Hail to the Thief: Protecting Data from Mobile Ransomware with ransomSafeDroid

Sileshi Demesie Yalew 1,2, Gerald Q. Maguire Jr. 2, Seif Haridi 2, Miguel Correia 1
1 INESC-ID, Instituto Superior Técnico, Universidade de Lisboa, Portugal
2 School of Information and Communication Technology, KTH Royal Institute of Technology, Sweden
sdyalew@kth.se, maguire@kth.se, haridi@kth.se, miguel.p.correia@tecnico.ulisboa.pt

Abstract—The growing popularity of Android and the increasing amount of sensitive data stored in mobile devices have led to the dissemination of Android ransomware. Ransomware is a class of malware that makes data inaccessible by blocking access to the device or, more frequently, by encrypting the data; to recover the data, the user has to pay a ransom to the attacker. A solution for this problem is to back up the data. Although backup tools are available for Android, these tools may be compromised or blocked by the ransomware itself. This paper presents the design and implementation of RANSOMSAFEDROID, a TrustZone-based backup service for mobile devices. RANSOMSAFEDROID is protected from malware by leveraging the ARM TrustZone extension and running in the secure world. It periodically backs up files to a secure local persistent partition and pushes these backups to external storage to protect them from ransomware. Initially, RANSOMSAFEDROID does a full backup of the device filesystem; afterwards it does incremental backups that save only the changes since the last backup. As a proof of concept, we implemented a RANSOMSAFEDROID prototype and provide a performance evaluation using an i.MX53 development board.

I. INTRODUCTION

Ransomware (such as WannaCry [1]) has been appearing a lot in the news. Ransomware is malware that prevents access to data in a computer, either by locking the system's screen or, more frequently, by encrypting files, and then demands a ransom from the victim to restore that access [2].
The ransom is typically paid in a cryptocurrency (e.g., Bitcoin or Monero). Ransomware has begun to attack mobile devices running the Android operating system (OS), similarly to what happened earlier with PCs [3]–[5].

Android ransomware can be divided into two classes: lock-screen ransomware and crypto-ransomware. Lock-screen ransomware (such as Android.Lockdroid.E) blocks user interaction with the device, for example by leveraging the SYSTEM_ALERT_WINDOW Android permission to lock the screen. An application (app) that holds this permission can create system-type windows and display them on top of every other app or window, making it impossible to use the device. Before Android 6.0 Marshmallow, this permission was granted automatically to any app from the Google Play Store that requested it, facilitating this form of attack [6]. Nevertheless, this class of ransomware seems to be quite specific, as it depends on particular design vulnerabilities.

The most common form of ransomware is crypto-ransomware (such as Trojan-Ransom.AndroidOS.Small or, for PCs, WannaCry), which encrypts files on the victim's device and demands payment to provide the decryption key. Interestingly, paying the ransom may not return the files, as sometimes the attacker does not provide the key. Moreover, files may be corrupted and thus cannot be decrypted. Making regular backups of the files [7] is a common solution to this type of attack.

There are several tools to back up and restore data and apps in mobile devices. For example, Samsung Smart Switch [8] and LG Bridge [9] transfer data (e.g., documents, videos, pictures, and contacts) and apps from a mobile device to a PC and vice-versa. Moreover, mobile OSes (such as Android and iOS) provide utilities to easily make cloud backups. However, the existing backup tools run in the same execution environment as the malware that infects the device, hence they may be compromised or blocked by the ransomware.
In fact, malware is often able to disable anti-malware and other security software [10], as shown by the recent case of HijackRAT [11]. From the attacker's viewpoint, an effective approach would be for the ransomware to disable the backup tool(s) for a period of time before it starts encrypting files, so that the files that have been backed up are outdated. Furthermore, in some cases ransomware is able to encrypt or delete the backup files themselves, as happens with WannaCry itself, which deletes the shadow copies of a particular volume [1]. Therefore, the backups themselves have to be protected. Unfortunately, this is not the case for the backup solutions just discussed.

TrustZone is a hardware security extension provided by recent ARM processors to enable trusted computing [12], [13]. The aim of TrustZone technology is to provide two execution environments: the secure world, a trusted execution environment where trusted code runs, and the normal world, where untrusted code, including the mobile OS (e.g., Android) and the mobile apps, is executed. The physical core of the processor is divided into two virtual cores, corresponding to the two environments. Memory space, peripherals, interrupts, and other resources can be assigned to the secure world, hence they are isolated from the normal world. Moreover, code running in the secure world can access the resources of the normal world, whereas normal-world code cannot access resources assigned to the secure world.

978-1-5386-1465-5/17/$31.00 © 2017 IEEE
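The full-then-incremental backup scheme described in the abstract, together with the point above that the backup copies themselves must survive the ransomware, as an added worked example in Python. This is not the paper's code, and RANSOMSAFEDROID's actual secure-world storage format is not described on this page: the store below keeps content-addressed blobs (SHA-256 of the content) and an ordered chain of snapshots, where each incremental snapshot records only the paths changed or deleted since the previous one, and restore replays the chain up to a chosen snapshot while verifying every blob's hash. The directory name secure_partition, the blobs/ layout, the sample files and the "encryption" step (files overwritten with random bytes) are constructed for this example. The read-only file mode is only a stand-in for the secure partition; malware running with the user's privileges can undo it, which is precisely why the paper moves the store behind TrustZone.

```python
# Added example (not code from the ransomSafeDroid paper): full-then-incremental
# backup with content-addressed blobs and a replayable snapshot chain. The layout
# (blobs/) and the name "secure_partition" are this example's own assumptions.
import hashlib
import os
import shutil
import tempfile

def scan(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest

class BackupStore:
    """Content-addressed blobs plus an ordered snapshot chain: snapshot 0 is a
    full manifest, each later one lists only paths added/changed and deleted."""

    def __init__(self, store_dir):
        self.blobs = os.path.join(store_dir, "blobs")
        os.makedirs(self.blobs, exist_ok=True)
        self.snapshots = []  # a real store would persist this index beside the blobs

    def manifest_at(self, n):
        """Replay the chain to rebuild the complete manifest as of snapshot n."""
        state = {}
        for snap in self.snapshots[: n + 1]:
            for path in snap["deleted"]:
                state.pop(path, None)
            state.update(snap["files"])
        return state

    def backup(self, src_root):
        """Full snapshot if the store is empty, else incremental.
        Returns (snapshot index, number of blobs newly written)."""
        current = scan(src_root)
        previous = self.manifest_at(len(self.snapshots) - 1) if self.snapshots else {}
        changed = {p: h for p, h in current.items() if previous.get(p) != h}
        deleted = sorted(set(previous) - set(current))
        written = 0
        for path, digest in changed.items():
            dst = os.path.join(self.blobs, digest)
            if not os.path.exists(dst):  # identical content is stored once
                shutil.copyfile(os.path.join(src_root, path), dst)
                # Read-only mode is only a stand-in for the secure partition:
                # malware with the user's privileges can chmod it back, which
                # is exactly why the paper moves the store behind TrustZone.
                os.chmod(dst, 0o444)
                written += 1
        kind = "full" if not self.snapshots else "incremental"
        self.snapshots.append({"kind": kind, "files": changed, "deleted": deleted})
        return len(self.snapshots) - 1, written

    def restore(self, n, dest_root):
        """Materialise snapshot n under dest_root, verifying every blob's hash."""
        for path, digest in self.manifest_at(n).items():
            with open(os.path.join(self.blobs, digest), "rb") as fh:
                data = fh.read()
            if hashlib.sha256(data).hexdigest() != digest:
                raise ValueError(f"blob {digest} is corrupt or was tampered with")
            _write(os.path.join(dest_root, path), data)

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: full backup, edits, incremental backup, simulated
    encryption of every file, then restore of the last clean snapshot."""
    base = tempfile.mkdtemp(prefix="rsd_")
    try:
        data = os.path.join(base, "sdcard")
        _write(os.path.join(data, "DCIM", "img1.jpg"), b"JPEG-1")
        _write(os.path.join(data, "notes.txt"), b"meeting at 10")
        store = BackupStore(os.path.join(base, "secure_partition"))
        _, w_full = store.backup(data)                            # snapshot 0: full
        _write(os.path.join(data, "notes.txt"), b"meeting at 11")  # changed
        _write(os.path.join(data, "todo.txt"), b"buy milk")        # added
        os.remove(os.path.join(data, "DCIM", "img1.jpg"))          # deleted
        i_clean, w_incr = store.backup(data)                      # snapshot 1: incremental
        clean = scan(data)
        for rel in clean:  # simulated crypto-ransomware: overwrite every file
            _write(os.path.join(data, rel), os.urandom(32))
        _, w_bad = store.backup(data)  # snapshot 2 records the damage; 0 and 1 are untouched
        restored = os.path.join(base, "restored")
        store.restore(i_clean, restored)
        return {
            "kinds": [s["kind"] for s in store.snapshots],
            "blobs_written": (w_full, w_incr, w_bad),
            "deleted_in_incremental": store.snapshots[i_clean]["deleted"],
            "restore_matches_pre_attack": scan(restored) == clean,
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

Running demo() takes the full snapshot, an incremental one (two new blobs for the changed and added files, one recorded deletion), and a third snapshot after the simulated encryption; restoring snapshot 1 reproduces the pre-attack tree exactly because earlier blobs are never rewritten. Note what the example cannot show: the snapshot index and the blob directory here live in the same OS as the "ransomware", so a real attacker could delete them; keeping the store on a partition that only secure-world code can write is the part of the design that TrustZone provides.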