CN106934284B - Application program detection method and device and terminal - Google Patents

Publication number
CN106934284B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201511021184.0A
Other languages
Chinese (zh)
Other versions
CN106934284A (en)
Inventor
曾欢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingsoft Internet Security Software Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Application filed by Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201511021184.0A
Publication of CN106934284A
Application granted
Publication of CN106934284B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/564 Static detection by virus signature recognition

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

The embodiment of the invention discloses an application program detection method, an application program detection device and a terminal. The scheme comprises the following steps: identifying first application programs existing under a system directory of the terminal; grouping the first application programs according to their signature information to generate a first group comprising at least one signature group, wherein the signature groups have unique correspondence with the signature information; grouping the first application programs according to their installation time to generate a second group comprising at least one time group, wherein the time groups have unique correspondence with the installation time; judging whether a first signature group meeting a predetermined condition exists in the first group, and if so, determining the first application programs in the first signature group as virus programs, wherein the predetermined condition at least includes: the first application programs included in the signature group can cover the first application programs included in at least one time group. By applying the embodiment of the invention, a virus program invisibly installed in the terminal can be identified.

Description

Application program detection method and device and terminal
Technical Field
The present invention relates to the field of information security, and in particular, to a method, an apparatus, and a terminal for detecting an application.
Background
In recent years, with the popularization and development of various operating systems for terminals, virus programs targeting these operating systems have become increasingly common. Technically, a virus program may attempt to steal the root authority of the operating system, then install itself into the operating system in an invisible manner, and consume the traffic of the terminal in the background to acquire information in the terminal. Here, the invisible manner specifically means that the program icon of the virus program is not displayed on the main interface or the desktop of the terminal.
However, for such a virus program that is installed invisibly and obtains the root authority of the operating system of the terminal, the prior art can detect the existence of the virus program, but it is difficult to determine the location of the virus program, and how to identify the virus program becomes an urgent problem to be solved.
Disclosure of Invention
The embodiment of the invention discloses an application program detection method, an application program detection device and a terminal, which are used for realizing identification of virus programs which are invisibly installed on the terminal. The specific scheme is as follows:
In a first aspect, an embodiment of the present invention provides an application detection method, which is applied to a terminal, and the method includes:
identifying an application program existing in a system directory of the terminal and determining the application program as a first application program;
grouping the first application programs according to the signature information of the first application programs to generate a first group, wherein the first group comprises at least one signature group, and the signature groups have unique correspondence with the signature information;
grouping the first application programs according to the installation time of the first application programs to generate a second group, wherein the second group comprises at least one time group, and the time groups have unique correspondence with the installation time;
judging whether a first signature group meeting a predetermined condition exists in the first group, and if so, determining the first application programs included in the first signature group as virus programs, wherein the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group.
Preferably, the predetermined condition further includes: the number of included first applications is minimal;
the determining whether a first signature group meeting a predetermined condition exists in the first group includes:
and judging whether a first signature group which can cover the first application program included in at least one group of time groups and has the least number of the first application programs exists in the first group.
Preferably, the signature group of the first application includes:
a system native class signature group, a hardware vendor class signature group, a device vendor class signature group, or an application vendor signature group.
Preferably, the grouping the first application program according to the installation time of the first application program includes:
and grouping the first application program according to the installation date of the first application program.
Preferably, the method for detecting an application provided in the embodiment of the present invention further includes:
and after the first application program included in the first signature group is determined as the virus program, outputting prompt information to prompt a user that the first application program included in the first signature group is determined as the virus program.
Preferably, the method for detecting an application provided in the embodiment of the present invention further includes:
and after the first application program included in the first signature group is determined as a virus program, acquiring system authority and forcibly uninstalling the virus program.
In a second aspect, an embodiment of the present invention further provides an application detection apparatus, which is applied to a terminal, where the apparatus includes: a determining module, a first grouping module, a second grouping module and a judging module;
the determining module is used for identifying an application program existing in a system directory of the terminal and determining the application program as a first application program;
the first grouping module is used for grouping the first application programs according to the signature information of the first application programs to generate a first group, wherein the first group comprises at least one signature group, and the signature groups have unique correspondence with the signature information;
the second grouping module is used for grouping the first application programs according to the installation time of the first application programs to generate a second group, wherein the second group comprises at least one time group, and the time groups have unique correspondence with the installation time;
the judging module is used for judging whether a first signature group meeting a predetermined condition exists in the first group, and if so, determining the first application programs included in the first signature group as virus programs, wherein the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group.
Preferably, the predetermined condition further includes: the number of included first applications is minimal;
the judgment module is specifically configured to:
and judging whether a first signature group which can cover the first application program included in at least one group of time groups and has the least number of the first application programs exists in the first group.
Preferably, the signature group of the first application includes:
a system native class signature group, a hardware vendor class signature group, a device vendor class signature group, or an application vendor signature group.
Preferably, the second grouping module is specifically configured to:
and grouping the first application program according to the installation date of the first application program.
Preferably, the application detection apparatus provided in the embodiment of the present invention further includes a prompt information output module;
the prompt information output module is used for outputting prompt information after the judging module determines the first application program included in the first signature group as a virus program, so as to prompt the user that the first application program included in the first signature group is determined as a virus program.
Preferably, the application detection apparatus provided in the embodiment of the present invention further includes an uninstalling module;
the uninstalling module is used for acquiring system authority and forcibly uninstalling the virus program after the judging module determines the first application program included in the first signature group as a virus program.
In a third aspect, an embodiment of the present invention further provides a terminal, including: a housing, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit is used for supplying power to each circuit or device of the terminal; the memory is used for storing executable program code; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following steps:
identifying an application program existing in a system directory of the terminal and determining the application program as a first application program;
grouping the first application program according to the signature information of the first application program to generate a first group, wherein the first group comprises at least one group of signature groups, and the signature groups have unique correspondence with the signature information;
grouping the first application programs according to the installation time of the first application programs to generate a second group, wherein the second group comprises at least one group of time groups, and the time groups have unique correspondence with the installation time;
judging whether a first signature group meeting a predetermined condition exists in the first group, and if so, determining the first application programs included in the first signature group as virus programs, wherein the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group.
In the scheme, the first application programs existing in a system directory of the terminal are first identified; the first application programs are then grouped according to their signature information to generate a first group comprising at least one signature group, wherein the signature groups have unique correspondence with the signature information; the first application programs are grouped according to their installation time to generate a second group comprising at least one time group, wherein the time groups have unique correspondence with the installation time; it is then judged whether a first signature group meeting a predetermined condition exists in the first group, and if so, the first application programs included in the first signature group are determined as virus programs, wherein the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group. Therefore, a virus program invisibly installed on the terminal can be identified through the scheme. Of course, it is not necessary for any product or method of practicing the invention to achieve all of the above-described advantages at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of an application detection method according to an embodiment of the present invention;
Fig. 2 is another schematic flowchart of an application detection method according to an embodiment of the present invention;
Fig. 3 is another schematic flowchart of an application detection method according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an application detection apparatus according to an embodiment of the present invention;
Fig. 5 is another schematic structural diagram of an application detection apparatus according to an embodiment of the present invention;
Fig. 6 is another schematic structural diagram of an application detection apparatus according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to solve the problem of the prior art, embodiments of the present invention provide an application detection method, an application detection device, and a terminal, which can recognize a virus program installed in the terminal in an invisible manner.
First, a method for detecting an application provided in an embodiment of the present invention is described below.
It should be noted that the application detection method provided by the embodiment of the present invention may be applied to a terminal, where the terminal may be a desktop computer, a notebook computer, a tablet computer, or a smart phone. The method can be applied to the terminal whether or not the terminal is connected to a network.
Moreover, the functional software implementing the application detection method provided by the embodiment of the present invention may be dedicated client software, a plug-in of existing client software capable of detecting virus programs, a plug-in of antivirus client software, or a plug-in of the terminal's operating system.
As shown in fig. 1, an application detection method provided in an embodiment of the present invention includes:
S101: identifying an application program existing in a system directory of the terminal and determining the application program as a first application program;
The application programs installed in the terminal are detected periodically or aperiodically, and the application programs existing under the system directory of the terminal are identified and determined as first application programs. The time for detecting the application programs installed in the terminal may be a default detection time of the functional software or a time set by the user.
The specific implementation manner of identifying the application program existing in the system directory of the terminal may be the implementation manner existing in the prior art, and is not limited herein.
S102: grouping the first application program according to the signature information of the first application program to generate a first group, wherein the first group comprises at least one group of signature groups, and the signature groups have unique correspondence with the signature information;
It should be noted that, for any operating system, such as the Android system, every application installed on a terminal using the operating system must have a digital certificate, which identifies the source of the application and establishes a trust relationship between the source and the application; the signature information in the embodiment of the present invention is equivalent to this digital certificate. Applications from different sources have different signature information, and applications from the same source have the same signature information.
It is to be understood that, when the first application programs are grouped according to the signature information of the first application program to generate the first group, the first group may include at least one signature group, and the signature group has a unique correspondence with the signature information, that is, for the signature information and the signature group, the signature information corresponding to different signature groups is different, and the signature information of at least one first application program included in each signature group is the same.
Specifically, the signature group of the first application may include:
a system native class signature group, a hardware vendor class signature group, a device vendor class signature group, or an application vendor signature group.
For a terminal whose operating system is the Android system, the system native class signature group is the Google native signature group. Of course, a terminal whose operating system is iOS or Windows has a corresponding system native class signature group, and different operating systems may correspond to different system native class signature groups.
It should be noted that the signature information of a first application program depends on its source, which may be the terminal hardware manufacturer, the terminal software manufacturer, the terminal seller, or a download by the terminal user. The following situations may therefore occur: for different terminals, the signature groups included in the first group generated by grouping according to the signature information of the first application programs may be different; likewise, when the same terminal is grouped according to the signature information of the first application programs at different times, the signature groups included in the generated first group may be different. The embodiment of the present invention does not limit the signature information of the first application program.
S103: grouping the first application program according to the installation time of the first application program to generate a second group, wherein the second group comprises at least one group of time groups, and the time groups have unique correspondence with the installation time;
It should be noted that the first application programs are grouped according to their installation time to generate a second group, where the second group may include at least one time group, and the time groups have unique correspondence with the installation time; that is, different time groups correspond to different installation times, and the first application programs included in each time group have the same installation time.
Specifically, the grouping the first application program according to the installation time of the first application program may include:
and grouping the first application program according to the installation date of the first application program.
It can be understood that, when the first application programs are grouped according to installation time, first application programs whose installation times fall in the same time range are placed in one group; the range may be the installation date, or the installation time accurate to the hour, or of course another set time range.
S104: judging whether a first signature group meeting a predetermined condition exists in the first group; if so, executing step S105, and if not, ending the process;
wherein the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group;
S105: determining the first application programs included in the first signature group as virus programs.
For a virus program, the signature information can be disguised as, or modified into, other signature information when the virus program is installed, but virus programs with the same attribute can share the same disguised or modified signature information; moreover, virus programs with the same attribute are installed at the same time in the terminals that they infect.
It is understood that the first application included in the first signature group is determined as a virus program, i.e. the name of the first application (virus program) can be determined, i.e. the first application (virus program) can be located according to the name of the first application (virus program).
It should be noted that the first group is checked for a first signature group meeting the predetermined condition. If one exists, this shows that at least one signature group in the first group meets the predetermined condition, which at least includes: the first application programs included in the signature group can cover the first application programs included in at least one time group. That signature group is the first signature group, and the first application programs it includes can be determined to be virus programs. If none exists, this shows that no first signature group meets the predetermined condition, the first application programs included in all the signature groups are possibly non-virus programs, and the flow ends.
For example, there are three signature groups A, B and C in the first group, where signature group A includes first applications a, b and c, signature group B includes first applications d, e, f and g, and signature group C includes first applications h, m, n, o and p. There are three time groups X, Y and Z in the second group, where time group X includes first applications a and b, time group Y includes first applications c, d, e, f, g and m, and time group Z includes first applications h, n, o and p. Signature group A includes first applications a, b and c, and time group X includes first applications a and b, so the first applications a, b and c included in signature group A are determined to be virus programs.
In the scheme provided by the embodiment, the first application programs existing in a system directory of the terminal are first identified; the first application programs are then grouped according to their signature information to generate a first group comprising at least one signature group, wherein the signature groups have unique correspondence with the signature information; the first application programs are grouped according to their installation time to generate a second group comprising at least one time group, wherein the time groups have unique correspondence with the installation time; it is then judged whether a first signature group meeting a predetermined condition exists in the first group, and if so, the first application programs included in the first signature group are determined as virus programs, wherein the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group. Therefore, a virus program invisibly installed on the terminal can be identified through the scheme.
Further, in practice, if virus programs are installed in the terminal, they are relatively few compared with the non-virus application programs installed in the terminal. If the first group includes a relatively large number of signature groups, detection using all the signature groups in the first group and all the time groups in the second group may take a very long time. To improve the accuracy of virus program determination and save detection time, when the number of signature groups in the first group exceeds a set threshold, the predetermined condition may further include: the number of included first applications is minimal;
accordingly, the determining whether there is a first signature group meeting a predetermined condition in the first group may include:
and judging whether a first signature group which can cover the first application program included in at least one group of time groups and has the least number of the first application programs exists in the first group.
For example, when the number of signature groups included in the first group is lower than a certain threshold, the predetermined condition used in judging whether a first signature group meeting the predetermined condition exists in the first group may be: the included first application programs can cover the first application programs included in at least one time group. When the number of signature groups included in the first group exceeds a certain set threshold, the predetermined condition may be: the included first application programs can cover the first application programs included in at least one time group, and the number of included first application programs is minimal.
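The grouping and cover check of steps S101 to S105, together with the optional minimal-count condition, as an added Python example (not code from the patent). The inventory reproduces the example's groups A, B, C and X, Y, Z; the function names, certificate labels, timestamps and the reading of "minimal" as "smallest among the covering signature groups" are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone


def _ts(day, hour):
    """Epoch seconds for a constructed December 2015 install time (UTC)."""
    return int(datetime(2015, 12, day, hour, tzinfo=timezone.utc).timestamp())


# Constructed inventory of apps found under the system directory (S101):
# (app name, signing-certificate label, install time). It mirrors the
# description's example; labels and timestamps are made-up sample values.
INVENTORY = [
    ("a", "cert-A", _ts(1, 9)), ("b", "cert-A", _ts(1, 9)),     # time group X
    ("c", "cert-A", _ts(2, 10)), ("d", "cert-B", _ts(2, 10)),   # time group Y
    ("e", "cert-B", _ts(2, 10)), ("f", "cert-B", _ts(2, 10)),
    ("g", "cert-B", _ts(2, 10)), ("m", "cert-C", _ts(2, 11)),
    ("h", "cert-C", _ts(3, 8)), ("n", "cert-C", _ts(3, 8)),     # time group Z
    ("o", "cert-C", _ts(3, 8)), ("p", "cert-C", _ts(3, 8)),
]


def _group_by(records, key):
    """Return {key(record): set of app names}."""
    groups = defaultdict(set)
    for rec in records:
        groups[key(rec)].add(rec[0])
    return dict(groups)


def signature_groups(records):
    """S102: one group per distinct signing certificate."""
    return _group_by(records, lambda r: r[1])


def time_groups(records, granularity="%Y-%m-%d"):
    """S103: one group per install date (or per hour with '%Y-%m-%d %H')."""
    def bucket(rec):
        when = datetime.fromtimestamp(rec[2], tz=timezone.utc)
        return when.strftime(granularity)
    return _group_by(records, bucket)


def covering_groups(sig_groups, t_groups):
    """S104: signature groups that contain every app of at least one time group.

    Returns {signature: sorted list of the time-group keys it covers}.
    """
    hits = {}
    for sig, apps in sig_groups.items():
        covered = sorted(t for t, t_apps in t_groups.items() if t_apps <= apps)
        if covered:
            hits[sig] = covered
    return hits


def detect(records, threshold=None, granularity="%Y-%m-%d"):
    """S101-S105: return {signature: sorted suspect app names}.

    If `threshold` is set and the number of signature groups exceeds it,
    only the covering group(s) with the fewest apps are kept. Taking the
    minimum over the covering groups is this example's interpretation.
    """
    sig = signature_groups(records)
    hits = covering_groups(sig, time_groups(records, granularity))
    if threshold is not None and len(sig) > threshold and hits:
        smallest = min(len(sig[s]) for s in hits)
        hits = {s: t for s, t in hits.items() if len(sig[s]) == smallest}
    return {s: sorted(sig[s]) for s in hits}   # S105: flagged applications


if __name__ == "__main__":
    print("basic condition:  ", detect(INVENTORY))
    print("with minimal rule:", detect(INVENTORY, threshold=2))
```

On this data the basic condition flags both cert-A and cert-C, because time group Z is also contained in signature group C; the minimal-count condition narrows the result to cert-A, the group the example names.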
Further, after the application program detection method provided by the embodiment of the present invention is applied to detect a virus program, in order to better guarantee the benefit of the user, after the virus program is determined, relevant prompt information may be output to prompt the user that the application program is the virus program, so that the user performs a corresponding operation to process the virus program, specifically, based on steps S101 to S105, as shown in fig. 2, after the first application program included in the first signature group is determined as the virus program, the application program detection method provided by the embodiment of the present invention may further include:
S106: outputting prompt information to prompt the user that the first application program included in the first signature group is determined to be a virus program.
It should be noted that the prompt information may be a sound prompt, a screen brightness prompt, a text information prompt, an interface jump prompt, or the like, and the prompt form of the prompt information is not limited in the embodiment of the present invention.
It can be understood that the prompt information is output to tell the user the name of the first application program determined to be a virus program and the specific installation location of the virus program. The user may then handle the virus program according to the prompt information, for example by manually forcing its deletion or uninstallation; of course, the terminal may also automatically force the deletion or uninstallation of the virus program.
Further, based on steps S101 to S105, as shown in fig. 3, after the first application included in the first signature group is determined as a virus program, the application detection method provided in the embodiment of the present invention may further include:
S107: acquiring system authority and forcibly uninstalling the virus program.
Specifically, after the first application program included in the first signature group is determined to be a virus program, further measures may be taken to delete or uninstall the virus program from the terminal: for an application that is not easy to delete or uninstall, the system permission of the terminal is obtained and the virus program is then forcibly uninstalled. It can be understood that, in the embodiment of the present invention, a specific implementation manner of obtaining the system permission of the operating system of the terminal may be any system permission obtaining manner in the prior art, and is not limited herein. For example, the system authority may be a root authority; once the root authority is obtained, any object in the terminal may be controlled.
Corresponding to the above method embodiment, as shown in fig. 4, an embodiment of the present invention further provides an application program detection apparatus, where the apparatus may include: a determination module 401, a first grouping module 402, a second grouping module 403, and a judgment module 404;
the determination module 401 is configured to identify an application program existing under a system catalog of the terminal and determine the application program as a first application program;
the first grouping module 402 is configured to group the first application program according to the signature information of the first application program to generate a first group, wherein the first group comprises at least one signature group, and the signature groups have unique correspondence with the signature information;
the second grouping module 403 is configured to group the first application program according to the installation time of the first application program to generate a second group, wherein the second group comprises at least one time group, and the time groups have unique correspondence with the installation time;
the judgment module 404 is configured to judge whether a first signature group meeting a predetermined condition exists in the first group and, if so, to determine the first application program included in the first signature group as a virus program, wherein the predetermined condition at least comprises: the included first application is capable of covering the first application included in at least one time group.
By applying the embodiment of the invention, the first application programs existing in a system catalog of the terminal are first identified. The first application programs are grouped according to their signature information to generate a first group comprising at least one signature group, wherein the signature groups have unique correspondence with the signature information. The first application programs are also grouped according to their installation time to generate a second group comprising at least one time group, wherein the time groups have unique correspondence with the installation time. It is then judged whether a first signature group meeting a predetermined condition exists in the first group and, if so, the first application program in the first signature group is determined as a virus program, wherein the predetermined condition at least comprises: the included first application program can cover the first application program included in at least one time group. In this way, virus programs that are "invisibly" installed in the terminal can be identified.
Specifically, the predetermined condition further includes: the number of included first applications is minimal;
the judgment module 404 is specifically configured to:
judge whether a first signature group which can cover the first application program included in at least one time group and has the least number of first application programs exists in the first group.
Specifically, the signature group of the first application may include:
a system native class signature group, a hardware vendor class signature group, a device vendor class signature group, or an application vendor signature group.
Specifically, the second grouping module 403 is configured to:
group the first application program according to the installation date of the first application program.
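The grouping and judgment steps described above, as an added Python example that is not part of the patent text. It assumes that "cover" means every application in a time group belongs to the signature group, and that "minimal" means the fewest applications among the covering signature groups; the inventory, package names and signature labels are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed inventory of applications found under the system catalog:
# (package name, signing-certificate label, install timestamp).
SAMPLE_APPS = [
    ("com.android.settings", "sig-platform", "2015-03-01 08:00"),
    ("com.android.phone", "sig-platform", "2015-03-01 08:00"),
    ("com.chipvendor.radio", "sig-hardware", "2015-03-01 08:00"),
    ("com.oem.launcher", "sig-device", "2015-03-01 08:00"),
    ("com.oem.camera", "sig-device", "2015-03-01 08:00"),
    ("com.oem.updater", "sig-device", "2015-06-10 02:00"),
    ("com.example.flashlight", "sig-unknown", "2015-11-20 23:14"),
    ("com.example.cleaner", "sig-unknown", "2015-11-20 23:41"),
]


def time_key(timestamp, granularity="date"):
    """Reduce an install timestamp to its date, or to date plus hour."""
    parsed = datetime.strptime(timestamp, "%Y-%m-%d %H:%M")
    fmt = "%Y-%m-%d" if granularity == "date" else "%Y-%m-%d %H"
    return parsed.strftime(fmt)


def group_apps(apps, granularity="date"):
    """Build the first group (by signature) and second group (by install time)."""
    sig_groups, time_groups = defaultdict(set), defaultdict(set)
    for package, signature, timestamp in apps:
        sig_groups[signature].add(package)
        time_groups[time_key(timestamp, granularity)].add(package)
    return dict(sig_groups), dict(time_groups)


def covering_groups(sig_groups, time_groups):
    """Map each signature to the time groups it covers (assumed: subset test)."""
    covered = {}
    for signature, members in sig_groups.items():
        keys = sorted(k for k, apps in time_groups.items() if apps <= members)
        if keys:
            covered[signature] = keys
    return covered


def detect(apps, granularity="date", require_minimal=True):
    """Return {signature: packages} for signature groups meeting the condition.

    require_minimal=True additionally keeps only the covering group(s) with
    the fewest applications (the further condition of claim 2).
    """
    sig_groups, time_groups = group_apps(apps, granularity)
    candidates = covering_groups(sig_groups, time_groups)
    if require_minimal and candidates:
        fewest = min(len(sig_groups[s]) for s in candidates)
        candidates = {s: k for s, k in candidates.items()
                      if len(sig_groups[s]) == fewest}
    return {s: sorted(sig_groups[s]) for s in candidates}


if __name__ == "__main__":
    print("cover condition only:", detect(SAMPLE_APPS, require_minimal=False))
    print("cover + minimal     :", detect(SAMPLE_APPS))
```

On this constructed inventory the cover condition alone also matches the device vendor's signature group, because a later single-package update forms its own time group; the minimal-count condition is what narrows the result to the two applications installed together under one unfamiliar signature.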
Further, as shown in fig. 5, the apparatus for detecting an application according to the embodiment of the present invention may further include a prompt information output module 405;
the prompt information output module 405 is configured to output prompt information after the judgment module 404 determines the first application included in the first signature group as the virus program, so as to prompt the user that the first application included in the first signature group has been determined as the virus program.
Further, as shown in fig. 6, the apparatus for detecting an application according to the embodiment of the present invention may further include an uninstalling module 406;
the uninstalling module 406 is configured to obtain the system permission and forcibly uninstall the virus program after the judgment module 404 determines the first application program included in the first signature group as the virus program.
In addition, an embodiment of the present invention further provides a terminal, as shown in fig. 7, where the terminal may include: a shell 701, a processor 702, a memory 703, a circuit board 704 and a power circuit 705, wherein the circuit board 704 is arranged inside a space enclosed by the shell 701, and the processor 702 and the memory 703 are arranged on the circuit board 704; the power circuit 705 is used for supplying power to each circuit or device of the terminal; the memory 703 is used to store executable program code; the processor 702 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 703, for performing the steps of:
identifying an application program existing in a system catalog of the terminal and determining the application program as a first application program;
grouping the first application program according to the signature information of the first application program to generate a first group, wherein the first group comprises at least one group of signature groups, and the signature groups have unique correspondence with the signature information;
grouping the first application program according to the installation time of the first application program to generate a second group, wherein the second group comprises at least one group of time groups, and the time groups have unique correspondence with the installation time;
judging whether a first signature group meeting a predetermined condition exists in the first group, and if so, determining the first application program included in the first signature group as a virus program, wherein the predetermined condition at least comprises: the included first application is capable of covering the first application included in at least one time group.
For the specific execution process of the above steps by the processor 702 and the further steps executed by the processor 702 by running the executable program code, reference may be made to the description of the embodiments shown in fig. 1 to 6 of the present invention, which is not described herein again.
By applying the embodiment of the invention, the first application programs existing in a system catalog of the terminal are first identified. The first application programs are grouped according to their signature information to generate a first group comprising at least one signature group, wherein the signature groups have unique correspondence with the signature information. The first application programs are also grouped according to their installation time to generate a second group comprising at least one time group, wherein the time groups have unique correspondence with the installation time. It is then judged whether a first signature group meeting a predetermined condition exists in the first group and, if so, the first application program in the first signature group is determined as a virus program, wherein the predetermined condition at least comprises: the included first application program can cover the first application program included in at least one time group. In this way, virus programs that are "invisibly" installed in the terminal can be identified.
The terminal exists in various forms including, but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communications. Such terminals include: smart phones (e.g., iPhones), multimedia phones, functional phones, and low-end phones, among others.
(2) An ultra mobile personal computer device: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include: PDA, MID, and UMPC devices, etc., such as iPads.
(3) A portable entertainment device: such devices can display and play multimedia content. This type of device includes: audio and video players (e.g., iPods), handheld game consoles, electronic books, smart toys, and portable car navigation devices.
(4) A server: the device for providing the computing service comprises a processor, a hard disk, a memory, a system bus and the like, and the server is similar to a general computer architecture, but has higher requirements on processing capacity, stability, reliability, safety, expandability, manageability and the like because of the need of providing high-reliability service.
(5) And other electronic devices with data interaction functions.
As for the device and terminal embodiments, since they are basically similar to the method embodiments, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiments.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Those skilled in the art will appreciate that all or part of the steps in the above method embodiments may be implemented by a program to instruct relevant hardware to perform the steps, and the program may be stored in a computer-readable storage medium, which is referred to herein as a storage medium, such as: ROM/RAM, magnetic disk, optical disk, etc.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (11)

1. An application detection method, applied to a terminal, the method comprising the following steps:
identifying an application program existing in a system catalog of the terminal and determining the application program as a first application program;
grouping the first application program according to the signature information of the first application program to generate a first group, wherein the first group comprises at least one group of signature groups, and the signature groups have unique correspondence with the signature information;
grouping the first application programs according to the installation time of the first application programs to generate a second group, wherein the second group comprises at least one group of time groups, and the time groups have unique correspondence with the installation time, and the installation time is the installation date or the installation time accurate to the hour of the first application programs;
judging whether a first signature group meeting a predetermined condition exists in the first group, and if so, determining the first application program included in the first signature group as a virus program, wherein the predetermined condition at least comprises: the included first application is capable of covering the first application included in at least one time group.
2. The method of claim 1, wherein the predetermined condition further comprises: the number of included first applications is minimal;
the judging whether a first signature group meeting a predetermined condition exists in the first group comprises:
judging whether a first signature group which can cover the first application program included in at least one time group and has the least number of first application programs exists in the first group.
3. The method according to claim 1 or 2, wherein the signature group of the first application comprises:
a system native class signature group, a hardware vendor class signature group, a device vendor class signature group, or an application vendor signature group.
4. The method of claim 1 or 2, further comprising:
after the first application program included in the first signature group is determined as the virus program, outputting prompt information to prompt a user that the first application program included in the first signature group is determined as the virus program.
5. The method of claim 1 or 2, further comprising:
after the first application program included in the first signature group is determined as a virus program, acquiring system permission and forcibly uninstalling the virus program.
6. An application detection device, applied to a terminal, the device comprising: a determining module, a first grouping module, a second grouping module and a judging module;
the determining module is configured to identify an application program existing in a system catalog of the terminal and determine the application program as a first application program;
the first grouping module is configured to group the first application program according to signature information of the first application program to generate a first group, wherein the first group comprises at least one signature group, and the signature groups have unique correspondence with the signature information;
the second grouping module is configured to group the first application program according to the installation time of the first application program to generate a second group, wherein the second group comprises at least one time group, and the time groups have unique correspondence with the installation time, wherein the installation time is the installation date or the installation time accurate to the hour of the first application program;
the judging module is configured to judge whether a first signature group meeting a predetermined condition exists in the first group and, if so, to determine the first application program included in the first signature group as a virus program, wherein the predetermined condition at least comprises: the included first application is capable of covering the first application included in at least one time group.
7. The apparatus of claim 6, wherein the predetermined condition further comprises: the number of included first applications is minimal;
the judging module is specifically configured to:
judge whether a first signature group which can cover the first application program included in at least one time group and has the least number of first application programs exists in the first group.
8. The apparatus of claim 6 or 7, wherein the signature group of the first application comprises:
a system native class signature group, a hardware vendor class signature group, a device vendor class signature group, or an application vendor signature group.
9. The device according to claim 6 or 7, further comprising a prompt information output module;
the prompt information output module is configured to output prompt information after the judging module determines the first application program included in the first signature group as the virus program, so as to prompt the user that the first application program included in the first signature group is determined as the virus program.
10. The apparatus of claim 6 or 7, further comprising an uninstalling module;
the uninstalling module is configured to acquire system permission and forcibly uninstall the virus program after the judging module determines the first application program included in the first signature group as the virus program.
11. A terminal, comprising: a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; the power circuit is used for supplying power to each circuit or device of the terminal; the memory is used for storing executable program code; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, for performing the steps of:
identifying an application program existing in a system catalog of the terminal and determining the application program as a first application program;
grouping the first application program according to the signature information of the first application program to generate a first group, wherein the first group comprises at least one group of signature groups, and the signature groups have unique correspondence with the signature information;
grouping the first application programs according to the installation time of the first application programs to generate a second group, wherein the second group comprises at least one group of time groups, and the time groups have unique correspondence with the installation time, and the installation time is the installation date or the installation time accurate to the hour of the first application programs;
judging whether a first signature group meeting a predetermined condition exists in the first group, and if so, determining the first application program included in the first signature group as a virus program, wherein the predetermined condition at least comprises: the included first application is capable of covering the first application included in at least one time group.
CN201511021184.0A 2015-12-30 2015-12-30 Application program detection method and device and terminal Active CN106934284B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511021184.0A CN106934284B (en) 2015-12-30 2015-12-30 Application program detection method and device and terminal

Publications (2)

Publication Number Publication Date
CN106934284A CN106934284A (en) 2017-07-07
CN106934284B CN106934284B (en) 2020-02-11

Family

ID=59442541

Country Status (1)

Country Link
CN (1) CN106934284B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant