CN113434826A - Detection method and system for counterfeit mobile application and related products

Publication number: CN113434826A
Application number: CN202110836828.0A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 孙文琦, 吴松洋, 俞诗博, 王娟
Current Assignee: Third Research Institute of the Ministry of Public Security
Original Assignee: Third Research Institute of the Ministry of Public Security
Prior art keywords: application, mobile application, counterfeit, information, judgment

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/018 Certifying business or products
    • G06Q30/0185 Product, service or business identity fraud


Abstract

The invention discloses a detection method and system for counterfeit mobile applications and a related product. The scheme analyzes an acquired mobile application package to be judged and obtains multi-dimensional attribute information of the package; judges whether the attribute information of the package is similar to the corresponding genuine mobile application information stored in a genuine application information base; and, if it is similar, performs counterfeit analysis and judgment on the obtained multi-dimensional static and/or dynamic attribute information of the package against the corresponding genuine mobile application package information in the genuine application information base, according to the judgment rules in a constructed counterfeit mobile application judgment rule base. The scheme provided by the invention can realize automatic detection of counterfeit mobile applications, reduce manual intervention and effectively solve the problems in the prior art.

Description

Detection method and system for counterfeit mobile application and related products
Technical Field
The invention relates to a mobile information security technology, in particular to a mobile application detection technology.
Background
With the development and popularization of the mobile internet and intelligent terminals, mobile applications are huge in number, emerge endlessly, and cover every aspect of life.
Meanwhile, an underground industry chain has formed around the development, production and distribution of mobile applications: for example, illegal applications are generated in batches, false advertisements are embedded, user privacy is stolen, and fraud is carried out, which poses great problems for the information security of the mobile network.
For such mobile applications, existing detection technology mainly performs dynamic and static detection, such as analyzing whether the application acquires permissions it should not acquire, whether malicious behaviors exist, whether malicious code is included, and whether an unsafe framework is included.
In addition, automated detection schemes are still lacking for illegal applications that counterfeit official applications, such as lending and banking applications, and deceive users for illegal gain.
For counterfeit mobile applications, existing detection technology mainly detects whether the apk has been cracked by others and repackaged. For example, the piracy monitoring of 360's application hardening service is based on the application's signing certificate.
When this detection technology is used, the user must also select whether the uploaded apk uses a genuine signature or a test signature. The genuine signature is the official application signature used by the developer or manufacturer when the application is released, and it is verified and confirmed by mainstream channels or application markets; the test signature is an informal signature used for testing during application development. The piracy monitoring service can show the signing certificate of the pirated copy, which application markets the pirated copy came from, and the download address of the pirated apk.
In addition to the detection techniques described above, the prior art relies on people to identify counterfeit applications, i.e., by observing the application's developer, the number of downloads, etc.
In summary, current detection and analysis of mobile applications mainly targets malicious behaviors, privacy violations and the like, and an effective method and platform for detecting counterfeit applications is still lacking. The existing detection technology for counterfeit applications has many problems in practical use, mainly the following:
(1) The existing detection technology cannot perform automated detection and analysis of applications in batches. First, detection based on the signing certificate carries the risk that the certificate may be stolen, for example by insiders. In addition, a known application and the correct certificate must be entered before detection; the certificate is held only by the application's developer, so other users cannot perform the detection.
(2) A user who wants to know whether an application is counterfeit needs considerable professional knowledge and complicated manual operations. For example, the user must check the application's official website, and there is no relatively fixed or effective way to tell the difference: counterfeits must be identified manually from the size difference between installation packages of the same application and the same version, or by comparing against all released versions and judging the package counterfeit if the official party never released that version. This manual judgment is tedious and depends on personal experience.
Disclosure of Invention
To address the problem that existing mobile application detection and identification technology cannot effectively and automatically identify and detect counterfeit mobile applications, the invention aims to provide a detection method for counterfeit mobile applications that realizes effective automatic detection and identification of counterfeit mobile applications and ensures the information security of mobile applications; on this basis, the invention further provides a detection system and a related product capable of implementing the detection method.
In order to achieve the above object, the present invention provides a method for detecting counterfeit mobile applications, comprising:
statically and/or dynamically analyzing the obtained mobile application package to be judged, and obtaining multi-dimensional static and/or dynamic attribute information of the mobile application package;
judging whether the multi-dimensional static and/or dynamic attribute information of the mobile application package is similar to the corresponding genuine mobile application information stored in a genuine application information base, and if so, carrying out counterfeit analysis and judgment;
and, according to the judgment rules in the constructed counterfeit mobile application judgment rule base, carrying out counterfeit analysis and judgment on the obtained multi-dimensional static and/or dynamic attribute information of the mobile application package against the corresponding genuine mobile application package information in the genuine application information base.
Further, the detection method comprises a step of establishing the genuine application information base, which comprises the following steps:
regularly and automatically collecting and updating genuine application information, and collecting the official download links of genuine applications and their official link information in third-party application markets;
performing static analysis on the collected genuine applications, extracting multiple dimensions of information about each genuine application, and constructing the genuine application information base;
and dynamically analyzing the genuine application, extracting the domain names accessed by its backend, and capturing and storing screenshots of its interface.
Further, the counterfeit mobile application judgment rule base comprises a similar genuine application information rule set and a distinguishing genuine application information rule set, wherein the similar genuine application information rule set contains at least one rule for judging similarity to genuine application information, and the distinguishing genuine application information rule set contains at least one rule for judging difference from genuine application information.
Further, the counterfeit mobile application judgment rule base further comprises a counterfeit application feature set.
Further, when the detection method performs the similarity judgment on the mobile application package information, three dimensions of static attribute information, namely the application name, the package name and the icon, are extracted from the obtained static attribute information of the mobile application package and compared with the corresponding genuine mobile application package information obtained from the established genuine application information base; as long as the static attribute information in any one dimension is similar to the corresponding genuine mobile application information stored in the genuine application information base, the two are determined to be similar.
Further, when the detection method performs counterfeit analysis and judgment, if the obtained multi-dimensional static and/or dynamic attribute information of the mobile application package and the corresponding genuine mobile application package information in the genuine application information base satisfy at least one judgment rule in the similar genuine application information rule set and at least one judgment rule in the distinguishing genuine application information rule set, the mobile application package to be judged is determined to be a counterfeit mobile application.
Further, the detection method quantitatively evaluates the degree of counterfeiting of the mobile application package to be judged on the basis of the number of judgment rules in the similar genuine application information rule set and in the distinguishing genuine application information rule set that are simultaneously satisfied between the obtained multi-dimensional static and/or dynamic attribute information of the mobile application package and the corresponding genuine mobile application package information in the genuine application information base.
In order to achieve the above object, the present invention provides a detection system for counterfeit mobile applications, comprising:
a genuine application information base, which stores multi-dimensional static and/or dynamic attribute information of genuine applications;
a counterfeit mobile application judgment rule base, in which a plurality of counterfeit mobile application detection judgment rules are stored;
a counterfeit mobile application analysis and judgment module, which statically and/or dynamically analyzes the acquired mobile application package to be judged, obtains multi-dimensional static and/or dynamic attribute information of the package, extracts three dimensions of static attribute information (the application name, the package name and the icon) from the obtained static attribute information, compares them with the corresponding genuine mobile application package information obtained from the genuine application information base, and, as long as the static attribute information in any one dimension is similar to the corresponding genuine mobile application information stored in the genuine application information base, reads the judgment rules from the counterfeit mobile application judgment rule base to perform analysis and judgment.
Furthermore, the detection system also comprises a genuine application information collection module and a data acquisition strategy management module, wherein the data acquisition strategy management module provides a data acquisition strategy, and the genuine application information collection module automatically collects genuine application information according to that strategy and updates the system's genuine application information base based on the collected information.
The detection system further comprises a judgment rule management module, which exchanges data with the counterfeit mobile application judgment rule base and the counterfeit mobile application analysis and judgment module. The judgment rule management module can manage the judgment rules stored in the counterfeit mobile application judgment rule base based on the operations of an administrator; it can also iteratively learn judgment rules from the judgment results of the counterfeit mobile application analysis and judgment module and manage the judgment rules stored in the rule base according to the results of that iterative learning.
Further, the counterfeit mobile application judgment rule base comprises a similar genuine application information rule set and a distinguishing genuine application information rule set, wherein the similar genuine application information rule set contains at least one rule for judging similarity to genuine application information, and the distinguishing genuine application information rule set contains at least one rule for judging difference from genuine application information.
In order to achieve the above object, the present invention also provides a computer program product adapted to perform the implementing steps of the above counterfeit mobile application detection method when executed on a data processing device.
In order to achieve the above object, the present invention further provides a terminal device, which includes a processor, a memory, and a program stored in the memory and executable on the processor, where the program code is loaded by the processor and executes the implementation steps of the counterfeit mobile application detection method.
The scheme provided by the invention can realize automatic detection of counterfeit mobile application, reduce manual intervention and effectively solve the problems in the prior art.
When the scheme provided by the invention is applied specifically, the rapid batch detection of counterfeit mobile applications can be realized.
When the scheme provided by the invention is applied specifically, the detection experience and the result can be accumulated, the iterative optimization is carried out continuously, and the precision and the efficiency of detection judgment are ensured.
Drawings
The invention is further described below in conjunction with the appended drawings and the detailed description.
FIG. 1 is a diagram of an exemplary architecture of a detection system for counterfeit mobile applications in an example of the present invention;
FIG. 2 is a diagram illustrating an example process for collecting genuine application information in an embodiment of the present invention;
FIG. 3 is an exemplary diagram of a process for managing counterfeit application rules in an example embodiment of the invention;
FIG. 4 is an exemplary diagram of a decision process for a counterfeit application in accordance with an embodiment of the present invention.
Detailed Description
In order to make the technical means, inventive features, objectives and effects of the invention easy to understand, the invention is further explained below with reference to the drawings.
Through analysis of the various kinds of information about counterfeit applications, this embodiment provides a detection scheme for counterfeit mobile applications that detects them rapidly and in batches, so that automated detection of counterfeit mobile applications is realized, manual intervention is reduced, and detection precision and efficiency are ensured.
The detection scheme first constructs a corresponding genuine application information base and a counterfeit mobile application judgment rule base.
The genuine application information base stores multi-dimensional static and/or dynamic attribute information of genuine applications and serves as the baseline data for counterfeit mobile application detection.
Furthermore, for the established genuine application information base, the scheme automatically collects genuine application information and automatically updates it on a regular basis. This removes the tedious process of entering genuine application information by manually collecting information or importing a certificate each time, and ensures that the information stored in the base is up to date, which in turn ensures the accuracy of subsequent judgment results.
The counterfeit mobile application judgment rule base stores the various counterfeit mobile application detection judgment rules, which guide the judgment of counterfeit mobile applications in combination with the genuine application information stored in the genuine application information base.
The detection judgment rules in the rule base can be formed by codifying human experience in judging counterfeit applications, and are classified and recorded in the rule base. The rules can also be continuously updated as mobile application technology and the application environment change, so that the reliability and accuracy of subsequent counterfeit judgments are ensured.
The scheme takes the established genuine application information base and counterfeit mobile application judgment rule base as the baseline data and judgment criteria, and further provides a corresponding execution scheme, so that automatic judgment of counterfeit applications is realized.
Specifically, the execution scheme for automatic detection of counterfeit mobile applications is as follows:
first, the obtained mobile application package to be judged is statically and/or dynamically analyzed, and multi-dimensional static and/or dynamic attribute information of the package is obtained;
then, a preliminary pre-judgment is made on the package based on the acquired multi-dimensional attributes to determine whether it is a suspected counterfeit mobile application (that is, some of its attribute information is similar to a genuine mobile application while it is not the genuine application itself); if it is a suspected counterfeit, the counterfeit analysis and judgment process is triggered;
finally, counterfeit analysis and judgment is performed on the obtained multi-dimensional static and/or dynamic attribute information of the package against the corresponding genuine mobile application package information in the genuine application information base, according to the judgment rules in the counterfeit mobile application judgment rule base.
When this detection scheme is executed, automatic batch detection of counterfeit mobile applications can be realized with high efficiency. Manual intervention is also reduced and no professional knowledge is needed: only the mobile application installation package to be detected has to be provided, and no other information is required.
To ensure that the genuine application information base can collect genuine application information in a timely and accurate manner, the scheme further specifies the information items to be collected for genuine applications (which can be extended as required) and a corresponding information collection method.
For example, when the scheme automatically collects and periodically updates genuine application information for the genuine application information base, the corresponding means include, but are not limited to, the following.
Stage one:
each major trusted application store is visited, and application information is collected and files are downloaded according to application name;
application versions are monitored, the application is downloaded again after a version update, and the different versions of the APP are stored;
the official download links of genuine applications and their official links in common third-party application markets are collected.
Stage two: on this basis, the scheme performs static analysis on the collected genuine applications, extracts multiple dimensions of application information, and constructs the genuine application information base. The stored information includes the application name, development company, application icon, package name, application version number, file MD5 value, certificate MD5 value, accessed backend domain names, signature platform information and the like; the stored information is not limited to these items.
Meanwhile, the application is dynamically analyzed, the domain names accessed by the APP's backend are extracted, and screenshots of the APP interface are captured and stored.
Real-time updating of the genuine application information in the genuine application information base is achieved by cycling between these two stages. This ensures that the reference baseline data is in its latest and most complete state when a counterfeit application is judged, and thus ensures the accuracy of the judgment result.
To ensure that the judgment rules in the counterfeit mobile application judgment rule base remain as accurate and well matched as possible when the detection scheme is executed, the scheme further provides an extensible construction scheme for the rule base.
For example, the counterfeit mobile application judgment rule base in this scheme includes at least two types of rule sets:
the first type: the similar genuine application information rule set;
the second type: the distinguishing genuine application information rule set.
These two types of rule sets can be extended as needed.
The first type, the similar genuine application information rule set, contains at least one rule for judging similarity to genuine application information. As an example, the judgment rules in the first type of rule set may be as follows:
(1.1) whether the application name exactly matches an application name in the genuine application information base; if it matches, the rule condition is satisfied;
(1.2) whether the icon fuzzy-matches an icon in the genuine application information base; if it matches, the rule condition is satisfied;
(1.3) whether the package name fuzzy-matches a package name in the genuine application information base; if it matches, the rule condition is satisfied.
These judgment rules determine whether the basic static attributes of the mobile application to be detected are similar to those of a genuine application.
The second type, the distinguishing genuine application information rule set, contains at least one rule for judging difference from genuine application information. By way of example, the judgment rules in the second type of rule set may be as follows:
(2.1) the signing certificate MD5 of the analyzed application does not match the signing certificates of any version of the genuine application in the genuine application information base;
(2.2) the version number of the analyzed application does not match any version number of the genuine application in the genuine application information base;
(2.3) the download link does not exist in the official download link library or in the common third-party application markets;
(2.4) the page is inconsistent with the genuine APP's page;
(2.5) the APP's backend accesses a URL in the blacklist (collected and stored from past counterfeit APPs);
(2.6) the signing certificate information hits the blacklisted signing certificate information;
(2.7) the APP name, icon and package name are inconsistent with the name, icon and package name of the genuine APP that was hit;
(2.8) the domain names of the backend links accessed by the running APP are inconsistent with the backend domain names of the genuine APP (for example, the backend domain name jd.com of the genuine Jingdong (JD) APP).
These judgment rules determine whether the basic content of the mobile application to be detected differs from that of the genuine application.
The scheme forms the condition for judging whether the mobile application to be detected is counterfeit from the rules in these two types of rule sets. Preferably, the condition for judging an application counterfeit is: at least one rule in the first type of rule set is satisfied and at least one rule in the second type of rule set is satisfied. When this condition is met, the mobile application to be detected is judged to be a counterfeit application, which ensures the accuracy and reliability of the judgment.
Further, the scheme also configures a third type of set in the counterfeit mobile application judgment rule base, the counterfeit application feature set, which contains common features of counterfeit APPs.
By way of example, the third type of counterfeit application feature set includes the following information:
(3.1) the APP name is not canonical, e.g. it contains spaces.
(3.2) the APP icon's pixel dimensions are below a threshold.
By combining the information in the third type of counterfeit application feature set with the judgment condition formed by the first two rule sets, whether the mobile application to be detected is counterfeit is further verified, which further improves the accuracy and reliability of the judgment.
The following describes, by way of example, a process of performing automated counterfeit detection according to the present invention in conjunction with the above-described configuration.
When the scheme is operated, after an apk (namely a mobile application package to be detected) is obtained from a user or flow, the obtained apk (namely the mobile application package to be detected) is statically and/or dynamically analyzed, and multi-dimensional static and/or dynamic attribute information of the apk is obtained;
secondly, performing preliminary prejudgment on the mobile application based on the acquired attribute information to determine whether the mobile application is suspected to be counterfeit mobile application; and if the suspected counterfeit mobile application is the counterfeit mobile application, triggering the counterfeit analysis and judgment process.
For example, the application name, package name, and icon of the apk may be extracted from the obtained static attribute information of the apk mobile application package, and the three-dimensional static attribute information is compared with the corresponding legal mobile application package information obtained from the established legal application information base, and as long as any one of the dimensional static attribute information is similar to the corresponding legal mobile application information stored in the legal application information base and is not legal application, it is determined that the apk is possible to counterfeit, and counterfeit analysis and determination are performed.
Next, a determination is made of counterfeit analysis for the apk for which a counterfeit possibility exists. Calling the judgment rules in the corresponding judgment rule set in the counterfeit mobile application judgment rule base, comparing and judging the acquired multi-dimensional static and/or dynamic attribute information of the apk with the corresponding legal mobile application package information in the legal application information base according to the called judgment rules, and recording the judgment results under the corresponding judgment rules.
The judgment rule of the first class rule set in the counterfeit mobile application judgment rule base can be called firstly, and the judgment is finished according to the judgment rule;
after the rule judgment of the first class rule set is finished, calling the judgment rule of the second class rule set in the counterfeit mobile application judgment rule base, and finishing the judgment according to the judgment rule;
after the rule judgment of the second type of rule set is finished, calling the judgment rule of the third type of rule set in the counterfeit mobile application judgment rule base, and finishing the judgment according to the judgment rule;
thereby completing all sets of rule decisions in turn.
And finally, performing counterfeit analysis and judgment according to the judgment result under each type of judgment rule set.
Based on the composition characteristics of the counterfeit mobile application judgment rule base in the scheme, the following analysis judgment conditions are adopted: i.e. at least one rule of the first set of rules is satisfied and at least one rule of the second set of rules is satisfied. And if the judgment condition is met, judging the apk as the counterfeit application.
For the result, further verification can be performed according to the result judged by the third type rule set.
As a preferred embodiment, the method can quantitatively evaluate the degree of counterfeiting of the mobile application package to be judged, based on the number of judgment rules in the similar genuine application information rule set and in the distinguishing genuine application information rule set that are simultaneously satisfied between the obtained multi-dimensional static and/or dynamic attribute information of the package and the corresponding genuine mobile application package information in the genuine application information base.
The quantitative evaluation can be realized by adopting a scoring mechanism, namely, the scoring of the counterfeiting degree of the mobile application is realized, and if the total score is higher, the suspected counterfeiting degree is higher.
The rules for scoring are not limited herein. By way of example, the following scoring mechanism may be employed:
Mechanism 1:
Scoring according to the number of judgment rules of the first-class rule set and of the second-class rule set that are satisfied between the apk to be judged and the corresponding genuine mobile application package in the genuine application information base; the more rules are satisfied, the higher the counterfeiting degree score;
on the basis of the scoring for the first-class and second-class rule sets, the number of satisfied judgment rules of the third-class rule set is further determined, and the counterfeiting degree is scored further.
Mechanism 2:
The higher the degree of fuzzy matching, the higher the score.
Mechanism 3:
Different weights can be assigned to different rules as needed, and corresponding score values are given according to the weights.
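The prejudgment, the three-class rule evaluation and the weighted scoring described above, as an added Python sketch that is not code from the patent. The concrete rules and weights, the 0.85 threshold, the perceptual-hash icon representation, the signer-digest test for "is the genuine application" and all sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from difflib import SequenceMatcher

SIM_THRESHOLD = 0.85                   # assumed cut-off for "similar"
URL_BLACKLIST = {"pay-login.invalid"}  # constructed blacklist entry


@dataclass
class AppInfo:
    name: str
    package: str
    icon_hash: int        # assumed: 64-bit perceptual hash of the icon
    cert_sha256: str      # assumed: signing-certificate digest
    version: str
    domains: set = field(default_factory=set)         # from dynamic analysis
    known_versions: set = field(default_factory=set)  # genuine records only


def text_sim(a, b):
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def similarities(apk, g):
    """Fuzzy similarity (0..1) on the three prejudgment dimensions."""
    icon = 1 - bin(apk.icon_hash ^ g.icon_hash).count("1") / 64
    return {"name": text_sim(apk.name, g.name),
            "package": text_sim(apk.package, g.package),
            "icon": icon}


def is_genuine(apk, g):
    # Assumption: same package name and same signer means "is the genuine app".
    return apk.package == g.package and apk.cert_sha256 == g.cert_sha256


def prefilter(apk, base):
    """Genuine records the apk resembles on ANY one dimension; [] if apk is genuine."""
    if any(is_genuine(apk, g) for g in base):
        return []
    return [g for g in base
            if max(similarities(apk, g).values()) >= SIM_THRESHOLD]


def similar(dim):
    # Mechanism 2: a stronger fuzzy match contributes a larger strength.
    return lambda apk, g, s: s[dim] if s[dim] >= SIM_THRESHOLD else 0.0


# (rule class, rule name, weight, strength function returning 0..1)
RULES = [
    (1, "name_similar", 2.0, similar("name")),
    (1, "package_similar", 2.0, similar("package")),
    (1, "icon_similar", 2.0, similar("icon")),
    (2, "signer_differs", 3.0,
     lambda a, g, s: float(a.cert_sha256 != g.cert_sha256)),
    (2, "version_unknown", 1.0,
     lambda a, g, s: float(a.version not in g.known_versions)),
    (3, "blacklisted_domain", 4.0,
     lambda a, g, s: float(bool(a.domains & URL_BLACKLIST))),
]


def judge(apk, base, rules=RULES):
    """Counterfeit iff >=1 class-1 rule AND >=1 class-2 rule fire; class 3 corroborates."""
    best = {"counterfeit": False, "target": None, "score": 0.0,
            "fired": {1: [], 2: [], 3: []}, "corroborated": False}
    for g in prefilter(apk, base):
        sims = similarities(apk, g)
        fired, score = {1: [], 2: [], 3: []}, 0.0
        for cls, name, weight, fn in rules:
            strength = fn(apk, g, sims)
            if strength > 0:
                fired[cls].append(name)
                score += weight * strength        # Mechanism 3: weighted score
        result = {"counterfeit": bool(fired[1]) and bool(fired[2]),
                  "target": g.name, "score": score, "fired": fired,
                  "corroborated": bool(fired[3])}
        if (result["counterfeit"], score) > (best["counterfeit"], best["score"]):
            best = result
    return best


# Constructed records; none of these identify a real application.
GENUINE_BASE = [AppInfo("ExamplePay", "com.example.pay", 0xF0F0F0F0F0F0F0F0,
                        "aa" * 32, "3.2.0", known_versions={"3.1.0", "3.2.0"})]
FAKE = AppInfo("ExamplePay", "com.examp1e.pay", 0xF0F0F0F0F0F0F0F3,
               "bb" * 32, "9.9.9", domains={"pay-login.invalid"})
SIBLING = AppInfo("ExamplePay Lite", "com.example.pay.lite", 0xF0F0F0F0F0F0F0F0,
                  "aa" * 32, "3.2.0")
UNRELATED = AppInfo("Weather Now", "org.sample.weather", 0x0123456789ABCDEF,
                    "cc" * 32, "1.0.0")

if __name__ == "__main__":
    for label, apk in [("fake", FAKE), ("sibling", SIBLING), ("unrelated", UNRELATED)]:
        r = judge(apk, GENUINE_BASE)
        print(label, r["counterfeit"], round(r["score"], 2), r["fired"])
```

The `SIBLING` record shows why both rule classes are required: it resembles the genuine package and icon but satisfies no distinguishing rule, so it receives a score without being judged counterfeit.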
When the detection scheme of the counterfeit mobile application is applied specifically, a corresponding software program can be formed and presented by a corresponding detection system of the counterfeit mobile application, so that the detection scheme of the counterfeit mobile application is realized.
Referring to fig. 1, there is shown a diagram of an exemplary architecture of a detection system for counterfeit mobile applications given in this example.
The counterfeit mobile application detection system 100 mainly includes a genuine application information base 110, a counterfeit mobile application determination rule base 120, a counterfeit mobile application analysis determination module 130, a genuine application information collection module 140, a data collection policy management module 150, and a determination rule management module 160.
The genuine application information base 110 stores multi-dimensional static and/or dynamic attribute information of genuine applications.
For the specific configuration of the genuine application information base 110, see the foregoing description of the genuine application information base; it is not repeated here.
The counterfeit mobile application determination rule base 120 stores therein a plurality of counterfeit mobile application detection determination rules.
For the specific configuration of the counterfeit mobile application determination rule base 120, see the foregoing description of the rule base; details are not repeated here.
The counterfeit mobile application analysis and determination module 130 serves as the execution module that performs counterfeit determination for the whole detection system, and carries out the system's automated counterfeit mobile application detection process.
The counterfeit mobile application analysis and determination module 130 serves as the data receiving port of the system and can receive the mobile application package 400 to be determined, such as a package sent by a user or obtained automatically from traffic. The module analyzes the received mobile application package 400 to obtain its multi-dimensional attribute information.
For example, the counterfeit mobile application analysis and determination module 130 may statically and/or dynamically analyze the obtained mobile application package to be determined, and obtain multi-dimensional static and/or dynamic attribute information of the mobile application package.
The counterfeit mobile application analysis and determination module 130 further performs data interaction with the genuine application information base 110 and the counterfeit mobile application determination rule base 120. Based on the acquired multi-dimensional attributes of the mobile application package, it completes the preliminary prejudgment and determines whether the package is a suspected counterfeit mobile application (that is, some of its attribute information is similar to a genuine mobile application, but it is not the genuine application); if it is, the counterfeit analysis and judgment process is triggered.
For example, the counterfeit mobile application analysis and determination module 130 extracts the application name, the package name, and the icon from the obtained static attribute information of the mobile application package, and compares these three dimensions of static attribute information with the corresponding genuine mobile application package information obtained from the genuine application information base. As long as any one dimension is similar to the corresponding genuine mobile application information stored in the genuine application information base, the module reads the determination rules from the counterfeit mobile application determination rule base and performs analysis and determination.
The counterfeit mobile application analysis and determination module 130 performs counterfeit analysis and determination, acquires the corresponding genuine mobile application package information from the genuine application information base 110, calls the determination rule in the counterfeit mobile application determination rule base 120, performs counterfeit analysis and determination on the acquired multi-dimensional static and/or dynamic attribute information of the mobile application package and the corresponding genuine mobile application package information in the genuine application information base according to the determination rule in the counterfeit mobile application determination rule base, and outputs the determination result.
For the process by which the counterfeit mobile application analysis and determination module 130 performs counterfeit analysis and determination, see the foregoing description of counterfeit analysis and determination; details are not repeated here.
The genuine application information collection module 140 and the data collection policy management module 150 in the system cooperate to automatically collect and periodically update the genuine application information in the genuine application information base 110.
The data collection policy management module 150 provides a data collection and update policy.
The genuine application information collection module 140 performs data interaction with the data collection policy management module 150 and the genuine application information base 110, respectively. It can automatically collect genuine application information according to the data collection policy provided by the data collection policy management module 150 and update the genuine application information base 110 of the system based on the collected information.
As shown in fig. 2, when the system automatically collects and periodically updates the genuine application information, the data collection policy management module 150 sends the data collection policy to the genuine application information collection module 140 according to the configured requirements.
The genuine application information collection module 140 periodically collects genuine application information from the third-party application markets 200 according to the collection policy; it likewise periodically collects the corresponding genuine application information from each mobile application official website 300 according to the collection policy. The specific information collected is not limited here and can be determined according to actual requirements.
The genuine application information collection module 140 updates the genuine application information in the genuine application information base 110 according to the collected information.
The genuine application information collection module 140 also periodically feeds back the collection results to the data collection policy management module 150, which can optimize the data collection policy according to the feedback, so that it can formulate an optimal data collection policy for each application or each third-party application market.
The determination rule management module 160 in the present system performs data interaction with the counterfeit mobile application determination rule base 120, the counterfeit mobile application analysis determination module 130, and the data collection policy management module 150, so as to manage various determination rules in the counterfeit mobile application determination rule base 120.
As shown in fig. 3, the determination rule management module 160 may correspondingly manage (e.g., enter, delete, update rule operations) the corresponding determination rules stored in the counterfeit mobile application determination rule base 120 based on the operations (e.g., enter, delete, update rule operations) of the administrator 600.
The determination rule management module 160 may further perform iterative learning of the determination rule according to the determination result of the counterfeit mobile application analysis determination module 130, and actively manage (e.g., enter, delete, and update rule operations) the determination rule stored in the counterfeit mobile application determination rule base 120 according to the result of iterative learning.
Through the determination rule management module 160, the genuine application information collection module 140 and the data collection policy management module 150, the system can continuously accumulate detection experience and results and be continuously and iteratively optimized.
Referring to fig. 4, an example of the counterfeit mobile application detection system 100 for determining counterfeit applications is shown.
As can be seen from the figure, when the system is applied, the user 500 can directly send the mobile application installation package to be determined to the system.
The counterfeit mobile application analysis and determination module 130 in the system receives a mobile application installation package sent by a user and performs multi-dimensional static/dynamic analysis on the mobile application installation package to obtain multi-dimensional attribute information of the mobile application installation package. Meanwhile, the corresponding determination rule is read from the counterfeit mobile application determination rule base 120, and the corresponding genuine application information is read from the genuine application information base 110.
Next, the counterfeit mobile application analysis and determination module 130 in the present system performs counterfeit analysis and determination on the obtained multi-dimensional attribute information of the mobile application package and the corresponding genuine application information in the genuine application information base according to the determination rule in the read counterfeit mobile application determination rule base (the determination process is as described above), and outputs the determination result to the user 500.
When the system is applied, a common user only needs to input the application installation package without additional other information, the whole process is simple to operate, the detection is automatically completed, and the efficiency is high.
The following illustrates the application process of the detection system 100 for counterfeit mobile applications.
Example 1:
In this example, automatic acquisition and updating of the genuine application information in the genuine application information base is implemented.
The first step: the crawlers for collecting APP data and the application dimension information to be extracted are defined through the data collection policy management module in the system.
The second step: the genuine application information collection module periodically collects application information, including application names, package names, issuers, installation packages and the like, from third-party application markets and the major official websites according to the collection policy, and periodically feeds the collection results back to the administrator.
The third step: the genuine application information collection module periodically re-crawls the third-party application markets and the major official websites according to manual settings and checks the version number; if the version number has been updated, it downloads the new version, updates the record, and stores both the updated version and the old version information in the repository.
Example 2:
In this example, counterfeit detection and determination of a mobile application package is implemented.
The first step: the user uploads a mobile application installation package A, and the installation package enters the counterfeit mobile application analysis and judgment module.
The second step: static analysis and dynamic analysis are performed on the uploaded installation package A, the data of the genuine application information base is read, and judgment is performed using the counterfeit application judgment rule base. If the APP satisfies at least one condition of the first type and at least one condition of the second type, it proceeds to filtering by the conditions of the third type.
Example 1: the user uploads the APP 'drips finance'. The genuine APP library contains 'drips finance', but all of its historical version numbers differ from that of the uploaded APP, and the uploaded APP's logo has low resolution and is suspected to be a screenshot; a high counterfeit score is therefore output, and the APP is judged to be counterfeit.
Example 2: the user uploads the APP 'sunlight loan'. Its logo is highly similar to that of the APP 'hundred-degree cash' in the genuine library, but its name and page screenshots differ from those of 'hundred-degree cash'; a high counterfeit score is therefore output, and the APP is judged to be counterfeit.
Example 3: the user uploads the APP '360 debit and credit'. The APP name exists in the genuine APP library, and the APP accesses, in the background, a URL on the URL blacklist; a high counterfeit score is therefore output, and the APP is judged to be counterfeit.
The third step: the discrimination score is output, and the discrimination result is output according to the score.
Example 3:
This example implements management of the decision rules in the counterfeit mobile application decision rule base.
The first step: through the judgment rule management module, the administrator periodically learns from and iterates on the existing rules, or adds, deletes and modifies rules. For example, the administrator finds that counterfeit APPs have a short survival time, so that many counterfeit APPs fail to be identified and the dynamic analysis screenshot shows "connection cannot be performed", while normal APPs rarely exhibit a similar situation; "dynamic analysis shows that connection cannot be performed" can therefore be added to the third type of identification conditions. Similarly, for rules that currently occur less frequently, the administrator may delete them or reduce their weighting score in a timely manner.
The second step: the counterfeit mobile application judgment module periodically returns its judgment results to the judgment rule management module, and these results serve as the basis for the next manual addition or modification of the check rules.
As a further supplement to the above solution, an embodiment of the present invention further provides a computer readable storage medium, on which a program is stored, which when executed by a processor, implements the steps of the above counterfeit mobile application detection scheme.
An embodiment of the invention also provides a processor, wherein the processor is used for running a program, and the steps of the above counterfeit mobile application detection scheme are executed when the program runs.
The embodiment of the invention also provides terminal equipment, which comprises a processor, a memory and a program which is stored on the memory and can run on the processor, wherein the program code is loaded and executed by the processor to realize the steps of the counterfeit mobile application detection scheme.
The present invention also provides a computer program product adapted to perform the steps of the above-described counterfeit mobile application detection scheme when executed on a data processing device.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, the apparatus and the module described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The foregoing shows and describes the general principles, essential features, and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (13)

1. The detection method for counterfeit mobile application is characterized by comprising the following steps:
statically and/or dynamically analyzing the obtained mobile application program package to be judged, and obtaining multi-dimensional static and/or dynamic attribute information of the mobile application program package;
judging whether the multi-dimensional static and/or dynamic attribute information of the mobile application program package is similar to corresponding legal mobile application information stored in a legal application information base or not, and if so, carrying out counterfeit analysis and judgment;
and according to the judgment rule in the constructed counterfeit mobile application judgment rule base, carrying out counterfeit analysis and judgment on the obtained multi-dimensional static and/or dynamic attribute information of the mobile application program package and the corresponding genuine mobile application program package information in the genuine application information base.
2. The method for detecting counterfeit mobile applications according to claim 1, wherein the method for detecting counterfeit mobile applications comprises a step of constructing a genuine application information base, comprising:
regularly and automatically collecting and updating genuine application information, and collecting official download links of genuine applications and official link information of third-party application markets;
performing static analysis on the collected genuine application information, extracting a plurality of dimensions of information of the genuine application, and constructing the genuine application information base;
and dynamically analyzing the genuine application program, extracting the domain names accessed by the genuine application program in the background, and capturing and storing screenshots of the interface of the genuine application program.
3. The method for detecting the counterfeit mobile application according to claim 1, wherein the counterfeit mobile application determination rule base comprises a similar genuine application information rule set and a distinguishing genuine application information rule set, and the similar genuine application information rule set comprises at least one genuine application information similarity determination rule; the distinguishing genuine application information rule set comprises at least one genuine application information distinguishing determination rule.
4. The method of detecting a counterfeit mobile application of claim 3, wherein the library of counterfeit mobile application decision rules further comprises a set of counterfeit application features.
5. The method for detecting counterfeit mobile applications according to claim 1, wherein when the detection method performs similarity determination on the mobile application package information, three dimensions of static attribute information, namely the application name, package name and icon, are extracted from the obtained static attribute information of the mobile application package and compared with the corresponding genuine mobile application package information obtained from the established genuine application information base, and as long as any one dimension of static attribute information is similar to the corresponding genuine mobile application information stored in the genuine application information base, the two are determined to be similar.
6. The method for detecting the counterfeit mobile application according to claim 1, wherein when the detection method performs counterfeit analysis and judgment, if at least one judgment rule in the similar genuine application information rule set and at least one judgment rule in the distinguishing genuine application information rule set are respectively satisfied between the obtained multi-dimensional static and/or dynamic attribute information of the mobile application package and the corresponding genuine mobile application package information in the genuine application information base, the mobile application package to be judged is determined to be a counterfeit mobile application.
7. The detection method of counterfeit mobile applications according to claim 1, wherein the detection method quantitatively evaluates the counterfeit degree of the mobile application package to be judged based on the number of corresponding judgment rules in the similar genuine application information rule set and the distinguishing genuine application information rule set that are simultaneously satisfied between the obtained multi-dimensional static and/or dynamic attribute information of the mobile application package and the corresponding genuine mobile application package information in the genuine application information base.
8. A detection system for counterfeit mobile applications, comprising:
a genuine application information base, which stores multi-dimensional static and/or dynamic attribute information of genuine applications;
a counterfeit mobile application determination rule base in which a plurality of counterfeit mobile application detection determination rules are stored;
a counterfeit mobile application analysis and judgment module, which is used for statically and/or dynamically analyzing the acquired mobile application package to be judged, acquiring multi-dimensional static and/or dynamic attribute information of the mobile application package, extracting an application name, a package name and an icon from the acquired static attribute information of the mobile application package, comparing these three dimensions of static attribute information with the corresponding genuine mobile application package information acquired from the genuine application information base, and, as long as any one dimension of static attribute information is similar to the corresponding genuine mobile application information stored in the genuine application information base, reading the judgment rules from the counterfeit mobile application judgment rule base to perform analysis and judgment.
9. The counterfeit mobile application detection system of claim 8, further comprising a genuine application information collection module and a data collection policy management module, wherein the data collection policy management module provides a data collection policy, and wherein the genuine application information collection module automatically collects the genuine application information according to the data collection policy provided by the data collection policy management module and updates a genuine application information base of the system based on the collected genuine application information.
10. The counterfeit mobile application detection system of claim 8, further comprising a judgment rule management module, said judgment rule management module being in data communication with the counterfeit mobile application judgment rule base and the counterfeit mobile application analysis and judgment module, said judgment rule management module being operable to manage the judgment rules stored in the counterfeit mobile application judgment rule base based on an administrator action; the judgment rule management module can iteratively learn judgment rules from the judgment results of the counterfeit mobile application analysis and judgment module and manage the judgment rules stored in the counterfeit mobile application judgment rule base according to the iterative learning result.
11. The counterfeit mobile application detection system of claim 8, wherein the counterfeit mobile application judgment rule base comprises a similar genuine application information rule set and a distinguishing genuine application information rule set, wherein the similar genuine application information rule set has at least one genuine application information similarity judgment rule, and the distinguishing genuine application information rule set has at least one genuine application information distinguishing judgment rule.
12. A computer program product, characterized in that it is adapted to perform the implementation steps of the counterfeit mobile application detection method of any of claims 1 to 7 when executed on a data processing device.
13. A terminal device comprising a processor, a memory and a program stored on the memory and executable on the processor, characterized in that the program code is loaded by the processor and performs the implementation steps of the counterfeit mobile application detection method according to any one of claims 1 to 7.
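The screening flow of claims 8 and 11, as an added sketch that is not code from the patent: a package is compared with the genuine application information base on application name, package name and icon, and the distinguishing rule set is applied only when at least one dimension is similar. The thresholds, the 64-bit perceptual icon hash, the use of the signing-certificate digest as the distinguishing attribute, and all names below are assumptions.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class AppInfo:
    name: str       # application name (label)
    package: str    # package name
    icon_hash: int  # 64-bit perceptual hash of the icon, computed elsewhere (assumed)
    signer: str     # signing-certificate digest (assumed distinguishing attribute)

def text_sim(a: str, b: str) -> float:
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def icon_sim(a: int, b: int) -> float:
    # 1.0 minus the normalised Hamming distance between the two 64-bit hashes
    return 1.0 - bin((a ^ b) & (2**64 - 1)).count("1") / 64

# Similar rule set: one rule per static dimension; thresholds are assumptions.
SIMILAR_RULES = {
    "name": lambda c, g: text_sim(c.name, g.name) >= 0.85,
    "package": lambda c, g: text_sim(c.package, g.package) >= 0.85,
    "icon": lambda c, g: icon_sim(c.icon_hash, g.icon_hash) >= 0.90,
}
# Distinguishing rule set: attributes a repackaged copy cannot share with the original.
DISTINGUISH_RULES = {
    "signer": lambda c, g: c.signer != g.signer,
}

def judge(candidate: AppInfo, genuine_base: list) -> dict:
    """Screen on any one similar dimension, then apply the distinguishing rules."""
    for g in genuine_base:
        similar = [k for k, rule in SIMILAR_RULES.items() if rule(candidate, g)]
        if not similar:
            continue  # no dimension resembles this genuine application
        differs = [k for k, rule in DISTINGUISH_RULES.items() if rule(candidate, g)]
        verdict = "counterfeit" if differs else "genuine"
        return {"verdict": verdict, "matched": g.package,
                "similar": similar, "differs": differs}
    return {"verdict": "unrelated", "matched": None, "similar": [], "differs": []}

# Constructed sample data, not taken from the patent.
GENUINE = [AppInfo("Example Bank", "com.example.bank", 0xF0F0A5A5C3C33C3C, "sha256:AAAA")]
FAKE = AppInfo("Example Bank", "com.examp1e.bank.pro", 0xF0F0A5A5C3C33C3D, "sha256:BBBB")
UPDATE = AppInfo("Example Bank", "com.example.bank", 0xF0F0A5A5C3C33C3C, "sha256:AAAA")
OTHER = AppInfo("Weather Now", "org.sample.weather", 0x0123456789ABCDEF, "sha256:CCCC")
```

Running the distinguishing rules only after a similarity hit keeps unrelated packages out of the verdict path, so a different signer alone never flags an application.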
CN202110836828.0A 2021-07-23 2021-07-23 Detection method and system for counterfeit mobile application and related products Pending CN113434826A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110836828.0A CN113434826A (en) 2021-07-23 2021-07-23 Detection method and system for counterfeit mobile application and related products

Publications (1)

Publication Number Publication Date
CN113434826A true CN113434826A (en) 2021-09-24

Family

ID=77761679

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110836828.0A Pending CN113434826A (en) 2021-07-23 2021-07-23 Detection method and system for counterfeit mobile application and related products

Country Status (1)

Country Link
CN (1) CN113434826A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104951675A (en) * 2014-03-31 2015-09-30 北京金山网络科技有限公司 Pirate application recognition method and system
CN108133123A (en) * 2017-12-15 2018-06-08 上海连尚网络科技有限公司 A kind of recognition methods of application program and system
CN108256328A (en) * 2017-12-29 2018-07-06 北京奇虎科技有限公司 Identify the method and device of counterfeit application
CN110532165A (en) * 2019-07-05 2019-12-03 中国平安财产保险股份有限公司 Application program installation kit characteristic detecting method, device, equipment and storage medium
CN110704104A (en) * 2019-10-14 2020-01-17 北京智游网安科技有限公司 Application counterfeit detection method, intelligent terminal and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115225930A (en) * 2022-07-25 2022-10-21 广州博冠信息科技有限公司 Processing method and device for live interactive application, electronic equipment and storage medium
CN115225930B (en) * 2022-07-25 2024-01-09 广州博冠信息科技有限公司 Live interaction application processing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination