CN117763548A - Malicious android virtualized application program detection method - Google Patents
Malicious android virtualized application program detection method Download PDFInfo
- Publication number
- CN117763548A CN117763548A CN202311786519.2A CN202311786519A CN117763548A CN 117763548 A CN117763548 A CN 117763548A CN 202311786519 A CN202311786519 A CN 202311786519A CN 117763548 A CN117763548 A CN 117763548A
- Authority
- CN
- China
- Prior art keywords
- plug
- application program
- application
- android
- detection result
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 claims abstract description 54
- 238000004458 analytical method Methods 0.000 claims abstract description 18
- 230000003993 interaction Effects 0.000 claims abstract description 16
- 230000003068 static effect Effects 0.000 claims abstract description 16
- 238000012545 processing Methods 0.000 claims abstract description 11
- 230000006399 behavior Effects 0.000 claims description 41
- 238000000034 method Methods 0.000 claims description 21
- 238000013507 mapping Methods 0.000 claims description 9
- 230000008569 process Effects 0.000 claims description 6
- 230000002159 abnormal effect Effects 0.000 claims description 4
- 238000010586 diagram Methods 0.000 claims description 4
- 238000012546 transfer Methods 0.000 claims description 3
- 230000000694 effects Effects 0.000 description 3
- 238000012544 monitoring process Methods 0.000 description 3
- 230000001960 triggered effect Effects 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000005206 flow analysis Methods 0.000 description 2
- 238000009434 installation Methods 0.000 description 2
- 230000004075 alteration Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 239000003607 modifier Substances 0.000 description 1
- 230000000644 propagated effect Effects 0.000 description 1
- 230000007480 spreading Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Landscapes
- Stored Programmes (AREA)
Abstract
The invention belongs to the technical field of network security, and particularly relates to a malicious android virtualized application program detection method; comprising the following steps: acquiring APK of an application to be tested and reversely compiling the APK to obtain a source code file; extracting a path of an application program loading plug-in from a source code file; processing the source code file by adopting a static analysis tool to obtain a first hidden loading behavior detection result; executing APK in the simulator and dynamically analyzing the user interaction interface to obtain a second hidden loading behavior detection result; obtaining a plug-in according to a path of loading the plug-in by an application program, detecting the sensitive authority and the API calling condition of the plug-in application, and analyzing according to the sensitive authority and the API calling condition of the plug-in to obtain a plug-in detection result; analyzing according to the first and second hidden loading behavior detection results and the plug-in detection result to obtain a malicious android virtualized application program detection result of the application to be tested; the invention can improve the comprehensiveness and accuracy of detection.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a malicious android virtualized application program detection method.
Background
Nowadays, mobile equipment is portable and intelligent, is favored by users, has powerful functions and high market share of an Android operating system mounted on the mobile equipment, attracts a large number of Android malicious software developers to get gray benefits, causes quick spreading of the Android malicious software, and breaks the ecological safety of the Android system. In particular, android virtualization programs can load malicious code at runtime, so that malicious functions do not appear immediately upon application installation, with concealment. Android virtualization technology is widely adopted to implement various malicious actions, such as stealing sensitive information, performing unauthorized operations, and the like. Specifically, since the android virtualization program can encrypt a malicious plug-in, such as plug-in, or dynamically load its plug-in, such as HummingBad, from the internet after the program is running, the conventional android malicious application detection scheme is difficult to directly use for identifying such malicious behaviors. In order to assist downstream security analysts in analyzing and selecting targeted detection means, it is necessary to study how to determine that the application to be detected belongs to the android virtualization program.
In the prior art, an android virtualization program detection method mainly comprises static detection and dynamic detection. Static detection recognizes that if more than 80% of the declared components are similar, the corresponding application is likely to use virtualization techniques. A state detection model appears that identifies the presence of an application virtualization framework in an APK file by looking through a control flow graph to see if plug-in components are eventually replaced by stub components. However, this scheme is based on the fixed observation of the existing framework, and it is difficult to detect multiple types of virtualization programs. And dynamic detection ensures the safety of the host application program when loading various application plugins by monitoring, analyzing and evaluating the behavior of plugins in real time. Whether the APP is called as a plug-in or not can be judged by detecting the unmatched Android management file and component information by adopting a plug-in Killer. A learner discovers that when an application program runs in a plug-in environment in a plug-in unit, the starting activity generation time cost of the same type of Android component under the condition of the same process and a new process is not proportional. One existing method collects and calculates a ratio of times that activity is initiated in both cases, and compares the ratio to a predefined threshold to determine the type of current environment. In addition, studies have proposed that it be possible to detect whether an application is being launched by a host application by storing six features, i.e., directory, process name and unexplained permissions, stack trace and suspicious library calls inside and outside.
In detecting android malicious programs for using virtualization technology, the following two problems need to be solved for how to accurately identify malicious android virtualized programs: 1. how to accurately grasp the malicious features of the android malicious virtualized application program and judge the malicious attributes of the android malicious virtualized application program; 2. the existing detection method for the android malicious virtualized application program is mainly based on static or dynamic analysis, but the detection result is not ideal, and the accuracy is to be improved.
Disclosure of Invention
Aiming at the defects existing in the prior art, the invention provides a malicious android virtualized application program detection method, which comprises the following steps:
s1: acquiring APK of an application to be tested and reversely compiling the APK to obtain a source code file;
s2: extracting a path of an application program loading plug-in from a source code file;
s3: processing the source code file by adopting a static analysis tool to obtain a first hidden loading behavior detection result;
s4: executing APK in the simulator and dynamically analyzing the user interaction interface to obtain a second hidden loading behavior detection result;
s5: obtaining a plug-in according to a path of loading the plug-in by an application program, detecting application sensitive authority and API calling conditions of the plug-in, and analyzing according to the sensitive authority and the API calling conditions of the plug-in to obtain a plug-in detection result;
s6: and analyzing according to the first and second hidden loading behavior detection results and the plug-in detection result to obtain a malicious android virtualized application program detection result of the application to be tested.
Preferably, step S2 specifically includes: and detecting whether the application to be tested dynamically loads the plug-in or not and acquiring a path of the application program for loading the plug-in by using the DexClassLoader function interface of the application to be tested in the Frida frame hook.
Preferably, step S3 specifically includes:
using static analysis tool android to construct control flow graph and data flow graph of application program according to source code file;
acquiring a data processing and transferring path according to a control flow graph of an application program;
acquiring calling relations among functions according to a data flow diagram of an application program;
comparing the calling relation between the data processing and transfer paths and functions with expected behaviors; if the expected behavior is not met, judging that the hidden loading behavior exists in the application program, otherwise, judging that the application program is suspicious.
Preferably, step S4 specifically includes: and executing the APK in the simulator, judging that the application program has hidden loading behavior if the user interaction popup window does not appear on the user interaction interface to acquire user consent or the user interaction interface does not appear on the icon, otherwise, judging that the application program is a suspicious application program.
Preferably, step S5 specifically includes: obtaining an APK file of the plug-in according to a path of loading the plug-in by the application program; decompiling the APK file of the plug-in to obtain a source code file of the plug-in; analyzing the source code file and acquiring all rights in the plug-in source code file; judging whether sensitive rights exist in all rights; if yes, extracting the sensitive authority and acquiring an API call condition corresponding to the sensitive authority, otherwise, judging that the plug-in is normal; constructing a mapping relation between the sensitive authority and the corresponding API call condition; judging whether the mapping relation between the sensitive authority and the API calling situation accords with the expectation, if so, judging that the plug-in is normal, otherwise, judging that the plug-in is abnormal.
Further, the sensitive rights include a camera, a storage, a microphone, and a telephone.
Preferably, in step S6, the process of obtaining the detection result of the malicious android virtualized application program of the application to be tested includes: if the first and second hidden loading behavior detection results are that the application to be tested is a suspicious application program and the plug-in detection result is that the plug-in is normal, the application to be tested is finally judged to be a benign android virtualized application program; otherwise, the application to be tested is finally judged to be the malicious android virtualized application program.
The beneficial effects of the invention are as follows: according to the method, the detection accuracy of the malicious android virtualized application program is effectively improved through combination of static and dynamic analysis. The mixed analysis mode can be combined with a control flow graph and a data flow graph of an application program, and dynamically analyze APK to be detected to confirm a more accurate detection result. The method refers to user interaction information, and even if malicious behaviors occur in running, the malicious behaviors can be detected, so that the comprehensiveness and accuracy of detection are improved. In addition, the invention also notices the sensitive authority and API call condition of the loaded plug-in, grasps the malicious features of the android malicious virtualized application program, which are easy to be ignored, and can more accurately check out the malicious attribute.
Drawings
FIG. 1 is a flowchart of a malicious android virtualized application detection method in the invention;
FIG. 2 is a diagram of a hook scheme implementation of the present invention;
FIG. 3 is a flow chart of static analysis APK hidden loading behavior in the invention;
FIG. 4 is a flow chart of detecting loaded plug-in application sensitive rights and API calls in the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention provides a malicious android virtualized application program detection method, which is shown in fig. 1 and comprises the following steps:
s1: and acquiring the APK of the application to be tested and reversely compiling the APK to obtain a source code file.
Preferably, APK of the application to be tested is unpacked by using Apktool and dex2jar tools, android byte code files are reversely converted into Java byte code file tools capable of being analyzed and processed statically, and source code files are obtained through decompilation.
S2: a path for loading plug-ins by an application is extracted from a source code file.
The basis for dynamic loading of the dex/jar/apk file is the class loader ClassLoader. In the dynamic loading development of the practical application, a class is loaded by using a specific subclass DexClassLoader class loader, and the method can record the storage path of a dynamic loading file, the loaded class information, the called method information and the like.
The constructor of the DexClassLoader is as follows:
DexClassLoader(String dexPath,String optimizedDirectory,
String librarySearchPath,ClassLoader parent)
wherein: dexPath: jar packets or apk file paths containing dex files; optimizedtirectory: caching the catalogue; librarySearchPath: the path of the native library (so file), may be empty; parent: parent class loader.
The invention uses DexClassLoader function interface of the application to be tested in the Frida frame hook to detect whether the application dynamically loads the plugin and obtain the path of loading the plugin, namely the dexPath, and obtains the loaded APK file through the path so as to prepare for subsequent detection. As shown in fig. 2, in particular:
s21: using a Frida framework to load the process of the application program to be tested, and using a Java.choose () function to acquire a DexClassLoader instance and a Java.use () function to specify the DexClassLoader class needing hook;
s22: adding a hook for a constructor of the DexClassLoader, monitoring the call of the constructor, and acquiring a dexPath when the constructor is called;
s23: an interceptor is added for the loadClass () function of the declassfoader. In the interceptor, monitoring call of loadClass () function, and obtaining input parameters and return value of the function;
s24: determining whether the plug-in is dynamically loaded by the application program by judging whether the input parameters contain information such as class names, paths and the like related to the plug-in;
s25: if the dynamic loading of the plug-in is detected, the dexPath of the plug-in is recorded for subsequent detection, and if the dynamic loading of the plug-in is not detected, namely the operation of the dynamic loading of the plug-in is not carried out by the application to be tested, the subsequent operation of judging whether the hidden loading behavior exists is continued.
S26: outputting a path of loading the plug-in of the application program to be tested. After running the Frida script described above, it will monitor the DexClassLoader constructor used in the target application and print the dexPath when the constructor is called.
S3: and processing the source code file by adopting a static analysis tool to obtain a first hidden loading behavior detection result.
Application code is analyzed by a code static analysis tool, android, to build a control flow graph (Control Flow Graph, CFG) and a call graph (dataflow graph) of the application and analyze the same. The purpose of the dataflow and call graph analysis is to track the path of the object from the start point to the end point, determine whether the object is processed according to the expected behavior or whether the call is triggered, and thus determine whether the application has hidden loading behavior. For benign applications, after locating the plug-in APK path, the plug-in will be installed with user consent and executed with a normal user interface. However, most application virtualization-based malware will silence the loading plug-in without any prompt boxes or user clicks, summarized as two features in table 1. The whole flow is shown in fig. 3, and comprises the following steps:
s31: using static analysis tool android, control flow graphs and data flow graphs of applications are built from source code files.
And extracting information such as functions, variables, classes and the like from the source code file by using a static analysis tool android, and constructing a control flow graph and a data flow graph of the application program according to the extracted information.
S32: and acquiring a data processing and transferring path according to the control flow graph of the application program.
The data flow analysis is implemented by using the CFG to track the processing and delivery paths of the data and to analyze objects associated with the path API.
S33: and acquiring the calling relation among the functions according to the data flow diagram of the application program.
And analyzing the calling relation and the dependency relation through a calling graph (Callgraph), constructing a calling path between functions, and realizing the calling graph analysis.
S34: comparing the calling relation between the data processing and transfer paths and functions with expected behaviors; if the expected behavior is not met, judging that the hidden loading behavior exists in the application program, otherwise, judging that the application program is suspicious.
Part of the expected behavior is shown in table 1, and features are searched by data flow analysis of the call graph, and a specific object is propagated from a starting point (second column of table 1) to an ending point (third column of table 1) to determine whether the object is processed according to the expected behavior or whether a call is triggered.
TABLE 1 expected behavior
The control flow graph and call graph are not in line with the expected situation, i.e. the object is not processed according to the expected behavior, or certain parameters are not used for calling, and the hidden loading behavior is determined. For example, the expected behavior for a plug-in load is to install after user consent and execute in the normal user interface of the application. When dataflow and call graph analysis is performed, object paths from the start point to the end point are tracked and checked whether the objects are processed as expected or calls are triggered.
S4: and executing APK in the simulator and dynamically analyzing the user interaction interface to obtain a second hidden loading behavior detection result.
Typically benign application virtualization applications require the user to click an install button or pop-up dialog box at the time of plug-in installation to gain user consent. However, most application virtualization-based malware samples load their malicious plug-ins from the beginning without any user interaction. In addition, after the benign application program is installed, icons are added to the main screen, so that the user can use the icon next time conveniently. However, malware instances tend to hide themselves and run in the background without displaying any icons or activities, and the user does not see any GUI on the screen.
Therefore, the APK is executed in the simulator, if the user interaction popup window does not appear in the user interaction interface to obtain user consent, or the icon does not appear in the user interaction interface, the application program is judged to have hidden loading behaviors, and the result is output. Otherwise, the application program does not have hidden loading behavior, the application program is judged to be the suspicious android virtualized application program, and the flow is continued. This is because some game plug-ins will load game modifiers and game applications in the application virtualization environment and provide an interface for users to customize and modify different game properties. Therefore, some malicious android virtualized applications may forge the game plug-in and provide a user interaction interface to mislead the hidden loading behavior as not contained.
S5: and (3) acquiring the plug-in according to the path of the application program loading the plug-in, namely the dexPath obtained in the step S2, detecting the sensitive authority and the API calling condition of the plug-in application, and analyzing according to the sensitive authority and the API calling condition of the plug-in to obtain a plug-in detection result.
Detecting whether the loaded plug-in application has a sensitive authority and API calling condition, and statically analyzing a mapping relation between the sensitive authority and the API by using an android tool to detect privacy disclosure; the method can help to judge whether the application program is a malicious android virtualized application program, and the algorithm flow chart is shown in fig. 4, and comprises the following steps:
s51: obtaining an APK file of the plug-in according to a path of loading the plug-in by the application program; decompiling the APK file of the plug-in to obtain a source code file of the plug-in.
S52: and analyzing the source code file to acquire all rights in the plug-in source code file.
And loading the plug-in source code file by using an android library, analyzing the content of the plug-in source code file, and obtaining a code structure in the APK by reading and analyzing information such as classes, methods, fields and the like in the Java byte code.
Traversing the perms list through a get_permission () method to acquire all rights applied in the APK file.
S53: judging whether sensitive rights exist in all rights; if yes, extracting the sensitive authority and acquiring the API call condition corresponding to the sensitive authority, otherwise, judging that the plug-in is normal.
Preferably, the sensitive rights include camera, storage, microphone and telephone.
S54: and constructing a mapping relation between the sensitive authority and the corresponding API call condition.
And establishing a mapping relation between the authority and the API call condition according to the sensitive authority and the corresponding API call condition.
S55: judging whether the mapping relation between the sensitive authority and the API calling situation accords with the expectation, if so, judging that the plug-in is normal, otherwise, judging that the plug-in is abnormal.
It is expected that the application program will use the camera related API call to implement camera function related operations, such as taking a picture or recording a video, if the application program declares an android. The expected relationship between the partial rights and the corresponding API call is shown in table 2.
TABLE 2 expected relationship between partial rights and corresponding API calls
Judging whether the mapping relation between the sensitive authority and the API call situation accords with the expectation or not, and if any situation which does not accord with the expectation is detected, indicating that the plug-in is abnormal.
S6: and analyzing according to the first and second hidden loading behavior detection results and the plug-in detection result to obtain a malicious android virtualized application program detection result of the application to be tested.
If the first and second hidden loading behavior detection results are that the application to be tested is a suspicious application program and the plug-in detection result is that the plug-in is normal (no sensitive authority exists or the sensitive authority accords with the expectation), the application to be tested is finally judged to be a benign android virtualized application program; otherwise, the application to be tested is finally judged to be the malicious android virtualized application program.
The part comprehensively judges 3 detection results, and the latter part dynamically detects or loads the detection results of the file, no matter whether the detection results are true or false, the static detection results are not affected. And so on, when the dynamic detection result is false (benign program), the dynamic detection result is only related to the previous detection result and is not related to the detection result of the loaded file.
In summary, the invention decompiles APK to be tested; detecting whether an application dynamically loads APK and acquiring a path of the loaded APK file by using a Frida frame hook tested application DexClassLoader function interface; judging whether the APK has hidden loading behaviors or not by combining static and dynamic analysis; acquiring a dynamically loaded plug-in application from an APK file path, reversely analyzing a code structure and authority of the plug-in application, and detecting the call of a sensitive authority and an API; comprehensively analyzing the detection result, and judging whether the tested android virtualized application program is a malicious program or not; the comprehensive and accurate detection is improved through the mixed analysis mode.
While the foregoing is directed to embodiments, aspects and advantages of the present invention, other and further details of the invention may be had by the foregoing description, it will be understood that the foregoing embodiments are merely exemplary of the invention, and that any changes, substitutions, alterations, etc. which may be made herein without departing from the spirit and principles of the invention.
Claims (7)
1. The malicious android virtualization application program detection method is characterized by comprising the following steps of:
s1: acquiring APK of an application to be tested and reversely compiling the APK to obtain a source code file;
s2: extracting a path of an application program loading plug-in from a source code file;
s3: processing the source code file by adopting a static analysis tool to obtain a first hidden loading behavior detection result;
s4: executing APK in the simulator and dynamically analyzing the user interaction interface to obtain a second hidden loading behavior detection result;
s5: obtaining a plug-in according to a path of loading the plug-in by an application program, detecting the sensitive authority and the API calling condition of the plug-in application, and analyzing according to the sensitive authority and the API calling condition of the plug-in to obtain a plug-in detection result;
s6: and analyzing according to the first and second hidden loading behavior detection results and the plug-in detection result to obtain a malicious android virtualized application program detection result of the application to be tested.
2. The method for detecting the malicious android virtualized application according to claim 1, wherein step S2 specifically includes: and detecting whether the application to be tested dynamically loads the plug-in or not and acquiring a path of the application program for loading the plug-in by using the DexClassLoader function interface of the application to be tested in the Frida frame hook.
3. The method for detecting the malicious android virtualized application according to claim 1, wherein step S3 specifically includes:
using static analysis tool android to construct control flow graph and data flow graph of application program according to source code file;
acquiring a data processing and transferring path according to a control flow graph of an application program;
acquiring calling relations among functions according to a data flow diagram of an application program;
comparing the calling relation between the data processing and transfer paths and functions with expected behaviors; if the expected behavior is not met, judging that the hidden loading behavior exists in the application program, otherwise, judging that the application program is suspicious.
4. The method for detecting the malicious android virtualized application according to claim 1, wherein step S4 specifically includes: and executing the APK in the simulator, judging that the application program has hidden loading behavior if the user interaction popup window does not appear on the user interaction interface to acquire user consent or the user interaction interface does not appear on the icon, otherwise, judging that the application program is a suspicious application program.
5. The method for detecting the malicious android virtualized application according to claim 1, wherein step S5 specifically includes: obtaining an APK file of the plug-in according to a path of loading the plug-in by the application program; decompiling the APK file of the plug-in to obtain a source code file of the plug-in; analyzing the source code file and acquiring all rights in the plug-in source code file; judging whether sensitive rights exist in all rights; if yes, extracting the sensitive authority and acquiring an API call condition corresponding to the sensitive authority, otherwise, judging that the plug-in is normal; constructing a mapping relation between the sensitive authority and the corresponding API call condition; judging whether the mapping relation between the sensitive authority and the API calling situation accords with the expectation, if so, judging that the plug-in is normal, otherwise, judging that the plug-in is abnormal.
6. The method for detecting malicious android virtualized application of claim 5, wherein said sensitive permissions include cameras, storage, microphones, and phones.
7. The method for detecting the malicious android virtualized application program according to claim 1, wherein in step S6, the process of obtaining the detection result of the malicious android virtualized application program of the application to be tested includes: if the first and second hidden loading behavior detection results are that the application to be tested is a suspicious application program and the plug-in detection result is that the plug-in is normal, the application to be tested is finally judged to be a benign android virtualized application program; otherwise, the application to be tested is finally judged to be the malicious android virtualized application program.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311786519.2A CN117763548A (en) | 2023-12-22 | 2023-12-22 | Malicious android virtualized application program detection method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311786519.2A CN117763548A (en) | 2023-12-22 | 2023-12-22 | Malicious android virtualized application program detection method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117763548A true CN117763548A (en) | 2024-03-26 |
Family
ID=90314000
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311786519.2A Pending CN117763548A (en) | 2023-12-22 | 2023-12-22 | Malicious android virtualized application program detection method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117763548A (en) |
-
2023
- 2023-12-22 CN CN202311786519.2A patent/CN117763548A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Xue et al. | Malton: Towards {On-Device}{Non-Invasive} Mobile Malware Analysis for {ART} | |
| Spreitzenbarth et al. | Mobile-sandbox: having a deeper look into android applications | |
| Feng et al. | Apposcopy: Semantics-based detection of android malware through static analysis | |
| Spreitzenbarth et al. | Mobile-Sandbox: combining static and dynamic analysis with machine-learning techniques | |
| US8117660B2 (en) | Secure control flows by monitoring control transfers | |
| KR100926115B1 (en) | Apparatus and method for automatically analyzing a program for detecting malicious codes triggered under an certain event/context | |
| CN111859375B (en) | Vulnerability detection method and device, electronic equipment and storage medium | |
| Junaid et al. | Dexteroid: Detecting malicious behaviors in android apps using reverse-engineered life cycle models | |
| US20080052677A1 (en) | System and method for mitigating repeated crashes of an application resulting from supplemental code | |
| Gianazza et al. | Puppetdroid: A user-centric ui exerciser for automatic dynamic analysis of similar android applications | |
| US9507933B2 (en) | Program execution apparatus and program analysis apparatus | |
| US11811824B2 (en) | Security system for detecting malicious actor's observation | |
| JP2011233126A (en) | Device, system and method for detecting malignant code which is disguised as normal and inserted to normal process | |
| CN112035354A (en) | Method, device and equipment for positioning risk code and storage medium | |
| CN112527674A (en) | Safety evaluation method, device, equipment and storage medium of AI (Artificial Intelligence) framework | |
| Xu et al. | A dynamic taint analysis tool for android app forensics | |
| Afonso et al. | Lumus: Dynamically uncovering evasive Android applications | |
| Boxler et al. | Static taint analysis tools to detect information flows | |
| Lebbie et al. | Comparative Analysis of Dynamic Malware Analysis Tools | |
| CN112632547A (en) | Data processing method and related device | |
| Tang et al. | A systematical study on application performance management libraries for apps | |
| CN114328168A (en) | Anomaly detection method and device, computer equipment and storage medium | |
| CN117763548A (en) | Malicious android virtualized application program detection method | |
| Sufatrio et al. | Accurate specification for robust detection of malicious behavior in mobile environments | |
| Li et al. | Cross-language Android permission specification |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |