:59:47Z","timestamp":1760234387675,"version":"build-2065373602"},"reference-count":26,"publisher":"MDPI AG","issue":"5","license":[{"start":{"date-parts":[[2021,5,12]],"date-time":"2021-05-12T00:00:00Z","timestamp":1620777600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"National Key R&amp;D Program of China","award":["2018YFB0804703"],"award-info":[{"award-number":["2018YFB0804703"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>Ransomwares on Android have become a challenging threat, performing tasks such as hijacking screen resources, locking devices, and encrypting files. Even worse, with the evolution of ransomwares, many ransomwares can disable USB interfaces of mobile devices. It is difficult for users to recover their devices or decrypt files with the help of other equipment and gives monetary damages to victims. In this paper, we analyse the symmetry between the ransom behaviours and the source code of screen resource hijacked ransomwares, devices locked ransomwares and files encrypted ransomwares. We also propose strategies of recovering hijacked resources, recovering hijacked devices and decrypting encrypted files. To protect mobile devices and private files from ransomwares, we design and implement an automatic recovery application\u2014KRRecover\u2014which is used to recover the hijacked devices and decrypt encrypted files on Android.<\/jats:p>","DOI":"10.3390\/sym13050861","type":"journal-article","created":{"date-parts":[[2021,5,12]],"date-time":"2021-05-12T22:46:14Z","timestamp":1620859574000},"page":"861","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["KRRecover: An Auto-Recovery Tool for Hijacked Devices and Encrypted Files by Ransomwares on Android"],"prefix":"10.3390","volume":"13","author":[{"given":"Senmiao","family":"Wang","sequence":"first","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sujuan","family":"Qin","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nengqiang","family":"He","sequence":"additional","affiliation":[{"name":"National Computer Network Emergency Response Technical Team\/Coordination Center of China (CNCERT\/CC), Beijing 100029, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tengfei","family":"Tu","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Junjie","family":"Hou","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hua","family":"Zhang","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yijie","family":"Shi","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2021,5,12]]},"reference":[{"key":"ref_1","unstructured":"(2020, December 20). Datto\u2019s Global State of the Channel Ransomware Report. [Online]. Available online: https:\/\/www.datto.com\/resources\/dattos-global-state-of-the-channel-ransomware-report."},{"key":"ref_2","unstructured":"(2020, December 30). Available online: https:\/\/www.coveware.com\/blog\/q2-2020-ransomware-marketplace-report."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"(2019, March 15). McAfee Labs Threats Report. Available online: https:\/\/www.mcafee.com\/enterprise\/en-us\/assets\/reports\/rp-mobile-threat-report-2019.pdf.","DOI":"10.1016\/S1361-3723(19)30004-1"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"32","DOI":"10.1109\/MC.2014.163","article-title":"Rootguard: Protecting rooted android phones","volume":"47","author":"Shao","year":"2014","journal-title":"IEEE Comput."},{"key":"ref_5","unstructured":"Costamagna, V., and Zheng, C. (2016, April 06). Artdroid: A Virtual-Method Hooking Framework on Android Art Runtime. Available online: http:\/\/ceur-ws.org\/Vol-1575\/paper_10.pdf."},{"key":"ref_6","unstructured":"(2019, December 13). Available online: https:\/\/developer.android.com\/about\/dashboards\/index.html."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"105","DOI":"10.1007\/978-3-319-58967-1_12","article-title":"Ransomware-prevention technique using key backup","volume":"Volume 194","author":"Jung","year":"2017","journal-title":"Big Data Technologies and Applications"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Kolodenker, E., Koch, W., Stringhini, G., and Egele, M. (2017, January 2\u20136). PayBreak: Defense against cryptographic ransomware. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ASIA CCS 2017, Abu Dhabi, United Arab Emirates.","DOI":"10.1145\/3052973.3053035"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., and Kirda, E. (2015, January 9\u201310). Cutting the gordian knot: A look under the hood of ransomware attacks. Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Milan, Italy.","DOI":"10.1007\/978-3-319-20550-2_1"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Continella, A. (2016, January 5\u20139). Shieldfs: A self-healing, ransomware-aware filesystem. Proceedings of the 32nd Annual Conference on Computer Security Applications, Los Angeles, CA, USA.","DOI":"10.1145\/2991079.2991110"},{"key":"ref_11","unstructured":"Kharaz, A., Arshad, S., Mulliner, C., Robertson, W., and Kirda, E. (2016, January 10\u201312). UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware. Proceedings of the USENIX Security Symposium 2016, Austin, TX, USA."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Andronio, N., Zanero, S., and Maggi, F. (2015, January 2\u20134). HelDroid: Dissecting and detecting mobile ransomware. Proceedings of the International Symposium on Recent Advances in Intrusion Detection, Kyoto, Japan.","DOI":"10.1007\/978-3-319-26362-5_18"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Scaife, N., Carter, H., Traynor, P., and Butler, K.R.B. (2016, January 27\u201330). Cryptolock (and drop it): Stopping ransomware attacks on user data. Proceedings of the ICDCS, Nara, Japan.","DOI":"10.1109\/ICDCS.2016.46"},{"key":"ref_14","unstructured":"(2019, December 13). Available online: https:\/\/developer.android.google.cn\/studio\/command-line\/adb."},{"key":"ref_15","unstructured":"(2020, January 04). Available online: https:\/\/source.android.com\/source\/running#unlocking-the-bootloader."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Spreitzenbarth, M., Freiling, F., Echtler, F., Schreck, T., and Hoffmann, J. (2013, January 18\u201322). Mobile-sandbox: Having a deeper look into android applications. Proceedings of the 28th Annual ACM Symposium on Applied Computing, Coimbra, Portugal.","DOI":"10.1145\/2480362.2480701"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"9856537","DOI":"10.1155\/2018\/9856537","article-title":"A Security Sandbox Approach of Android Based on Hook Mechanism","volume":"2018","author":"Jiang","year":"2018","journal-title":"Secur. Commun. Netw."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"1286","DOI":"10.1109\/TIFS.2017.2787905","article-title":"Uncovering the Face of Android Ransomware: Characterization and Real time Detection","volume":"13","author":"Chen","year":"2018","journal-title":"IEEE Trans. Actions Inf. Forensics Secur."},{"key":"ref_19","unstructured":"(2019, March 03). Available online: http:\/\/amd.arguslab.org."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K., and Siemens, C.E. (2014, January 23\u201326). DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket. Proceedings of the Network Distributed System Security Symposium 2014, San Diego, CA, USA.","DOI":"10.14722\/ndss.2014.23247"},{"key":"ref_21","unstructured":"(2020, March 15). Available online: https:\/\/repo.xposed.info\/module\/de.robv.android.xposed.installer."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Maiorca, D., Giacinto, F., Visaggio, C.A., and Martinelli, F. (2017, January 3\u20137). R-PackDroid: API Package-Based Characterization and Detection of Mobile Ransomware. Proceedings of the ACM Symposium on Applied Computing (SAC 2017\u2013Acceptance Rate 15.7%), Marrakech, Morocco.","DOI":"10.1145\/3019612.3019793"},{"key":"ref_23","unstructured":"(2019, December 13). Available online: http:\/\/prag.diee.unica.it\/it\/RPackDroid."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"162","DOI":"10.1016\/j.cose.2019.06.004","article-title":"On the Effectiveness of System API-Related Information for Android Ransomware Detection","volume":"86","author":"Scalas","year":"2019","journal-title":"Comput. Secur."},{"key":"ref_25","unstructured":"(2018, August 20). Available online: https:\/\/www.virustotal.com\/."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"1048","DOI":"10.1109\/JSSC.2014.2384039","article-title":"340 mV\u20131.1 V, 289 Gbps\/W, 2090-Gate NanoAES Hardware Accelerator With Area-Optimized Encrypt\/Decrypt GF(2 4) 2 Polynomials in 22 nm Tri-Gate CMOS","volume":"50","author":"Mathew","year":"2015","journal-title":"IEEE J. Solid-State Circ."}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/13\/5\/861\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T05:59:38Z","timestamp":1760162378000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/13\/5\/861"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,5,12]]},"references-count":26,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2021,5]]}},"alternative-id":["sym13050861"],"URL":"https:\/\/doi.org\/10.3390\/sym13050861","relation":{},"ISSN":["2073-8994"],"issn-type":[{"type":"electronic","value":"2073-8994"}],"subject":[],"published":{"date-parts":[[2021,5,12]]}}}