CN107145780B - Malicious software detection method and device - Google Patents

Malicious software detection method and device Download PDF

Info

Publication number
CN107145780B
CN107145780B CN201710209737.8A CN201710209737A CN107145780B CN 107145780 B CN107145780 B CN 107145780B CN 201710209737 A CN201710209737 A CN 201710209737A CN 107145780 B CN107145780 B CN 107145780B
Authority
CN
China
Prior art keywords
software
characters
malware
detected
name
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710209737.8A
Other languages
Chinese (zh)
Other versions
CN107145780A (en
Inventor
王俊豪
吴彬
毕磊
张友旭
周强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201710209737.8A priority Critical patent/CN107145780B/en
Publication of CN107145780A publication Critical patent/CN107145780A/en
Application granted granted Critical
Publication of CN107145780B publication Critical patent/CN107145780B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection

Abstract

The invention discloses a malicious software detection method and device, and belongs to the technical field of software detection. The method comprises the following steps: acquiring a software name of software to be detected; extracting target type characters contained in the software name of the software to be detected; detecting whether malicious software characters matched with target type characters contained in the software name of the software to be detected exist or not, wherein the malicious software characters refer to the target type characters contained in the software name of the malicious software; and if so, determining that the software to be detected is malicious software. The method and the device have the advantages that the characteristic that the software name of the malicious software is obviously different from the software name of normal non-malicious software is utilized, and whether the software to be detected is the malicious software or not is detected according to the software name of the software to be detected by acquiring the software name of the software to be detected, so that the detection success rate is improved, the false alarm rate is reduced, and the detection efficiency is improved.

Description

Malicious software detection method and device
Technical Field
The embodiment of the invention relates to the technical field of software detection, in particular to a malicious software detection method and device.
Background
Malware refers to applications that perform malicious tasks on a computer system. After the terminal is provided with the malicious software, the malicious software can carry out operations such as malicious fee deduction, fraudulent information sending or user personal information stealing, and the like, thereby seriously affecting the safety. Therefore, there is a need for automatic detection of malware.
In the related art, the code of the software to be detected is analyzed, the code characteristics of the software to be detected are extracted, the code characteristics of the software to be detected are compared with the code characteristics of the malicious software, and if the code characteristics of the software to be detected and the code characteristics of the malicious software are matched, the software to be detected is determined to be the malicious software.
Since most of the malicious operations performed by the malicious software are malicious deductions, sending fraudulent information or stealing user personal information, the operations implemented by the software code are not obviously different from normal non-malicious software. Therefore, the malware detection method based on code feature comparison provided by the related art has the problems of low detection success rate and high false alarm rate.
Disclosure of Invention
In order to solve the problems of low detection success rate and high false alarm rate of a malicious software detection method based on code feature comparison provided by the related art, the embodiment of the invention provides a malicious software detection method and a malicious software detection device. The technical scheme is as follows:
in a first aspect, a malware detection method is provided, where the method includes:
acquiring a software name of software to be detected;
extracting target type characters contained in the software name of the software to be detected;
detecting whether malicious software characters matched with target type characters contained in the software name of the software to be detected exist or not, wherein the malicious software characters refer to the target type characters contained in the software name of the malicious software;
and if the malicious software characters matched with the target type characters contained in the software name of the software to be detected exist, determining that the software to be detected is malicious software.
In a second aspect, there is provided a malware detection apparatus, the apparatus comprising:
the first acquisition module is used for acquiring the software name of the software to be detected;
the first extraction module is used for extracting target type characters contained in the software name of the software to be detected;
the first detection module is used for detecting whether malicious software characters matched with target type characters contained in the software name of the software to be detected exist or not, wherein the malicious software characters refer to the target type characters contained in the software name of the malicious software;
the first determining module is used for determining that the software to be detected is malicious software if malicious software characters matched with the target type characters contained in the software name of the software to be detected exist.
The technical scheme provided by the embodiment of the invention can bring the following beneficial effects:
by utilizing the characteristic that the software name of the malicious software is obviously different from the software name of normal non-malicious software, whether the software to be detected is the malicious software is detected according to the software name of the software to be detected by acquiring the software name of the software to be detected, so that the detection success rate is improved, and the false alarm rate is reduced.
In addition, compared with the malicious software detection method based on code feature comparison provided by the related art, the method and the device provided by the embodiment of the invention do not need to analyze the software code, and only need to analyze and process the software name, so that the detection efficiency can be greatly improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1A is a flow chart of a malware detection method provided by one embodiment of the present invention;
FIG. 1B is a schematic illustration of an interface according to an embodiment of the present invention;
FIG. 2 is a flow diagram of a method for determining malware characters provided by one embodiment of the present invention;
FIG. 3 is a flowchart of a malware detection method provided by another embodiment of the present invention;
FIG. 4A is a flowchart of a malware detection method provided by another embodiment of the present invention;
FIG. 4B is a flowchart of step 403 involved in the embodiment of FIG. 4A;
FIG. 5 is a block diagram of a malware detection apparatus provided by one embodiment of the present invention;
fig. 6 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
In embodiments of the present invention, malware detection is attempted from other dimensions. Through analysis of some malicious software, the software names of the malicious software are obviously different from those of normal non-malicious software. Therefore, in the embodiment of the invention, the software name of the software to be detected is acquired, and whether the software to be detected is the malicious software is detected according to the software name of the software to be detected, so that the aims of improving the detection success rate and reducing the false alarm rate are fulfilled.
In the method provided by the embodiment of the invention, the execution main body of each step can be a terminal. For example, the terminal may be an electronic device such as a mobile phone, a tablet Computer, an e-book reader, a multimedia player, a PDA (Personal Digital Assistant), a PC (Personal Computer), and the like. Optionally, the terminal is a mobile terminal based on an Android (Android) operating system. Of course, the embodiment of the present invention does not limit the operating system of the terminal to be other operating systems such as an iOS operating system and a Windows Phone operating system.
The embodiments of the present invention will be described in further detail below based on the common aspects related to the embodiments of the present invention described above.
Referring to fig. 1A, a flowchart of a malware detection method according to an embodiment of the present invention is shown. The method may include the following steps.
Step 101, acquiring a software name of software to be detected.
The software name (soft name) is also called a software name, and is an identifier of the software. Different software corresponds to different software names.
In one example, step 101 includes several sub-steps as follows:
step 101a, reading an information description file in an application program package of software to be detected;
the application package of the software to be detected refers to the installation package of the software to be detected. The information description file is a basic configuration file of the software to be detected, and an application program package of the software comprises the information description file.
Taking the software to be detected as an Android application as an example, an application package of the Android application is called apk (Android package). The information description file of the Android application program is a manifest file, namely an Android manifest.4ml file. In the information description file, the developer can specify basic information of the software, such as a software name, an entry page, required authority information, version information, and the like. The information description file may also be referred to as a manifest file.
And step 101b, reading data in the software name entry in the information description file, and taking the read data as the software name of the software to be detected.
An entry (which can be called a software name entry) for recording the software name of the software to be detected exists in the information description file of the software to be detected, and the terminal reads the software name of the software to be detected from the entry.
Taking the software to be detected as an Android application program as an example, the software name is read from a manifest file of the Android application program.
And 102, extracting target type characters contained in the software name of the software to be detected.
The software name may include various characters of different types, such as chinese characters (i.e., chinese characters), korean characters, japanese characters, english letters, greek letters, latin letters, russian letters, numbers, symbols, punctuation marks, and the like. The target type character may be one type of character or may be multiple types of characters. In the embodiment of the invention, the target type character is mainly used as the Chinese character for description. However, in the embodiment of the present invention, the target type character may be another certain type character, such as a japanese character; or may be other types of characters such as chinese characters and japanese characters.
The terminal firstly identifies target type characters contained in the software name of the software to be detected, and then extracts the identified target type characters. Taking the target type character as the Chinese character as an example, the terminal firstly identifies the Chinese character contained in the software name of the software to be detected, and then extracts the identified Chinese character.
Optionally, after the terminal acquires the software name of the software to be detected, detecting whether the number of characters of the target type characters included in the software name of the software to be detected is larger than the preset number of characters; if the number of characters is greater than the preset number of characters, executing step 102; if the number of characters is not greater than the preset number of characters, the process is terminated without executing step 102.
Taking the target type character as the chinese character as an example, the number of the chinese characters included in the software name refers to the number of the chinese characters included in the software name. For example, the software to be tested has a software name of "honey ぃ juice ぃ shadow ぃ city", and contains Chinese characters of "honey shadow city", and the number of Chinese characters is 4.
The preset number of characters may be an empirical value, such as 3 or 4, which is empirically set in advance.
By the above mode, when the number of the characters of the target type characters included in the software name of the software to be detected is larger than the preset number of the characters, the subsequent detection process is executed, otherwise, the subsequent detection process is not executed, unnecessary detection can be avoided, and the false alarm rate is reduced.
And 103, detecting whether the characters of the malicious software matched with the target type characters contained in the software name of the software to be detected exist.
The malware character refers to a target type character contained in the software name of malware. Malware refers to applications that perform malicious tasks on a computer system. After the terminal installs the malicious software, the malicious software can carry out operations such as malicious fee deduction, sending fraudulent information or stealing personal information of the user. Some malware often gimmicks with information such as emotions, wins, hazard warnings, etc., that guide a user to download and install malware in a terminal.
Optionally, if an exact matching manner is adopted, the target type characters included in the software name of the software to be detected are matched with the malware characters, which means that the target type characters included in the software name of the software to be detected are completely the same as the malware characters. If the fuzzy matching mode is adopted, matching the target type characters contained in the software name of the software to be detected with the malicious software characters, wherein the matching degree of the target type characters contained in the software name of the software to be detected and the malicious software characters reaches a preset matching degree; the matching degree can be a ratio of the number of the target type characters contained in the software name of the software to be detected and the number of the same characters in the malicious software characters to the number of the characters of the target type characters contained in the software name of the software to be detected.
Optionally, the terminal detects whether a malware character matched with a target type character included in the software name of the software to be detected exists in the malware character set, where the malware character set includes at least one malware character. The determination of the characters of the malware is described in the embodiment of fig. 2 below.
And 104, if the malicious software characters matched with the target type characters contained in the software name of the software to be detected exist, determining that the software to be detected is malicious software.
Still taking the software name of the software to be detected as "honey ぃ juice ぃ shadow ぃ city" as an example, assuming that the character "honey shadow city" exists, the software to be detected is determined to be malware.
In addition, if the malicious software characters matched with the target type characters contained in the software name of the software to be detected do not exist, the software to be detected is determined to be non-malicious software. Non-malware refers to software that is not malware.
In the embodiment of the present invention, the execution timing of the detection flow in the above steps 101 to 104 is not limited. For example, the terminal may execute the detection process when the software to be detected is downloaded but not installed (i.e., before the software to be detected is installed); the terminal can also execute the detection process in the process of installing the software to be detected; the terminal can also execute the detection process after the software to be detected is installed; or the terminal can also execute the detection process before downloading the software to be detected or in the process of downloading the software to be detected.
With reference to fig. 1B, it is assumed that a target application is installed and operated in the terminal, and the target application has the malware detection function provided in the embodiment of the present invention, for example, the target application is a "cell phone housekeeping" application 11. The terminal is also provided with an application 12 with the software name of 'honey ぃ juice ぃ shadow ぃ city', the target application analyzes the software name of the application 'honey ぃ juice ぃ shadow ぃ city' through the process, determines that the application is malicious software, generates and displays corresponding prompt information 13, and prompts the user that the application is malicious software through the prompt information 13. Alternatively, the user may delete the malware based on the above-mentioned prompt information 13.
In summary, the method provided by the embodiment of the present invention utilizes the characteristic that the software name of the malware is obviously different from the software name of the normal non-malware, and detects whether the software to be detected is malware according to the software name of the software to be detected by obtaining the software name of the software to be detected, which is beneficial to improving the detection success rate and reducing the false alarm rate.
In addition, compared with the malicious software detection method based on code feature comparison provided by the related art, the method and the device provided by the embodiment of the invention do not need to analyze the software code, and only need to analyze and process the software name, so that the detection efficiency can be greatly improved.
In an alternative embodiment provided based on the embodiment shown in fig. 1A, with reference to fig. 2, the present embodiment provides a method for determining malware characters, which may include the following steps.
Step 201, acquiring a software name of a malware sample.
The malware sample refers to a software sample that is predetermined to be malware. Malware samples may also be referred to as black samples. The number of malware samples is at least one, and in general, the number of malware samples is plural. The more the number of the malicious software samples is, the more complete the characters of the subsequently determined malicious software are, and the higher the detection success rate of the malicious software is.
In addition, the manner of obtaining the software name of the malware sample may refer to the description related to step 101 in the embodiment of fig. 1A, and details of this embodiment are not repeated.
Step 202, extracting target type characters contained in the software name of the malware sample.
The terminal firstly identifies target type characters contained in the software name of the malicious software sample, and then extracts the identified target type characters.
Optionally, after the terminal acquires the software name of the malware sample, detecting whether the number of characters of the target type character contained in the software name of the malware sample is larger than a preset number of characters; if the number of characters is greater than the preset number of characters, executing step 202; if the number of characters is not greater than the preset number of characters, the process is terminated without executing step 202.
Step 203, detecting whether the target type character contained in the software name of the malware sample meets a preset condition.
The preset condition is a determination condition (or rule) preset according to the feature of the software name of the malware.
For example, the software names of some malware are as follows: love て fun て shadow て house-38581, love つ fun つ shadow つ house-38797, love と fun と shadow と house-85479. The software names have some common features, such as chinese characters arranged at intervals and having an interval number of 3, and, for example, the chinese characters are followed by the same character string "-" and 5 numerals, so that the common features can be set as a preset condition.
Optionally, the preset condition comprises at least one of: the target type characters contained in the software name are arranged at intervals, the interval number is larger than the preset interval number, preset characters or preset character strings exist after the target type characters contained in the software name, non-target type characters are followed after the target type characters contained in the software name, and the number of the non-target type characters is larger than a preset threshold value. The preset number of intervals may be an empirical value set empirically in advance, for example, 2 or 3. The preset character refers to a certain specific character, and the preset character string refers to a plurality of specific characters. The preset threshold value may be an empirical value, such as 6 or 8, which is set empirically in advance.
Illustratively, taking the target type character as a chinese character as an example, the preset conditions include the following items:
(1) chinese characters contained in the software name are arranged at intervals, and the number of the intervals is more than or equal to 3;
for example, the software name "honey ぃ juice ぃ shadow ぃ city"; also for example, "honey aa juice bb shadow cc city".
(2) A preset string "(vip";
for example, the software name "peach つ astringent つ video つ (vip 64796)".
(3) A preset character string "_ v" or "v _" exists after the chinese character contained in the software name;
for example, the software name "fast-cast adult version _ v 2.6"; for another example, the software name is "fast-cast adult version v _ 2.6".
(4) The Chinese characters contained in the software name are followed by non-Chinese characters, and the number of the non-Chinese characters is more than or equal to 8;
for example, the software name is "fast-play 4 adult version lkybplpipiph", the form of the chinese characters contained in the software name is not limited, and non-chinese characters may be separated between the chinese characters.
It should be noted that the preset conditions described above are exemplary and explanatory, and in practical applications, the preset conditions may be set according to actual situations.
In step 204, if the target type characters included in the software name of the malware sample meet the preset conditions, it is determined that the target type characters included in the software name of the malware sample are malware characters.
Optionally, after determining that the target type character included in the software name of the malware sample is a malware character, the terminal adds the malware character to the malware character set.
In addition, if the target type character contained in the software name of the malware sample does not meet the preset condition, determining that the target type character contained in the software name of the malware sample is not the malware character.
Optionally, the step 203 further includes the following steps:
1. if the target type characters contained in the software name of the malicious software sample meet the preset conditions, determining the target type characters contained in the software name of the malicious software sample as candidate malicious software characters;
2. acquiring the extraction times corresponding to the candidate malware characters;
3. detecting whether the extraction times are greater than preset times;
4. and if the extraction times are more than the preset times, determining the candidate malware characters as the malware characters.
The extraction times refer to the times of extracting candidate malware characters from the software names of the malware samples. For example, the number of malware samples is 100, and the number of times of extracting the candidate malware character "honeydew shadow" from the 100 malware samples is 20, then the number of times of extracting the candidate malware character "honeydew shadow" is 20. The preset number of times may be an empirical value set empirically in advance, for example, 4 or 5. In addition, if the extraction times are not more than the preset times, the candidate malware characters are determined not to be malware characters.
Alternatively, the above-mentioned detection step regarding the number of extractions may also be performed after the malware characters are added to the set of malware characters. For example, for each malware character added to the malware character set, the terminal obtains the extraction times corresponding to the malware character, detects whether the extraction times are greater than preset times, if the extraction times are greater than the preset times, the malware character is reserved in the malware character set, and if the extraction times are not greater than the preset times, the malware character is deleted from the malware character set.
By the method, the finally determined malware characters are ensured to be universal, the false alarm rate is reduced, and the timeliness is improved.
Optionally, for each malware character, the terminal detects whether the malware character matches a target type character extracted from a software name of a non-malware sample; if the malware character matches a target type character extracted from a software name of a non-malware sample, deleting the malware character; if the malware character matches a target type character extracted from the software name of the non-malware sample, the malware character is retained.
A non-malware sample refers to a software sample that is predetermined to be non-malware. The non-malware samples may also be referred to as white samples. The number of non-malware samples is at least one, and in general, the number of non-malware samples is plural. The above matching process of the target type characters extracted from the software names of the non-malware samples and the malware characters may refer to the description related to step 103 in the embodiment of fig. 1A, and this embodiment is not described again.
By the method, the accuracy of finally determined malicious software characters is improved, and the false alarm rate is reduced.
Referring to fig. 3, a flowchart of a malware detection method according to another embodiment of the present invention is shown. The method may include the following steps.
Step 301, acquiring the software name of the software to be detected.
This step is the same as step 101 in the embodiment of fig. 1A, and reference may be made to the description of step 101 in the embodiment of fig. 1A, which is not repeated herein.
Step 302, extracting target type characters contained in the software name of the software to be detected.
This step is the same as step 102 in the embodiment of fig. 1A, and reference may be made to the description of step 102 in the embodiment of fig. 1A, which is not repeated herein.
Step 303, obtaining a characteristic value corresponding to a target type character contained in the software name of the software to be detected.
The characteristic value is usually a character string, and the characteristic values generated corresponding to different target type characters are different. The terminal may generate a corresponding feature value according to the target type character by using a preset algorithm, which includes, but is not limited to, a message digest algorithm and a hash algorithm.
In a possible implementation manner, a message digest algorithm is adopted to calculate a message digest corresponding to a target type character included in the software name of the software to be detected, and the message digest is used as a characteristic value corresponding to the software to be detected. For example, the Message Digest algorithm may be MD5(Message Digest algorithm, fifth edition).
In another possible implementation manner, a hash algorithm is adopted to calculate a hash value corresponding to a target type character included in the software name of the software to be detected, and the hash value is used as a characteristic value corresponding to the software to be detected. For example, the Hash Algorithm may be SHA1(Secure Hash Algorithm).
And 304, detecting whether the characteristic value of the malicious software is the same as the characteristic value corresponding to the software to be detected in the characteristic value set of the malicious software.
The malware characteristic value set comprises at least one malware characteristic value, and each malware characteristic value is a characteristic value corresponding to one malware character. The feature value corresponding to the malware character can also be obtained by calculating the malware character by using the message digest algorithm or the hash algorithm in the above example.
If the characteristic value of the malicious software is the same as the characteristic value corresponding to the software to be detected, indicating that the malicious software character matched with the target type character contained in the software name of the software to be detected exists; on the contrary, if the malware characteristic value identical to the characteristic value corresponding to the software to be detected does not exist, it is indicated that the malware character matched with the target type character contained in the software name of the software to be detected does not exist.
And 305, if the malware characteristic value set has the same malware characteristic value as the characteristic value corresponding to the software to be detected, determining that the software to be detected is malware.
In addition, if the malware characteristic value set does not have the malware characteristic value which is the same as the characteristic value corresponding to the software to be detected, the software to be detected is determined to be non-malware.
Optionally, the set of malware feature values is generated by: after the malware character set is generated, acquiring a malware characteristic value corresponding to each malware character in the malware character set to obtain a malware characteristic value set.
In summary, the method provided in the embodiment of the present invention further obtains the feature value corresponding to the target type character included in the software name of the to-be-detected software, and compares the feature value corresponding to the to-be-detected software with the malware feature value to determine whether the to-be-detected software is malware, so that compared with directly comparing and matching the target type character, the comparison efficiency is improved.
Next, in the embodiment of fig. 4A, the method flow provided by the embodiment of the present invention is described by taking the target type character as the chinese character as an example.
Step 401, obtaining at least one malware sample and at least one non-malware sample from a sample database;
for example, the sample databases include a malware sample library and a non-malware sample library. The malware sample library comprises a plurality of malware, and at least one malware sample is obtained from the malware sample library. The non-malware sample library comprises a plurality of non-malware, and at least one non-malware sample is obtained from the non-malware sample library.
Step 402, acquiring a software name of each malicious software sample;
step 403, for each malware sample, determining whether the chinese character contained in the software name of the malware sample is a malware character;
alternatively, as shown in fig. 4B, step 403 includes the following sub-steps:
step 403a, detecting whether the number of characters of Chinese characters contained in the software name of the ith malware sample is greater than a preset number of characters;
if yes, go to step 403 b; if not, let i be i +1, and execute the following step 403 f;
the initial value of i is 1, i is more than or equal to 1 and less than or equal to n, n represents the total number of the malicious software samples, and i and n are positive integers.
Step 403b, extracting Chinese characters contained in the software name of the ith malware sample;
step 403c, detecting whether the Chinese characters contained in the software name of the ith malware sample meet the jth preset condition;
if yes, go to step 403 d; if not, let j equal j +1, and execute the following step 403 e;
wherein j is an initial value of 1, j is more than or equal to 1 and less than or equal to m, m represents the total number of the preset conditions, and j and m are positive integers. In one example, the total number m of preset conditions is 4, for example:
the 1 st preset condition is: chinese characters contained in the software name are arranged at intervals, and the number of the intervals is more than or equal to 3;
the 2 nd preset condition is: a preset string "(vip";
the 3 rd preset condition is as follows: a preset character string "_ v" or "v _" exists after the chinese character contained in the software name;
the 4 th preset condition is as follows: the Chinese characters included in the software name are followed by non-Chinese characters, and the number of non-Chinese characters is greater than or equal to 8.
Step 403d, determining that the target type character contained in the software name of the ith malware sample is a malware character;
after step 403d, let i ═ i +1, and perform step 403f described below;
step 403e, judging whether j is larger than m;
if yes, let i be i +1, and execute the following step 403 f; if not, the process starts from step 403c again;
step 403f, judging whether i is larger than n;
if yes, ending the process; if not, the process starts again from step 403 a.
Step 404, adding the malware characters to a malware character set;
step 405, detecting whether the extraction times corresponding to the malware characters are greater than a preset time or not for each malware character added to the malware character set;
if yes, go to step 406; if not, the following step 407 is executed;
step 406, detecting whether the malware characters match Chinese characters extracted from the software names of the non-malware samples;
if yes, go to step 407; if not, the malicious software characters are reserved in the malicious software character set.
Step 407, deleting the malware characters from the malware character set;
and step 408, adopting the finally remaining malicious software characters in the malicious software character set to detect the malicious software according to the software name of the software to be detected.
The following are embodiments of the apparatus of the present invention that may be used to perform embodiments of the method of the present invention. For details which are not disclosed in the embodiments of the apparatus of the present invention, reference is made to the embodiments of the method of the present invention.
Referring to fig. 5, a block diagram of a malware detection apparatus according to an embodiment of the present invention is shown. The device has the functions of realizing the method examples, and the functions can be realized by hardware or by hardware executing corresponding software. The apparatus may include: a first obtaining module 510, a first extracting module 520, a first detecting module 530, and a first determining module 540.
The first obtaining module 510 is configured to obtain a software name of the software to be detected.
The first extraction module 520 is configured to extract a target type character included in the software name of the software to be detected.
The first detecting module 530 is configured to detect whether a malware character matching a target type character included in the software name of the software to be detected exists, where the malware character refers to the target type character included in the software name of the malware.
The first determining module 540 is configured to determine that the software to be detected is malware if malware characters matching target type characters included in the software name of the software to be detected exist.
In an optional embodiment provided based on the embodiment shown in fig. 5, the first detection module includes: the device comprises an identification acquisition unit, an identification detection unit and a detection determination unit.
And the identification acquisition unit is used for acquiring the characteristic value corresponding to the target type character contained in the software name of the software to be detected.
The identification detection unit is used for detecting whether a malware characteristic value which is the same as a characteristic value corresponding to the software to be detected exists in a malware characteristic value set, wherein the malware characteristic value set comprises at least one malware characteristic value, and each malware characteristic value refers to a characteristic value corresponding to one malware character.
And the detection determining unit is used for determining that the malicious software characters matched with the target type characters contained in the software name of the software to be detected exist if the malicious software characteristic values identical to the characteristic values corresponding to the software to be detected exist in the malicious software characteristic value set.
Optionally, the identifier obtaining unit is configured to:
calculating a message abstract corresponding to a target type character contained in the software name of the software to be detected by adopting a message abstract algorithm, and taking the message abstract as a characteristic value corresponding to the software to be detected;
alternatively, the first and second electrodes may be,
and calculating a hash value corresponding to the target type character contained in the software name of the software to be detected by adopting a hash algorithm, and taking the hash value as a characteristic value corresponding to the software to be detected.
In another alternative embodiment provided based on the embodiment shown in fig. 5, the apparatus further comprises: the device comprises a second acquisition module, a second extraction module, a second detection module and a second determination module.
And the second acquisition module is used for acquiring the software name of the malicious software sample.
And the second extraction module is used for extracting the target type characters contained in the software name of the malicious software sample.
And the second detection module is used for detecting whether the target type characters contained in the software name of the malicious software sample meet preset conditions or not.
And the second determining module is used for determining that the target type character contained in the software name of the malicious software sample is the malicious software character if the target type character contained in the software name of the malicious software sample meets the preset condition.
Optionally, the preset condition comprises at least one of: the target type characters contained in the software name are arranged at intervals, the interval number is larger than the preset interval number, preset characters or preset character strings exist after the target type characters contained in the software name, non-target type characters are followed after the target type characters contained in the software name, and the number of the non-target type characters is larger than a preset threshold value.
Optionally, the apparatus further comprises: the device comprises a third determining module, a third obtaining module and a third detecting module.
And the third determining module is used for determining that the target type characters contained in the software name of the malicious software sample are candidate malicious software characters if the target type characters contained in the software name of the malicious software sample meet the preset condition.
And the third acquisition module is used for acquiring the extraction times corresponding to the candidate malware characters, wherein the extraction times refer to the times of extracting the candidate malware characters from the software names of the malware samples.
And the third detection module is used for detecting whether the extraction times are greater than the preset times.
The second determining module is further configured to determine the candidate malware characters as the malware characters if the number of times of extraction is greater than the preset number of times.
In another alternative embodiment provided based on the embodiment shown in fig. 5, the apparatus further comprises: a fourth detection module and a deletion module.
A fourth detection module for detecting, for each malware character, whether the malware character matches a target type character extracted from a software name of a non-malware sample.
And the deleting module is used for deleting the malicious software characters if the malicious software characters are matched with the target type characters extracted from the software names of the non-malicious software samples.
In another optional embodiment provided based on the embodiment shown in fig. 5, the first obtaining module includes: a file reading unit and a name reading unit.
And the file reading unit is used for reading the information description file in the application program package of the software to be detected.
And the name reading unit is used for reading data in the software name entry in the information description file and taking the read data as the software name of the software to be detected.
In another alternative embodiment provided based on the embodiment shown in fig. 5, the apparatus further comprises: and a fifth detection module.
And the fifth detection module is used for detecting whether the number of the characters of the target type characters contained in the software name of the software to be detected is greater than the preset number of the characters.
The first extraction module is further configured to extract a target type character included in the software name of the software to be detected if the number of characters is greater than the preset number of characters.
Details not disclosed in the embodiment of fig. 5 can be found in the various method embodiments described above.
It should be noted that, when the apparatus provided in the foregoing embodiment implements the functions thereof, only the division of the functional modules is illustrated, and in practical applications, the functions may be distributed by different functional modules according to needs, that is, the internal structure of the apparatus may be divided into different functional modules to implement all or part of the functions described above. In addition, the apparatus and method embodiments provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments for details, which are not described herein again.
Referring to fig. 6, a schematic structural diagram of a terminal according to an embodiment of the present invention is shown. The terminal is used for implementing the malware detection method provided in the above embodiment. Specifically, the method comprises the following steps:
the terminal 600 may include RF (Radio Frequency) circuitry 610, memory 620 including one or more computer-readable storage media, an input unit 630, a display unit 640, a sensor 650, audio circuitry 660, a WiFi (wireless fidelity) module 670, a processor 680 including one or more processing cores, and a power supply 690. Those skilled in the art will appreciate that the terminal structure shown in fig. 6 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the RF circuit 610 may be used for receiving and transmitting signals during information transmission and reception or during a call, and in particular, for receiving downlink information from a base station and then processing the received downlink information by the one or more processors 680; in addition, data relating to uplink is transmitted to the base station. In general, RF circuitry 610 includes, but is not limited to, an antenna, at least one Amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, an LNA (Low Noise Amplifier), a duplexer, and the like. In addition, the RF circuitry 610 may also communicate with networks and other devices via wireless communications. The wireless communication may use any communication standard or protocol, including but not limited to GSM (Global System for Mobile communications), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), email, SMS (Short Messaging Service), and the like.
The memory 620 may be used to store software programs and modules, and the processor 680 may execute various functional applications and data processing by operating the software programs and modules stored in the memory 620. The memory 620 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the terminal 600, and the like. Further, the memory 620 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 620 may also include a memory controller to provide the processor 680 and the input unit 630 access to the memory 620.
The input unit 630 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. Specifically, the input unit 630 may include an image input device 631 and other input devices 632. The image input device 631 may be a camera or a photo scanning device. The input unit 630 may include other input devices 632 in addition to the image input device 631. In particular, other input devices 632 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 640 may be used to display information input by or provided to a user and various graphical user interfaces of the terminal 600, which may be made up of graphics, text, icons, video, and any combination thereof. The Display unit 640 may include a Display panel 641, and optionally, the Display panel 641 may be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), or the like. Further, the touch sensitive surface 631 can be overlaid on the display panel 641, and when the touch sensitive surface 631 detects a touch operation thereon or nearby, the touch operation can be transmitted to the processor 680 to determine the type of the touch event, and then the processor 680 can provide a corresponding visual output on the display panel 641 according to the type of the touch event. Although in FIG. 6, the touch-sensitive surface 631 and the display panel 641 are implemented as two separate components to implement input and output functions, in some embodiments, the touch-sensitive surface 631 and the display panel 641 may be integrated to implement input and output functions.
The terminal 600 may also include at least one sensor 650, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor that may adjust the brightness of the display panel 641 according to the brightness of ambient light, and a proximity sensor that may turn off the display panel 641 and/or the backlight when the terminal 600 is moved to the ear. As one of the motion sensors, the gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally, three axes), can detect the magnitude and direction of gravity when the mobile phone is stationary, and can be used for applications of recognizing the posture of the mobile phone (such as horizontal and vertical screen switching, related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer and tapping), and the like; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured in the terminal 600, detailed descriptions thereof are omitted.
Audio circuit 660, speaker 661, and microphone 662 can provide an audio interface between a user and terminal 600. The audio circuit 660 may transmit the electrical signal converted from the received audio data to the speaker 661, and convert the electrical signal into an audio signal through the speaker 661 for output; on the other hand, the microphone 662 converts the collected sound signal into an electrical signal, which is received by the audio circuit 660 and converted into audio data, which is then processed by the audio data output processor 680 and then passed through the RF circuit 610 to be transmitted to, for example, another terminal, or output to the memory 620 for further processing. The audio circuit 660 may also include an earbud jack to provide communication of a peripheral headset with the terminal 600.
WiFi belongs to short-distance wireless transmission technology, and the terminal 600 can help the user send and receive e-mails, browse web pages, access streaming media, etc. through the WiFi module 670, and it provides wireless broadband internet access for the user. Although fig. 6 shows the WiFi module 670, it is understood that it does not belong to the essential constitution of the terminal 600, and can be omitted entirely as needed within the scope not changing the essence of the invention.
The processor 680 is a control center of the terminal 600, connects various parts of the entire handset using various interfaces and lines, and performs various functions of the terminal 600 and processes data by operating or executing software programs and/or modules stored in the memory 620 and calling data stored in the memory 620, thereby integrally monitoring the handset. Optionally, processor 680 may include one or more processing cores; preferably, the processor 680 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into processor 680.
The terminal 600 also includes a power supply 690 (e.g., a battery) for powering the various components, which may be logically coupled to the processor 680 via a power management system to manage charging, discharging, and power consumption via the power management system. The power supply 690 may also include any component including one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
Although not shown, the terminal 600 may further include a bluetooth module or the like, which will not be described in detail herein.
In this embodiment, the terminal 600 further includes a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors. The one or more programs include instructions for performing the malware detection method described above.
In an exemplary embodiment, a non-transitory computer readable storage medium comprising instructions, such as a memory comprising instructions, executed by a processor of a terminal to perform the steps in the above method embodiments is also provided. For example, the non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
It should be understood that reference to "a plurality" herein means two or more. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The above description is only exemplary of the present invention and should not be taken as limiting the invention, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (14)

1. A malware detection method, the method comprising:
acquiring a software name of software to be detected, wherein the software name of the software to be detected comprises characters of a plurality of language types;
detecting whether the number of characters of the target language type characters contained in the software name of the software to be detected is larger than the preset number of characters;
if the number of the characters is larger than the preset number of the characters, extracting target language type characters contained in the software name of the software to be detected;
detecting whether malicious software characters matched with target language type characters contained in the software name of the software to be detected exist or not, wherein the malicious software characters refer to the target language type characters contained in the software name of the malicious software;
and if the malicious software characters matched with the target language type characters contained in the software name of the software to be detected exist, determining that the software to be detected is malicious software.
2. The method according to claim 1, wherein the detecting whether the characters of the malicious software matching the characters of the target language type contained in the software name of the software to be detected exist comprises:
acquiring a characteristic value corresponding to a target language type character contained in the software name of the software to be detected;
detecting whether a malware characteristic value which is the same as a characteristic value corresponding to the software to be detected exists in a malware characteristic value set or not, wherein the malware characteristic value set comprises at least one malware characteristic value, and each malware characteristic value is a characteristic value corresponding to one malware character;
and if the malware characteristic value set has the malware characteristic value which is the same as the characteristic value corresponding to the software to be detected, determining that malware characters matched with the target language type characters contained in the software name of the software to be detected exist.
3. The method according to claim 2, wherein the obtaining of the feature value corresponding to the target language type character included in the software name of the software to be detected comprises:
calculating a message abstract corresponding to target language type characters contained in the software name of the software to be detected by adopting a message abstract algorithm, and taking the message abstract as a characteristic value corresponding to the software to be detected;
alternatively, the first and second electrodes may be,
and calculating a hash value corresponding to the target language type character contained in the software name of the software to be detected by adopting a hash algorithm, and taking the hash value as a characteristic value corresponding to the software to be detected.
4. The method according to claim 1, wherein before detecting whether there are malware characters matching target language type characters contained in the software name of the software to be detected, further comprising:
acquiring a software name of a malicious software sample;
extracting target language type characters contained in the software name of the malicious software sample;
detecting whether target language type characters contained in the software name of the malicious software sample meet preset conditions or not, wherein the preset conditions comprise at least one of the following items: the method comprises the following steps that target language type characters contained in a software name are arranged at intervals, the interval number is larger than a preset interval number, preset characters or preset character strings exist behind the target language type characters contained in the software name, non-target language type characters are arranged behind the target language type characters contained in the software name, and the number of the non-target language type characters is larger than a preset threshold value;
and if the target language type characters contained in the software name of the malicious software sample meet the preset conditions, determining that the target language type characters contained in the software name of the malicious software sample are the malicious software characters.
5. The method according to claim 4, wherein after detecting whether the target language type characters included in the software name of the malware sample satisfy the predetermined condition, the method further comprises:
if the target language type characters contained in the software name of the malicious software sample meet the preset conditions, determining the target language type characters contained in the software name of the malicious software sample as candidate malicious software characters;
acquiring the extraction times corresponding to the candidate malware characters, wherein the extraction times refer to the times of extracting the candidate malware characters from the software names of the malware samples;
detecting whether the extraction times are greater than preset times;
and if the extraction times are greater than the preset times, determining the candidate malware characters as the malware characters.
6. The method according to any one of claims 1 to 5, further comprising:
for each malware character, detecting whether the malware character matches a target language type character extracted from a software name of a non-malware sample;
and if the malicious software characters are matched with the target language type characters extracted from the software names of the non-malicious software samples, deleting the malicious software characters.
7. The method according to any one of claims 1 to 5, wherein the obtaining of the software name of the software to be detected comprises:
reading an information description file in an application program package of the software to be detected;
and reading data in the software name entry in the information description file, and taking the read data as the software name of the software to be detected.
8. An apparatus for malware detection, the apparatus comprising:
the software name acquisition module is used for acquiring the software name of the software to be detected, and the software name of the software to be detected comprises characters of a plurality of language types;
the first extraction module is used for detecting whether the number of characters of the target language type characters contained in the software name of the software to be detected is larger than the preset number of characters or not; if the number of the characters is larger than the preset number of the characters, extracting target language type characters contained in the software name of the software to be detected;
the first detection module is used for detecting whether malicious software characters matched with target language type characters contained in the software name of the software to be detected exist or not, wherein the malicious software characters refer to the target language type characters contained in the software name of the malicious software;
the first determining module is used for determining that the software to be detected is malicious software if malicious software characters matched with the target language type characters contained in the software name of the software to be detected exist.
9. The apparatus of claim 8, wherein the first detection module comprises:
the identification acquisition unit is used for acquiring a characteristic value corresponding to a target language type character contained in the software name of the software to be detected;
the identification detection unit is used for detecting whether a malware characteristic value which is the same as a characteristic value corresponding to the software to be detected exists in a malware characteristic value set or not, wherein the malware characteristic value set comprises at least one malware characteristic value, and each malware characteristic value refers to a characteristic value corresponding to one malware character;
and the detection determining unit is used for determining that the malicious software characters matched with the target language type characters contained in the software name of the software to be detected exist if the malicious software characteristic values identical to the characteristic values corresponding to the software to be detected exist in the malicious software characteristic value set.
10. The apparatus of claim 8, further comprising:
the second acquisition module is used for acquiring the software name of the malicious software sample;
the second extraction module is used for extracting target language type characters contained in the software name of the malicious software sample;
a second detection module, configured to detect whether a target language type character included in a software name of the malware sample meets a preset condition, where the preset condition includes at least one of: the method comprises the following steps that target language type characters contained in a software name are arranged at intervals, the interval number is larger than a preset interval number, preset characters or preset character strings exist behind the target language type characters contained in the software name, non-target language type characters are arranged behind the target language type characters contained in the software name, and the number of the non-target language type characters is larger than a preset threshold value;
and the second determining module is used for determining that the target language type characters contained in the software name of the malicious software sample are the malicious software characters if the target language type characters contained in the software name of the malicious software sample meet the preset condition.
11. The apparatus of claim 10, further comprising:
a third determining module, configured to determine, if a target language type character included in the software name of the malware sample meets the preset condition, that the target language type character included in the software name of the malware sample is a candidate malware character;
the third acquisition module is used for acquiring the extraction times corresponding to the candidate malware characters, wherein the extraction times refer to the times of extracting the candidate malware characters from the software names of the malware samples;
the third detection module is used for detecting whether the extraction times are greater than preset times;
the second determining module is further configured to determine the candidate malware characters as the malware characters if the number of times of extraction is greater than the preset number of times.
12. The apparatus of any one of claims 8 to 11, further comprising:
the fourth detection module is used for detecting whether the malicious software characters are matched with target language type characters extracted from the software names of the non-malicious software samples or not for each malicious software character;
and the deleting module is used for deleting the malicious software characters if the malicious software characters are matched with the target language type characters extracted from the software names of the non-malicious software samples.
13. A terminal, characterized in that it comprises a processor and a memory, in which a software program is stored, which is loaded and executed by the processor to implement the malware detection method according to any one of claims 1 to 7.
14. A computer-readable storage medium having stored thereon instructions for execution by a processor to implement the malware detection method of any one of claims 1 to 7.
CN201710209737.8A 2017-03-31 2017-03-31 Malicious software detection method and device Active CN107145780B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710209737.8A CN107145780B (en) 2017-03-31 2017-03-31 Malicious software detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710209737.8A CN107145780B (en) 2017-03-31 2017-03-31 Malicious software detection method and device

Publications (2)

Publication Number Publication Date
CN107145780A CN107145780A (en) 2017-09-08
CN107145780B true CN107145780B (en) 2021-07-27

Family

ID=59784145

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710209737.8A Active CN107145780B (en) 2017-03-31 2017-03-31 Malicious software detection method and device

Country Status (1)

Country Link
CN (1) CN107145780B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109462503B (en) * 2018-11-09 2022-04-26 中国联合网络通信集团有限公司 Data detection method and device
CN109657469B (en) * 2018-12-07 2023-02-24 腾讯科技(深圳)有限公司 Script detection method and device
CN109871685B (en) * 2019-02-19 2023-08-08 腾讯科技(深圳)有限公司 RTF file analysis method and device
CN112989432A (en) * 2019-12-16 2021-06-18 华为技术有限公司 File signature extraction method and device
CN112291277B (en) * 2020-12-29 2021-05-25 腾讯科技(深圳)有限公司 Malicious software detection method, device, equipment and storage medium
CN114189714B (en) * 2021-12-08 2023-11-10 安天科技集团股份有限公司 Method, device, equipment and medium for detecting propagation of malicious software in video website
CN114969741A (en) * 2022-06-07 2022-08-30 中国软件评测中心(工业和信息化部软件与集成电路促进中心) Malicious software detection and analysis method, device, equipment and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101986323A (en) * 2009-10-01 2011-03-16 卡巴斯基实验室封闭式股份公司 Method and system for detection of previously unknown malware
CN102945348A (en) * 2012-10-19 2013-02-27 北京奇虎科技有限公司 Method and device for collecting file information
CN103500311A (en) * 2013-09-30 2014-01-08 北京金山网络科技有限公司 Software testing method and system
CN105718795A (en) * 2015-08-28 2016-06-29 哈尔滨安天科技股份有限公司 Malicious code evidence obtaining method and system on the basis of feature code under Linux

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9009818B2 (en) * 2006-04-06 2015-04-14 Pulse Secure, Llc Malware detection system and method for compressed data on mobile platforms

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101986323A (en) * 2009-10-01 2011-03-16 卡巴斯基实验室封闭式股份公司 Method and system for detection of previously unknown malware
CN102945348A (en) * 2012-10-19 2013-02-27 北京奇虎科技有限公司 Method and device for collecting file information
CN103500311A (en) * 2013-09-30 2014-01-08 北京金山网络科技有限公司 Software testing method and system
CN105718795A (en) * 2015-08-28 2016-06-29 哈尔滨安天科技股份有限公司 Malicious code evidence obtaining method and system on the basis of feature code under Linux

Also Published As

Publication number Publication date
CN107145780A (en) 2017-09-08

Similar Documents

Publication Publication Date Title
CN107145780B (en) Malicious software detection method and device
CN107944380B (en) Identity recognition method and device and storage equipment
US9800609B2 (en) Method, device and system for detecting malware in a mobile terminal
CN108924037B (en) Display method of rich media communication RCS message and mobile terminal
WO2015058616A1 (en) Recognition method and device for malicious website
CN104852885B (en) Method, device and system for verifying verification code
CN109089229B (en) Method, device, storage medium and terminal for risk prompt
CN109003194B (en) Comment sharing method, terminal and storage medium
CN108549519B (en) Split screen processing method and device, storage medium and electronic equipment
CN108156508B (en) Barrage information processing method and device, mobile terminal, server and system
CN107506646B (en) Malicious application detection method and device and computer readable storage medium
US10956653B2 (en) Method and apparatus for displaying page and a computer storage medium
CN111124221B (en) File sending method and terminal equipment
EP3920012A1 (en) Information processing method and terminal device
CN109032491B (en) Data processing method and device and mobile terminal
CN107493378B (en) Method and device for logging in application program, computer equipment and readable storage medium
CN109753202B (en) Screen capturing method and mobile terminal
CN110505340B (en) Message sending method, terminal equipment and readable storage medium
CN111273955A (en) Thermal restoration plug-in optimization method and device, storage medium and electronic equipment
CN106339391B (en) Webpage display method and terminal equipment
CN108304369B (en) File type identification method and device
CN109657469B (en) Script detection method and device
CN108846061B (en) Method, device and terminal equipment for shielding advertisement
CN111931155A (en) Verification code input method, verification code input equipment and storage medium
CN109450853B (en) Malicious website determination method and device, terminal and server

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant