WO2022126616A1 - Malicious application detection method and apparatus, and storage medium - Google Patents


Info

Publication number
WO2022126616A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
configuration information
information
operating system
malicious
Application number
PCT/CN2020/137660
Other languages
French (fr)
Chinese (zh)
Inventor
那键 (Na Jian)
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Applicant
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority applications
CN202080004482.1A (published as CN112689835A)
PCT/CN2020/137660 (published as WO2022126616A1)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • The present application relates to the field of computer technologies, and in particular to a method, device and storage medium for detecting malicious applications.
  • An application (App) is a computer program for completing one or more specific tasks.
  • Operating systems based on the Linux kernel, such as Android, are mainly used in mobile terminal devices. Because the code of such operating systems is open source and highly extensible, the functions of the Apps developed for them are increasingly diverse, meeting many needs of people's daily life.
  • At the same time, the black industry that conducts fraud, fee deduction and cryptocurrency mining through malicious Apps is also developing rapidly.
  • The black industry has a major impact on the data security of users.
  • For example, an in-vehicle infotainment unit (car machine) running Android and the mobile terminal device that communicates with it may be attacked by malicious Apps, leading to leakage of the car owner's private data and even a serious threat to the driving safety of the vehicle. Therefore, detecting the security of applications on Linux-kernel-based operating systems has long been a focus of information security research.
  • The currently used application detection method examines the source code of the App. It requires a lot of computing and storage resources and its detection efficiency is low; moreover, when the code of a malicious App changes or uses techniques such as code obfuscation and packing, detection can easily be bypassed. Therefore, current detection methods for malicious Apps consume many resources, and the accuracy of the detection results is low.
  • The embodiments of the present application provide a malicious application detection method, device and storage medium.
  • Using text comparison, the configuration information of the operating system in the initial state is compared with the configuration information in the running state, and the legal application information of the operating system is compared with the application information to be detected, so as to detect the security of the application to be detected and evaluate its malicious level.
  • This saves a lot of computing and storage resources, improves detection efficiency, and remains effective for malicious applications whose code has changed or that use techniques such as code obfuscation and packing, which improves the accuracy of the detection results.
  • An embodiment of the present application provides a detection method for a malicious application, the detection method including:
  • acquiring initial information of the operating system, where the initial information includes legal application information of the operating system or configuration information of the operating system in an initial state, and the initial state is the state before the operating system runs for the first time;
  • The configuration information of the operating system and the application information of the application are taken as the two contents to be compared, providing a detection method for malicious applications that differs from the many "application detection" methods currently in use.
  • Combining system content detection and application content detection under the operating mechanism of the operating system, the detection method in this embodiment saves a lot of computing and storage resources, improves detection efficiency, remains effective for malicious applications whose code has changed or that use techniques such as code obfuscation and packing, and improves the accuracy of the detection results.
  • Comparing the configuration information in the initial state with the configuration information in the running state specifically includes:
  • comparing the hash value of the configuration information of the operating system in the initial state with the hash value of the configuration information of the operating system in the running state.
  • Hash value comparison is used to determine whether the configuration information in the initial state and the configuration information in the running state are the same. The hash value is obtained together with the configuration information, and the two hash values let the receiver of the configuration information confirm the authenticity of its content and hence whether the two pieces of configuration information are identical. This comparison method effectively improves the efficiency of configuration information comparison.
  • Comparing the configuration information in the initial state with the configuration information in the running state specifically includes comparing first configuration information with second configuration information, or comparing third configuration information with fourth configuration information, where:
  • the first configuration information is the configuration information of the system startup process of the operating system in the initial state;
  • the second configuration information is the configuration information of the system startup process of the operating system in the running state;
  • the third configuration information is the configuration information of the user login process of the operating system in the initial state;
  • the fourth configuration information is the configuration information of the user login process of the operating system in the running state.
  • That is, the configuration information of the system startup process of the operating system in the initial state and in the running state is compared, or the configuration information of the user login process of the operating system in the initial state and in the running state is compared.
  • In this way the configuration information under the operating mechanism of the operating system is examined at the operating system level; the detection remains effective for high-threat malicious applications that use hiding and camouflage techniques, and both detection efficiency and the accuracy of the detection results are improved.
  • Comparing the legal application information with the application information to be detected specifically includes comparing the application name in the legal application information with the application name in the application information to be detected, or comparing fifth configuration information with sixth configuration information, where:
  • the fifth configuration information includes the configuration information of the application startup process of the application to be detected in the initial state;
  • the sixth configuration information includes the configuration information of the application startup process of the application to be detected in the running state.
  • That is, the application name in the legal application information is compared with the application name in the application information to be detected, or the configuration information of the application startup process of the application to be detected in the initial state is compared with that in the running state.
  • From the perspective of the application level and the operating mechanism of the operating system, the configuration information of the application startup process in the initial state is compared with the configuration information of the application startup process in the running state.
  • This remains effective for detecting high-threat malicious applications that use hiding and camouflage techniques, saves a lot of computing and storage resources, and improves detection efficiency and the accuracy of the detection results.
  • The detection method further includes:
  • determining the malicious level of the application to be detected according to the initial information and the running information.
  • When the initial information and the running information differ, the application to be detected is determined to be a malicious application.
  • The malicious level of the application to be detected is then further determined according to the specific difference between the initial information and the running information.
  • In this way the malicious level of the application to be detected can be determined and the degree of threat it poses to the terminal device can be evaluated, which provides a basis for subsequently reducing or resolving the possible threats of malicious applications of different degrees and improves the security and overall stability of the application operating environment.
  • Determining the malicious level of the application to be detected according to the initial information and the running information specifically includes:
  • when the first configuration information and the second configuration information differ, determining that the application to be detected is a first-level malicious application;
  • when the first configuration information and the second configuration information are the same and the third configuration information and the fourth configuration information differ, determining that the application to be detected is a second-level malicious application, where the malicious level of the second-level malicious application is lower than the malicious level of the first-level malicious application.
  • This provides an implementation of determining the malicious level of the application to be detected when information at the operating system level differs.
  • When the first configuration information and the second configuration information differ, the application to be detected is determined to be a first-level malicious application, which represents the highest degree of maliciousness. When the first configuration information and the second configuration information are the same but the third configuration information and the fourth configuration information differ, the application to be detected is determined to be a second-level malicious application.
  • Because, for a second-level malicious application, the configuration information of the system startup process of the operating system in the initial state and in the running state is the same, the malicious level represented by the second-level malicious application is lower than the malicious level represented by the first-level malicious application.
  • Determining the malicious level of the application to be detected according to the initial information and the running information specifically includes:
  • when the first configuration information is the same as the second configuration information,
  • the third configuration information is the same as the fourth configuration information,
  • and the application name in the legal application information differs from the application name in the application information to be detected,
  • determining that the application to be detected is a third-level malicious application, where the malicious level of the third-level malicious application is lower than the malicious level of the second-level malicious application.
  • This provides an implementation of determining the malicious level of the application to be detected when the information at the application level differs.
  • The application is a third-level malicious application because the configuration information of the system startup process of the operating system in the initial state is the same as that in the running state, and the configuration information of the user login process in the initial state
  • is the same as that in the running state; therefore the malicious level represented by the third-level malicious application is lower than the malicious levels represented by the second-level and first-level malicious applications.
  • Determining the malicious level of the application to be detected according to the initial information and the running information specifically includes:
  • when the first configuration information is the same as the second configuration information, the third configuration information is the same as the fourth configuration information, the application name in the legal application information is the same as the application name in the application information to be detected, and the fifth configuration information and the sixth configuration information differ, determining that the application to be detected is a fourth-level malicious application, where the malicious level of the fourth-level malicious application is lower than the malicious level of the third-level malicious application.
  • That is, the above-mentioned first configuration information is the same as the second configuration information,
  • the above-mentioned third configuration information is the same as the fourth configuration information,
  • the application name in the legal application information is the same as the application name in the application information to be detected,
  • and the above-mentioned fifth configuration information and sixth configuration information differ.
  • Because the configuration information of the system startup process in the initial state is the same as that in the running state, the configuration information of the user login process in the initial state is the same as that in the running state, and the application name in the legal application information is the same as the application name in the application information to be detected,
  • the malicious level represented by the fourth-level malicious application is lower than the malicious levels represented by the third-level, second-level and first-level malicious applications.
  • The operating system includes a system using the Linux kernel.
  • The first process started by a system using the Linux kernel is generally the init process, and the configuration information of that process is usually stored in the init.rc file. Therefore, systems using the Linux kernel are all applicable to the malicious application detection method described in the embodiments of this application.
  • The detection method further includes:
  • determining the storage path of the application to be detected according to the initial information and the running information.
  • When the initial information and the running information differ, the application to be detected is determined to be a malicious application.
  • The storage path of the application to be detected is then further determined according to the specific difference between the initial information and the running information.
  • The tags of the first configuration information and of the second configuration information are parsed to obtain the tag content of each; the tag content of the first configuration information is compared with the tag content of the second configuration information, and the storage path of the application to be detected is determined from the difference between the two.
  • Likewise, the tags of the third configuration information and of the fourth configuration information are parsed to obtain the tag content of each,
  • the tag content of the third configuration information is compared with the tag content of the fourth configuration information, and the storage path of the application to be detected is determined from the difference between the two.
  • Likewise, the tags of the fifth configuration information and of the sixth configuration information are parsed to obtain the tag content of each; the tag content of the fifth configuration information is compared with the tag content of the sixth configuration information, and the storage path of the application to be detected is determined from the difference between the two.
  • In this way the storage path of the malicious application can be quickly determined, and the malicious application can be handled according to its storage path, for example by uninstalling it or restricting the acquisition of corresponding permissions, which improves the security of the operating system's operating environment.
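  • The four-level decision and the tag-based storage path lookup described above, as an added example that is not part of the patent (constructed samples, Python): it assumes that each configuration file is init.rc-style text, so that a `service <name> <pathname>` line is the tag whose content yields the storage path, and it stands in for the user login and application startup configurations with short placeholder strings.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample: an init.rc-style system startup configuration in the initial state.
INITIAL_INIT_RC = """\
on boot
    class_start core
service servicemanager /system/bin/servicemanager
    class core
    user system
service adbd /system/bin/adbd
    class core
    disabled
"""

# Constructed sample: the same file in the running state with one extra service stanza.
# The path is a placeholder for the example, not a real indicator.
RUNNING_INIT_RC = INITIAL_INIT_RC + """\
service example_svc /data/local/tmp/example_svc
    class late_start
    user root
"""


def config_hash(text: str) -> str:
    """SHA-256 of a configuration text; equal digests mean identical content."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# A 'service <name> <pathname>' line is the tag whose content carries the storage path.
_SERVICE_RE = re.compile(r"^\s*service\s+(\S+)\s+(\S+)", re.MULTILINE)


def service_paths(text: str) -> dict[str, str]:
    """Parse the service tags of an init.rc-style file into {service name: pathname}."""
    return {m.group(1): m.group(2) for m in _SERVICE_RE.finditer(text)}


def changed_service_paths(initial: str, running: str) -> dict[str, str]:
    """Service tags added or re-pointed in the running state: the storage path candidates."""
    before, after = service_paths(initial), service_paths(running)
    return {name: path for name, path in after.items() if before.get(name) != path}


@dataclass
class Snapshot:
    """Initial information (the baseline) or running information (collected on the live system)."""
    system_startup_cfg: str          # first / second configuration information
    user_login_cfg: str              # third / fourth configuration information
    app_names: set[str]              # legal app names (baseline) or app names seen at runtime
    app_startup_cfg: dict[str, str]  # fifth / sixth configuration information, per app name


def malicious_level(initial: Snapshot, running: Snapshot) -> int:
    """Return 0 when nothing differs, else the level 1..4 of the method (1 is most severe).

    The checks run in the order the method prescribes, so a difference at the
    operating-system level is reported before any difference at the application level.
    """
    if config_hash(initial.system_startup_cfg) != config_hash(running.system_startup_cfg):
        return 1  # system startup process configuration changed
    if config_hash(initial.user_login_cfg) != config_hash(running.user_login_cfg):
        return 2  # user login process configuration changed
    if not running.app_names <= initial.app_names:
        return 3  # an application name is absent from the legal application information
    for name, cfg in running.app_startup_cfg.items():
        if config_hash(initial.app_startup_cfg.get(name, "")) != config_hash(cfg):
            return 4  # application startup process configuration changed
    return 0


def detect(initial: Snapshot, running: Snapshot) -> tuple[int, dict[str, str]]:
    """Malicious level plus the storage paths read from the tags of the pair that differed."""
    level = malicious_level(initial, running)
    paths: dict[str, str] = {}
    if level == 1:
        paths = changed_service_paths(initial.system_startup_cfg, running.system_startup_cfg)
    elif level == 2:
        paths = changed_service_paths(initial.user_login_cfg, running.user_login_cfg)
    elif level == 4:
        for name, cfg in running.app_startup_cfg.items():
            paths.update(changed_service_paths(initial.app_startup_cfg.get(name, ""), cfg))
    return level, paths


# Constructed baseline and runtime snapshots; the placeholder strings stand in for
# the user login and application startup configuration files.
BASELINE = Snapshot(INITIAL_INIT_RC, "login_cfg_v1", {"com.example.music"},
                    {"com.example.music": "startup_cfg_v1"})
RUNTIME = Snapshot(RUNNING_INIT_RC, "login_cfg_v1", {"com.example.music"},
                   {"com.example.music": "startup_cfg_v1"})

if __name__ == "__main__":
    print(detect(BASELINE, RUNTIME))  # (1, {'example_svc': '/data/local/tmp/example_svc'})
```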
  • An embodiment of the present application provides a detection device for malicious applications, the detection device including:
  • an acquisition unit configured to acquire initial information of the operating system, where the initial information includes legal application information of the operating system or configuration information of the operating system in an initial state, the initial state being the state before the operating system runs for the first time;
  • the acquisition unit being further configured to acquire running information of the operating system, where the running information includes application information to be detected of the operating system or configuration information of the operating system in a running state;
  • a comparison unit configured to compare the legal application information with the application information to be detected, or to compare the configuration information in the initial state with the configuration information in the running state, to obtain a comparison result;
  • a determining unit configured to determine that the application to be detected on the operating system is a malicious application if the comparison result shows a difference.
  • The comparison unit is specifically configured to compare the hash value of the configuration information of the operating system in the initial state with the hash value of the configuration information of the operating system in the running state.
  • The comparison unit is further configured to compare first configuration information with second configuration information, where the first configuration information is the configuration information of the system startup process of the operating system in the initial state and the second configuration information is the configuration information of the system startup process of the operating system in the running state;
  • The comparison unit is further configured to compare third configuration information with fourth configuration information, where the third configuration information is the configuration information of the user login process of the operating system in the initial state, and the fourth configuration information is the configuration information of the user login process of the operating system in the running state.
  • the comparison unit is further configured to compare the application name in the legal application information with the application name in the application information to be detected;
  • the comparison unit is further configured to compare the fifth configuration information with the sixth configuration information, wherein the fifth configuration information includes the configuration information of the application startup process of the application to be detected in the initial state,
  • the sixth configuration information includes configuration information of an application startup process of the application to be detected in a running state.
  • the determining unit is further configured to determine the malicious level of the application to be detected according to the initial information and the running information.
  • the determining unit is specifically configured to determine that the application to be detected is a first-level malicious application when the first configuration information and the second configuration information are different;
  • The determining unit is further configured to determine that the application to be detected is a second-level malicious application when the first configuration information and the second configuration information are the same and the third configuration information and the fourth configuration information differ, where the malicious level of the second-level malicious application is lower than the malicious level of the first-level malicious application.
  • The determining unit is further configured to determine that the application to be detected is a third-level malicious application when the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, and the application name in the legal application information and the application name in the application information to be detected differ, where the malicious level of the third-level malicious application is lower than the malicious level of the second-level malicious application.
  • The determining unit is further configured to determine that the application to be detected is a fourth-level malicious application when the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, the application name in the legal application information and the application name in the application information to be detected are the same, and the fifth configuration information and the sixth configuration information differ, where the malicious level of the fourth-level malicious application is lower than the malicious level of the third-level malicious application.
  • the operating system includes a system using the Linux kernel.
  • the determining unit is further configured to determine the storage path of the application to be detected according to the initial information and the running information.
  • An embodiment of the present application provides an apparatus for detecting malicious applications, where the detection apparatus includes a processor and a memory; the memory is used to store computer-executable instructions, and the processor executes the instructions stored in the memory to cause the detection apparatus to perform the method according to the above-mentioned first aspect and any possible implementation thereof.
  • the detection apparatus further includes a transceiver, where the transceiver is used to receive a signal or send a signal.
  • Embodiments of the present application provide a computer-readable storage medium used to store instructions or computer programs; when the instructions or computer programs are executed, the method described in the first aspect is implemented.
  • an embodiment of the present application provides a computer program product, where the computer program product includes an instruction or a computer program; when the instruction or the computer program is executed, the method described in the first aspect is implemented.
  • In summary, the configuration information of the operating system in the initial state is compared with the configuration information in the running state, and the legal application information of the operating system is compared with the application information to be detected, so as to detect the security of the application to be detected and evaluate its malicious level. This saves a lot of computing and storage resources and improves detection efficiency, and the detection remains effective for malicious applications whose code has changed or that use code obfuscation, packing and other techniques, which improves the accuracy of the detection results.
  • FIG. 1 is a schematic diagram of a scenario of malicious application detection provided by an embodiment of the present application.
  • FIG. 2 is a schematic structural diagram of a malicious application detection architecture provided by an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of a method for detecting a malicious application provided by an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of another malicious application detection method provided by an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of another malicious application detection method provided by an embodiment of the present application.
  • FIG. 6 is a schematic flowchart of another malicious application detection method provided by an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of an apparatus for detecting malicious applications provided by an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
  • "At least one (item)" refers to one or more;
  • "multiple" refers to two or more;
  • "at least two (items)" refers to two, three, or more.
  • "and/or" describes an association relationship between related objects and indicates that three kinds of relationship can exist; for example, "A and/or B" can mean: only A exists, only B exists, or both A and B exist, where A and B can be singular or plural.
  • The character "/" generally indicates that the associated objects are in an "or" relationship.
  • "At least one of the following items" or similar expressions refer to any combination of these items, including any combination of single items or plural items.
  • For example, at least one of a, b or c can mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c can be single or multiple.
  • the present application provides a method for detecting malicious applications.
  • Some knowledge related to application detection is introduced below.
  • APKTool is an Android application package (APK) compilation tool that can decompile and recompile an apk, install the framework-res framework required to decompile system apks, clean up the last decompiled folder, and so on. For apk code to run on an Android device it must first be compiled and then packaged into a file that the Android system recognizes; the file format that the Android system can recognize and run is "apk".
  • An apk file contains compiled code files (.dex files), resources, native resource files (assets), certificates, and a manifest file.
  • A sandbox is a virtual execution environment for network programming: a virtual system program that lets testers run browsers or other programs inside a sandbox environment, so that the changes resulting from running them can be deleted later. It creates an independent operating environment, similar to a sandbox, in which the running programs cannot have a permanent impact on the hard disk.
  • In short, a sandbox is a tool used to test the behaviour of untrusted files or applications in an isolated environment.
  • Hook technology is also known as hook functions.
  • Before the system calls a function, the hook program first captures the message, and the hook function first obtains control. At this point the hook function can process (change) the execution behaviour of the function, and can also forcibly end delivery of the message. To put it simply, the system's routine is pulled out and replaced with a snippet of our own execution code.
  • FIG. 1 is a schematic diagram of a malicious application detection scenario provided by an embodiment of the present application.
  • 101, installed in the centre console of the car, is a car machine equipped with the Android system.
  • "Car machine" is the abbreviation for the in-vehicle infotainment products installed in a car.
  • It also has a telematics function, which realizes information communication between people and vehicles, and between vehicles and the outside world (vehicle-to-vehicle).
  • The "I-Call" and "E-Call" functions are the most typical representatives of telematics functions.
  • The "I-Call" function connects to the background call centre through the car's built-in communication module, providing one-key navigation and the corresponding location and remote services;
  • the "E-Call" function, when the car suffers a serious accident, reads the airbag information over the controller area network (CAN) bus and automatically dials the emergency call.
  • The telematics function also provides positioning and anti-theft monitoring: when the vehicle is stolen, the call centre cooperates with the law enforcement department to locate and track the vehicle. In this scenario, if the vehicle is attacked by malicious Apps, the realization of some vehicle functions is affected.
  • 102 is a mobile phone equipped with the Android system; the mobile phone 102 can communicate with the car machine 101 through a Bluetooth connection, a data cable connection or other means.
  • When 102 (mobile phone) and 101 (car machine) are connected via Bluetooth, the user can control the behaviour of the car machine by operating the mobile phone: opening the music player application on the phone and communicating with the car machine makes the car audio connected to the car machine play
  • the songs on the phone; when answering a call on the phone, the call can be made without holding the phone, using the audio and microphone connected to the car machine instead.
  • Incidents in which the mobile phone that communicates with the car machine is attacked by malicious Apps, leading to leakage of the car owner's privacy and even affecting the safety of vehicle driving, are increasing day by day.
  • For example, a certain map App on the mobile phone has been maliciously tampered with by attack code, so that the driver goes astray under the App's navigation, which can even seriously threaten driving safety.
  • FIG. 2 is a schematic structural diagram of a malicious application detection architecture according to an embodiment of the present application. As shown in Figure 2, this architecture mainly includes three modules: the original information database module, the file analysis module, and the application detection result module.
  • the original information database module is used to establish the original information database, and the original information database mainly includes two contents: the configuration information of the operating system in the initial state, and the legal application information of the operating system.
  • the above initial state refers to the state before the operating system runs for the first time: either the unused state after leaving the factory and before the first run, or the unused state after an officially released update of the operating system has been installed and before its first run.
  • the configuration information of the operating system in the initial state mainly includes the configuration information of the system startup process of the operating system and the configuration information of the user logging in to the operating system process.
  • the legal application information of the above operating system mainly includes relevant information of some legal applications, such as application name of the legal application, configuration information of the legal application, and the configuration information of the legal application may specifically be the configuration information of the application startup process.
  • the information contained in the original information database can be obtained without accessing the operating system.
  • the original information database module can obtain the configuration information of the operating system in the initial state by downloading it from the official website of the operating system.
  • the original information database module can also obtain the legal application information of the operating system through different channels, and adopt different channels to obtain the application information for different types of legal applications.
  • the legal applications contained in the legal application information of the operating system mainly fall into two categories. One is the applications pre-installed by the operating system in the initial state; for these, the original information database module can download the application-related information, such as the application name and configuration information, from platforms such as the official website that publishes such applications.
  • the other category is applications developed for the above-mentioned operating system and published by third-party application platforms; for these, the original information database module can download the related content, such as the application name and configuration information, from the corresponding third-party platform. Therefore, the information in the original information database does not depend on the operation of the operating system, and can be determined after the operating system leaves the factory or is updated.
  • the above configuration information of the system startup process is the information of the first process started by the operating system. After the system startup process works, other important system processes will be derived to perform corresponding functions.
  • the above-mentioned operating systems include systems using the Linux kernel, such as Android, Ubuntu, and the like.
  • the first process started by the system is generally the init process, which is used to instruct the operating system to perform a series of corresponding processes at startup, such as starting user login, implementing run levels, and processing orphaned processes. Therefore, the configuration information of the above system startup process is usually stored in the init.rc file and the rc.local file. Both the init.rc file and the rc.local file are scripts that are started with the system startup.
  • the init.rc file is started before the rc.local file.
  • the init.rc file is a configuration file that specifies the behavior and actions of the init process.
  • the rc.local file is used to record the execution commands for system startup, which are executed after the system is started and before the user logs in.
  • the configuration information of the above-mentioned user login operating system process is usually stored in a profile file.
  • the profile file is a script that is started when the user logs in to the operating system.
  • the profile file is used to record the execution commands of user login; these commands are executed when the user logs in to the system after the system has started.
  • the path of the init.rc file in the system is "/system/core/rootdir/init.rc"
  • the path of the rc.local file in the system is "/etc/init.rc"
  • the path of the profile file in the system is "/etc/profile".
  • the configuration information of the above application startup process is usually stored in the AndroidManifest.xml file.
  • the AndroidManifest.xml file is an application manifest file located in the root directory of the application and contains the configuration information of the application; the operating system runs the application's code, displays its interface and executes the corresponding functions according to the content of this file.
  • the file analysis module is used to compare and analyze the operation information of the operating system with the information in the original information database.
  • the operating information of the operating system, unlike the information in the original information database, needs to be obtained from the operating system in the operating state.
  • the operating state is the state in which the operating system is in use after it leaves the factory or is updated. Therefore, the file analysis module needs to connect to the operating system, obtain the relevant permissions of the operating system, and then obtain the operating information of the operating system.
  • the operating information of the operating system mainly includes two aspects: configuration information of the operating system in a running state, and application information of the operating system to be detected.
  • the configuration information of the operating system in the running state mainly includes the configuration information of the system startup process of the operating system and the configuration information of the user logging in to the operating system process.
  • the application information to be detected of the operating system mainly includes application-related information such as the application name of the application to be detected, configuration information of the application to be detected, etc.
  • the configuration information of the application to be detected may specifically be configuration information of the application startup process.
  • the configuration information of the system startup process when the operating system is running is usually stored in the init.rc file and the rc.local file.
  • the configuration information of the user logging in to the operating system process in the running state is usually stored in the profile file, and the configuration information of the application startup process of the application to be detected is usually stored in the AndroidManifest.xml file of the application to be detected.
  • the file analysis module compares and analyzes the operating information of the operating system with the information in the original information database. Because both kinds of configuration information are usually stored in corresponding configuration files, the configuration information can be compared by comparing the hash values of the configuration files. The specific comparison can be carried out from the following aspects:
  • the file analysis module compares the configuration information of the system startup process in the initial state of the operating system with the configuration information of the system startup process in the running state;
  • the file analysis module compares the configuration information of the user logging in to the operating system process in the initial state of the operating system with the configuration information of the user logging in the operating system process in the running state;
  • the file analysis module compares the application name in the legal application information of the operating system with the application name in the application information to be detected;
  • the file analysis module compares the configuration information of the application startup process in the initial state of the application to be detected of the operating system with the configuration information of the application startup process in the running state.
  • the above four comparison contents can be the contents of four parallel comparison schemes, or the contents of progressive comparison schemes carried out in order.
  • the file analysis module can select at least one of the above aspects for comparative analysis according to the requirements of different application scenarios.
  • the application detection result module is used to obtain the application detection result according to the comparative analysis result of the above-mentioned file analysis module. That is, as long as the comparison result of any one of the four aspects of the file analysis module is different, the application detection result module determines the application to be detected as a malicious application.
  • the application detection result module can further distinguish the degree of maliciousness of the application to be detected according to the comparison contents in the different aspects, so as to provide a theoretical basis for subsequently reducing or resolving the possible threats posed by malicious applications of different degrees, and to improve the security and overall stability of the application operating environment.
  • if the comparison content of the first aspect is different, the application detection result module determines that the application to be detected is the malicious application with the greatest degree of maliciousness (which may be referred to as a first-level malicious application); if the comparison content of the first aspect is the same and that of the second aspect is different, the module determines that the application to be detected is a second-level malicious application, whose degree of maliciousness is lower than that of a first-level malicious application; similarly, if the comparison contents of the first and second aspects are the same and that of the third aspect is different, the module determines that the application to be detected is a third-level malicious application, whose degree of maliciousness is lower than that of a second-level malicious application.
  • if the comparison contents of the first three aspects are the same and that of the fourth aspect is different, the application detection result module determines that the application to be detected is a fourth-level malicious application, whose degree of maliciousness is lower than that of a third-level malicious application.
  • this detection technique works at the level of the operating system's own operating mechanism rather than on the application code: even if the code of the application to be detected changes, or uses technologies such as code obfuscation and packing, the detection remains effective. The accuracy of the detection result is greatly improved, and the detection process requires neither a large feature store nor large computing resources, so it saves computing and storage resources and improves detection efficiency.
  • FIG. 3 is a schematic flowchart of a method for detecting a malicious application according to an embodiment of the present application.
  • the detection method includes but is not limited to the following steps:
  • Step 301 The terminal device obtains initial information of the operating system, and obtains operating information of the operating system.
  • the terminal device in the embodiment of the present application is an electronic device equipped with an operating system of the Linux kernel, such as a mobile phone, a computer, a car machine, and a smart wearable device equipped with an Android system.
  • the terminal device obtains the initial information and running information of the operating system.
  • the initial information mainly includes legal application information of the operating system and configuration information of the operating system in an initial state
  • the running information mainly includes application information of the operating system to be detected and configuration information of the operating system in a running state.
  • the initial state refers to the state before the operating system runs for the first time, including the unused state after leaving the factory and before the first run, or the unused state after an officially released update of the operating system has been installed and before its first run; the running state is the state in use after the operating system leaves the factory or is updated.
  • the legal application information of the operating system mainly includes relevant information of some legal applications, such as the application name of the legal application and the configuration information of the legal application.
  • the configuration information of the legal application may specifically be the configuration information of the application startup process in the initial state.
  • the configuration information of the operating system in the initial state may include configuration information (first configuration information) of the system startup process of the operating system in the initial state, and configuration information (third configuration information) of a user logging into the operating system process.
  • the above initial information can be obtained without accessing the operating system.
  • the terminal device can obtain the configuration information of the operating system in its initial state by downloading it from the official website where the operating system is released, and can obtain the application-related information of legal applications from the official websites where those applications are released.
  • the terminal device takes different ways to obtain the application information of different types of legitimate applications.
  • for applications pre-installed by the operating system in the initial state, the terminal device can download the application name, configuration information and other related information of the application from the platform that publishes the application, such as its official website.
  • for applications published by third-party application platforms, the terminal device can download the related content of the application, such as the application name and configuration information, from the corresponding third-party platform.
  • the terminal device does not need to rely on the operation of the operating system to obtain the initial information of the operating system, nor does it need to obtain the relevant permissions of the operating system in advance, and the initial information is information that can be determined after the operating system leaves the factory or is updated.
  • the application information to be detected of the operating system mainly includes relevant information of the application to be detected, such as the application name of the application to be detected and the configuration information of the application to be detected, which may specifically be the configuration information of the application startup process.
  • the configuration information of the operating system in the running state may include the configuration information (second configuration information) of the system startup process of the operating system in the running state, and the configuration information (fourth configuration information) of the user logging into the operating system process.
  • the operating information of the operating system, unlike the initial information of the operating system, needs to be obtained from the operating system in the running state. Therefore, the terminal device needs to access the operating system, obtain the root authority of the operating system, and then obtain the running information of the operating system.
  • the configuration information (first configuration information) of the system startup process in the above-mentioned initial state and the configuration information (second configuration information) of the system startup process in the running state are both information of the first process started by the operating system.
  • the first configuration information indicates the information before the first process is started, and the second configuration information indicates the information after the first process is started.
  • other important system processes will be derived after the system startup process works to perform corresponding functions.
  • the first process started by the system is generally the init process, which is used to instruct the operating system to perform a series of corresponding processes at startup, such as starting user login, implementing run levels, and processing orphaned processes.
  • the process information of the init process is usually stored in the init.rc file and the rc.local file.
  • Both the init.rc file and the rc.local file are scripts that are started with the system startup.
  • the init.rc file starts before the rc.local file.
  • the init.rc file is a configuration file that specifies the behavior and actions of the init process.
  • the rc.local file is used to record the execution commands for system startup, which are executed after the system is started and before the user logs in. Therefore, the above-mentioned first configuration information and second configuration information are usually also stored in the init.rc file and the rc.local file of the operating system.
  • the above-mentioned third configuration information and fourth configuration information indicating that the user logs in to the operating system process in different states are usually stored in the profile file of the operating system.
  • the profile file is a script started by the operating system when the user logs in, and records the execution commands of user login; after the system has started, these commands are executed when the user logs in to the system.
  • the path of the init.rc file in the system is "/system/core/rootdir/init.rc"
  • the path of the rc.local file in the system is "/etc/init.rc"
  • the path of the profile file in the system is "/etc/profile".
  • the configuration information (fifth configuration information) of the application startup process of the above-mentioned legal application in the initial state is usually stored in the AndroidManifest.xml file corresponding to the legal application, and the configuration information (sixth configuration information) of the application startup process of the above-mentioned application to be detected in the running state is usually stored in the AndroidManifest.xml file corresponding to the application to be detected. The AndroidManifest.xml file is an application manifest file located in the root directory of the application and contains the application's configuration information; the operating system runs the code of the application, displays its interface and performs the corresponding functions according to the content of this file.
  • Step 302 Compare the legal application information with the application information to be detected, or compare the configuration information in the initial state with the configuration information in the running state.
  • after the terminal device obtains the initial information and running information of the operating system, it uses text comparison technology to compare and analyze them; specifically, it compares the legal application information of the operating system with the application information to be detected, and compares the configuration information of the operating system in the initial state with the configuration information in the running state.
  • the hash value is usually represented by a short string of random-looking letters and numbers.
  • the hash value of the configuration file is calculated by a hashing algorithm, which is a method of creating a small digital "fingerprint" from any kind of data: the message or data is compressed into a digest, so that the amount of data becomes smaller and the format of the data is fixed.
  • the hash value of the configuration file and the configuration information stored in the configuration file are obtained together.
  • the application name in the legal application information and the application name in the application information to be detected can be used as the unique identifiers of the legal application and the application to be detected, respectively; therefore, the application names can be used to distinguish whether the two applications are the same application. Further, the application name may be named in the style of a computer programming language (such as a Java package name), and its function can be to describe the program components of the application, publish the corresponding component functions, declare the permissions the application requires, and the like.
  • the above four comparison contents can be the contents of four parallel comparison schemes, or the contents of progressive comparison schemes carried out in sequence, so that the terminal device can meet the needs of different application scenarios.
  • the terminal device may perform comparison and analysis according to any one of the above-mentioned four comparison methods to obtain the detection result.
  • the terminal device can also perform the comparison and analysis progressively, starting with the first comparison method above. If the application to be detected can be confirmed as a malicious application through the first comparison method, the detection result that the application to be detected is a malicious application is obtained and the remaining three comparison methods are not executed; if it cannot be confirmed, the comparison and analysis continues with the second comparison method.
  • if the second comparison method can confirm that the application to be detected is a malicious application, the detection result that it is a malicious application is obtained and the remaining two comparison methods are not executed; if it still cannot be confirmed, the comparison and analysis continues with the third comparison method. If the third comparison method confirms that the application to be detected is a malicious application, the detection result is obtained and the remaining fourth comparison method is not performed; if the application to be detected still cannot be confirmed as a malicious application, the comparison and analysis continues with the fourth comparison method to obtain the final detection result.
  • Step 303 In the case that the above comparison results are not the same, determine that the application to be detected on the operating system is a malicious application.
  • a corresponding comparison result can be obtained, and according to the comparison result, it can be determined whether the application to be detected on the operating system is a malicious application.
  • the comparison result of any one of the above four comparison methods is different, it can be determined that the application to be detected on the operating system is a malicious application. That is, if the initial information and running information of the above operating system are different, it can be determined that the application to be detected is a malicious application.
  • the terminal device can also make a further determination of the malicious level of the application to be detected according to the specific difference between the initial information and the running information.
  • if the first configuration information is different from the second configuration information, it is determined that the application to be detected is a first-level malicious application; the first-level malicious application represents the application to be detected with the highest degree of maliciousness.
  • the malicious application in this case is an application that starts automatically when the system startup process starts, which poses a great threat to the privacy information and security of the device.
  • if the first configuration information is the same as the second configuration information and the third configuration information is different from the fourth configuration information, it is determined that the application to be detected is a second-level malicious application. Because the first configuration information and the second configuration information are the same, that is, the configuration information of the system startup process of the operating system in the initial state is the same as that in the running state, the malicious level represented by the second-level malicious application is lower than that represented by the first-level malicious application.
  • the malicious application in this case is an application that starts automatically when the user logs into the operating system process, which will pose a great threat to the privacy information and security of the device.
  • if the first configuration information is the same as the second configuration information, the third configuration information is the same as the fourth configuration information, and the application name in the legal application information is different from the application name in the application information to be detected, it is determined that the application to be detected is a third-level malicious application. Because the first configuration information is the same as the second and the third is the same as the fourth, that is, the configuration information of the system startup process of the operating system in the initial state is the same as that in the running state and the configuration information of the user login process in the initial state is the same as that in the running state, the malicious level represented by the third-level malicious application is lower than those represented by the second-level and first-level malicious applications.
  • the malicious application in this case is not a legitimate application, neither an application pre-installed by the operating system in the initial state, nor an application developed based on the above-mentioned operating system disclosed by a third-party application platform.
  • the security of downloaded applications released on unofficial platforms (informal application markets) cannot be guaranteed accordingly, and they are likely to be malicious applications packaged with technologies such as code obfuscation and packing.
  • if the first configuration information is the same as the second configuration information, the third configuration information is the same as the fourth configuration information, the application name in the legal application information is the same as the application name in the application information to be detected, and the fifth configuration information is different from the sixth configuration information, it is determined that the application to be detected is a fourth-level malicious application. Because the first configuration information is the same as the second and the third is the same as the fourth, that is, the configuration information of the system startup process of the operating system in the initial state is the same as that in the running state and the configuration information of the user login process in the initial state is the same as that in the running state, and the application names are also the same, the malicious level of the fourth-level malicious application is lower than those represented by the third-level, second-level and first-level malicious applications. It should be noted that in this case the application name in the application information to be detected is the same as the application name in the legal application information, which means that the source of the application to be detected is legal: it may be an application pre-installed by the operating system in the initial state, or an application developed for the above operating system and published on a third-party application platform. This does not mean that the application to be detected is not malicious, because the configuration information of its application startup process may still differ.
  • the application to be detected is malicious in this case too, and its malicious behavior is manifested as automatically acquiring illegal permissions when the application startup process starts. For example, a user downloads a "Weather" app; when the user clicks to start it, the app's application startup process starts and enters the running state, and according to the configuration information of the application startup process it obtains, in turn, the geographical location permission, the calendar permission and the photo album permission of the terminal device.
  • the application behavior recorded by the configuration information of the application startup process of the "Weather" app in the initial state is to obtain, in turn, the geographical location permission and the calendar permission of the terminal device. The photo album permission is therefore an illegal permission obtained automatically: the configuration information of the application startup process of the "Weather" app in the initial state differs from that in the running state, and it can be determined that the "Weather" app is a fourth-level malicious application.
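As an added illustration of the fourth-aspect comparison just described (this is example code, not the patent's own implementation), the following Python parses two constructed AndroidManifest.xml files for the "Weather" app, one representing the initial-state configuration (fifth configuration information) and one the running-state configuration (sixth configuration information), and reports exactly which `uses-permission` entries and declared components were added or removed. The package name, component names, the mapping of the page's "photo album permission" to `READ_EXTERNAL_STORAGE`, and the extra `.SyncService` component are all assumptions of this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS           # ElementTree key for android:name
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample: the "Weather" app's manifest as published (initial state,
# fifth configuration information). Package and component names are made up.
WEATHER_INITIAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <application android:label="Weather">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

# Constructed sample: the same app's manifest read from the device in the running
# state (sixth configuration information). Mapping the page's photo album permission
# to READ_EXTERNAL_STORAGE and the added service are assumptions of this example.
WEATHER_RUNNING = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Weather">
        <activity android:name=".MainActivity"/>
        <service android:name=".SyncService"/>
    </application>
</manifest>"""


def manifest_summary(xml_text: str) -> Dict[str, object]:
    """Extract the startup-relevant configuration from a manifest: the package name
    (the application name used as identifier), requested permissions and components."""
    root = ET.fromstring(xml_text)
    permissions: Set[str] = {n.get(NAME_ATTR, "") for n in root.iter("uses-permission")}
    components: Set[str] = set()
    app = root.find("application")
    if app is not None:
        for tag in COMPONENT_TAGS:
            components.update(f"{tag}:{n.get(NAME_ATTR, '')}" for n in app.iter(tag))
    return {"package": root.get("package", ""),
            "permissions": permissions, "components": components}


def manifest_diff(initial_xml: str, running_xml: str) -> Dict[str, object]:
    """Compare fifth and sixth configuration information and say exactly what changed."""
    a, b = manifest_summary(initial_xml), manifest_summary(running_xml)
    return {
        "same_name": a["package"] == b["package"],
        "added_permissions": b["permissions"] - a["permissions"],
        "removed_permissions": a["permissions"] - b["permissions"],
        "added_components": b["components"] - a["components"],
        "removed_components": a["components"] - b["components"],
    }


def is_tampered(diff: Dict[str, object]) -> bool:
    """Any change in permissions or components means the application startup
    configuration in the running state differs from the initial state."""
    return any(diff[k] for k in ("added_permissions", "removed_permissions",
                                 "added_components", "removed_components"))


def weather_diff() -> Dict[str, object]:
    """The page's Weather example: location + calendar published, album added at runtime."""
    return manifest_diff(WEATHER_INITIAL, WEATHER_RUNNING)


if __name__ == "__main__":
    d = weather_diff()
    print("same application name:", d["same_name"])
    for key in ("added_permissions", "removed_permissions",
                "added_components", "removed_components"):
        print(f"{key}: {sorted(d[key])}")
    print("startup configuration tampered:", is_tampered(d))
```

A hash comparison of the two files only says that they differ; parsing the manifest this way tells the analyst which permission or component appeared, which is what decides between a harmless rebuild and the illegal-permission case the page describes.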
  • the application name in the above-mentioned legal application information and the application information to be detected are the same. If the names of the applications are the same and the fifth configuration information and the sixth configuration information are different), the malicious level of the application to be detected may be further refined.
  • the first configuration information is the same as the second configuration information
  • the third configuration information is the same as the fourth configuration information
  • the application name in the legal application information is the same as the application name in the application information to be detected
  • the fifth configuration information is different from the sixth configuration information: if the application to be detected is an application preinstalled by the operating system in the initial state, it is determined that the application to be detected is a fourth-level malicious application; if the application to be detected is an application published by a third-party application platform and developed based on the above operating system, it is determined that the application to be detected is a fifth-level malicious application.
  • the malicious level represented by the fifth-level malicious application is lower than that of the fourth-level malicious application, and the malicious level represented by the fourth-level malicious application is lower than that of the third-level malicious application.
  • after the application to be detected on the operating system is determined to be a malicious application and its malicious level is determined, the storage path of the application to be detected may be located as follows:
  • the label of the first configuration information and the label of the second configuration information are parsed to obtain the label content of each, the label content of the first configuration information is compared with the label content of the second configuration information, and the storage path of the application to be detected is determined according to the difference in content between the two.
  • the label of the third configuration information and the label of the fourth configuration information are parsed to obtain the label content of each, the label content of the third configuration information is compared with the label content of the fourth configuration information, and the storage path of the application to be detected is determined according to the difference in content between the two.
  • the label of the fifth configuration information and the label of the sixth configuration information are parsed to obtain the label content of each, the label content of the fifth configuration information is compared with the label content of the sixth configuration information, and the storage path of the application to be detected is determined according to the difference in content between the two.
  • the configuration information of the operating system in the initial state is compared with the configuration information in the running state, and the legal application information of the operating system is compared with the application information to be detected, so as to determine whether the application to be detected is malicious. This can save a large amount of computing and storage resources and improve detection efficiency, and it remains effective for detecting malicious applications that use code changes or techniques such as code obfuscation and packing, improving the accuracy of the detection results.
  • FIG. 4 is a schematic flowchart of another malicious application detection method provided by an embodiment of the present application, which can also be understood as a supplement to the flowchart of the malicious application detection method in FIG. 3.
  • the terminal device first establishes an initial database, which mainly includes legal application information of the operating system and configuration information of the operating system in an initial state (see step 401 ).
  • the terminal device is an electronic device equipped with a Linux kernel operating system, such as a mobile phone, a computer, a car machine, and a smart wearable device equipped with an Android system.
  • the initial state refers to the state before the operating system runs for the first time, including the state that has not been used after leaving the factory, before the first run, or the state that has not been used after the official subsequent release of the updated version of the operating system, before the first run.
  • the configuration information of the operating system in the initial state mainly includes the configuration information of the system startup process of the operating system in the initial state (the above-mentioned first configuration information) and the configuration information of the user logging in to the operating system process (the above-mentioned third configuration information); the first configuration information is usually stored in the init.rc and rc.local files of the operating system, and the third configuration information is usually stored in the profile file of the operating system.
  • the legal application information of the operating system mainly includes the relevant information of some legal applications, such as the application name of the legal application and the configuration information of the legal application.
  • the configuration information of the legal application may specifically be the configuration information of the application startup process in the initial state (the fifth configuration information).
  • the information in the above-mentioned initial database can be obtained without accessing the operating system: the terminal device can obtain the configuration information of the operating system in its initial state by downloading it from the official website where the operating system is released, and can download the application information of legal applications from the official websites where those applications are released.
  • the terminal device will access the Android system to obtain application information of the operating system to be detected and configuration information of the operating system in a running state (see step 402).
  • the running state is the state in which the operating system is in use after leaving the factory or after being updated; the configuration information of the operating system in the running state mainly includes the configuration information of the system startup process of the operating system in the running state (the above-mentioned second configuration information) and the configuration information of the user logging in to the operating system process (the above-mentioned fourth configuration information); the second configuration information is usually stored in the init.rc and rc.local files of the operating system, and the fourth configuration information is usually stored in the profile file of the operating system.
  • the path of the init.rc file in the operating system is "/system/core/rootdir/init.rc"
  • the path of the rc.local file in the operating system is "/etc/init.rc"
  • the path of the profile file in the operating system is "/etc/profile".
  • the application information to be detected of the operating system mainly includes relevant information of the application to be detected, such as the application name of the application to be detected and the configuration information of the application to be detected, specifically the configuration information of the application startup process in the running state (the sixth configuration information).
  • the terminal device compares the configuration information of the operating system in the initial state with the configuration information of the operating system in the running state, and determines whether the configuration information of the operating system in the above two states is the same (see step 403).
  • specifically, the configuration information of the system startup process of the operating system in the initial state is compared with the configuration information of the system startup process of the operating system in the running state, or the configuration information of the user logging in to the operating system process in the initial state is compared with the configuration information of the user logging in to the operating system process in the running state, and it is judged whether the two are the same.
  • if the comparison result in the above step 403 is not the same, it can be determined that the application to be detected is a malicious application, and the init.rc and rc.local files, or the profile file, are parsed to determine the path of the malicious application (see step 404). Specifically, if the comparison result between the first configuration information and the second configuration information is not the same, the application to be detected is determined to be a first-level malicious application; the labels of the init.rc file in the initial state and in the running state, and the labels of the rc.local file in the initial state and in the running state, are parsed, and the path of the malicious application is determined according to the difference in label content between the two states. If the comparison result between the third configuration information and the fourth configuration information is not the same, it is determined that the application to be detected is a second-level malicious application, where the second-level malicious application represents a lower degree of maliciousness than the first-level malicious application; the labels of the profile file in the initial state and in the running state are parsed, and the path of the malicious application is determined according to the difference in label content between the two states.
  • the terminal device compares the legal application information in the initial database with the application information to be detected in the running state of the operating system (see step 405). Specifically, the application name in the legal application information of the operating system is compared with the application name in the application information to be detected, or the configuration information of the application startup process of the application to be detected in the running state is compared with the configuration information of the application startup process of the legal application with the same name, and it is judged whether the two are the same.
  • if the comparison result in the above step 406 is not the same, it is determined that the application to be detected is a third-level malicious application, and the malicious level represented by the third-level malicious application is lower than that of the above-mentioned first-level and second-level malicious applications (see step 407).
  • if the comparison result in the above step 406 is the same, the configuration information of the application startup process of the application to be detected in the running state is compared with the configuration information of the application startup process of the legal application with the same name (see step 408), and it is determined whether the two are the same.
  • if the comparison result in the above step 408 is not the same, it is determined that the application to be detected is a fourth-level malicious application, and the configuration information in the two states is parsed to determine possible malicious behaviors (see step 409).
  • the malicious level of the application to be detected may be further refined: if the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, the application name of the application to be detected is the same as the application name of the legitimate application, and the above fifth configuration information and sixth configuration information are different, then, if the application to be detected is an application preinstalled by the operating system in the initial state, it is determined that the application to be detected is a fourth-level malicious application; if the application to be detected is an application developed based on the above operating system and disclosed by a third-party application platform, it is determined that the application to be detected is a fifth-level malicious application.
  • the malicious level represented by the fifth-level malicious application is lower than that of the fourth-level malicious application, and the malicious level represented by the fourth-level malicious application is lower than that of the third-level malicious application.
  • the application to be detected may also be scored by formulating a scoring rule, so as to distinguish malicious applications of different malicious levels.
  • the scoring rules for malicious apps are as follows:
  • if the application to be detected is determined to be a first-level malicious application, which starts automatically when the system startup process is started, it is rated as 5 points;
  • if the application to be detected is determined to be a second-level malicious application, which starts automatically when the user logs in to the operating system process, it is rated as 4 points;
  • if the application to be detected is determined to be a third-level malicious application, whose source is illegal, it is rated as 3 points;
  • if, when the fifth configuration information and the sixth configuration information are different, the application to be detected is an application preinstalled by the operating system in the initial state, it is determined to be a fourth-level malicious application and rated as 2 points;
  • if, when the fifth configuration information and the sixth configuration information are different, the application to be detected is an application developed based on the above operating system and disclosed by a third-party application platform, it is determined to be a fifth-level malicious application and rated as 1 point.
  • the above scoring adopts the "highest" principle, that is, when the application to be detected satisfies more than one of the above five scoring rules, it is scored according to the highest score. From this it can also be concluded that the first-level malicious application has the greatest degree of maliciousness, and the subsequent levels decrease in order.
  • the above scoring can also adopt the accumulation principle, that is, when the application to be detected satisfies more than one of the above five scoring rules, the scores of the rules that satisfy the conditions are accumulated to obtain the final scoring result of the application to be detected.
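The five-level rule set and the two scoring principles above, implemented as an added example (this is illustrative code, not the patent's own implementation; the `ComparisonResult` fields and the `LEVEL_POINTS` table are assumptions made here to hold the "same"/"different" outcomes of the comparisons described for FIG. 3 and the point values of the scoring rules; the two sample cases are constructed):

```python
"""Malicious-level determination and scoring.

Added illustration of the five-level rule set and the two scoring principles
("highest" and accumulation); not the patent's own code. The comparison
results are modelled as booleans; how each "same"/"different" result is
obtained (hashing, tag-level diff) is outside this block.
"""
from dataclasses import dataclass
from typing import List, Optional

# Points per level from the scoring rules: level 1 = 5 points ... level 5 = 1 point.
LEVEL_POINTS = {1: 5, 2: 4, 3: 3, 4: 2, 5: 1}


@dataclass(frozen=True)
class ComparisonResult:
    """Outcomes of the pairwise comparisons; True means the two sides are the same."""
    startup_same: bool      # first vs second configuration information (init.rc / rc.local)
    login_same: bool        # third vs fourth configuration information (profile)
    name_legal: bool        # application name found in the legal application information
    app_startup_same: bool  # fifth vs sixth configuration information (application startup process)
    preinstalled: bool      # True: preinstalled by the OS; False: from a third-party platform


def matched_levels(r: ComparisonResult) -> List[int]:
    """Every level whose scoring rule the application satisfies.

    The fifth configuration information belongs to the legal application of the
    same name, so the fifth/sixth comparison only exists when the name is legal.
    """
    levels = []
    if not r.startup_same:
        levels.append(1)
    if not r.login_same:
        levels.append(2)
    if not r.name_legal:
        levels.append(3)
    elif not r.app_startup_same:
        levels.append(4 if r.preinstalled else 5)
    return levels


def malicious_level(r: ComparisonResult) -> Optional[int]:
    """Level reached by walking the rules in the order of FIG. 3 (the lowest
    level number that fires); None when every comparison is the same."""
    levels = matched_levels(r)
    return min(levels) if levels else None


def score_highest(r: ComparisonResult) -> int:
    """'Highest' principle: the score of the single most severe matching rule."""
    level = malicious_level(r)
    return 0 if level is None else LEVEL_POINTS[level]


def score_accumulated(r: ComparisonResult) -> int:
    """Accumulation principle: sum of the scores of every matching rule."""
    return sum(LEVEL_POINTS[level] for level in matched_levels(r))


# Constructed case modelled on the "Weather" example: only the application
# startup process configuration changed; the app is taken as third-party, so the
# refinement of FIG. 4 maps it to level 5.
WEATHER = ComparisonResult(startup_same=True, login_same=True, name_legal=True,
                           app_startup_same=False, preinstalled=False)

# Constructed case where both system-level configurations were altered.
BOOT_PERSISTENT = ComparisonResult(startup_same=False, login_same=False, name_legal=True,
                                   app_startup_same=True, preinstalled=True)

if __name__ == "__main__":
    for name, case in (("weather", WEATHER), ("boot_persistent", BOOT_PERSISTENT)):
        print(name, malicious_level(case), score_highest(case), score_accumulated(case))
```

Under the "highest" principle the level is simply the lowest level number whose rule fires, which is also the order in which FIG. 3 walks the checks; the accumulation principle sums every firing rule, so a sample that alters both init.rc and the profile scores 9 rather than 5.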
  • FIG. 5 is a schematic flowchart of another malicious application detection method provided by an embodiment of the present application, which can also be understood as a supplement to the flowcharts of the malicious application detection method in FIGS.
  • This embodiment provides a specific process for comparing the configuration information of the system startup process of the operating system. As shown in FIG. 5, first, the latest updated init.rc/rc.local file is obtained (see step 501); this init.rc/rc.local file contains the configuration information of the system startup process in the initial state of the operating system and can be downloaded from the official website where the operating system is released. Second, the target Android system is accessed with root privileges and the init.rc/rc.local file in the running state of the target Android system is obtained (see step 502); this init.rc/rc.local file contains the configuration information of the system startup process in the running state of the operating system. The path of the init.rc file in the operating system is "/system/core/rootdir/init.rc", and the path of the rc.local file in the operating system is "/etc/init.rc". Then, the above two init.rc/rc.local files are compared and the file tags are parsed (see step 503): specifically, the init.rc/rc.local files in the initial state and in the running state are compared according to the tag content, and the text content corresponding to tags whose content differs is parsed; the tags of the file include actions (Actions), commands (Commands), services (Services), options (Options), etc. Finally, the malicious level and path of the application to be detected are determined (see step 504): if the init.rc/rc.local files in the initial state and in the running state are not the same, the application is rated as 5 points according to the scoring rule of FIG. 4 above, the application to be detected is determined to be a first-level malicious application, and the parsed text content is traced level by level to determine the path of the malicious application.
  • Correspondingly, a specific process can also be provided for comparing the configuration information of the user logging in to the operating system process. First, the latest updated profile file is obtained; this profile file contains the configuration information of the user logging in to the operating system process in the initial state of the operating system and can be downloaded from the official website of the operating system or other platforms. Second, the target Android system is accessed with root privileges and the profile file in the running state of the target Android system is obtained. Then, the two profile files are compared and the file tags are parsed; the tags of the file include Actions, Commands, Services and Options. Finally, if the two profile files are not the same, the application to be detected is determined to be a second-level malicious application, and the parsed text content is tracked step by step to determine the path of the malicious application.
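Steps 503 and 504 of FIG. 5, as an added example in Python (not the patent's code): the two init.rc-style files are split into their tagged sections, the sections whose content differs are reported, and absolute paths named in lines added in the running state are extracted as candidate storage paths. The sample files, the service name `weather_sync` and the path `/data/local/tmp/.wsync` are constructed placeholders; the parser assumes the init.rc syntax (an `on <trigger>` or `service <name> <executable>` header followed by indented lines) and is not a complete init-language parser.

```python
"""Tag-level comparison of init.rc-style files (steps 503 and 504 of FIG. 5).

Added example, not the patent's code. It assumes the init.rc syntax: an
'on <trigger>' header followed by indented commands, or a 'service <name> <exe>'
header followed by indented options. Sample files are constructed for this
example; the paths in them are placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

Section = Tuple[str, str]                 # (tag, name), e.g. ("on", "boot") or ("service", "ueventd")
Sections = Dict[Section, List[str]]
Changed = Dict[Section, Tuple[Optional[List[str]], Optional[List[str]]]]


def parse_init_rc(text: str) -> Sections:
    """Split the file into tagged sections; comments and blank lines are ignored.
    For a service, the executable and its arguments become the first body line.
    Repeated headers (a second 'on boot') merge into the same section, as init does."""
    sections: Sections = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if raw[0].isspace():                      # indented: command or option of current section
            if current is not None:
                sections[current].append(line.strip())
            continue
        parts = line.split()
        tag = parts[0]
        if tag == "on":
            current = ("on", " ".join(parts[1:]))
            sections.setdefault(current, [])
        elif tag == "service":
            current = ("service", parts[1])
            sections.setdefault(current, []).append(" ".join(parts[2:]))
        else:                                     # import and other single-line entries
            current = (tag, line)
            sections.setdefault(current, [])
    return sections


def changed_sections(initial: Sections, running: Sections) -> Changed:
    """Sections whose content differs between the two states (added, removed or edited)."""
    return {key: (initial.get(key), running.get(key))
            for key in sorted(set(initial) | set(running))
            if initial.get(key) != running.get(key)}


PATH_RE = re.compile(r"(?<!\S)(/[\w./-]+)")   # absolute paths appearing as whole tokens


def locate_paths(changed: Changed) -> List[str]:
    """Absolute paths named in lines present in the running state but not in the initial state."""
    paths = set()
    for before, after in changed.values():
        for line in after or []:
            if line not in (before or []):
                paths.update(PATH_RE.findall(line))
    return sorted(paths)


def detect_first_level(initial_text: str, running_text: str) -> Optional[dict]:
    """Step 504: any tag-level difference makes the application a first-level
    malicious application (5 points); None when the files are the same."""
    changed = changed_sections(parse_init_rc(initial_text), parse_init_rc(running_text))
    if not changed:
        return None
    return {"level": 1, "points": 5,
            "sections": [f"{tag} {name}" for tag, name in changed],
            "paths": locate_paths(changed)}


INITIAL_INIT_RC = """\
# constructed initial-state init.rc (not a real device file)
import /init.environ.rc

on early-init
    start ueventd

on boot
    class_start core

service ueventd /sbin/ueventd
    class core
    critical
"""

# Constructed running state: an extra command under 'on boot' and a new service.
RUNNING_INIT_RC = INITIAL_INIT_RC + """\
on boot
    start weather_sync

service weather_sync /data/local/tmp/.wsync --daemon
    class late_start
    oneshot
"""

if __name__ == "__main__":
    print(detect_first_level(INITIAL_INIT_RC, RUNNING_INIT_RC))
```

Because the comparison happens per section, a reordering of sections or an added comment does not register, whereas an extra command in `on boot` or a new `service` block does; the path extraction is a heuristic, and a reviewer still has to trace the parsed content level by level as step 504 describes.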
  • FIG. 6 is a schematic flowchart of another malicious application detection method provided by an embodiment of the present application, which can also be understood as a supplement to the flowcharts of the malicious application detection method in FIGS. 3 and 4.
  • This embodiment provides a specific process for the comparison of the configuration information of the application to be detected in the operating system.
  • First, the Androidmanifest.xml file of the application preinstalled by the operating system is obtained (see step 601); this Androidmanifest.xml file contains the configuration information of the application startup process of the preinstalled application in the initial state and can be downloaded from the official website where the application is released. Second, the Androidmanifest.xml file of the application to be detected in the running state is obtained (see step 602); this Androidmanifest.xml file contains the configuration information of the application startup process of the application to be detected in the running state. Then, the above two Androidmanifest.xml files are compared and the file tags are parsed (see step 603): specifically, the Androidmanifest.xml files in the initial state and in the running state are compared according to the tag content, and the text content corresponding to tags whose content differs is parsed; the tags include actions (Actions), commands (Commands), services (Services), options (Options), etc. Finally, the malicious level and path of the application to be detected are determined (see step 604): if the Androidmanifest.xml files in the initial state and in the running state are not the same, the application is rated as 2 points according to the scoring rule of FIG. 4 above, the application to be detected is determined to be a fourth-level malicious application that the user has no permission to uninstall, and the parsed text content is traced to determine the path of the malicious application.
  • For an application developed based on the above operating system and disclosed by a third-party application platform, the Androidmanifest.xml file of the application in the initial state contains the configuration information of its application startup process and can be downloaded from the corresponding third-party application platform; secondly, the target Android system is accessed with root privileges and the Androidmanifest.xml file of the application to be detected in the running state of the target Android system is obtained, which contains the configuration information of the application startup process of the application to be detected in the running state; then, the above two Androidmanifest.xml files are compared and the file tags are parsed, specifically by comparing the Androidmanifest.xml files in the initial state and in the running state according to the tag content and parsing the text content corresponding to tags whose content differs, where the tags of the file include actions (Actions), commands (Commands), services (Services), options (Options), etc.; finally, the malicious level and path of the application to be detected are determined, in the case that the Androidmanifest.xml file in
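Steps 603 and 604 of FIG. 6, as an added example (not the patent's code), using the "Weather" scenario from above: two constructed AndroidManifest.xml documents are summarised by their declared permissions, components and intent actions, the summaries are compared, and a difference yields level 4 or 5 according to whether the application is preinstalled. Rather than the generic tag names listed above, the summary uses the manifest's actual elements (`uses-permission`, the component tags and `action`). The package `com.example.weather`, the class names and the extra `READ_EXTERNAL_STORAGE` permission standing in for the photo album permission are assumptions of this example.

```python
"""Comparison of AndroidManifest.xml in the initial and running states (FIG. 6).

Added example, not the patent's code. The manifests below are constructed for
the "Weather" scenario; package and class names are placeholders. Instead of a
byte-level diff the comparison works on the manifest's declared permissions and
components, so the delta names what the application gained.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def manifest_summary(xml_text: str) -> Dict[str, Set[str]]:
    """Declared permissions, components and the intent actions each component handles."""
    root = ET.fromstring(xml_text)
    summary: Dict[str, Set[str]] = {"permissions": set(), "components": set(), "actions": set()}
    for node in root.iter("uses-permission"):
        summary["permissions"].add(node.get(ANDROID_NS + "name", ""))
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            comp_id = f"{tag}:{comp.get(ANDROID_NS + 'name', '')}"
            summary["components"].add(comp_id)
            for action in comp.iter("action"):
                summary["actions"].add(f"{comp_id}:{action.get(ANDROID_NS + 'name', '')}")
    return summary


def manifest_delta(initial_xml: str, running_xml: str) -> Dict[str, List[str]]:
    """Entries present in the running state but absent in the initial state."""
    before, after = manifest_summary(initial_xml), manifest_summary(running_xml)
    return {key: sorted(after[key] - before[key]) for key in before}


def classify_app_startup(initial_xml: str, running_xml: str, preinstalled: bool) -> Optional[dict]:
    """Step 604: a differing manifest yields level 4 (preinstalled, 2 points) or
    level 5 (third-party platform, 1 point); None when the summaries are the same."""
    if manifest_summary(initial_xml) == manifest_summary(running_xml):
        return None
    level = 4 if preinstalled else 5
    return {"level": level, "points": {4: 2, 5: 1}[level],
            "gained": manifest_delta(initial_xml, running_xml)}


# Constructed initial-state manifest: location and calendar permissions only.
INITIAL_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <application android:label="Weather">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

# Constructed running-state manifest: a storage (photo album) permission and a
# background service were added.
RUNNING_MANIFEST = INITIAL_MANIFEST.replace(
    '<uses-permission android:name="android.permission.READ_CALENDAR"/>',
    '<uses-permission android:name="android.permission.READ_CALENDAR"/>\n'
    '    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>',
).replace(
    "    </application>",
    '        <service android:name=".PhotoSyncService" android:exported="false"/>\n'
    "    </application>",
)

if __name__ == "__main__":
    print(classify_app_startup(INITIAL_MANIFEST, RUNNING_MANIFEST, preinstalled=False))
```

Comparing structured summaries rather than raw bytes keeps a rebuilt manifest with identical declarations from being flagged, and the `gained` delta points directly at the permission or component to investigate, which is what step 604's trace through the parsed content is after.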
  • FIG. 7 is a schematic structural diagram of an apparatus for detecting malicious applications according to an embodiment of the present application.
  • the apparatus for detecting malicious applications 70 may include an acquiring unit 701, a comparing unit 702 and a determining unit 703, where each unit is described as follows:
  • the acquiring unit 701 is configured to acquire initial information of an operating system, where the initial information includes legal application information of the operating system or configuration information of the operating system in an initial state, and the initial state is the state of the operating system before its first run;
  • the obtaining unit 701 is further configured to obtain the operation information of the operating system, the operation information including the application information to be detected of the operating system or the configuration information of the operating system in the running state;
  • a comparison unit 702 configured to compare the legal application information with the application information to be detected, or compare the configuration information in the initial state with the configuration information in the running state to obtain a comparison result;
  • the determining unit 703 is configured to determine that the application to be detected on the operating system is a malicious application if the comparison results are different.
  • the configuration information of the operating system and the application information of the application are regarded as two comparison contents, and a method for detecting malicious applications is provided.
  • the malicious application detection method provided by the embodiments of the present application can save a large amount of computing and storage resources and improve detection efficiency, and it remains effective for detecting malicious applications that use code changes or techniques such as code obfuscation and packing, improving the accuracy of the detection results.
  • the comparison unit 702 is specifically configured to compare the hash value of the configuration information of the operating system in the initial state with the hash value of the configuration information of the operating system in the running state.
  • a method of comparing hash values is used to determine whether the configuration information in the initial state and the configuration information in the running state are the same: the hash value of the configuration information of the operating system in the initial state is compared with the hash value of the configuration information of the operating system in the running state. The hash value of the configuration information is obtained together with the configuration information itself. The hash values of the two pieces of configuration information enable the receiver of the configuration information to confirm the authenticity of its content, and thereby to confirm whether the content of the above two pieces of configuration information is the same; this comparison method effectively improves the efficiency of configuration information comparison.
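The hash-based comparison performed by comparison unit 702, as an added example (not the patent's code). It computes a SHA-256 digest of each state's configuration information, checks a running-state file against a digest obtained together with the initial configuration, and shows the caveat that a raw digest also changes on a comment-only edit; a normalised digest that strips comments and blank lines is offered for that case. The profile contents, the added line in the tampered sample and the digest-publishing step are constructed assumptions of this example.

```python
"""Hash-based equality check of configuration information (comparison unit 702).

Added example, not the patent's code. Shows the fast path (compare digests,
optionally one obtained alongside the initial configuration) and the caveat
that a raw digest also changes on cosmetic edits, so a normalised digest is
offered as well. Sample contents are constructed.
"""
import hashlib
import hmac


def normalize_config(text: str) -> str:
    """Drop comments, blank lines and trailing whitespace before hashing so that
    a purely cosmetic edit does not register as a configuration change."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.strip():
            kept.append(line)
    return "\n".join(kept) + "\n"


def config_digest(text: str, normalized: bool = True) -> str:
    """SHA-256 hex digest of the configuration information."""
    data = normalize_config(text) if normalized else text
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def same_configuration(initial: str, running: str, normalized: bool = True) -> bool:
    """Compare the two states by digest; the constant-time comparison avoids
    leaking how many leading digest characters matched."""
    return hmac.compare_digest(config_digest(initial, normalized),
                               config_digest(running, normalized))


def matches_published_digest(running: str, published_digest: str) -> bool:
    """The initial digest may be obtained together with the configuration
    information, so the running state can be checked without the initial file."""
    return hmac.compare_digest(config_digest(running), published_digest)


# Constructed sample of a profile file in the initial state.
INITIAL_PROFILE = """\
# constructed /etc/profile for this example
export PATH=/system/bin:/system/xbin
umask 022
"""

# Constructed edits: one adds only a comment, the other adds a command.
COSMETIC_EDIT = INITIAL_PROFILE + "# added comment only\n"
TAMPERED_PROFILE = INITIAL_PROFILE + "sh /data/local/tmp/.wsync &\n"

if __name__ == "__main__":
    print("raw:       ", same_configuration(INITIAL_PROFILE, COSMETIC_EDIT, normalized=False))
    print("normalised:", same_configuration(INITIAL_PROFILE, COSMETIC_EDIT))
    print("tampered:  ", same_configuration(INITIAL_PROFILE, TAMPERED_PROFILE))
```

Which digest to use depends on the file: for init.rc and profile a comment cannot change behaviour, so the normalised digest removes a source of false positives, while the raw digest is the stricter check and is what a reference digest shipped with the initial configuration would normally cover. A digest only answers "same or not"; locating what changed still needs the tag-level comparison of the files themselves.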
  • the comparing unit 702 is further configured to compare the first configuration information with the second configuration information, wherein the first configuration information is the operating system in the The configuration information of the system startup process in the initial state, and the second configuration information is the configuration information of the system startup process of the operating system in the running state;
  • the comparison unit 702 is further configured to compare the third configuration information with the fourth configuration information, where the third configuration information is the configuration information of the user logging in to the operating system process when the operating system is in the initial state, and the fourth configuration information is the configuration information of the user logging in to the operating system process when the operating system is in the running state.
  • the configuration information of the system startup process of the operating system in the initial state is compared with that in the running state, or the configuration information of the user logging in to the operating system process in the initial state is compared with that in the running state.
  • the configuration information under the operating mechanism of the operating system can thus be checked from the perspective of the operating system level; the detection of high-threat malicious applications processed with hiding and camouflage techniques remains effective, and the detection efficiency and the accuracy of the detection results are improved.
  • the comparing unit 702 is further configured to compare the application name in the legal application information with the application name in the application information to be detected;
  • the comparing unit 702 is further configured to compare the fifth configuration information with the sixth configuration information, wherein the fifth configuration information includes the configuration information of the application startup process of the application to be detected in the initial state , the sixth configuration information includes configuration information of an application startup process of the application to be detected in a running state.
  • the application name in the legal application information is compared with the application name in the application information to be detected, or the configuration information of the application startup process of the application to be detected in the initial state is compared with that in the running state.
  • comparing the configuration information of the application startup process in the initial state with that in the running state detects the application from the perspective of the application level and the operating mechanism of the operating system; it remains effective for detecting high-threat malicious applications processed with hiding and camouflage techniques, saves a large amount of computing and storage resources, and improves the detection efficiency and the accuracy of the detection results.
  • the determining unit 703 is further configured to determine the malicious level of the application to be detected according to the initial information and the running information.
  • the initial information and the running information are different, and it is determined that the application to be detected is a malicious application.
  • the malicious level of the application to be detected is further determined according to the specific difference between the initial information and the running information.
  • the malicious level of the application to be detected can be determined and the degree of threat the application to be detected poses to the terminal device can be evaluated, thereby providing a theoretical basis for subsequently reducing or resolving the possible threats of malicious applications of different degrees, which improves the security and overall stability of the application operating environment.
  • the determining unit 703 is specifically configured to determine that the application to be detected is a first-level malicious application when the first configuration information and the second configuration information are different;
  • the determining unit 703 is further specifically configured to determine that the application to be detected is a second-level malicious application when the first configuration information and the second configuration information are the same and the third configuration information and the fourth configuration information are different, where the malicious level of the second-level malicious application is lower than the malicious level of the first-level malicious application.
  • an implementation manner of determining the malicious level of the application to be detected under the condition that the information at the operating system level is different is provided.
  • when the first configuration information and the second configuration information are different, it is determined that the application to be detected is a first-level malicious application, and the first-level malicious application represents the highest degree of maliciousness; when the first configuration information and the second configuration information are the same and the third configuration information and the fourth configuration information are different, it is determined that the application to be detected is a second-level malicious application, and because the configuration information of the system startup process of the operating system in the initial state is the same as that in the running state, the malicious level represented by the second-level malicious application is lower than the malicious level represented by the first-level malicious application.
  • the determining unit 703 is further specifically configured to determine that the application to be detected is a third-level malicious application when the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, and the application name in the legitimate application information and the application name in the application information to be detected are different, where the malicious level of the third-level malicious application is lower than the malicious level of the second-level malicious application.
  • an implementation manner of determining the malicious level of the application to be detected under the condition of different application-level information is provided.
  • when the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, and the application name in the legal application information and the application name in the application information to be detected are different, the application to be detected is determined to be a third-level malicious application; because the configuration information of the system startup process in the initial state of the operating system is the same as that in the running state, and the configuration information of the user logging in to the operating system process in the initial state is the same as that in the running state, the malicious level represented by the third-level malicious application is lower than the malicious level represented by the second-level and first-level malicious applications.
  • The determining unit 703 is further specifically configured to, when the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, the application name in the legitimate application information and the application name in the application information to be detected are the same, and the fifth configuration information and the sixth configuration information are different, determine that the application to be detected is a fourth-level malicious application, where the malicious level of the fourth-level malicious application is lower than that of the third-level malicious application.
  • When the first configuration information is the same as the second configuration information, the third configuration information is the same as the fourth configuration information, the application name in the legitimate application information is the same as the application name in the application information to be detected, and the fifth configuration information and the sixth configuration information are different, the application to be detected is determined to be a fourth-level malicious application. Because the configuration information of the system startup process, the configuration information of the user login process and the application name all match between the initial state and the running state, the fourth-level malicious application denotes a lower malicious level than the third-level, second-level and first-level malicious applications.
  • The operating system includes a system using the Linux kernel.
  • In a system using the Linux kernel, the first process started is generally the init process, and its configuration information is usually stored in the init.rc file. Therefore, systems using the Linux kernel are all applicable to the malicious application detection method described in the embodiments of this application.
  • the determining unit 703 is further configured to determine the storage path of the application to be detected according to the initial information and the running information.
  • the initial information and the running information are different, and it is determined that the application to be detected is a malicious application.
  • the storage path of the application to be detected is further analyzed.
  • The tag of the first configuration information and the tag of the second configuration information are parsed to obtain the tag content of the first configuration information and the tag content of the second configuration information; the two tag contents are compared, and the storage path of the application to be detected is determined according to the difference between them.
  • The tag of the third configuration information and the tag of the fourth configuration information are parsed to obtain the tag content of the third configuration information and the tag content of the fourth configuration information; the two tag contents are compared, and the storage path of the application to be detected is determined according to the difference between them.
  • The tag of the fifth configuration information and the tag of the sixth configuration information are parsed to obtain the tag content of the fifth configuration information and the tag content of the sixth configuration information; the two tag contents are compared, and the storage path of the application to be detected is determined according to the difference between them.
  • The storage path of the malicious application can thus be determined quickly, and the malicious application can then be handled according to that path, for example by uninstalling it or restricting the permissions it can acquire, which improves the security of the operating system's running environment.
  • Each unit in the apparatus shown in FIG. 7 may be combined, separately or all together, into one or several other units, or some unit(s) may be further split into several functionally smaller units; the same operations can be achieved without affecting the technical effects of the embodiments of the present application.
  • the above units are divided based on logical functions.
  • the function of one unit can also be implemented by multiple units, or the functions of multiple units can be implemented by one unit.
  • the network-based device may also include other units, and in practical applications, these functions may also be implemented with the assistance of other units, and may be implemented by cooperation of multiple units.
  • each unit may also correspond to the corresponding descriptions of the method embodiments shown in FIG. 3 , FIG. 4 , FIG. 5 , and FIG. 6 .
  • The configuration information of the operating system in the initial state and in the running state is compared through text comparison, and the legitimate application information of the operating system is compared with the information of the application to be detected, so as to detect the security of the application to be detected and evaluate its malicious level. This saves a lot of computing and storage resources, improves detection efficiency, remains effective for detecting malicious applications whose code has changed or that use code obfuscation, packing and other techniques, and improves the accuracy of detection results.
  • FIG. 8 is a schematic structural diagram of a terminal device 80 according to an embodiment of the present application.
  • the terminal device 80 may include a memory 801 and a processor 802 . Further optionally, a communication interface 803 and a bus 804 may also be included, wherein the memory 801 , the processor 802 and the communication interface 803 are communicated with each other through the bus 804 .
  • the communication interface 803 is used for data interaction with the above-mentioned malicious application detection device 70 .
  • the memory 801 is used to provide a storage space, and data such as an operating system and a computer program can be stored in the storage space.
  • The memory 801 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), or portable read-only memory (compact disc read-only memory, CD-ROM).
  • The processor 802 is a module that performs arithmetic and logical operations, and can be a processing module such as a central processing unit (CPU), a graphics processing unit (GPU) or a microprocessor unit (MPU), or a combination of one or more of these.
  • A computer program is stored in the memory 801, and the processor 802 calls the computer program stored in the memory 801 to execute the malicious application detection method shown in FIG. 3, FIG. 4, FIG. 5 and FIG. 6, including obtaining initial information of the operating system, where the initial information includes legitimate application information of the operating system or configuration information of the operating system in an initial state, and the initial state is the state before the operating system runs for the first time.
  • The specific content of the method executed by the processor 802 can be found in FIG. 3, FIG. 4, FIG. 5 and FIG. 6 and is not repeated here.
  • The processor 802 calls the computer program stored in the memory 801 and can also be used to execute the steps performed by the obtaining unit 701, the comparing unit 702 and the determining unit 703 in the malicious application detection apparatus 70 shown in FIG. 7; the specific content of these steps can be found in FIG. 7 and is not repeated here.
  • The configuration information of the operating system in the initial state and in the running state is compared through text comparison, and the legitimate application information of the operating system is compared with the information of the application to be detected, so as to detect the security of the application to be detected and evaluate its malicious level. This saves a lot of computing and storage resources, improves detection efficiency, remains effective for detecting malicious applications whose code has changed or that use code obfuscation, packing and other techniques, and improves the accuracy of detection results.
  • Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium.
  • An embodiment of the present application further provides a computer program product, which can implement the methods shown in FIG. 3 , FIG. 4 , FIG. 5 , and FIG. 6 when the computer program product is executed on the processor.
  • The configuration information of the operating system in the initial state is compared with the configuration information in the running state, and the legitimate application information of the operating system is compared with the application information to be detected, so as to detect the security of the application to be detected and evaluate its malicious level. This saves a lot of computing and storage resources, improves detection efficiency, remains effective for detecting malicious applications whose code has changed or that use techniques such as code obfuscation and packing, and improves the accuracy of detection results.
  • The aforementioned storage medium includes read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or other media that can store computer program code.

Abstract

A malicious application detection method and apparatus, and a storage medium. The detection method comprises: acquiring initial information of an operating system and acquiring running information of the operating system (301); comparing information on a legitimate application with information on an application to be detected, or comparing configuration information in an initial state with configuration information in a running state, to obtain a comparison result (302); and if the comparison result indicates that the compared information is different, determining that the application to be detected on the operating system is a malicious application (303). According to the method, configuration information of an operating system in an initial state is compared with configuration information of the operating system in a running state, or information on a legitimate application of the operating system is compared with information on an application to be detected, so as to detect the security of the application to be detected and evaluate its malicious level; a large number of computation and storage resources can be saved, the detection efficiency is improved, the method remains effective for detecting malicious applications whose code has been changed or that use techniques such as code obfuscation and packing, and the accuracy of the detection result is improved.

Description

Malicious application detection method, apparatus and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular to a method, apparatus and storage medium for detecting malicious applications.
Background
An application (App) is a computer program for completing one or more specific tasks. Operating systems based on the Linux kernel, such as Android, are mainly used in mobile terminal devices. Because the code of Linux-kernel-based operating systems is open source and highly extensible, the apps developed for such operating systems have become increasingly diverse and satisfy many needs of people's daily life.
However, a black-market industry that relies on terminal systems with huge user bases and uses malicious apps for fraud, unauthorized charging, cryptocurrency mining and similar activities is also growing rapidly, and it seriously affects users' data security. For example, when an Android-based in-vehicle system, or a mobile terminal device that communicates with it, is attacked by a malicious app, the vehicle owner's private data may leak and the driving safety of the vehicle may even be seriously threatened. Therefore, detecting the security of applications on Linux-kernel-based operating systems has long been a key research topic for information security personnel.
The application detection method currently used is to inspect the source code of the app, which consumes a lot of computing and storage resources and has low detection efficiency; moreover, once the code of a malicious app changes or techniques such as code obfuscation and packing are used, detection can easily be bypassed. Therefore, current malicious app detection methods consume many resources and produce detection results of low accuracy.
Summary of the Invention
The embodiments of the present application provide a malicious application detection method, apparatus and storage medium. Using text comparison, the configuration information of the operating system in the initial state is compared with its configuration information in the running state, and the legitimate application information of the operating system is compared with the information of the application to be detected, so as to detect the security of the application to be detected and evaluate its malicious level. This saves a lot of computing and storage resources, improves detection efficiency, remains effective for detecting malicious applications whose code has changed or that use techniques such as code obfuscation and packing, and improves the accuracy of detection results.
In a first aspect, an embodiment of the present application provides a malicious application detection method, which includes:
obtaining initial information of the operating system, where the initial information includes legitimate application information of the operating system or configuration information of the operating system in an initial state, the initial state being the state before the operating system runs for the first time;
obtaining running information of the operating system, where the running information includes information of an application to be detected on the operating system or configuration information of the operating system in a running state;
comparing the legitimate application information with the application information to be detected, or comparing the configuration information in the initial state with the configuration information in the running state, to obtain a comparison result; and
when the comparison result indicates a difference, determining that the application to be detected on the operating system is a malicious application.
In the embodiments of the present application, a malicious application detection method is provided that, based on text comparison, uses the configuration information of the operating system and the application information of the application as the two items of comparison. Compared with the many currently used methods that "inspect the application itself", the detection method in this embodiment combines system-content detection and application-content detection under the operating mechanism of the operating system; it saves a lot of computing and storage resources, improves detection efficiency, remains effective for detecting malicious applications whose code has changed or that use techniques such as code obfuscation and packing, and improves the accuracy of detection results.
In a possible implementation, comparing the configuration information in the initial state with the configuration information in the running state specifically includes:
comparing a hash value of the configuration information of the operating system in the initial state with a hash value of the configuration information of the operating system in the running state.
In this implementation, hash values are compared to determine whether the configuration information in the initial state and in the running state are the same. The hash value of the configuration information is obtained together with the configuration information itself; by comparing the two hash values, the receiver of the configuration information can confirm the authenticity of its content and thereby confirm whether the contents of the two pieces of configuration information are the same. This comparison method effectively improves the efficiency of configuration information comparison.
In a possible implementation, comparing the configuration information in the initial state with the configuration information in the running state specifically includes:
comparing first configuration information with second configuration information, where the first configuration information is the configuration information of the system startup process of the operating system in the initial state, and the second configuration information is the configuration information of the system startup process of the operating system in the running state;
or,
comparing third configuration information with fourth configuration information, where the third configuration information is the configuration information of the user login process of the operating system in the initial state, and the fourth configuration information is the configuration information of the user login process of the operating system in the running state.
In this implementation, the configuration information of the system startup process of the operating system in the initial state and in the running state is compared, or the configuration information of the user login process of the operating system in the initial state and in the running state is compared. Through this content comparison, the configuration information under the operating mechanism of the operating system can be examined from the perspective of the operating system level; detection remains effective for high-threat malicious applications that use hiding and disguise techniques, and both detection efficiency and the accuracy of detection results are improved.
In a possible implementation, comparing the legitimate application information with the application information to be detected specifically includes:
comparing the application name in the legitimate application information with the application name in the application information to be detected;
or,
comparing fifth configuration information with sixth configuration information, where the fifth configuration information includes the configuration information of the application startup process of the application to be detected in the initial state, and the sixth configuration information includes the configuration information of the application startup process of the application to be detected in the running state.
In this implementation, the application name in the legitimate application information is compared with the application name in the application information to be detected, or the configuration information of the application startup process of the application to be detected in the initial state and in the running state is compared. Through this content comparison, the configuration information of the application startup process in the initial state and in the running state can be examined from the perspective of the application level, combined with the operating mechanism of the operating system; detection remains effective for high-threat malicious applications that use hiding and disguise techniques, a lot of computing and storage resources are saved, and both detection efficiency and the accuracy of detection results are improved.
In a possible implementation, the detection method further includes:
determining the malicious level of the application to be detected according to the initial information and the running information.
In this implementation, on the premise that the initial information and the running information differ and the application to be detected has therefore been determined to be malicious, the malicious level of the application is further determined according to the specific difference between the initial information and the running information. Determining the malicious level makes it possible to evaluate how much of a threat the application poses to the terminal device, which in turn provides a basis for subsequently taking measures of differing strength to reduce or resolve the possible threat, improving the security and overall stability of the application's operating environment.
In a possible implementation, determining the malicious level of the application to be detected according to the initial information and the running information specifically includes:
when the first configuration information and the second configuration information are different, determining that the application to be detected is a first-level malicious application;
when the first configuration information and the second configuration information are the same and the third configuration information and the fourth configuration information are different, determining that the application to be detected is a second-level malicious application, where the malicious level of the second-level malicious application is lower than that of the first-level malicious application.
In this implementation, a way of determining the malicious level of the application to be detected is provided for the case where information at the operating system level differs. When the first and second configuration information differ, the application to be detected is determined to be a first-level malicious application, which denotes the highest degree of maliciousness. When the first and second configuration information are the same but the third and fourth configuration information differ, the application to be detected is determined to be a second-level malicious application; because the configuration information of the system startup process is the same in the initial and running states, the second-level malicious application denotes a lower malicious level than the first-level one.
In a possible implementation, determining the malicious level of the application to be detected according to the initial information and the running information specifically includes:
when the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, and the application name in the legitimate application information differs from the application name in the application information to be detected, determining that the application to be detected is a third-level malicious application, where the malicious level of the third-level malicious application is lower than that of the second-level malicious application.
In this implementation, a way of determining the malicious level of the application to be detected is provided for the case where information at the application level differs. When the first and second configuration information are the same, the third and fourth configuration information are the same, and the application name in the legitimate application information differs from that in the application information to be detected, the application to be detected is determined to be a third-level malicious application; because the configuration information of the system startup process is the same in the initial and running states and the configuration information of the user login process is also the same in both states, the third-level malicious application denotes a lower malicious level than the second-level and first-level ones.
In a possible implementation, determining the malicious level of the application to be detected according to the initial information and the running information specifically includes:
when the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, the application name in the legitimate application information is the same as the application name in the application information to be detected, and the fifth configuration information and the sixth configuration information are different, determining that the application to be detected is a fourth-level malicious application, where the malicious level of the fourth-level malicious application is lower than that of the third-level malicious application.
In this implementation, another way of determining the malicious level of the application to be detected is provided for the case where information at the application level differs. When the first and second configuration information are the same, the third and fourth configuration information are the same, the application name in the legitimate application information is the same as that in the application information to be detected, and the fifth and sixth configuration information differ, the application to be detected is determined to be a fourth-level malicious application; because the configuration information of the system startup process, the configuration information of the user login process and the application name all match between the initial and running states, the fourth-level malicious application denotes a lower malicious level than the third-level, second-level and first-level ones.
In a possible implementation, the operating system includes a system using the Linux kernel.
In this implementation, the operating system includes a system using the Linux kernel. The first process started by a system using the Linux kernel is generally the init process, and the configuration information of this process is usually stored in the init.rc file. Therefore, the malicious application detection method described in the embodiments of this application applies to all systems using the Linux kernel.
In a possible implementation, the detection method further includes:
determining the storage path of the application to be detected according to the initial information and the running information.
In this implementation, the initial information and the running information differ and the application to be detected has therefore been determined to be a malicious application; on that premise, the storage path of the application to be detected is further determined according to the specific difference between the initial information and the running information. When the first configuration information differs from the second configuration information, the tags of the first configuration information and the tags of the second configuration information are parsed to obtain their tag contents, the tag contents of the first configuration information are compared with those of the second configuration information, and the storage path of the application to be detected is determined from the difference between them. Similarly, when the third configuration information differs from the fourth configuration information, the tags of both are parsed to obtain their tag contents, the tag contents of the third configuration information are compared with those of the fourth configuration information, and the storage path of the application to be detected is determined from the difference between them. When the fifth configuration information differs from the sixth configuration information, the tags of both are parsed to obtain their tag contents, the tag contents of the fifth configuration information are compared with those of the sixth configuration information, and the storage path of the application to be detected is determined from the difference between them. With the method of determining the storage path in this implementation, the storage path of the malicious application can be determined quickly, and the malicious application can then be handled according to that path, for example by uninstalling it or restricting the permissions it can acquire, which improves the security of the operating system's running environment.
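The grading and path-recovery scheme described above, worked through in Python as an added example that is not part of the patent text: a whole-file hash comparison of the six configuration items, the first- to fourth-level decision order, and a tag-content difference used to recover a storage path. All file contents are constructed samples, and the tag models (one entry per line for init.rc/rc.local/profile, element plus attributes for AndroidManifest.xml) and the "absolute path inside an added tag" rule are my assumptions, since the page does not specify how tags are parsed.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Levels as the document orders them: 1 is the most severe; 0 means no difference
# was found and the application is treated as legitimate.
LEVEL_NONE, LEVEL_1, LEVEL_2, LEVEL_3, LEVEL_4 = 0, 1, 2, 3, 4
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed rule: a storage path is an absolute path token inside a tag that exists
# only in the running-state configuration.
PATH_RE = re.compile(r"(?<![\w.])/[\w./-]+")


@dataclass
class Snapshot:
    """One state (initial or running) expressed as the document's six items."""
    system_start: str  # init.rc / rc.local: first (initial) or second (running) configuration
    user_login: str    # profile: third or fourth configuration information
    app_name: str      # name from legal / to-be-detected application information
    app_start: str     # AndroidManifest.xml: fifth or sixth configuration information


def digest(text: str) -> str:
    """Hash value used for the quick whole-file comparison."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def rc_tags(text: str) -> set:
    """Assumed tag model for rc/profile files: one entry per non-comment line."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def manifest_tags(text: str) -> set:
    """Assumed tag model for AndroidManifest.xml: element name plus attributes."""
    tags = set()
    for elem in ET.fromstring(text).iter():
        attrs = ",".join(f"{k.replace(ANDROID_NS, 'android:')}={v}"
                         for k, v in sorted(elem.attrib.items()))
        tags.add(f"<{elem.tag} {attrs}>")
    return tags


def storage_paths(initial_tags: set, running_tags: set) -> list:
    """Paths named by tags present in the running state but not the initial state."""
    added = running_tags - initial_tags
    return sorted({p for tag in added for p in PATH_RE.findall(tag)})


def detect(initial: Snapshot, running: Snapshot) -> dict:
    """Grade the application to be detected and, where configuration differs,
    derive its storage path from the tag-content difference."""
    # System level: first/second, then third/fourth configuration information.
    for level, init_text, run_text in ((LEVEL_1, initial.system_start, running.system_start),
                                       (LEVEL_2, initial.user_login, running.user_login)):
        if digest(init_text) != digest(run_text):
            return {"level": level,
                    "paths": storage_paths(rc_tags(init_text), rc_tags(run_text))}
    # Application level: name first, then fifth/sixth configuration information.
    if initial.app_name != running.app_name:
        return {"level": LEVEL_3, "paths": []}  # no configuration diff to derive a path from
    if digest(initial.app_start) != digest(running.app_start):
        return {"level": LEVEL_4,
                "paths": storage_paths(manifest_tags(initial.app_start),
                                       manifest_tags(running.app_start))}
    return {"level": LEVEL_NONE, "paths": []}


# Constructed sample files; none of this content comes from a real device.
INIT_RC_CLEAN = "on boot\n    start servicemanager\nservice adbd /system/bin/adbd\n"
INIT_RC_TAMPERED = INIT_RC_CLEAN + "service helper /data/local/tmp/helper\n    oneshot\n"
PROFILE_CLEAN = "export PATH=/system/bin:$PATH\n"
PROFILE_TAMPERED = PROFILE_CLEAN + "/data/local/tmp/agent.sh &\n"
MANIFEST_CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.navi">
  <application android:name=".NaviApp">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""
MANIFEST_TAMPERED = MANIFEST_CLEAN.replace(
    "</application>",
    '<service android:name=".UpdateService"/>\n'
    '<meta-data android:name="update_pkg" android:value="/sdcard/Download/update.bin"/>\n'
    "</application>")
BASELINE = Snapshot(INIT_RC_CLEAN, PROFILE_CLEAN, "navi", MANIFEST_CLEAN)


def sample_results() -> dict:
    """Run the detector over one running-state snapshot per outcome."""
    running = {
        "clean": BASELINE,
        "init_rc": Snapshot(INIT_RC_TAMPERED, PROFILE_CLEAN, "navi", MANIFEST_CLEAN),
        "profile": Snapshot(INIT_RC_CLEAN, PROFILE_TAMPERED, "navi", MANIFEST_CLEAN),
        "renamed": Snapshot(INIT_RC_CLEAN, PROFILE_CLEAN, "navi-pro", MANIFEST_CLEAN),
        "manifest": Snapshot(INIT_RC_CLEAN, PROFILE_CLEAN, "navi", MANIFEST_TAMPERED),
    }
    return {name: detect(BASELINE, snap) for name, snap in running.items()}
```

Because the hash comparison is done before any parsing, an unchanged file costs one digest and no tag work; the tag difference is only computed for the item that actually differs.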
In a second aspect, an embodiment of this application provides a malicious application detection apparatus, which includes:
an acquisition unit, configured to acquire initial information of the operating system, where the initial information includes legal application information of the operating system or configuration information of the operating system in an initial state, the initial state being the state of the operating system before it runs for the first time;
the acquisition unit is further configured to acquire running information of the operating system, where the running information includes to-be-detected application information of the operating system or configuration information of the operating system in a running state;
a comparison unit, configured to compare the legal application information with the to-be-detected application information, or to compare the configuration information in the initial state with the configuration information in the running state, to obtain a comparison result;
a determining unit, configured to determine that the application to be detected on the operating system is a malicious application when the comparison result is that the compared information differs.
In a possible implementation, the comparison unit is specifically configured to compare the hash value of the configuration information of the operating system in the initial state with the hash value of the configuration information of the operating system in the running state.
In a possible implementation, the comparison unit is further configured to compare first configuration information with second configuration information, where the first configuration information is the configuration information of the system startup process of the operating system in the initial state and the second configuration information is the configuration information of the system startup process of the operating system in the running state;
or,
the comparison unit is further configured to compare third configuration information with fourth configuration information, where the third configuration information is the configuration information of the process by which a user logs in to the operating system in the initial state, and the fourth configuration information is the configuration information of the process by which a user logs in to the operating system in the running state.
In a possible implementation, the comparison unit is further configured to compare the application name in the legal application information with the application name in the to-be-detected application information;
or,
the comparison unit is further configured to compare fifth configuration information with sixth configuration information, where the fifth configuration information includes the configuration information of the application startup process of the application to be detected in the initial state, and the sixth configuration information includes the configuration information of the application startup process of the application to be detected in the running state.
In a possible implementation, the determining unit is further configured to determine the malicious level of the application to be detected according to the initial information and the running information.
In a possible implementation, the determining unit is specifically configured to determine that the application to be detected is a first-level malicious application when the first configuration information differs from the second configuration information;
the determining unit is further configured to determine that the application to be detected is a second-level malicious application when the first configuration information is the same as the second configuration information and the third configuration information differs from the fourth configuration information, where the malicious level of the second-level malicious application is lower than that of the first-level malicious application.
In a possible implementation, the determining unit is further configured to determine that the application to be detected is a third-level malicious application when the first configuration information is the same as the second configuration information, the third configuration information is the same as the fourth configuration information, and the application name in the legal application information differs from the application name in the to-be-detected application information, where the malicious level of the third-level malicious application is lower than that of the second-level malicious application.
In a possible implementation, the determining unit is further configured to determine that the application to be detected is a fourth-level malicious application when the first configuration information is the same as the second configuration information, the third configuration information is the same as the fourth configuration information, the application name in the legal application information is the same as the application name in the to-be-detected application information, and the fifth configuration information differs from the sixth configuration information, where the malicious level of the fourth-level malicious application is lower than that of the third-level malicious application.
In a possible implementation, the operating system includes a system using the Linux kernel.
In a possible implementation, the determining unit is further configured to determine the storage path of the application to be detected according to the initial information and the running information.
For the technical effects of the second aspect or its possible implementations, refer to the description of the technical effects of the first aspect or the corresponding implementations.
In a third aspect, an embodiment of this application provides a malicious application detection apparatus that includes a processor and a memory; the memory is configured to store computer-executable instructions, and the processor is configured to execute the computer-executable instructions stored in the memory so that the detection apparatus performs the method of the first aspect or any of its possible implementations. Optionally, the detection apparatus further includes a transceiver configured to receive or send signals.
In a fourth aspect, an embodiment of this application provides a computer-readable storage medium configured to store instructions or a computer program; when the instructions or the computer program are executed, the method of the first aspect is implemented.
In a fifth aspect, an embodiment of this application provides a computer program product that includes instructions or a computer program; when the instructions or the computer program are executed, the method of the first aspect is implemented.
In the embodiments of this application, text comparison is used to compare the configuration information of the operating system in the initial state with that in the running state, and to compare the legal application information of the operating system with the to-be-detected application information, so as to check the security of the application to be detected and assess its malicious level. This saves a large amount of computing and storage resources and improves detection efficiency, and detection remains effective for malicious applications whose code has changed or that use code obfuscation, packing and similar techniques, improving the accuracy of the detection results.
Description of drawings
FIG. 1 is a schematic diagram of a malicious application detection scenario provided by an embodiment of this application;
FIG. 2 is a schematic diagram of a malicious application detection architecture provided by an embodiment of this application;
FIG. 3 is a schematic flowchart of a malicious application detection method provided by an embodiment of this application;
FIG. 4 is a schematic flowchart of another malicious application detection method provided by an embodiment of this application;
FIG. 5 is a schematic flowchart of yet another malicious application detection method provided by an embodiment of this application;
FIG. 6 is a schematic flowchart of yet another malicious application detection method provided by an embodiment of this application;
FIG. 7 is a schematic structural diagram of a malicious application detection apparatus provided by an embodiment of this application;
FIG. 8 is a schematic structural diagram of a terminal device provided by an embodiment of this application.
Detailed description of embodiments
To make the objectives, technical solutions and advantages of this application clearer, the embodiments of this application are described below with reference to the accompanying drawings in the embodiments.
The terms "first" and "second" and the like in the description, claims and drawings of this application are used to distinguish different objects rather than to describe a particular order. Furthermore, the terms "including" and "having", and any variations of them, are intended to cover a non-exclusive inclusion. For example, a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units but may optionally include steps or units that are not listed, or may optionally include other steps or units inherent to the process, method, product or device.
Reference herein to an "embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment may be included in at least one embodiment of this application. The appearances of this phrase in various places in the specification do not necessarily all refer to the same embodiment, nor to separate or alternative embodiments that are mutually exclusive of other embodiments. A person skilled in the art understands, explicitly and implicitly, that the embodiments described herein may be combined with other embodiments.
It should be understood that in this application, "at least one (item)" means one or more, "multiple" means two or more, and "at least two (items)" means two, three or more. "And/or" describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean that only A exists, only B exists, or both A and B exist, where A and B may be singular or plural. The character "/" generally indicates that the objects before and after it are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of the listed items, including any combination of a single item or plural items. For example, at least one of a, b or c may mean a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where each of a, b and c may be singular or plural.
This application provides a malicious application detection method. To describe the solution of this application more clearly, some knowledge related to application detection is introduced first.
APKTool: an Android application package (APK) build tool that can decompile and recompile an apk, install the framework-res framework required for decompiling system apks, and clean up the previous decompilation folder, among other functions. For apk code to run on an Android device it must first be compiled and then packaged into a file that the Android system can recognise before it can be run; the file format that the Android system can recognise and run is "apk". An apk file contains compiled code files (.dex files), resources, native resource files (assets), certificates, and a manifest file.
Sandbox: a virtual execution environment for network programming, a virtual system program that allows testers to run a browser or other programs in a sandboxed environment so that any changes produced by running them can be deleted afterwards. It creates an isolated working environment similar to a sandbox, in which the running programs cannot make permanent changes to the hard disk. In network security, a sandbox refers to a tool for testing the behaviour of untrusted files or applications in an isolated environment.
Hook technology: also called a hook function. Before the system calls a function, the hook program first captures the message and the hook function gains control first; the hook function can then process (change) the execution behaviour of that function, and can also forcibly end the delivery of the message. Simply put, the system's routine is pulled out and replaced with our own code snippet.
The embodiments of this application are described below with reference to the accompanying drawings in the embodiments.
Refer to FIG. 1, which is a schematic diagram of a malicious application detection scenario provided by an embodiment of this application. As shown in FIG. 1, 101, installed in the centre console of a car, is a head unit running the Android system. "Head unit" is short for the in-vehicle infotainment product installed in the car; besides the traditional radio, audio and video playback and navigation functions, it also provides telematics functions that enable information communication between people and the vehicle and between the vehicle and the outside world (including other vehicles). Among these, the "I-Call" and "E-Call" functions are the most typical telematics functions. The "I-Call" function connects to a back-end call centre through the head unit's built-in communication module to provide one-touch navigation and the corresponding location and remote services; the "E-Call" function reads the airbag information over the controller area network (CAN) bus when the car suffers a serious accident and automatically dials the emergency rescue number. In addition, the telematics functions include positioning and anti-theft monitoring: when a vehicle is stolen, the call centre works with law enforcement to locate and track it. In this scenario, if the head unit is attacked by a malicious app, some vehicle functions will be affected.
102 is a mobile phone running the Android system, and the phone 102 can communicate with the head unit 101 over a Bluetooth connection, a data cable or other means. For example, with 102 (the phone) connected to 101 (the head unit) over Bluetooth, the user can control the head unit from the phone: opening a music player application on the phone and communicating with the head unit makes the car audio system connected to the head unit play the songs on the phone; when answering a call on the phone, the user can talk through the speakers and microphone connected to the head unit without holding the phone. In this scenario, however, incidents in which a phone communicating with the head unit is attacked by a malicious app, leaking the owner's private information and even affecting driving safety, are increasing. For example, if a map app on the phone has had its code maliciously tampered with through a network attack, the driver will be led astray by the app's navigation, which may seriously threaten driving safety.
Therefore, in the above application scenarios, applying an efficient malicious application detection method is of great importance for protecting user information security and vehicle driving safety.
To address the problems in the above application scenarios, the embodiments of this application provide a new malicious application detection architecture. Refer to FIG. 2, which is a schematic diagram of a malicious application detection architecture provided by an embodiment of this application. As shown in FIG. 2, the architecture consists mainly of three modules: an original information database module, a file analysis module, and an application detection result module.
The original information database module is used to build the original information database, which mainly contains two kinds of content: the configuration information of the operating system in the initial state, and the legal application information of the operating system. The initial state is the state of the operating system before it runs for the first time, which includes the unused state after leaving the factory and before the first run, or the unused state before the first run after the vendor officially releases an updated version of the operating system. The configuration information of the operating system in the initial state mainly includes the configuration information of the operating system's system startup process and the configuration information of the process by which a user logs in to the operating system. The legal application information of the operating system mainly includes information about legal applications, such as the application name and configuration information of each legal application; the configuration information of a legal application may specifically be the configuration information of its application startup process.
The information contained in the original information database can be obtained without accessing the operating system; the original information database module can obtain the configuration information of the operating system in the initial state by downloading it from platforms such as the official website that publishes the operating system. Likewise, the original information database module can obtain the legal application information of the operating system through different channels, using a different channel for each category of legal application. Specifically, the legal applications covered by the legal application information fall into two main categories. One category is the applications pre-installed on the operating system in its initial state; the original information database module can download their application names, configuration information and other related information from platforms such as the official website that publishes these applications. The other category is applications developed for the operating system and published on third-party application platforms; the original information database module can download their application names, configuration information and other related content from the corresponding third-party platform. Therefore, obtaining the information in the original information database does not depend on the operating system running, and the information can be determined as soon as the operating system leaves the factory or is updated.
上述系统启动进程的配置信息为操作系统启动的第一个进程的信息,该系统启动进程工作后会派生出其他重要的系统进程,以执行相应的功能。上述操作系统包括采用Linux内核的系统,如Android、乌班图(ubuntu)等。在以Linux为内核的操作系统中,系统启动的第一个进程一般是init进程,该进程用于指示操作系统在启动时进行一系列相应的处理,比如启动用户登录、实现运行级别、以及处理孤立进程等处理。因此,上述系统启动 进程的配置信息通常存储在init.rc文件和rc.local文件中,init.rc文件和rc.local文件均为随系统启动而启动的脚本,init.rc文件先于rc.local文件启动。init.rc文件是一个规定init进程行为和动作的配置文件,rc.local文件用于记录系统启动的执行命令,在系统启动后、用户登录前执行。同样的,在以Linux为内核的操作系统中,上述用户登录操作系统进程的配置信息通常存储在profile文件中,profile文件为随用户登录操作系统而启动的脚本,profile文件用于记录一些用户登录系统时的执行命令,在系统启动后、用户登录该系统时执行上述命令。此外,init.rc文件在系统的路径为“/system/core/rootdir/init.rc”,rc.local文件在系统的路径为“/etc/init.rc”,profile文件在系统的路径为“/etc/profile”。上述应用启动进程的配置信息通常存储在AndroidManifest.xml文件中,AndroidManifest.xml文件是一个位于应用的根目录的应用清单文件,包含了该应用的配置信息,操作系统需要根据里面的内容运行应用的代码,显示界面,执行相应功能。The above configuration information of the system startup process is the information of the first process started by the operating system. After the system startup process works, other important system processes will be derived to perform corresponding functions. The above-mentioned operating systems include systems using the Linux kernel, such as Android, Ubuntu, and the like. In an operating system with Linux as the kernel, the first process started by the system is generally the init process, which is used to instruct the operating system to perform a series of corresponding processes at startup, such as starting user login, implementing run levels, and processing Orphaned processes, etc. Therefore, the configuration information of the above system startup process is usually stored in the init.rc file and the rc.local file. Both the init.rc file and the rc.local file are scripts that are started with the system startup. The init.rc file precedes rc. local file starts. The init.rc file is a configuration file that specifies the behavior and actions of the init process. The rc.local file is used to record the execution commands for system startup, which are executed after the system is started and before the user logs in. 
Similarly, in an operating system with Linux as the kernel, the configuration information of the above-mentioned user login operating system process is usually stored in a profile file. The profile file is a script that is started when the user logs in to the operating system. The profile file is used to record some user logins. The execution command when the system is started. The above command is executed when the user logs in to the system after the system is started. In addition, the path of the init.rc file in the system is "/system/core/rootdir/init.rc", the path of the rc.local file in the system is "/etc/init.rc", and the path of the profile file in the system is " /etc/profile". The configuration information of the above application startup process is usually stored in the AndroidManifest.xml file. The AndroidManifest.xml file is an application manifest file located in the root directory of the application, and contains the configuration information of the application. The operating system needs to run the application according to the content in it. code, display the interface, and execute the corresponding function.
The file analysis module compares and analyses the running information of the operating system against the information in the original information database. Unlike the information in the original information database, the running information must be obtained from the operating system while it is in the running state, the running state being the state in which the operating system is in use after leaving the factory or after an update. The file analysis module therefore needs to access the operating system and obtain the relevant operating system permissions in order to acquire the running information. The running information of the operating system mainly covers two aspects: the configuration information of the operating system in the running state, and the information on the application to be detected. The configuration information in the running state mainly includes the configuration information of the system startup process and the configuration information of the user login process. The information on the application to be detected mainly includes application-related information such as the name of the application to be detected and its configuration information; the configuration information of the application to be detected may specifically be the configuration information of the application startup process.
Similar to the information in the original information database, in an operating system with a Linux kernel the configuration information of the system startup process in the running state is usually stored in the init.rc and rc.local files, the configuration information of the user login process in the running state is usually stored in the profile file, and the configuration information of the application startup process of the application to be detected is usually stored in that application's AndroidManifest.xml file.
The file analysis module compares and analyses the running information of the operating system against the information in the original information database. Because both sets of configuration information are usually stored in corresponding configuration files, the configuration information can be compared by comparing the hash values of the configuration files. The specific comparison may cover the following aspects:
First, the file analysis module compares the configuration information of the system startup process in the initial state of the operating system with that in the running state;
Second, the file analysis module compares the configuration information of the user login process in the initial state of the operating system with that in the running state;
Third, the file analysis module compares the application name in the legitimate application information of the operating system with the application name in the information on the application to be detected;
Fourth, the file analysis module compares the configuration information of the application startup process of the application to be detected in the initial state with that in the running state.
It should be noted that the above four comparisons may be carried out as four parallel comparison schemes or as a progressive scheme in which they are performed one after another in sequence; the file analysis module may select at least one of the above aspects for comparative analysis according to the requirements of different application scenarios.
The application detection result module derives the application detection result from the comparative analysis result of the file analysis module. That is, as long as the comparison result of any one of the four aspects compared by the file analysis module is "different", the application detection result module determines that the application to be detected is a malicious application.
Further, the application detection result module can further distinguish the degree of maliciousness of the application to be detected according to which aspect of the comparison differed, which provides a basis for subsequently taking measures of different strength to reduce or eliminate the possible threat posed by the malicious application, and improves the security and overall stability of the application runtime environment. Where the first aspect of the comparison differs, the application detection result module determines the application to be detected to be a malicious application of the highest degree of maliciousness (which may be called a first-level malicious application). Where the first aspect is the same and the second aspect differs, the application detection result module determines the application to be detected to be a second-level malicious application, whose degree of maliciousness is lower than that of a first-level malicious application. Likewise, where the first and second aspects are the same and the third aspect differs, the application detection result module determines the application to be detected to be a third-level malicious application, whose degree of maliciousness is lower than that of a second-level malicious application. Where the first, second and third aspects are the same and the fourth aspect differs, the application detection result module determines the application to be detected to be a fourth-level malicious application, whose degree of maliciousness is lower than that of a third-level malicious application.
In summary, the detection technique of the malicious application detection architecture of the embodiments of the present application combines content detection with the operating mechanism of the operating system. Even if the code of the application to be detected changes or uses techniques such as code obfuscation or packing, the detection technique remains effective, which greatly improves the accuracy of the detection result. Moreover, the detection process requires neither a large volume of stored features nor a large amount of computing resources, which saves considerable computing and storage resources and improves detection efficiency.
Based on the malicious application detection architecture shown in FIG. 2, an embodiment of the present application further provides a method for detecting a malicious application. Refer to FIG. 3, which is a schematic flowchart of a method for detecting a malicious application according to an embodiment of the present application. The detection method includes, but is not limited to, the following steps:
Step 301: The terminal device obtains the initial information of the operating system and obtains the running information of the operating system.
The terminal device in the embodiments of the present application is an electronic device running an operating system with a Linux kernel, such as a mobile phone, computer, in-vehicle unit or smart wearable device running the Android system.
The terminal device obtains the initial information and the running information of the operating system. The initial information mainly includes the legitimate application information of the operating system and the configuration information of the operating system in the initial state; the running information mainly includes the information on the application to be detected and the configuration information of the operating system in the running state. Here the initial state refers to the state of the operating system before it is first run, which includes the unused state after leaving the factory and before the first run, or the unused state before the first run after the vendor officially releases an updated version of the operating system. The running state is the state in which the operating system is in use after leaving the factory or after an update.
The legitimate application information of the operating system mainly includes information relating to legitimate applications, such as the application name of the legitimate application and its configuration information; the configuration information of the legitimate application may specifically be the configuration information of the application startup process in the initial state. The configuration information of the operating system in the initial state may include the configuration information of the system startup process in the initial state (first configuration information) and the configuration information of the user login process (third configuration information). The above initial information can be obtained without accessing the operating system: the terminal device can download the configuration information of the operating system in the initial state from platforms such as the official website on which the operating system is released, and download the application-related information of legitimate applications from platforms such as the official websites on which those applications are released. Further, the terminal device obtains application information by different routes for different categories of legitimate application. The legitimate applications covered by the legitimate application information of the operating system fall into two main categories. One category is the applications pre-installed in the initial state of the operating system, whose application names, configuration information and other related information the terminal device can download from platforms such as the official websites on which those applications are released. The other category is applications developed for the above operating system and published on third-party application platforms, whose application names, configuration information and other related content the terminal device can download from the corresponding third-party platform. Therefore, obtaining the initial information of the operating system does not depend on the operating system running, nor does it require obtaining the relevant operating system permissions in advance, and the initial information is information that can be determined as soon as the operating system leaves the factory or is updated.
The information on the application to be detected mainly includes information relating to the application to be detected, such as its application name and its configuration information; the configuration information of the application to be detected may specifically be the configuration information of the application startup process in the running state. The configuration information of the operating system in the running state may include the configuration information of the system startup process in the running state (second configuration information) and the configuration information of the user login process (fourth configuration information). Unlike the initial information of the operating system, the running information must be obtained from the operating system in the running state, so the terminal device needs to access the operating system and obtain root permission on it in order to acquire the running information.
Both the configuration information of the system startup process in the initial state (first configuration information) and the configuration information of the system startup process in the running state (second configuration information) are information about the first process started by the operating system: the first configuration information describes that first process before it has started, and the second configuration information describes it after it has started. Once the system startup process is running, it spawns the other important system processes that perform the corresponding functions. In an operating system with a Linux kernel, the first process started by the system is generally the init process, which instructs the operating system to carry out a series of corresponding tasks at startup, such as starting user login, implementing run levels and handling orphaned processes. The process information of the init process is usually stored in the init.rc file and the rc.local file; both are scripts started as the system boots, and init.rc is started before rc.local. The init.rc file is a configuration file that specifies the behaviour and actions of the init process; the rc.local file records commands executed at system startup, which run after the system has started and before the user logs in. Therefore, the first configuration information and the second configuration information are usually also stored in the init.rc and rc.local files of the operating system. Similarly, in an operating system with a Linux kernel, the third configuration information and the fourth configuration information, which describe the user login process in the two states, are usually stored in the profile file of the operating system. The profile file is a script started when a user logs in to the operating system; it records commands to be executed at user login, which run after the system has started, when the user logs in. In addition, the path of the init.rc file in the system is "/system/core/rootdir/init.rc", the path of the rc.local file in the system is "/etc/init.rc", and the path of the profile file in the system is "/etc/profile". In an operating system with a Linux kernel, the configuration information of the application startup process of a legitimate application in the initial state (fifth configuration information) is usually stored in the AndroidManifest.xml file of that legitimate application, and the configuration information of the application startup process of the application to be detected in the running state (sixth configuration information) is usually stored in the AndroidManifest.xml file of the application to be detected. AndroidManifest.xml is an application manifest file located in the root directory of the application and contains the application's configuration information; the operating system runs the application's code, displays its interface and executes the corresponding functions according to the contents of this file.
Step 302: Compare the legitimate application information with the information on the application to be detected, or compare the configuration information in the initial state with the configuration information in the running state.
After obtaining the initial information and the running information of the operating system, the terminal device uses text comparison techniques to compare and analyse them: specifically, it compares the legitimate application information of the operating system with the information on the application to be detected, and compares the configuration information of the operating system in the initial state with the configuration information in the running state.
Further, the following comparisons can be made:
First: compare the first configuration information with the second configuration information;
Second: compare the third configuration information with the fourth configuration information;
Third: compare the application name in the legitimate application information of the operating system with the application name in the information on the application to be detected;
Fourth: compare the fifth configuration information with the sixth configuration information.
Because the above configuration information and application names are all stored in the corresponding configuration files (the first configuration information in the init.rc and rc.local configuration files in the initial state; the second configuration information in the init.rc and rc.local configuration files in the running state; the third configuration information in the profile configuration file in the initial state; the fourth configuration information in the profile configuration file in the running state; the application name of the legitimate application and the fifth configuration information in the AndroidManifest.xml configuration file of the legitimate application in the initial state; and the application name of the application to be detected and the sixth configuration information in the AndroidManifest.xml configuration file of the application to be detected in the running state), the terminal device can compare the hash values of the configuration files to determine whether the configuration information in the initial state is the same as that in the running state, and whether the application name in the legitimate application information is the same as the application name in the information on the application to be detected. A hash value is usually represented by a short string of seemingly random letters and digits. The hash value of a configuration file is computed by a hash algorithm, which is a method of creating a small digital "fingerprint" from data of any kind: it condenses a message or data into a digest, reducing the amount of data and fixing its format. The hash value of a configuration file is obtained together with the configuration information stored in that file. By comparing the hash values of two configuration files, the recipient of the configuration information can confirm the authenticity of its content and thus whether the contents of the two pieces of configuration information are the same. This comparison method effectively improves the efficiency of configuration information comparison.
Further, the application name in the legitimate application information and the application name in the information on the application to be detected can serve as the unique identifiers of the legitimate application and of the application to be detected respectively, so comparing the application names of the two applications can be used to distinguish whether they are the same application. Further, the application name may be given in the naming scheme of a computer programming language (such as a Java package); it serves to describe the application's program components, to publish the functions of those components externally, to declare the permissions the application requires, and so on.
It should be noted that the above four comparisons may be carried out as four parallel comparison schemes or as a progressive scheme in which they are performed one after another in sequence; the terminal device may select at least one of the above aspects for comparative analysis according to the requirements of different application scenarios. For example, the terminal device may perform the comparative analysis using any one of the four comparison methods above to obtain the detection result. Alternatively, the terminal device may first perform the comparative analysis using the first comparison method; if the first comparison method already confirms that the application to be detected is a malicious application, the detection result that the application to be detected is malicious is obtained at that point and the other three comparison methods are not performed. If the first comparison method cannot confirm that the application to be detected is malicious, the comparative analysis continues with the second comparison method; likewise, if the second comparison method confirms that the application to be detected is malicious, that detection result is obtained at that point and the remaining two comparison methods are not performed. If the second comparison method still cannot confirm that the application to be detected is malicious, the comparative analysis continues with the third comparison method; if the third comparison method confirms that the application to be detected is malicious, that detection result is obtained at that point and the remaining fourth comparison method is not performed. If the third comparison method still cannot confirm that the application to be detected is malicious, the comparative analysis continues with the fourth comparison method to obtain the final detection result.
Step 303: Where the above comparison results differ, determine that the application to be detected on the operating system is a malicious application.
The four comparison methods in step 302 yield corresponding comparison results, from which it can be determined whether the application to be detected on the operating system is a malicious application. As long as the comparison result of any one of the four comparison methods is "different", the application to be detected on the operating system can be determined to be a malicious application. That is, when the initial information and the running information of the operating system differ, the application to be detected can be determined to be malicious; on that basis, the terminal device can further determine the malice level of the application to be detected according to the specific difference between the initial information and the running information.
Further, where the first configuration information and the second configuration information differ, the application to be detected is determined to be a first-level malicious application, which represents the highest degree of maliciousness. A malicious application in this case starts itself automatically as the system startup process starts, and poses a considerable threat to the privacy information and security of the device.
Where the first configuration information and the second configuration information are the same and the third configuration information and the fourth configuration information differ, the application to be detected is determined to be a second-level malicious application. Because the first and second configuration information are the same, that is, the configuration information of the system startup process in the initial state is the same as that in the running state, the malice level of a second-level malicious application is lower than that of a first-level malicious application. A malicious application in this case starts itself automatically as the user login process starts, and poses a considerable threat to the privacy information and security of the device.
Where the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, and the application name in the legitimate application information differs from the application name in the information on the application to be detected, the application to be detected is determined to be a third-level malicious application. Because the first and second configuration information are the same and the third and fourth configuration information are the same, that is, the configuration information of the system startup process in the initial state is the same as that in the running state and the configuration information of the user login process in the initial state is the same as that in the running state, the malice level of a third-level malicious application is lower than that of a second-level or first-level malicious application. A malicious application in this case is not a legitimate application: it is neither an application pre-installed in the initial state of the operating system nor an application developed for the above operating system and published on a third-party application platform. It may be an application downloaded by the user through an unknown link or released on an unofficial platform (an irregular application market), whose security cannot be correspondingly guaranteed and which is very likely a malicious application packaged using techniques such as code obfuscation or packing.
When the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, the application name in the legitimate application information is the same as the application name in the application information to be detected, and the fifth configuration information differs from the sixth configuration information, the application to be detected is determined to be a fourth-level malicious application. Because the first and second configuration information are the same and the third and fourth configuration information are the same, that is, the configuration information of the system startup process of the operating system in the initial state is the same as that in the running state, the configuration information of the user login process of the operating system in the initial state is the same as that in the running state, and the application name in the legitimate application information is the same as that in the application information to be detected, the malicious level represented by a fourth-level malicious application is lower than the malicious levels represented by third-level, second-level and first-level malicious applications. It should be noted that, with this comparison result, the application name in the application information to be detected matching the application name in the legitimate application information indicates that the source of the application to be detected is legitimate: it may be an application pre-installed by the operating system in the initial state, or an application developed for the above operating system that the user downloaded from a third-party application platform. This does not mean, however, that the application to be detected is not malicious, because the configuration information of its application startup process may differ; in that case the application to be detected is still malicious, and its malicious behaviour manifests as automatically acquiring illegitimate permissions as the application startup process starts. For example, consider a "Weather" app downloaded by a user: when the user taps to launch it, the app's application startup process starts and enters the running state, and according to the configuration information of the application startup process it acquires, in order, the terminal device's geographic location permission, calendar permission and photo album permission. However, the application behaviour recorded in the configuration information of the "Weather" app's application startup process in the initial state is to acquire, in order, only the terminal device's geographic location permission and calendar permission. Therefore, the photo album permission is an illegitimate permission that the app acquires automatically once its application startup process starts; the configuration information of the "Weather" app's application startup process in the initial state differs from that in the running state, and the "Weather" app can be determined to be a fourth-level malicious application.
Further, with the above comparison result (the first and second configuration information are the same, the third and fourth configuration information are the same, the application name in the legitimate application information is the same as the application name in the application information to be detected, and the fifth and sixth configuration information differ), the malicious level of the application to be detected can be refined further. That is, under these conditions, if the application to be detected is an application pre-installed by the operating system in the initial state, it is determined to be a fourth-level malicious application; if the application to be detected is an application published by a third-party application platform and developed for the above operating system, it is determined to be a fifth-level malicious application. Because the user has no permission to uninstall applications pre-installed by the operating system in the initial state, whereas the user does have permission to uninstall applications published by a third-party application platform and developed for the above operating system, the malicious level represented by a fifth-level malicious application is lower than that represented by a fourth-level malicious application.
Further, in this embodiment of the present application, after the application to be detected on the operating system has been determined to be a malicious application and its malicious level has been determined, the storage path of the application to be detected can additionally be determined from the specific differences between the initial information and the running information of the operating system. For example, when the first configuration information differs from the second configuration information, the tags of the first configuration information and the tags of the second configuration information are parsed to obtain the tag content of each, the tag content of the first configuration information is compared with the tag content of the second configuration information, and the storage path of the application to be detected is determined from the difference in their content. Likewise, when the third configuration information differs from the fourth configuration information, the tags of the third and fourth configuration information are parsed to obtain their tag content, the tag content of the third configuration information is compared with that of the fourth, and the storage path of the application to be detected is determined from the difference in their content. When the fifth configuration information differs from the sixth configuration information, the tags of the fifth and sixth configuration information are parsed to obtain their tag content, the tag content of the fifth configuration information is compared with that of the sixth, and the storage path of the application to be detected is determined from the difference in their content.
In this embodiment of the present application, the configuration information of the operating system in the initial state is compared with its configuration information in the running state, and the legitimate application information of the operating system is compared with the application information to be detected, so as to check the security of the application to be detected and assess its malicious level. This saves a large amount of computing and storage resources and improves detection efficiency; it remains effective for detecting malicious applications whose code has changed or that use techniques such as code obfuscation and packing, which improves the accuracy of the detection results.
Please refer to FIG. 4, which is a schematic flowchart of another malicious application detection method provided by an embodiment of the present application; it can also be understood as a supplement to the flowchart of the malicious application detection method in FIG. 3.
As shown in FIG. 4, the terminal device first establishes an initial database, which mainly includes the legitimate application information of the operating system and the configuration information of the operating system in the initial state (see step 401). The terminal device is an electronic device running an operating system with a Linux kernel, such as a mobile phone, computer, in-vehicle unit or smart wearable device running the Android system. The initial state refers to the state before the operating system runs for the first time: either the unused state after leaving the factory and before the first run, or the unused state before the first run after the vendor subsequently releases an updated version of the operating system. The configuration information of the operating system in the initial state mainly includes the configuration information of the system startup process of the operating system in the initial state (the first configuration information above) and the configuration information of the user login process of the operating system (the third configuration information above). The first configuration information is usually stored in the operating system's init.rc and rc.local files, and the third configuration information is usually stored in the operating system's profile file. The legitimate application information of the operating system mainly includes information about legitimate applications, such as the application name of a legitimate application and the configuration information of the legitimate application, where the configuration information of the legitimate application may specifically be the configuration information of its application startup process in the initial state (the fifth configuration information). The information in the initial database can be obtained without accessing the operating system: the terminal device can obtain the configuration information of the operating system in the initial state by downloading it from platforms such as the official website on which the operating system is released, and obtain the application information of a legitimate application by downloading it from platforms such as the official website on which the legitimate application is released.
Next, the terminal device accesses the Android system and obtains the application information to be detected and the configuration information of the operating system in the running state (see step 402). The running state is the state in which the operating system is in use after leaving the factory or after being updated. The configuration information of the operating system in the running state mainly includes the configuration information of the system startup process of the operating system in the running state (the second configuration information above) and the configuration information of the user login process of the operating system (the fourth configuration information above). The second configuration information is usually stored in the operating system's init.rc and rc.local files, and the fourth configuration information is usually stored in the operating system's profile file. In addition, the path of the init.rc file in the operating system is "/system/core/rootdir/init.rc", the path of the rc.local file in the operating system is "/etc/init.rc", and the path of the profile file in the operating system is "/etc/profile". The application information to be detected of the operating system mainly includes information about applications to be detected, such as the application name of an application to be detected and the configuration information of the application to be detected, where the configuration information of the application to be detected may specifically be the configuration information of its application startup process in the running state (the sixth configuration information).
Next, the terminal device compares the configuration information of the operating system in the initial state with that in the running state and determines whether the configuration information in the two states is the same (see step 403). Specifically, the configuration information of the system startup process of the operating system in the initial state is compared with that in the running state, or the configuration information of the user login process of the operating system in the initial state is compared with that in the running state, and for each pair it is determined whether the two are the same.
If the comparison result of step 403 is that they differ, the application to be detected can be determined to be a malicious application, and the init.rc and rc.local files, or the profile file, are parsed to determine the path of the malicious application (see step 404). Specifically, if the comparison result between the first configuration information and the second configuration information is that they differ, the application to be detected is determined to be a first-level malicious application; the tags of the init.rc file in the initial state and in the running state are parsed, the tags of the rc.local file in the initial state and in the running state are parsed, and the path of the malicious application is determined from the difference in tag content between the two states. If the comparison result between the third configuration information and the fourth configuration information is that they differ, the application to be detected is determined to be a second-level malicious application, which represents a lower degree of maliciousness than the first-level malicious application; the tags of the profile file in the initial state and in the running state are parsed, and the path of the malicious application is determined from the difference in tag content between the two states.
Otherwise, if the comparison result of step 403 is that they are the same, the terminal device compares the legitimate application information in the initial database with the application information to be detected in the running state of the operating system (see step 405). Specifically, the application name in the legitimate application information of the operating system is compared with the application name in the application information to be detected, or the configuration information of the application startup process of the application to be detected in the running state is compared with the configuration information of the application startup process of the legitimate application with the same name, and for each pair it is determined whether the two are the same.
First, the application name in the legitimate application information of the operating system is compared with the application name in the application information to be detected, and it is determined whether the two application names are the same (see step 406).
If the comparison result of step 406 is that they differ, the application to be detected is determined to be a third-level malicious application, which represents a malicious level lower than those of the first-level and second-level malicious applications above (see step 407).
Otherwise, if the comparison result of step 406 is that they are the same, the configuration information of the application startup process of the application to be detected in the running state is compared with the configuration information of the application startup process of the legitimate application with the same name (see step 408), and it is determined whether the two are the same.
If the configuration information compared in step 408 differs, the application to be detected is determined to be a fourth-level malicious application, and the configuration information in the two states is parsed to determine the malicious behaviour that may be performed (see step 409).
Further, in step 409, the malicious level of the application to be detected can be refined: when the first and second configuration information are the same, the third and fourth configuration information are the same, the application name of the application to be detected is the same as that of the legitimate application, and the fifth and sixth configuration information differ, if the application to be detected is an application pre-installed by the operating system in the initial state, it is determined to be a fourth-level malicious application; if the application to be detected is an application published by a third-party application platform and developed for the above operating system, it is determined to be a fifth-level malicious application. Because the user has no permission to uninstall applications pre-installed by the operating system in the initial state, whereas the user does have permission to uninstall applications published by a third-party application platform and developed for the above operating system, the malicious level represented by a fifth-level malicious application is lower than that represented by a fourth-level malicious application.
Optionally, once the application to be detected has been determined to be a malicious application, scoring rules can be formulated to score it and so distinguish malicious applications of different malicious levels. For example, the scoring rules for malicious applications are as follows:
An application to be detected that is determined to be a first-level malicious application because the first and second configuration information differ, and that starts automatically with the system startup process, is scored 5 points;
An application to be detected that is determined to be a second-level malicious application because the third and fourth configuration information differ, and that starts automatically with the user login process of the operating system, is scored 4 points;
An application to be detected that is determined to be a third-level malicious application because its application name differs from the application name of the legitimate application, and whose source is therefore illegitimate, is scored 3 points;
An application to be detected for which the fifth and sixth configuration information differ, if it is an application pre-installed by the operating system in the initial state, is determined to be a fourth-level malicious application and scored 2 points;
An application to be detected for which the fifth and sixth configuration information differ, if it is an application published by a third-party application platform and developed for the above operating system, is determined to be a fifth-level malicious application and scored 1 point.
The higher the score, the higher the malicious level and the greater the degree of maliciousness. The scoring may follow the highest-score principle: when the application to be detected satisfies more than one of the five scoring rules above, it is scored at the highest applicable score, from which it also follows that a first-level malicious application has the greatest degree of maliciousness and the subsequent levels decrease in turn. The scoring may instead follow the cumulative principle: when the application to be detected satisfies more than one of the five scoring rules, the scores of the satisfied rules are summed to obtain the final score of the application to be detected.
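The five-level grading and the two scoring principles above, carried through in code as an added example that is not part of the patent; the ConfigSnapshot structure, the rule names and the sample snapshots are constructed for illustration.

```python
"""Five-level malicious grading from the six configuration comparisons, plus the
highest-score and cumulative scoring principles. Added example, not the patent's
code; ConfigSnapshot, the rule names and the samples are assumptions."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Set, Tuple

# Points for the five scoring rules, as given on the page (5 down to 1).
RULE_SCORES: Dict[str, int] = {
    "level1_system_startup": 5,   # first != second config (init.rc / rc.local)
    "level2_user_login": 4,       # third != fourth config (profile)
    "level3_unknown_source": 3,   # app name absent from legitimate app info
    "level4_preinstalled": 2,     # fifth != sixth config, pre-installed app
    "level5_third_party": 1,      # fifth != sixth config, third-party app
}
RULE_LEVEL: Dict[str, int] = {rule: i + 1 for i, rule in enumerate(RULE_SCORES)}


@dataclass
class ConfigSnapshot:
    """Configuration information of the OS in one state (initial or running)."""
    system_startup: str                                   # init.rc + rc.local text
    user_login: str                                       # profile text
    apps: Dict[str, str] = field(default_factory=dict)    # app name -> startup config
    preinstalled: Set[str] = field(default_factory=set)   # names pre-installed by the OS


def matched_rules(initial: ConfigSnapshot, running: ConfigSnapshot, app: str) -> List[str]:
    """Evaluate each of the five rules independently for application `app`."""
    hits: List[str] = []
    if initial.system_startup != running.system_startup:
        hits.append("level1_system_startup")
    if initial.user_login != running.user_login:
        hits.append("level2_user_login")
    if app not in initial.apps:                        # name not in legitimate info
        hits.append("level3_unknown_source")
    elif initial.apps[app] != running.apps.get(app):   # fifth != sixth config
        hits.append("level4_preinstalled" if app in initial.preinstalled
                    else "level5_third_party")
    return hits


def score(rules: List[str], principle: str = "highest") -> int:
    """Combine matched rules: 'highest' takes the maximum, 'cumulative' sums."""
    if not rules:
        return 0
    points = [RULE_SCORES[r] for r in rules]
    if principle == "highest":
        return max(points)
    if principle == "cumulative":
        return sum(points)
    raise ValueError(f"unknown scoring principle: {principle}")


def grade(initial: ConfigSnapshot, running: ConfigSnapshot, app: str) -> Tuple[int, int, int]:
    """Return (malicious level, highest-principle score, cumulative score).
    Level 0 means no rule matched, i.e. the app is not flagged by this method."""
    rules = matched_rules(initial, running, app)
    level = min((RULE_LEVEL[r] for r in rules), default=0)
    return level, score(rules, "highest"), score(rules, "cumulative")


# Constructed sample: the "Weather" app of the page, obtained from a third-party
# platform, whose running startup config requests one permission more.
INITIAL = ConfigSnapshot(
    system_startup="service zygote /system/bin/app_process\n    class main\n",
    user_login="export PATH=/system/bin\n",
    apps={"Weather": "ACCESS_FINE_LOCATION,READ_CALENDAR", "Dialer": "CALL_PHONE"},
    preinstalled={"Dialer"},
)
RUNNING = ConfigSnapshot(
    system_startup=INITIAL.system_startup,
    user_login=INITIAL.user_login,
    apps={"Weather": "ACCESS_FINE_LOCATION,READ_CALENDAR,READ_MEDIA_IMAGES",
          "Dialer": "CALL_PHONE", "FreeCoupons": "READ_SMS"},
    preinstalled={"Dialer"},
)
# Same device, but init.rc also gained a service line (constructed placeholder path).
RUNNING_TAMPERED = replace(
    RUNNING,
    system_startup=INITIAL.system_startup + "service example_svc /data/local/tmp/example_svc\n",
)

if __name__ == "__main__":
    for name in ("Weather", "Dialer", "FreeCoupons"):
        print(name, matched_rules(INITIAL, RUNNING, name), grade(INITIAL, RUNNING, name))
    print("Weather (tampered init.rc)", grade(INITIAL, RUNNING_TAMPERED, "Weather"))
```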
Please refer to FIG. 5, which is a schematic flowchart of yet another malicious application detection method provided by an embodiment of the present application; it can also be understood as a supplement to the flowcharts of the malicious application detection methods in FIG. 3 and FIG. 4.
This embodiment provides a specific process for comparing the configuration information of the system startup process of the operating system. As shown in FIG. 5, first the most recently updated init.rc/rc.local file is obtained (see step 501); this init.rc/rc.local file contains the configuration information of the system startup process of the operating system in the initial state and can be downloaded from platforms such as the official website on which the operating system is released. Next, the target Android system is accessed with root privileges and the init.rc/rc.local file of the target Android system in the running state is obtained (see step 502); this init.rc/rc.local file contains the configuration information of the system startup process of the operating system in the running state, the path of the init.rc file in the operating system being "/system/core/rootdir/init.rc" and the path of the rc.local file being "/etc/init.rc". Then, the two init.rc/rc.local files are compared and the file tags are parsed (see step 503): specifically, the init.rc/rc.local files in the initial state and in the running state are compared by tag content, and the text under tags whose content differs is parsed; the tags of the file include Actions, Commands, Services and Options. Finally, the malicious level and path of the application to be detected are determined (see step 504): when the init.rc/rc.local files in the initial state and in the running state differ, the application can be scored 5 points according to the scoring rules of FIG. 4 above and determined to be a first-level malicious application, and the parsed text is traced level by level to determine the path of the malicious application.
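The section-level comparison of steps 501 to 504, as an added example rather than the patent's own implementation: it splits an init.rc-style file into its on/service/import sections, reports the lines the running state adds, and traces them to a filesystem path. The two file contents are constructed samples, and the service name and path in them are placeholders.

```python
"""Compare an init.rc-style file in its initial and running states by section
(steps 501-504). Added example, not the patent's code; sample contents constructed."""
import re
from typing import Dict, List, Tuple

# A section starts at a line whose first word is on / service / import.
SECTION_RE = re.compile(r"^(on|service|import)\b")
# An absolute path token (preceded by whitespace or line start).
PATH_RE = re.compile(r"(?<!\S)/[\w./-]+")

Sections = Dict[str, List[str]]   # header line -> command/option lines


def parse_rc(text: str) -> Sections:
    """Split init.rc text into sections; blank lines and comments are dropped.
    Indented lines that follow a header are its commands and options."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_RE.match(line):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def compare_rc(initial_text: str, running_text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (added, removed): per running-state section, the lines the initial
    state lacks (a wholly new section contributes its header too), and the
    headers of sections present initially but gone in the running state."""
    initial, running = parse_rc(initial_text), parse_rc(running_text)
    added: Dict[str, List[str]] = {}
    for header, body in running.items():
        if header not in initial:
            added[header] = [header] + body
        else:
            extra = [line for line in body if line not in initial[header]]
            if extra:
                added[header] = extra
    removed = [h for h in initial if h not in running]
    return added, removed


def suspect_paths(added: Dict[str, List[str]]) -> List[str]:
    """Trace the differing tag content to the paths it references (step 504)."""
    paths: List[str] = []
    for lines in added.values():
        for line in lines:
            for path in PATH_RE.findall(line):
                if path not in paths:
                    paths.append(path)
    return paths


def classify(initial_text: str, running_text: str) -> Tuple[int, int, List[str]]:
    """(level, score, paths): first-level / 5 points when the files differ."""
    added, removed = compare_rc(initial_text, running_text)
    if not added and not removed:
        return 0, 0, []
    return 1, 5, suspect_paths(added)


# Constructed sample: a minimal init.rc as shipped (initial state).
INITIAL_RC = """\
# constructed sample, not a real init.rc
import /init.usb.rc

on boot
    class_start core
    class_start main

service zygote /system/bin/app_process -Xzygote /system/bin --zygote
    class main
    socket zygote stream 660 root system
"""

# Constructed sample: the same file read from the running device, where an extra
# service and a start command for it have appeared (placeholder name and path).
RUNNING_RC = """\
# constructed sample, not a real init.rc
import /init.usb.rc

on boot
    class_start core
    class_start main
    start example_svc

service zygote /system/bin/app_process -Xzygote /system/bin --zygote
    class main
    socket zygote stream 660 root system

service example_svc /data/local/tmp/example_svc --daemon
    class main
    user root
"""

if __name__ == "__main__":
    added, removed = compare_rc(INITIAL_RC, RUNNING_RC)
    for header, lines in added.items():
        print(header, "->", lines)
    print("removed:", removed)
    print(classify(INITIAL_RC, RUNNING_RC))
```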
Likewise, a corresponding specific process can be provided for comparing the configuration information of the user login process of the operating system. First, the most recently updated profile file is obtained; this profile file contains the configuration information of the user login process of the operating system in the initial state and can be downloaded from platforms such as the official website on which the operating system is released. Next, the target Android system is accessed with root privileges and the profile file of the target Android system in the running state is obtained; this profile file contains the configuration information of the user login process of the operating system in the running state, the path of the profile file in the operating system being "/etc/profile". Then, the two profile files are compared and the file tags are parsed: specifically, the profile files in the initial state and in the running state are compared by tag content, and the text under tags whose content differs is parsed; the tags of the file include Actions, Commands, Services and Options. Finally, the malicious level and path of the application to be detected are determined: when the profile files in the initial state and in the running state differ, the application can be scored 4 points according to the scoring rules of FIG. 4 above and determined to be a second-level malicious application, and the parsed text is traced level by level to determine the path of the malicious application.
Please refer to FIG. 6, which is a schematic flowchart of yet another malicious application detection method provided by an embodiment of the present application; it can also be understood as a supplement to the flowcharts of the malicious application detection methods in FIG. 3 and FIG. 4.
This embodiment provides a specific process for comparing the configuration information of an application to be detected on the operating system. As shown in FIG. 6, first the Androidmanifest.xml file of an application pre-installed by the operating system is obtained (see step 601); this Androidmanifest.xml file contains the configuration information of the application startup process of the pre-installed application in the initial state and can be downloaded from platforms such as the official website on which the application is released. Next, the target Android system is accessed with root privileges and the Androidmanifest.xml file of the application to be detected in the running state of the target Android system is obtained (see step 602); this Androidmanifest.xml file contains the configuration information of the application startup process of the application to be detected in the running state. Then, the two Androidmanifest.xml files are compared and the file tags are parsed (see step 603): specifically, the Androidmanifest.xml files in the initial state and in the running state are compared by tag content, and the text under tags whose content differs is parsed; the tags of the file include Actions, Commands, Services and Options. Finally, the malicious level and path of the application to be detected are determined (see step 604): when the Androidmanifest.xml files in the initial state and in the running state differ, the application can be scored 2 points according to the scoring rules of FIG. 4 above and determined to be a fourth-level malicious application, which the user has no permission to uninstall, and the parsed text is traced level by level to determine the path of the malicious application.
Similarly, another specific process can be provided for comparing the configuration information of the application to be detected on the operating system. First, the AndroidManifest.xml file of an application developed for the above operating system and published on a third-party application platform is obtained; this AndroidManifest.xml file contains the configuration information of the application startup process of that application in the initial state and can be downloaded from the corresponding third-party application platform. Next, the target Android system is accessed with root privileges, and the AndroidManifest.xml file of the application to be detected in the running state of the target Android system is obtained; this AndroidManifest.xml file contains the configuration information of the application startup process of the application to be detected in the running state. Then, the two AndroidManifest.xml files are compared and the file tags are parsed: specifically, the AndroidManifest.xml files in the initial state and in the running state are compared tag by tag, and the text content under the tags whose content differs is parsed; the tags of the file include actions (Actions), commands (Commands), services (Services), options (Options) and so on. Finally, the malicious level and path of the application to be detected are determined: where the AndroidManifest.xml files in the initial state and in the running state differ, the application can be scored 1 point according to the scoring rule in FIG. 4 above and is determined to be a fifth-level malicious application, for which the user has uninstall permission, and the parsed text content is traced step by step to determine the path of the malicious application.
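One way to carry out steps 601 to 604 in code, added here as an example that is not part of the patent or of any vendor implementation. It parses two AndroidManifest.xml texts, indexes the tagged items that decide what the application starts (uses-permission, activity, service, receiver and provider, keyed by tag and android:name together with the intent-filter actions beneath them), reports the items added, changed or removed at run time, and applies the page's rule: any difference marks the application malicious, scored 2 points / fourth level for a preinstalled application and 1 point / fifth level for a third-party one, with the names of the differing items serving as the path. Both manifests are constructed samples; the package name, component names and helper names are assumptions. Two practical notes: the manifest inside an installed APK is binary XML, so step 602 has to decode it (for instance with aapt dump xmltree or apktool) before a text comparison is possible; and the element names used here (activity, service, receiver, provider and the action children of intent-filter) are the ones an AndroidManifest.xml actually carries, whereas Actions, Commands, Services and Options are the section types of the init.rc language.

```python
"""Tag-by-tag comparison of two AndroidManifest.xml files (FIG. 6, steps 601-604).
Added example; the manifests below are constructed samples."""
import xml.etree.ElementTree as ET

NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"
# Elements whose presence or content decides what the application starts.
TRACKED_TAGS = ("uses-permission", "activity", "service", "receiver", "provider")

# Constructed manifest as published with the preinstalled app (initial state).
INITIAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.preinstalled">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:name=".App">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

# Constructed manifest read from the rooted device (running state): an extra
# permission and a receiver that starts the app at boot have appeared.
RUNNING_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.preinstalled">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:name=".App">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService"/>
    <receiver android:name="com.example.preinstalled.BootHook">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def index_manifest(xml_text):
    """Return (package, {(tag, android:name): sorted intent-filter actions}).

    Keying on tag plus name and comparing the actions beneath each element
    is the 'compare by tag content' of step 603."""
    root = ET.fromstring(xml_text)
    index = {}
    for elem in root.iter():
        if elem.tag in TRACKED_TAGS:
            actions = tuple(sorted(a.get(NAME_ATTR, "") for a in elem.iter("action")))
            index[(elem.tag, elem.get(NAME_ATTR, ""))] = actions
    return root.get("package", ""), index


def _qualify(pkg, name):
    """Expand the '.Class' shorthand to a fully qualified component name."""
    return pkg + name if name.startswith(".") else name


def diff_manifests(initial_xml, running_xml):
    """Items added, changed or removed at run time, as (tag, name, actions)."""
    pkg, initial = index_manifest(initial_xml)
    _, running = index_manifest(running_xml)
    diff = {"added": [], "changed": [], "removed": []}
    for key in running.keys() - initial.keys():
        diff["added"].append((key[0], _qualify(pkg, key[1]), running[key]))
    for key in initial.keys() - running.keys():
        diff["removed"].append((key[0], _qualify(pkg, key[1]), initial[key]))
    for key in initial.keys() & running.keys():
        if initial[key] != running[key]:
            diff["changed"].append((key[0], _qualify(pkg, key[1]), running[key]))
    for bucket in diff.values():
        bucket.sort()
    return diff


def assess(initial_xml, running_xml, third_party=False):
    """Step 604: any difference marks the app malicious.  Score and level follow
    the page: 2 points / fourth level for a preinstalled app, 1 point / fifth
    level for a third-party app.  'path' lists the differing items' names,
    which is what tracing the parsed text content yields."""
    diff = diff_manifests(initial_xml, running_xml)
    if not any(diff.values()):
        return {"malicious": False, "score": 0, "level": None, "path": []}
    score, level = (1, 5) if third_party else (2, 4)
    path = sorted(name for bucket in diff.values() for _t, name, _a in bucket)
    return {"malicious": True, "score": score, "level": level, "path": path}


if __name__ == "__main__":
    print(assess(INITIAL_MANIFEST, RUNNING_MANIFEST))
```

Run as a script, it reports the boot receiver and the boot permission as the differing items of a fourth-level (2-point) detection; pass third_party=True to apply the 1-point, fifth-level rule of the second process.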
The methods of the embodiments of the present application are described in detail above; the apparatuses of the embodiments of the present application are provided below.
Please refer to FIG. 7. FIG. 7 is a schematic structural diagram of a malicious application detection apparatus provided by an embodiment of the present application. The malicious application detection apparatus 70 may include an acquiring unit 701, a comparing unit 702 and a determining unit 703, which are described as follows:
The acquiring unit 701 is configured to acquire initial information of an operating system, where the initial information includes legitimate application information of the operating system or configuration information of the operating system in an initial state, the initial state being the state of the operating system before it is run for the first time;
the acquiring unit 701 is further configured to acquire running information of the operating system, where the running information includes information on the application to be detected on the operating system or configuration information of the operating system in a running state;
the comparing unit 702 is configured to compare the legitimate application information with the information on the application to be detected, or to compare the configuration information in the initial state with the configuration information in the running state, to obtain a comparison result;
the determining unit 703 is configured to determine, where the comparison result shows that the two differ, that the application to be detected on the operating system is a malicious application.
In the embodiments of the present application, a malicious application detection method is provided that, based on text comparison, takes the configuration information of the operating system and the application information of applications as the two items of comparison content.
Compared with the many detection methods currently in use that "detect the application itself", the malicious application detection method provided by the embodiments of the present application saves a large amount of computing and storage resources and improves detection efficiency; it also remains effective for malicious applications whose code has changed or that use code obfuscation, packing and similar techniques, improving the accuracy of the detection results.
In a possible implementation, the comparing unit 702 is specifically configured to compare a hash value of the configuration information of the operating system in the initial state with a hash value of the configuration information of the operating system in the running state.
In the embodiments of the present application, hash values are compared to determine whether the configuration information in the initial state and the configuration information in the running state are the same. The hash value of the configuration information of the operating system in the initial state is compared with the hash value of the configuration information of the operating system in the running state; the hash value of the configuration information is obtained together with the configuration information itself. By comparing the hash values of the two pieces of configuration information, the receiver of the configuration information can confirm the authenticity of its content and thereby confirm whether the contents of the two pieces of configuration information are the same. This comparison method effectively improves the efficiency of configuration information comparison.
In a possible implementation, the comparing unit 702 is specifically further configured to compare first configuration information with second configuration information, where the first configuration information is the configuration information of the system startup process of the operating system in the initial state, and the second configuration information is the configuration information of the system startup process of the operating system in the running state;
or,
the comparing unit 702 is specifically further configured to compare third configuration information with fourth configuration information, where the third configuration information is the configuration information of the process by which a user logs in to the operating system in the initial state, and the fourth configuration information is the configuration information of the process by which a user logs in to the operating system in the running state.
In this implementation, the configuration information of the system startup process of the operating system in the initial state and in the running state is compared, or the configuration information of the process by which a user logs in to the operating system in the initial state and in the running state is compared. Through the content comparison described in this implementation, the configuration information under the operating mechanism of the operating system can be examined from the perspective of the operating system level; detection remains effective for high-threat malicious applications processed with hiding and disguise techniques, and detection efficiency and the accuracy of the detection results are improved.
In a possible implementation, the comparing unit 702 is specifically further configured to compare the application name in the legitimate application information with the application name in the information on the application to be detected;
or,
the comparing unit 702 is specifically further configured to compare fifth configuration information with sixth configuration information, where the fifth configuration information includes the configuration information of the application startup process of the application to be detected in the initial state, and the sixth configuration information includes the configuration information of the application startup process of the application to be detected in the running state.
In this implementation, the application name in the legitimate application information is compared with the application name in the information on the application to be detected, or the configuration information of the application startup process of the application to be detected in the initial state and in the running state is compared. Through the content comparison described in this implementation, the configuration information of the application startup process in the initial state and in the running state can be examined from the perspective of the application level, in combination with the operating mechanism of the operating system; detection remains effective for high-threat malicious applications processed with hiding and disguise techniques, a large amount of computing and storage resources is saved, and detection efficiency and the accuracy of the detection results are improved.
In a possible implementation, the determining unit 703 is further configured to determine the malicious level of the application to be detected according to the initial information and the running information.
In the embodiments of the present application, when the initial information and the running information differ, the application to be detected is determined to be a malicious application; on that premise, the malicious level of the application to be detected is further determined according to the specific difference between the initial information and the running information. Determining the malicious level of the application to be detected in this way makes it possible to evaluate how much of a threat the application poses to the terminal device, which in turn provides a basis for subsequently taking measures of different strength against the malicious application to reduce or eliminate the possible threat, improving the security and overall stability of the application running environment.
In a possible implementation, the determining unit 703 is specifically configured to determine, where the first configuration information and the second configuration information differ, that the application to be detected is a first-level malicious application;
the determining unit 703 is specifically further configured to determine, where the first configuration information and the second configuration information are the same and the third configuration information and the fourth configuration information differ, that the application to be detected is a second-level malicious application, where the malicious level of a second-level malicious application is lower than that of a first-level malicious application.
In the embodiments of the present application, an implementation is provided for determining the malicious level of the application to be detected where information at the operating system level differs. When the first configuration information and the second configuration information differ, the application to be detected is determined to be a first-level malicious application, which denotes the highest degree of maliciousness. When the first configuration information and the second configuration information are the same and the third configuration information and the fourth configuration information differ, the application to be detected is determined to be a second-level malicious application: since the configuration information of the system startup process of the operating system in the initial state and in the running state is the same, the malicious level denoted by a second-level malicious application is lower than that denoted by a first-level malicious application.
In a possible implementation, the determining unit 703 is specifically further configured to determine, where the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, and the application name in the legitimate application information differs from the application name in the information on the application to be detected, that the application to be detected is a third-level malicious application, where the malicious level of a third-level malicious application is lower than that of a second-level malicious application.
In the embodiments of the present application, an implementation is provided for determining the malicious level of the application to be detected where information at the application level differs. When the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, and the application name in the legitimate application information differs from the application name in the information on the application to be detected, the application to be detected is determined to be a third-level malicious application: since the configuration information of the system startup process of the operating system in the initial state and in the running state is the same, and the configuration information of the user-login process of the operating system in the initial state and in the running state is also the same, the malicious level denoted by a third-level malicious application is lower than those denoted by second-level and first-level malicious applications.
In a possible implementation, the determining unit 703 is specifically further configured to determine, where the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, the application name in the legitimate application information is the same as the application name in the information on the application to be detected, and the fifth configuration information and the sixth configuration information differ, that the application to be detected is a fourth-level malicious application, where the malicious level of a fourth-level malicious application is lower than that of a third-level malicious application.
In the embodiments of the present application, another implementation is provided for determining the malicious level of the application to be detected where information at the application level differs. When the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, the application name in the legitimate application information is the same as the application name in the information on the application to be detected, and the fifth configuration information and the sixth configuration information differ, the application to be detected is determined to be a fourth-level malicious application: since the configuration information of the system startup process of the operating system in the initial state and in the running state is the same, the configuration information of the user-login process of the operating system in the initial state and in the running state is the same, and the application name in the legitimate application information is the same as that in the information on the application to be detected, the malicious level denoted by a fourth-level malicious application is lower than those denoted by third-level, second-level and first-level malicious applications.
In a possible implementation, the operating system includes a system using the Linux kernel.
In the embodiments of the present application, the operating system includes systems using the Linux kernel. The first process started by a system using the Linux kernel is generally the init process, and its configuration information is usually stored in the init.rc file (this is the Android init program; other Linux distributions use other init systems, such as systemd, whose unit files play the same role); therefore, systems using the Linux kernel are all applicable to the malicious application detection method described in the embodiments of the present application.
In a possible implementation, the determining unit 703 is further configured to determine the storage path of the application to be detected according to the initial information and the running information.
In the embodiments of the present application, when the initial information and the running information differ, the application to be detected is determined to be a malicious application; on that premise, the storage path of the application to be detected is further determined according to the specific difference between the initial information and the running information. Where the first configuration information and the second configuration information differ, the tags of the first configuration information and of the second configuration information are parsed to obtain their tag contents, the tag content of the first configuration information is compared with that of the second configuration information, and the storage path of the application to be detected is determined from the difference between the two. Likewise, where the third configuration information and the fourth configuration information differ, their tags are parsed to obtain their tag contents, the tag content of the third configuration information is compared with that of the fourth configuration information, and the storage path of the application to be detected is determined from the difference between the two. Where the fifth configuration information and the sixth configuration information differ, their tags are parsed to obtain their tag contents, the tag content of the fifth configuration information is compared with that of the sixth configuration information, and the storage path of the application to be detected is determined from the difference between the two. With the method of determining the storage path in this implementation, the storage path of the malicious application can be determined quickly, and the malicious application can subsequently be handled according to that storage path, for example by uninstalling it or restricting the permissions it can obtain, improving the security of the operating system running environment.
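An added example, not the patent's or any vendor's code, covering three passages above together: the hash comparison of the comparing unit 702, the level assignment of the first- to fourth-level implementations, and the storage-path tracing of the determining unit 703. The init.rc fragments are constructed samples in the Android init language; the service name hlp, its path /system/xbin/.hlp and all helper names are assumptions, and the fifth level for a third-party application's manifest follows the FIG. 6 discussion above. Two caveats a practitioner would add: a hash comparison is only as trustworthy as its baseline, and a malicious application running as root can rewrite both init.rc and any hash stored beside it, so the initial-state hash should be taken from the factory image or a vendor-signed copy rather than read back from the same device; and on current Android, init.rc imports further .rc files from the etc/init directories of the system, vendor and odm partitions, so a complete comparison covers those as well.

```python
"""Hash check, init.rc service-path tracing and level determination.
Added example; the init.rc fragments below are constructed samples."""
import hashlib

# Constructed initial-state init.rc (as in the factory image).
INITIAL_INIT_RC = """\
on boot
    class_start core
    class_start main

service surfaceflinger /system/bin/surfaceflinger
    class core
    user system

service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote
    class main
"""

# Constructed running-state copy: one service line has been appended.
# The name 'hlp' and the path are assumptions for the example.
RUNNING_INIT_RC = INITIAL_INIT_RC + """
service hlp /system/xbin/.hlp --daemon
    class main
    user root
    disabled
"""


def config_hash(text):
    """SHA-256 of the configuration text; this is the value compared first."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hashes_match(initial_text, running_text):
    return config_hash(initial_text) == config_hash(running_text)


def service_paths(text):
    """Map service name -> executable path from 'service NAME PATH ...' lines
    (the Services section of the init.rc language)."""
    paths = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "service":
            paths[parts[1]] = parts[2]
    return paths


def changed_paths(initial_text, running_text):
    """Executable paths of services added or repointed at run time: the
    step-by-step trace of the differing text that yields the storage path."""
    before = service_paths(initial_text)
    after = service_paths(running_text)
    return sorted(after[name] for name in after
                  if name not in before or before[name] != after[name])


def malicious_level(sys_start_same, login_same, name_same, app_start_same,
                    third_party=False):
    """Levels 1-4 as stated on the page, checked in that order; level 5 for a
    third-party app's manifest (the page's 1-point case).  None: no difference."""
    if not sys_start_same:
        return 1
    if not login_same:
        return 2
    if not name_same:
        return 3
    if not app_start_same:
        return 5 if third_party else 4
    return None


def detect_system_startup(initial_text, running_text):
    """First/second configuration information: hash first, parse only on
    mismatch.  A mismatch here is the first-level case."""
    if hashes_match(initial_text, running_text):
        return {"malicious": False, "level": None, "paths": []}
    return {"malicious": True,
            "level": malicious_level(False, True, True, True),
            "paths": changed_paths(initial_text, running_text)}


if __name__ == "__main__":
    print(detect_system_startup(INITIAL_INIT_RC, RUNNING_INIT_RC))
```

The hash check is a cheap gate: identical hashes end the comparison, while a mismatch triggers the line-level parse that localizes the change, since the hash alone says nothing about where the difference lies.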
According to the embodiments of the present application, the units in the apparatus shown in FIG. 7 may be combined, individually or all together, into one or several other units, or one or more of them may be further split into several functionally smaller units; this achieves the same operations without affecting the realization of the technical effects of the embodiments of the present application. The above units are divided on the basis of logical function; in practical applications, the function of one unit may also be implemented by several units, or the functions of several units by one unit. In other embodiments of the present application, the apparatus, which may be based on a network device, may also include other units, and in practical applications these functions may also be implemented with the assistance of other units or by the cooperation of several units.
It should be noted that the implementation of each unit may also refer to the corresponding descriptions of the method embodiments shown in FIG. 3, FIG. 4, FIG. 5 and FIG. 6.
In the malicious application detection apparatus 70 described in FIG. 7, text comparison is used to compare the configuration information of the operating system in the initial state with that in the running state, and to compare the legitimate application information of the operating system with the information on the application to be detected, so as to check the security of the application to be detected and evaluate its malicious level. This saves a large amount of computing and storage resources and improves detection efficiency, and detection remains effective for malicious applications whose code has changed or that use code obfuscation, packing and similar techniques, improving the accuracy of the detection results.
Please refer to FIG. 8. FIG. 8 is a schematic structural diagram of a terminal device 80 provided by an embodiment of the present application. The terminal device 80 may include a memory 801 and a processor 802, and further optionally a communication interface 803 and a bus 804, where the memory 801, the processor 802 and the communication interface 803 are communicatively connected to one another through the bus 804. The communication interface 803 is used for exchanging data with the malicious application detection apparatus 70 described above.
The memory 801 is used to provide storage space, in which data such as an operating system and computer programs can be stored. The memory 801 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) or compact disc read-only memory (CD-ROM).
The processor 802 is a module that performs arithmetic and logical operations, and may be one of, or a combination of, processing modules such as a central processing unit (CPU), a graphics processing unit (GPU) or a microprocessor unit (MPU).
A computer program is stored in the memory 801, and the processor 802 calls the computer program stored in the memory 801 to execute the malicious application detection methods shown in FIG. 3, FIG. 4, FIG. 5 and FIG. 6 above:
acquiring initial information of an operating system, where the initial information includes legitimate application information of the operating system or configuration information of the operating system in an initial state, the initial state being the state of the operating system before it is run for the first time;
acquiring running information of the operating system, where the running information includes information on the application to be detected on the operating system or configuration information of the operating system in a running state;
comparing the legitimate application information with the information on the application to be detected, or comparing the configuration information in the initial state with the configuration information in the running state, to obtain a comparison result;
where the comparison result shows that the two differ, determining that the application to be detected on the operating system is a malicious application.
For the specific content of the method executed by the processor 802, refer to FIG. 3, FIG. 4, FIG. 5 and FIG. 6; details are not repeated here.
Correspondingly, the processor 802, calling the computer program stored in the memory 801, may also be used to execute the method steps performed by the acquiring unit 701, the comparing unit 702 and the determining unit 703 in the malicious application detection apparatus 70 shown in FIG. 7; for their specific content refer to FIG. 7, and details are not repeated here.
In the terminal device 80 described in FIG. 8, text comparison is used to compare the configuration information of the operating system in the initial state with that in the running state, and to compare the legitimate application information of the operating system with the information on the application to be detected, so as to check the security of the application to be detected and evaluate its malicious level. This saves a large amount of computing and storage resources and improves detection efficiency, and detection remains effective for malicious applications whose code has changed or that use code obfuscation, packing and similar techniques, improving the accuracy of the detection results.
本申请实施例还提供一种计算机可读存储介质,上述计算机可读存储介质中存储有计算机程序,当上述计算机程序在一个或多个处理器上运行时,可以实现图3、图4、图5以及图6所示的方法。Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium. When the computer program is executed on one or more processors, the computer program shown in FIG. 3 , FIG. 4 , and FIG. 5 and the method shown in Figure 6.
本申请实施例还提供一种计算机程序产品,当上述计算机程序产品在处理器上运行时,可以实现图3、图4、图5以及图6所示的方法。An embodiment of the present application further provides a computer program product, which can implement the methods shown in FIG. 3 , FIG. 4 , FIG. 5 , and FIG. 6 when the computer program product is executed on the processor.
综上上述,通过文本比对技术,将操作系统在初始状态下的配置信息和在运行状态下的配置信息进行比对,以及将操作系统的合法应用信息和待检测应用信息进行比对,从而对待检测应用的安全性进行检测,并评估待检测应用的恶意等级,能够节省大量的计算和存储资源,提高检测效率,且对代码发生变化或采用代码混淆、加壳等技术的恶意应用检测仍有效,提高检测结果的准确性。In summary, through the text comparison technology, the configuration information of the operating system in the initial state is compared with the configuration information in the running state, and the legal application information of the operating system and the application information to be detected are compared, so as to Detecting the security of the application to be detected and evaluating the malicious level of the application to be detected can save a lot of computing and storage resources and improve the detection efficiency. Effective and improve the accuracy of detection results.
本领域普通技术人员可以理解实现上述实施例方法中的全部或部分流程,该流程可以由计算机程序相关的硬件完成,该计算机程序可存储于计算机可读取存储介质中,该计算机程序在执行时,可包括如上述各方法实施例的流程。而前述的存储介质包括:只读存储器ROM或随机存储记忆体RAM、磁碟或者光盘等各种可存储计算机程序代码的介质。Those of ordinary skill in the art can understand that all or part of the processes in the methods of the above embodiments can be implemented, and the processes can be completed by hardware related to a computer program, and the computer program can be stored in a computer-readable storage medium. When the computer program is executed , which may include the processes of the foregoing method embodiments. The aforementioned storage medium includes: read-only memory ROM or random-access storage memory RAM, magnetic disk or optical disk and other media that can store computer program codes.

Claims (19)

  1. A malicious application detection method, comprising:
    obtaining initial information of an operating system, wherein the initial information comprises legal application information of the operating system or configuration information of the operating system in an initial state, the initial state being the state of the operating system before it runs for the first time;
    obtaining running information of the operating system, wherein the running information comprises information of an application to be detected on the operating system or configuration information of the operating system in a running state;
    comparing the legal application information with the information of the application to be detected, or comparing the configuration information in the initial state with the configuration information in the running state, to obtain a comparison result;
    when the comparison result indicates a difference, determining that the application to be detected on the operating system is a malicious application.
  2. The detection method according to claim 1, wherein comparing the configuration information in the initial state with the configuration information in the running state specifically comprises:
    comparing a hash value of the configuration information of the operating system in the initial state with a hash value of the configuration information of the operating system in the running state.
  3. The detection method according to claim 1 or 2, wherein comparing the configuration information in the initial state with the configuration information in the running state specifically comprises:
    comparing first configuration information with second configuration information, wherein the first configuration information is configuration information of a system startup process of the operating system in the initial state, and the second configuration information is configuration information of the system startup process of the operating system in the running state;
    or,
    comparing third configuration information with fourth configuration information, wherein the third configuration information is configuration information of a user login process of the operating system in the initial state, and the fourth configuration information is configuration information of the user login process of the operating system in the running state.
  4. The detection method according to any one of claims 1 to 3, wherein comparing the legal application information with the information of the application to be detected specifically comprises:
    comparing an application name in the legal application information with an application name in the information of the application to be detected;
    or,
    comparing fifth configuration information with sixth configuration information, wherein the fifth configuration information comprises configuration information of an application startup process of the application to be detected in the initial state, and the sixth configuration information comprises configuration information of the application startup process of the application to be detected in the running state.
  5. The detection method according to any one of claims 1 to 4, further comprising:
    determining a malice level of the application to be detected according to the initial information and the running information.
  6. The detection method according to claim 5, wherein determining the malice level of the application to be detected according to the initial information and the running information specifically comprises:
    when the first configuration information and the second configuration information differ, determining that the application to be detected is a first-level malicious application;
    when the first configuration information and the second configuration information are the same and the third configuration information and the fourth configuration information differ, determining that the application to be detected is a second-level malicious application, wherein the malice level of a second-level malicious application is lower than that of a first-level malicious application.
  7. The detection method according to claim 6, wherein determining the malice level of the application to be detected according to the initial information and the running information specifically comprises:
    when the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, and the application name in the legal application information and the application name in the information of the application to be detected differ, determining that the application to be detected is a third-level malicious application, wherein the malice level of a third-level malicious application is lower than that of a second-level malicious application.
  8. The detection method according to claim 7, wherein determining the malice level of the application to be detected according to the initial information and the running information specifically comprises:
    when the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, the application name in the legal application information and the application name in the information of the application to be detected are the same, and the fifth configuration information and the sixth configuration information differ, determining that the application to be detected is a fourth-level malicious application, wherein the malice level of a fourth-level malicious application is lower than that of a third-level malicious application.
  9. A malicious application detection apparatus, comprising:
    an obtaining unit, configured to obtain initial information of an operating system, wherein the initial information comprises legal application information of the operating system or configuration information of the operating system in an initial state, the initial state being the state of the operating system before it runs for the first time;
    the obtaining unit being further configured to obtain running information of the operating system, wherein the running information comprises information of an application to be detected on the operating system or configuration information of the operating system in a running state;
    a comparison unit, configured to compare the legal application information with the information of the application to be detected, or to compare the configuration information in the initial state with the configuration information in the running state, to obtain a comparison result;
    a determining unit, configured to determine, when the comparison result indicates a difference, that the application to be detected on the operating system is a malicious application.
  10. The detection apparatus according to claim 9, wherein the comparison unit is specifically configured to compare a hash value of the configuration information of the operating system in the initial state with a hash value of the configuration information of the operating system in the running state.
  11. The detection apparatus according to claim 9 or 10, wherein the comparison unit is further configured to compare first configuration information with second configuration information, wherein the first configuration information is configuration information of a system startup process of the operating system in the initial state, and the second configuration information is configuration information of the system startup process of the operating system in the running state;
    or,
    the comparison unit is further configured to compare third configuration information with fourth configuration information, wherein the third configuration information is configuration information of a user login process of the operating system in the initial state, and the fourth configuration information is configuration information of the user login process of the operating system in the running state.
  12. The detection apparatus according to any one of claims 9 to 11, wherein the comparison unit is further configured to compare an application name in the legal application information with an application name in the information of the application to be detected;
    or,
    the comparison unit is further configured to compare fifth configuration information with sixth configuration information, wherein the fifth configuration information comprises configuration information of an application startup process of the application to be detected in the initial state, and the sixth configuration information comprises configuration information of the application startup process of the application to be detected in the running state.
  13. The detection apparatus according to any one of claims 9 to 12, wherein the determining unit is further configured to determine a malice level of the application to be detected according to the initial information and the running information.
  14. The detection apparatus according to claim 13, wherein the determining unit is specifically configured to determine, when the first configuration information and the second configuration information differ, that the application to be detected is a first-level malicious application;
    the determining unit being further configured to determine, when the first configuration information and the second configuration information are the same and the third configuration information and the fourth configuration information differ, that the application to be detected is a second-level malicious application, wherein the malice level of a second-level malicious application is lower than that of a first-level malicious application.
  15. The detection apparatus according to claim 14, wherein the determining unit is further configured to determine, when the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, and the application name in the legal application information and the application name in the information of the application to be detected differ, that the application to be detected is a third-level malicious application, wherein the malice level of a third-level malicious application is lower than that of a second-level malicious application.
  16. The detection apparatus according to claim 15, wherein the determining unit is further configured to determine, when the first configuration information and the second configuration information are the same, the third configuration information and the fourth configuration information are the same, the application name in the legal application information and the application name in the information of the application to be detected are the same, and the fifth configuration information and the sixth configuration information differ, that the application to be detected is a fourth-level malicious application, wherein the malice level of a fourth-level malicious application is lower than that of a third-level malicious application.
  17. A malicious application detection apparatus, comprising a processor and a memory;
    the memory being configured to store computer-executable instructions;
    the processor being configured to execute the computer-executable instructions stored in the memory, so that the application detection apparatus performs the method according to any one of claims 1 to 8.
  18. A computer-readable storage medium, comprising:
    the computer-readable storage medium being configured to store instructions or a computer program; when the instructions or the computer program are executed, the method according to any one of claims 1 to 8 is implemented.
  19. A computer program product, comprising instructions or a computer program;
    when the instructions or the computer program are executed, the method according to any one of claims 1 to 8 is implemented.
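The summary above and claims 1 to 8 describe the detection as a fixed sequence of comparisons between a baseline captured before the operating system first runs and a snapshot taken at run time: hash comparison of the system startup process configuration (first/second configuration information), of the user login process configuration (third/fourth), of the application name against the legal application list, and of the application's own startup configuration (fifth/sixth), with the first difference found fixing the malice level. The following Python is an added example written for this page, not the patent's code. It models each configuration item as plain text, uses SHA-256 for the hash of claim 2 (the patent names no algorithm), reads the "application name differs" condition of claim 7 as "name absent from the legal application list", and constructs its own baseline and runtime snapshots; none of the paths or configuration lines come from the patent.

```python
"""Baseline-versus-runtime configuration comparison in the shape of claims 1 to 8.

Added example for this page, not the patent's code. Each kind of configuration
information is modelled as plain text, the legal application information as a
name -> startup-configuration mapping, and every snapshot below is constructed.
"""
from __future__ import annotations

import difflib
import hashlib
from dataclasses import dataclass, field, replace


@dataclass
class Snapshot:
    system_boot_config: str  # first (initial) / second (running) configuration information
    user_login_config: str   # third (initial) / fourth (running) configuration information
    applications: dict[str, str] = field(default_factory=dict)  # name -> fifth / sixth


def digest(text: str) -> str:
    """Claim 2 compares hash values; the choice of SHA-256 is an assumption."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def changed_lines(before: str, after: str) -> list[str]:
    """Line-level text comparison: only the removed (-) and added (+) lines."""
    diff = difflib.unified_diff(
        before.splitlines(keepends=True), after.splitlines(keepends=True), n=0
    )
    return [
        line.rstrip("\n")
        for line in diff
        if line and line[0] in "+-" and not line.startswith(("+++", "---"))
    ]


def classify(baseline: Snapshot, runtime: Snapshot, app_name: str) -> tuple[int | None, str]:
    """Return (malice level, reason); level 1 is most severe, None means no difference.

    Checks run in the order of claims 6 to 8 and stop at the first difference. A name
    missing from the baseline's application list is treated as a differing name.
    """
    if digest(baseline.system_boot_config) != digest(runtime.system_boot_config):
        return 1, "system startup process configuration changed"
    if digest(baseline.user_login_config) != digest(runtime.user_login_config):
        return 2, "user login process configuration changed"
    if app_name not in baseline.applications:
        return 3, f"application name {app_name!r} not in legal application information"
    if digest(baseline.applications[app_name]) != digest(runtime.applications.get(app_name, "")):
        return 4, "application startup process configuration changed"
    return None, "no difference from the initial state"


# Constructed sample data: a pristine baseline and four runtime snapshots, each
# differing from the baseline in exactly one compared item.
BASELINE = Snapshot(
    system_boot_config="[Service]\nExecStart=/usr/sbin/networkd\n",
    user_login_config="auth required pam_unix.so\nsession optional pam_motd.so\n",
    applications={"browser": "Exec=/usr/bin/browser --profile default\nAutostart=true\n"},
)
RUNTIME_CLEAN = replace(BASELINE)
RUNTIME_BOOT = replace(
    BASELINE, system_boot_config=BASELINE.system_boot_config + "ExecStartPre=/opt/extra/hook\n"
)
RUNTIME_LOGIN = replace(
    BASELINE, user_login_config=BASELINE.user_login_config + "session optional pam_exec.so /opt/extra/login\n"
)
RUNTIME_UNKNOWN_APP = replace(
    BASELINE, applications={**BASELINE.applications, "brovvser": "Exec=/opt/extra/brovvser\nAutostart=true\n"}
)
RUNTIME_APP = replace(
    BASELINE, applications={"browser": "Exec=/opt/extra/loader /usr/bin/browser\nAutostart=true\n"}
)
CASES = {
    "clean": (RUNTIME_CLEAN, "browser"),
    "boot": (RUNTIME_BOOT, "browser"),
    "login": (RUNTIME_LOGIN, "browser"),
    "unknown_app": (RUNTIME_UNKNOWN_APP, "brovvser"),
    "app": (RUNTIME_APP, "browser"),
}


def run_all() -> dict[str, int | None]:
    """Malice level for every constructed scenario, keyed by scenario name."""
    return {name: classify(BASELINE, rt, app)[0] for name, (rt, app) in CASES.items()}


if __name__ == "__main__":
    for name, (rt, app) in CASES.items():
        print(f"{name:12s} level={classify(BASELINE, rt, app)}")
    print(changed_lines(BASELINE.system_boot_config, RUNTIME_BOOT.system_boot_config))
```

Two points a practitioner would check before relying on this. First, the hash comparison only tells you that something differs; `changed_lines` is what turns a mismatched digest into the actual added or removed configuration lines, which is the text comparison the summary refers to and what an analyst needs to triage the finding. Second, the scheme is only as trustworthy as the baseline: the initial-state hashes must be captured before first run and kept where an application under test cannot rewrite them, otherwise every comparison returns "same".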
PCT/CN2020/137660 2020-12-18 2020-12-18 Malicious application detection method and apparatus, and storage medium WO2022126616A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202080004482.1A CN112689835A (en) 2020-12-18 2020-12-18 Malicious application detection method and device and storage medium
PCT/CN2020/137660 WO2022126616A1 (en) 2020-12-18 2020-12-18 Malicious application detection method and apparatus, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/137660 WO2022126616A1 (en) 2020-12-18 2020-12-18 Malicious application detection method and apparatus, and storage medium

Publications (1)

Publication Number Publication Date
WO2022126616A1 true WO2022126616A1 (en) 2022-06-23

Family

ID=75457656

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/137660 WO2022126616A1 (en) 2020-12-18 2020-12-18 Malicious application detection method and apparatus, and storage medium

Country Status (2)

Country Link
CN (1) CN112689835A (en)
WO (1) WO2022126616A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080016339A1 (en) * 2006-06-29 2008-01-17 Jayant Shukla Application Sandbox to Detect, Remove, and Prevent Malware
WO2013166126A1 (en) * 2012-05-01 2013-11-07 Taasera, Inc. Systems and methods for providing mobile security based on dynamic attestation
US20150256552A1 (en) * 2014-03-04 2015-09-10 Electronics And Telecommunications Research Institute Imalicious code detection apparatus and method
CN110737887A (en) * 2019-10-22 2020-01-31 厦门美图之家科技有限公司 Malicious code detection method and device, electronic equipment and storage medium
CN111027070A (en) * 2019-12-02 2020-04-17 厦门大学 Malicious application detection method, medium, device and apparatus

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106503555A (en) * 2016-10-21 2017-03-15 维沃移动通信有限公司 A kind of method for ensureing safety of payment and mobile terminal

Also Published As

Publication number Publication date
CN112689835A (en) 2021-04-20

Similar Documents

Publication Publication Date Title
US11687653B2 (en) Methods and apparatus for identifying and removing malicious applications
KR101238572B1 (en) Automatic update of computer-readable components to support a trusted environment
US8191147B1 (en) Method for malware removal based on network signatures and file system artifacts
US20100037317A1 (en) Mehtod and system for security monitoring of the interface between a browser and an external browser module
US20100306851A1 (en) Method and apparatus for preventing a vulnerability of a web browser from being exploited
Jo et al. Vulnerabilities of android OS-based telematics system
WO2010053739A2 (en) Method and system for restricting file access in a computer system
US9747449B2 (en) Method and device for preventing application in an operating system from being uninstalled
EP3583536B1 (en) Securely defining operating system composition without multiple authoring
Mandal et al. Vulnerability analysis of android auto infotainment apps
CA2674327C (en) Exploit nonspecific host intrusion prevention/detection methods and systems and smart filters therefor
CN111177665B (en) Safety tracing method for newly generated executable file
CN108028843B (en) Method, system and computing device for securing delivery of computer-implemented functionality
CN114282212A (en) Rogue software identification method and device, electronic equipment and storage medium
US9507621B1 (en) Signature-based detection of kernel data structure modification
WO2022126616A1 (en) Malicious application detection method and apparatus, and storage medium
CN116595523A (en) Multi-engine file detection method, system, equipment and medium based on dynamic arrangement
CN113779576A (en) Identification method and device for executable file infected virus and electronic equipment
CN112905534B (en) Sample analysis method and device based on sandbox environment
Eriksson et al. On the road with third-party apps-Security, safety and privacy aspects of in-vehicle apps
CN107346389B (en) Method and system for detecting abnormal behavior of mobile terminal
CN113901483A (en) Application detection method and device, computer storage medium and electronic equipment
CN115712876A (en) Installation package intercepting method and device, electronic equipment and computer readable storage medium
Zhan et al. DroidExaminer: An Android Malware Hybrid Detection System Based on Ensemble Learning
CN117633789A (en) Security detection method, device, equipment and storage medium for application program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20965631

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20965631

Country of ref document: EP

Kind code of ref document: A1