CN105335654A - Android malicious program detection and processing method, device and equipment - Google Patents

Publication number
CN105335654A
Authority
CN
China
Prior art keywords
program
application program
rogue program
rogue
activity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410302960.3A
Other languages
Chinese (zh)
Other versions
CN105335654B (en)
Inventor
沈江波
陈章群
张楠
陈勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingsoft Internet Security Software Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201410302960.3A (CN105335654B)
Priority to PCT/CN2015/082123 (WO2015196982A1)
Publication of CN105335654A
Application granted
Publication of CN105335654B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The embodiment of the invention discloses a method for detecting an Android malicious program, which comprises the following steps: monitoring whether an application program's calls to ACTIVITY conform to a preset rule and whether a file of a specific type corresponding to the application program exists in the system; and determining whether the application program is a malicious program based on the monitoring result. The invention also discloses an Android malicious program detection device, an Android malicious program processing method and device, and an intelligent terminal device. By implementing the technical scheme of the invention, malicious applications that are installed in the operating system of the user's mobile device and extort the user by controlling the user's desktop, preventing the user from uninstalling them and encrypting user files can be accurately detected and processed, and the security of the system is improved.

Description

Android malicious program detection and processing method, device and equipment
Technical field
The present invention relates to the field of mobile Internet information security technology, and in particular to a method, device and equipment for detecting and processing malicious viruses.
Background technology
With the development of the Android system, the number of applications on it keeps growing. Normally, on a mobile terminal device based on the Android system, all installed applications can be managed in the operating system settings, including stopping and uninstalling them.
Because Android applications come from a wide range of sources, users usually cannot tell whether an installed application is malicious, and once a malicious application is installed it causes the user many problems. A typical example is malicious applications such as Cryptolocker, which take control of the device desktop and repeatedly demand that the user pay to unlock it. They may also use a cryptographic algorithm to encrypt data files on the device; commonly encrypted objects include the user's audio and video files, which the user can then no longer access or use normally. Only after completing the payment can the user unlock the device, decrypt the audio and video files and restore the device to normal use. If the user tries other taps or operations to uninstall the malicious application, it automatically cancels the user's action and demands payment again. Usually, once the operating system of the user's device is infected by this kind of malicious application, the user cannot remove it and the device becomes completely unusable. The only solution is to send the device back to the manufacturer to be reset, and the reset completely destroys the data the user has stored, causing irrecoverable loss. Furthermore, even if the user has uninstalled the malicious program, the files it encrypted still cannot be used normally and the user's data can only be treated as discarded records, which also causes the user a great deal of trouble.
Summary of the invention
The embodiments of the present invention provide an Android malicious application detection and processing method that can accurately detect whether the operating system of a user's mobile device has installed a malicious application of this kind, which extorts the user by controlling the user's desktop, preventing the user from uninstalling it and encrypting user files.
An embodiment of the present invention provides an Android malicious program detection method, comprising:
monitoring whether an application's calls to ACTIVITY conform to a preset rule, and whether a file of a specific type corresponding to the application exists in the system;
determining, based on the result of the monitoring, whether the application is a malicious program.
An embodiment of the present invention also provides an Android malicious program processing method, applicable to the above malicious program, the method comprising:
monitoring the first call period T1 with which the malicious program calls ACTIVITY;
setting a second call period T2, where T2 is less than T1;
starting a malicious program deletion guide program, so that the deletion guide program calls ACTIVITY with the second call period T2;
calling a preset decryption algorithm function and using a preset key string to decrypt the files encrypted by the malicious program.
Correspondingly, an embodiment of the present invention also provides an Android malicious program detection device, comprising:
a first monitoring module, configured to monitor whether an application's calls to ACTIVITY conform to a preset rule, and whether a file of a specific type corresponding to the application exists in the system;
a judgment module, configured to determine, based on the result of the monitoring, whether the application is a malicious program.
Correspondingly, an embodiment of the present invention also provides an Android malicious program processing device, applicable to processing the above malicious program, the device comprising:
a second monitoring module, configured to monitor the first call period T1 with which the malicious program calls ACTIVITY;
a setting module, configured to set a second call period T2, where T2 is less than T1;
a starting module, configured to start a malicious program deletion guide program, so that the deletion guide program calls ACTIVITY with the second call period T2;
a decryption module, configured to call a preset decryption algorithm function and use a preset key string to decrypt the files encrypted by the malicious program.
Implementing the embodiments of the present invention has the following beneficial effects:
By monitoring an application's calls to ACTIVITY, the specific application can be located. When the application's calls to ACTIVITY conform to the preset rule and a file of a specific type corresponding to the application is found in the system, the application can be judged to be a malicious program that occupies the user's desktop, prevents the user from uninstalling it and encrypts user files. The embodiments of the present invention can accurately detect and process Android malicious applications of this kind and protect the security of the user's device.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of an Android malicious application detection method provided by an embodiment of the present invention;
Fig. 2 is another schematic flowchart of an Android malicious application detection method provided by an embodiment of the present invention;
Fig. 3 is a schematic flowchart of an Android malicious program processing method provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an Android malicious program detection device provided by an embodiment of the present invention;
Fig. 5 is another schematic structural diagram of an Android malicious program detection device provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an Android malicious program processing device provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Activity is the most basic and one of the most common of the four major Android components (Activity, Service, ContentProvider and BroadcastReceiver).
Everything in an Activity is closely tied to the user; it is the component responsible for user interaction. In an Android application an Activity is usually a single screen that can display controls and can listen for and respond to user events.
In Android, an Activity has four basic states:
After a new Activity is started and pushed onto the stack, it is displayed at the front of the screen and sits at the top of the stack (the top of the Activity stack). It is then visible and able to interact with the user; this is called the active or running state (Active or Running).
When an Activity loses focus because a new non-full-screen or transparent Activity is placed on top of the stack, it is in the paused state (Paused). It remains connected to the window manager and stays alive (it keeps all state and member information and stays connected to the window manager), but it will be forcibly terminated when system memory is extremely low. It is therefore still visible, but because it has lost focus it cannot interact with the user.
If an Activity is completely covered by another Activity, it is in the stopped state (Stopped). It still keeps all state and member information but is no longer visible, so its window is hidden; when system memory is needed elsewhere, a Stopped Activity will be forcibly terminated.
If an Activity is in the Paused or Stopped state, the system can remove it from memory. Android does this in one of two ways: it either asks the Activity to finish or kills its process directly. When the Activity is shown to the user again, it must be restarted and restored to its previous state.
Android manages Activities with an Activity stack; the state of an Activity instance determines its position in the stack. The foreground Activity is always at the top of the stack. When the foreground Activity is destroyed because of an exception or for some other reason, the Activity on the second layer of the stack is activated and rises to the top. When a new Activity is started and pushed onto the stack, the previous Activity is pushed down to the second layer. Changes in an Activity's position in the stack reflect its transitions between states.
Cryptolocker and similar malicious applications exploit exactly this property of Activity. By continually calling a new Activity they generate a new screen; when the user taps some other operation, the application calls a new Activity that covers the Activity of the other application the user tapped. In this way the application occupies the user's desktop, the user cannot remove it, and the device becomes completely unusable.
In addition, upgraded versions of Cryptolocker also use the public AES encryption algorithm to encrypt the personal files users commonly use. For example, once the user's video and audio files are encrypted, the user cannot open or use them normally, and these files can be decrypted only after the user pays the virus author.
For malicious applications of the kind described above, the present invention proposes an Android malicious application detection method. Referring to Fig. 1, which is a schematic flowchart of an Android malicious application detection method provided by an embodiment of the present invention, in this embodiment the method comprises:
S100: monitor an application's calls to ACTIVITY;
Malicious applications of this kind mainly exploit the properties of the ACTIVITY stack and call the ACTIVITY periodically. The present invention mainly monitors ACTIVITY call behavior to judge whether the application is maliciously occupying the user's desktop.
Further, the preset rule comprises: the application periodically calls the ACTIVITY. The preset rule is obtained locally or from a server.
S101: monitor whether a file of a specific type corresponding to the application exists in the system;
Given the behavior of this kind of malicious virus, this step mainly monitors whether files encrypted by the malicious program exist in the user's device system. This includes monitoring whether a specific folder corresponding to the application exists in the system, for example a folder specific to that application. It also includes monitoring whether files with a specific extension corresponding to the application exist in the system: after encrypting a user file the virus changes its extension, for example changing an original video or audio file into an enc file.
S102: determine, based on the result of the monitoring, whether the application is a malicious program.
If monitoring confirms that the application does call ACTIVITY periodically and frequently, so that the user cannot use other applications normally and cannot uninstall the application in the normal way, the application can be preliminarily judged to be a malicious program.
Optionally, when further monitoring finds that files encrypted by the malicious program exist in the user's device system, for example a specific folder corresponding to the application or files with a specific extension corresponding to the application, the application can be judged to be a malicious program.
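The two-signal decision of steps S100 to S102, sketched as an added example that is not code from the patent: a periodicity test over Activity-start events combined with a check for marker files. The rule fields, thresholds, package names, folder path and sample data are all constructed assumptions; only the enc extension comes from the text above.

```python
from statistics import median

# Constructed preset rule. The page only says rules are obtained locally or
# from a server; every field name and value here is an assumption.
RULE = {
    "min_launches": 5,        # launches needed before judging periodicity
    "max_jitter": 0.2,        # allowed deviation from the median gap (ratio)
    "max_period_s": 5.0,      # "frequent": relaunches at least this often
    "extensions": (".enc",),  # the page's example of a changed extension
    "folders": ("/sdcard/.locker_example/",),  # hypothetical marker folder
}

# Constructed sample input: (timestamp in seconds, package starting an Activity).
EVENTS = [
    (0.0, "com.example.locker"), (1.0, "com.example.mail"),
    (2.0, "com.example.locker"), (4.1, "com.example.locker"),
    (6.0, "com.example.locker"), (8.0, "com.example.locker"),
    (10.1, "com.example.locker"), (30.0, "com.example.mail"),
    (31.0, "com.example.mail"), (95.0, "com.example.mail"),
    (300.0, "com.example.mail"),
]
# Constructed sample file listing.
PATHS = [
    "/sdcard/DCIM/video1.mp4.enc",
    "/sdcard/Music/song.mp3.enc",
    "/sdcard/Download/report.pdf",
]


def launch_period(events, package, rule=RULE):
    """S100: return the launch period in seconds if `package` starts
    Activities periodically and frequently, else None."""
    times = sorted(t for t, pkg in events if pkg == package)
    if len(times) < rule["min_launches"]:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    period = median(gaps)
    if period <= 0 or period > rule["max_period_s"]:
        return None  # too slow to count as occupying the desktop
    regular = all(abs(g - period) <= rule["max_jitter"] * period for g in gaps)
    return period if regular else None


def marker_files(paths, rule=RULE):
    """S101: files in a marker folder or carrying a marker extension."""
    return [p for p in paths
            if p.lower().endswith(rule["extensions"])
            or p.startswith(rule["folders"])]


def classify(events, paths, package, rule=RULE):
    """S102: periodic launches alone give a preliminary verdict; periodic
    launches plus marker files give the full verdict."""
    period = launch_period(events, package, rule)
    if period is None:
        return {"verdict": "not flagged", "period_s": None, "files": []}
    hits = marker_files(paths, rule)
    verdict = "malicious" if hits else "suspected"
    return {"verdict": verdict, "period_s": period, "files": hits}


if __name__ == "__main__":
    for pkg in ("com.example.locker", "com.example.mail"):
        print(pkg, classify(EVENTS, PATHS, pkg))
```

An application that relaunches periodically but has left no marker files is reported as "suspected", matching the preliminary judgment described above.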
Fig. 2 is another schematic flowchart of an Android malicious application detection method provided by an embodiment of the present invention. In this embodiment, the method comprises:
S200: monitor an application's calls to ACTIVITY;
S201: monitor whether a file of a specific type corresponding to the application exists in the system;
S202: upload the feature information corresponding to the application to a server, so that the server judges, based on the feature information, whether the application is a malicious program;
To confirm that the application is malicious, its feature information can be uploaded to the server for judgment. Specifically, the feature information comprises the package name and/or the MD5 value of the application and, optionally, behavior feature information of the application.
S203: receive the malicious program judgment result sent by the server and perform a preset operation according to the result.
Specifically, the malicious program judgment result sent by the server is received, and when the result shows that the application is a malicious program, the application is deleted.
Optionally, malicious program processing information sent by the server is received, and when the processing information shows that the file is a file encrypted by the malicious program, the file is decrypted according to the processing information.
Optionally, in other embodiments of the present invention, the method may further comprise: after the application is successfully deleted, uploading the processing result for the malicious program to the server, and uploading the device information of the device on which the malicious program was located to the server.
A preliminary judgment is made by monitoring whether the application does call ACTIVITY periodically and frequently and whether a file of a specific type corresponding to the application exists in the system; the application's feature information is then uploaded to the server for further confirmation, and combined with the preliminary judgment this allows an accurate determination of whether the application is a malicious program; or
by monitoring whether the application does call ACTIVITY periodically and frequently and whether a file of a specific type corresponding to the application exists in the system, and uploading this feature information of the application to the server, it can be determined whether the application is a malicious program.
Fig. 3 is a schematic flowchart of an Android malicious program processing method provided by an embodiment of the present invention. The method of this embodiment is applicable to the malicious program in the methods shown in Fig. 1 and Fig. 2, and comprises:
S300: monitor the first call period T1 with which the malicious program calls ACTIVITY;
The malicious application mainly exploits the properties of the ACTIVITY stack and calls ACTIVITY periodically to occupy the user's desktop, so the malicious application can be monitored to obtain the period T1 with which it calls ACTIVITY;
S301: set a second call period T2, where T2 is less than T1;
S302: start a malicious program deletion guide program, so that the deletion guide program calls ACTIVITY with the second call period T2.
The purpose of setting a call period T2 that is less than T1 is to get in ahead of the malicious program and call the ACTIVITY instance of the uninstaller, creating the conditions for the user to uninstall the malicious application.
Further, the malicious program deletion guide program receives the user's instruction to delete the malicious program and deletes the malicious program.
Specifically, the deletion guide program completes the deletion of the malicious program by calling the Android system's deletion program.
When the malicious program deletion guide program is started, it calls the ACTIVITY instance of the uninstaller. That instance is then placed at the top of the ACTIVITY stack and is visible to the user, so the user can tap the uninstaller to uninstall the malicious program. If the user fails to tap the uninstaller in time within the period T1, the malicious program calls its own ACTIVITY instance in the next period. Because the call period T2 of the deletion guide program is less than the call period T1 of the malicious program, the deletion guide program then starts again and calls the uninstaller's ACTIVITY instance with the second call period T2. This ensures that the deletion guide program can always call the deletion program ahead of the malicious program, helping the user uninstall the malicious application.
S303: call a preset decryption algorithm function and use a preset key string to decrypt the files encrypted by the malicious program.
The preset decryption algorithm function and preset key string are obtained locally or from a server. Specifically, by unpacking and decompiling the apk file of the malicious program, the function of the encryption algorithm used by the malicious program, for example an AES encryption function, is located; by analyzing that function, the key information used by the encryption function can be obtained. The decryption function corresponding to the encryption function can then be called with the obtained key information to decrypt the user files encrypted by the malicious program.
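The timing argument of steps S300 to S302 as a small simulation, added here as an illustration and not code from the patent. It uses a simplified model in which the most recently started Activity is the top of the stack; the function names, the 0.25 ratio and the sample timestamps are assumptions, and step S303 is not covered.

```python
from statistics import median

# Constructed sample: times (ms) at which the malicious program was seen
# starting its own Activity.
OBSERVED_LAUNCHES_MS = [0, 2000, 4010, 6000, 8000]


def estimate_t1(launch_times_ms):
    """S300: estimate the first call period T1 as the median launch gap."""
    gaps = [b - a for a, b in zip(launch_times_ms, launch_times_ms[1:])]
    return int(median(gaps))


def choose_t2(t1_ms, ratio=0.25):
    """S301: pick a second call period T2 < T1. The page only requires
    T2 < T1; the ratio is an assumption made for this example."""
    return max(1, int(t1_ms * ratio))


def uninstaller_windows(t1_ms, t2_ms, periods=20, guide_offset_ms=0):
    """S302: for each period of the malicious program, return how many ms
    the uninstaller Activity is on top of the stack.

    The malicious program starts its Activity at k*T1; the deletion guide
    program starts the uninstaller Activity at guide_offset + j*T2. If both
    start at the same instant the malicious program is assumed to win,
    which is the worst case for the user.
    """
    horizon = periods * t1_ms
    launches = [(k * t1_ms, "malware") for k in range(periods)]
    launches += [(t, "uninstaller")
                 for t in range(guide_offset_ms, horizon, t2_ms)]
    # Sort by time; on a tie the malicious program's launch comes last.
    launches.sort(key=lambda e: (e[0], e[1] == "malware"))
    windows = [0] * periods
    ends = launches[1:] + [(horizon, None)]
    for (start, owner), (end, _) in zip(launches, ends):
        if owner == "uninstaller":
            # Every k*T1 is an event, so [start, end) lies in one period.
            windows[start // t1_ms] += end - start
    return windows


def worst_window(t1_ms, t2_ms, periods=20, guide_offset_ms=0):
    """Shortest time per period in which the user can tap the uninstaller."""
    return min(uninstaller_windows(t1_ms, t2_ms, periods, guide_offset_ms))


if __name__ == "__main__":
    t1 = estimate_t1(OBSERVED_LAUNCHES_MS)
    t2 = choose_t2(t1)
    print("T1 =", t1, "ms, T2 =", t2, "ms")
    print("worst window with T2 < T1:", worst_window(t1, t2), "ms")
    print("worst window with T2 > T1:", worst_window(t1, 5000), "ms")
```

With T2 less than T1 every period of the malicious program contains a window of at least T1 minus T2 in which the uninstaller is on top; with T2 greater than T1 some periods contain no such window at all.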
Fig. 4 is a schematic structural diagram of an Android malicious program detection device provided by an embodiment of the present invention. In this embodiment, the device comprises:
a first monitoring module 100, configured to monitor whether an application's calls to ACTIVITY conform to a preset rule, and whether a file of a specific type corresponding to the application exists in the system;
a judgment module 101, configured to determine, according to the result of the monitoring, whether the application is a malicious program;
Specifically, the preset rule comprises: the application periodically calls the ACTIVITY.
Further, the preset rule is obtained locally or from a server.
If monitoring confirms that the application does call ACTIVITY periodically and frequently, so that the user cannot use other applications normally and cannot uninstall the application in the normal way, and further monitoring finds that user data files have been encrypted, the application can be preliminarily judged to be a malicious program.
Fig. 5 is another schematic structural diagram of an Android malicious program detection device provided by an embodiment of the present invention. In this embodiment, the device comprises:
a first monitoring module 200, configured to monitor whether an application's calls to ACTIVITY conform to a preset rule, and whether a file of a specific type corresponding to the application exists in the system;
a judgment module 201, configured to determine, according to the result of the monitoring, whether the application is a malicious program;
Specifically, the preset rule comprises: the application periodically calls the ACTIVITY.
Further, the preset rule is obtained locally or from a server.
a first upload module 202, configured to upload the feature information corresponding to the application to a server, so that the server judges, based on the feature information, whether the application is a malicious program.
To further confirm that the application is malicious, its feature information can be uploaded to the server for judgment. Specifically, the feature information comprises the package name and/or the MD5 value of the application.
Optionally, the device may further comprise:
a first receiving module 203, configured to receive the malicious program judgment result sent by the server;
a deletion module 204, configured to delete the application when the judgment result shows that the application is a malicious program.
By monitoring whether the application does call ACTIVITY periodically and frequently and whether a file of a specific type corresponding to the application exists in the system, and by uploading the application's feature information to the server for judgment, it can be accurately determined, in combination with the judgment result, whether the application is a malicious program, after which the malicious application is deleted.
Optionally, the device may further comprise:
a second receiving module 205, configured to receive the malicious program processing information sent by the server;
a decryption module 206, configured to decrypt the file according to the malicious program processing information when the processing information shows that the file is a file encrypted by the malicious program.
Optionally, the device may further comprise:
a second upload module 207, configured to upload the processing result for the malicious program to the server.
Fig. 6 is a schematic structural diagram of an Android malicious program processing device provided by an embodiment of the present invention. In this embodiment, the device comprises:
a second monitoring module 300, configured to monitor the first call period T1 with which the malicious program calls ACTIVITY;
a setting module 301, configured to set a second call period T2, where T2 is less than T1;
a starting module 302, configured to start a malicious program deletion guide program, so that the deletion guide program calls ACTIVITY with the second call period T2;
a decryption module 303, configured to call a preset decryption algorithm function and use a preset key string to decrypt the files encrypted by the malicious program.
Specifically, the preset decryption algorithm function and preset key string are obtained locally or from a server.
It should be noted that each embodiment in this specification focuses on its differences from the other embodiments; for parts that are the same or similar, the embodiments may be referred to one another. The device embodiments in particular are described relatively briefly because they are substantially similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments.
A person of ordinary skill in the art will understand that all or part of the processes in the above method embodiments can be implemented by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
What is disclosed above is only a preferred embodiment of the present invention and certainly cannot be used to limit the scope of rights of the present invention. A person of ordinary skill in the art will understand that implementations of all or part of the processes of the above embodiments, and equivalent changes made in accordance with the claims of the present invention, still fall within the scope covered by the invention.

Claims (21)

1. an Android malware detection methods, is characterized in that, comprising:
Whether monitoring application program meets preset rules for calling of ACTIVITY, and, whether there is the particular type file corresponding with described application program in system;
Result based on described monitoring determines whether described application program is rogue program.
2. the method for claim 1, is characterized in that, described preset rules comprises:
Described application program periodically calls described ACTIVITY.
3. the method for claim 1, is characterized in that, whether there is the particular type file corresponding with described application program and comprise in supervisory system:
Monitor in described system and whether there is the particular file folder corresponding with described application program.
4. the method for claim 1, is characterized in that, whether there is the particular type file corresponding with described application program and comprise in supervisory system:
Monitor in described system and whether there is the particular extension file corresponding with described application program.
5. the method for claim 1, is characterized in that, before the result based on described monitoring determines whether described application program is rogue program, described method also comprises:
Upload described application program characteristic of correspondence information to server, in order to judge whether described application program is rogue program at server end based on described characteristic information.
6. method as claimed in claim 5, it is characterized in that, described method also comprises:
Receive the rogue program judged result that described server sends, when described judged result shows that described application program is rogue program, delete described application program.
7. method as claimed in claim 5, it is characterized in that, described method also comprises:
Receive the rogue program process information that described server sends, when described process information shows that described file is the encrypted file of rogue program, according to described rogue program process information, described file is decrypted.
8. method as claimed in claims 6 or 7, it is characterized in that, described method also comprises: the result uploading described rogue program to server.
9. an Android rogue program disposal route, is characterized in that, described method is applicable to process the rogue program in claim 1 to 8 described in arbitrary claim, and described method comprises:
Monitor described rogue program and cycle T 1 is called for first of ACTIVITY;
Arrange second and call cycle T 2, wherein T2 is less than T1;
Start rogue program and delete boot, make described rogue program deletion boot call cycle T 2 with second and call ACTIVITY;
Call default decipherment algorithm function, use the preset-key character string file encrypted to described rogue program to be decrypted.
10. method as claimed in claim 9, is characterized in that, described default decipherment algorithm function and preset-key character string are obtained by local or server end.
11. An Android malicious program detection device, characterized by comprising:
A first monitoring module, configured to monitor whether an application program's calls to ACTIVITY meet a preset rule and whether a file of a specific type corresponding to the application program exists in the system;
A judging module, configured to determine, based on the result of the monitoring, whether the application program is a malicious program.
12. The device as claimed in claim 11, characterized in that the preset rule comprises: the application program periodically calls the ACTIVITY.
13. The device as claimed in claim 11, characterized in that the first monitoring module is specifically configured to monitor whether a specific folder corresponding to the application program exists in the system.
14. The device as claimed in claim 11, characterized in that the first monitoring module is specifically further configured to monitor whether a file with a specific extension corresponding to the application program exists in the system.
15. The device as claimed in claim 11, characterized in that the device further comprises:
A first upload module, configured to upload characteristic information corresponding to the application program to a server, so that whether the application program is a malicious program is judged at the server end based on the characteristic information.
16. The device as claimed in claim 11, characterized in that the device further comprises:
A first receiving module, configured to receive the malicious-program judgment result sent by the server;
A deletion module, configured to delete the application program when the judgment result indicates that the application program is a malicious program.
17. The device as claimed in claim 11, characterized in that the device further comprises:
A second receiving module, configured to receive the malicious-program processing information sent by the server;
A decryption module, configured to decrypt the file according to the malicious-program processing information when the processing information indicates that the file is a file encrypted by the malicious program.
18. The device as claimed in claim 16 or 17, characterized in that the device further comprises:
A second upload module, configured to upload the result for the malicious program to the server.
19. An Android malicious program processing device, characterized in that the device is applicable to processing the malicious program described in any one of claims 1 to 8, the device comprising:
A second monitoring module, configured to monitor the first calling period T1 with which the malicious program calls ACTIVITY;
A setting module, configured to set a second calling period T2, wherein T2 is less than T1;
A starting module, configured to start a malicious-program deletion guide program, so that the malicious-program deletion guide program calls ACTIVITY with the second calling period T2;
A decryption module, configured to call a preset decryption algorithm function and use a preset key string to decrypt the files encrypted by the malicious program.
20. The device as claimed in claim 19, characterized in that the preset decryption algorithm function and the preset key string are obtained locally or from the server.
21. A terminal device, characterized by comprising the device according to any one of claims 11-20.
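The two monitored signals from claims 11 to 14 (periodic ACTIVITY calls and files with a specific extension) and the T2 < T1 condition from claim 9, as an added Python example that is not part of the patent. The package names, file paths, the `.enc` extension, the jitter threshold, the rule that both signals must be present, and the choice T2 = T1/2 are all assumptions constructed for illustration.

```python
from pathlib import PurePosixPath
from statistics import mean, pstdev

# Constructed sample data (not from the patent): foreground ACTIVITY launch
# times in seconds per package, and file paths observed on shared storage.
LAUNCHES = {
    "com.example.locker": [0.0, 2.0, 4.1, 6.0, 8.0, 10.1, 12.0],
    "com.example.mail": [3.0, 47.0, 51.0, 300.0, 905.0],
}
FILES = [
    "/sdcard/DCIM/img_001.jpg.enc",
    "/sdcard/Download/report.pdf.enc",
    "/sdcard/Music/song.mp3",
]
# Assumed mapping from package to the extension attributed to it.
SUSPECT_EXT = {"com.example.locker": ".enc"}


def call_period(timestamps, min_calls=5, max_jitter=0.15):
    """Return the mean launch interval T1 if the launches are periodic, else None."""
    if len(timestamps) < min_calls:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    # Periodic means low relative spread (coefficient of variation) of the gaps.
    return avg if pstdev(gaps) / avg <= max_jitter else None


def files_with_ext(paths, ext):
    """Files whose final extension matches the one attributed to the package."""
    return [p for p in paths if PurePosixPath(p).suffix == ext]


def assess(package, launches=LAUNCHES, files=FILES, exts=SUSPECT_EXT):
    """Combine both monitored signals; requiring both is an assumption here."""
    t1 = call_period(launches.get(package, []))
    hits = files_with_ext(files, exts[package]) if package in exts else []
    malicious = t1 is not None and bool(hits)
    # Claim 9 only requires T2 < T1; using half of T1 is an assumed choice.
    t2 = t1 / 2 if malicious else None
    return {"malicious": malicious, "T1": t1, "T2": t2, "files": hits}


if __name__ == "__main__":
    for pkg in LAUNCHES:
        print(pkg, assess(pkg))
```

Periodicity alone does not flag a package in this sketch: an application that relaunches on a timer but has no matching files is reported as not malicious.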
CN201410302960.3A 2014-06-27 2014-06-27 Android malicious program detection and processing method, device and equipment Active CN105335654B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410302960.3A CN105335654B (en) 2014-06-27 2014-06-27 Android malicious program detection and processing method, device and equipment
PCT/CN2015/082123 WO2015196982A1 (en) 2014-06-27 2015-06-23 Android malicious program detecting and processing methods and apparatuses, and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410302960.3A CN105335654B (en) 2014-06-27 2014-06-27 Android malicious program detection and processing method, device and equipment

Publications (2)

Publication Number Publication Date
CN105335654A (en) 2016-02-17
CN105335654B (en) 2018-12-14

Family

ID=54936863

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410302960.3A Active CN105335654B (en) 2014-06-27 2014-06-27 Android malicious program detection and processing method, device and equipment

Country Status (2)

Country Link
CN (1) CN105335654B (en)
WO (1) WO2015196982A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106548070A (en) * 2016-07-18 2017-03-29 北京安天电子设备有限公司 A kind of method and system that blackmailer's virus is defendd in stand-by time
CN107291517A (en) * 2017-07-26 2017-10-24 广东小天才科技有限公司 A kind of discharging method of application, device and terminal device
CN108197462A (en) * 2016-12-08 2018-06-22 武汉安天信息技术有限责任公司 It is extorted under a kind of Android system using detecting system and method
CN109711172A (en) * 2018-06-26 2019-05-03 360企业安全技术(珠海)有限公司 Data prevention method and device
CN110020530A (en) * 2018-12-24 2019-07-16 中国银联股份有限公司 For determining the method and device thereof of the safety of application program at runtime
CN110213443A (en) * 2019-05-30 2019-09-06 努比亚技术有限公司 Prevent third party's desktop application self-start method, mobile terminal and storage medium
EP3592005A4 (en) * 2017-03-10 2020-01-08 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method and device for controlling broadcast recipient, and mobile terminal
CN111639341A (en) * 2020-05-29 2020-09-08 北京金山云网络技术有限公司 Malicious program detection method and device, electronic device and storage medium

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105956470A (en) * 2016-05-03 2016-09-21 北京金山安全软件有限公司 Method and terminal for intercepting application program behaviors
CN108595989B (en) * 2018-03-15 2020-06-30 杭州电子科技大学 Mobile APP safety protection system and method under iOS
CN114244599B (en) * 2021-12-15 2023-11-24 杭州默安科技有限公司 Method for interfering malicious program

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101226570A (en) * 2007-09-05 2008-07-23 江启煜 Method for monitoring and eliminating generalized unknown virus
CN102722680A (en) * 2012-06-07 2012-10-10 腾讯科技(深圳)有限公司 Method and system for removing rogue programs
CN103186740A (en) * 2011-12-27 2013-07-03 北京大学 Automatic detection method for Android malicious software
CN103577753A (en) * 2012-08-01 2014-02-12 联想(北京)有限公司 Method and electronic equipment for prompting potential hazards of camouflage application
US20140181973A1 (en) * 2012-12-26 2014-06-26 National Taiwan University Of Science And Technology Method and system for detecting malicious application

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103207969B (en) * 2013-04-12 2016-10-05 百度在线网络技术(北京)有限公司 The device of detection Android malware and method
CN103400076B (en) * 2013-07-30 2016-01-06 腾讯科技(深圳)有限公司 Malware detection methods, devices and systems on a kind of mobile terminal

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106548070A (en) * 2016-07-18 2017-03-29 北京安天电子设备有限公司 A kind of method and system that blackmailer's virus is defendd in stand-by time
CN108197462A (en) * 2016-12-08 2018-06-22 武汉安天信息技术有限责任公司 It is extorted under a kind of Android system using detecting system and method
EP3592005A4 (en) * 2017-03-10 2020-01-08 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method and device for controlling broadcast recipient, and mobile terminal
US10863521B1 (en) 2017-03-10 2020-12-08 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Broadcast receiver control method and apparatus, and mobile terminal
CN107291517A (en) * 2017-07-26 2017-10-24 广东小天才科技有限公司 A kind of discharging method of application, device and terminal device
CN109711172A (en) * 2018-06-26 2019-05-03 360企业安全技术(珠海)有限公司 Data prevention method and device
CN110020530A (en) * 2018-12-24 2019-07-16 中国银联股份有限公司 For determining the method and device thereof of the safety of application program at runtime
CN110020530B (en) * 2018-12-24 2023-07-04 中国银联股份有限公司 Method for determining security of application program in running time and device thereof
CN110213443A (en) * 2019-05-30 2019-09-06 努比亚技术有限公司 Prevent third party's desktop application self-start method, mobile terminal and storage medium
CN111639341A (en) * 2020-05-29 2020-09-08 北京金山云网络技术有限公司 Malicious program detection method and device, electronic device and storage medium
CN111639341B (en) * 2020-05-29 2023-09-05 北京金山云网络技术有限公司 Malicious program detection method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
WO2015196982A1 (en) 2015-12-30
CN105335654B (en) 2018-12-14

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant