CN105631325A - Malicious application detection method and apparatus - Google Patents

Malicious application detection method and apparatus

Info

Publication number: CN105631325A
Application number: CN201410610791.XA
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN105631325B
Prior art keywords: api, user profile, class, sent, parameter
Inventors: 张二鹏, 彭华熹
Current assignee: China Mobile Communications Group Co Ltd
Original assignee: China Mobile Communications Group Co Ltd
Events: application filed by China Mobile Communications Group Co Ltd; priority to CN201410610791.XA; publication of CN105631325A; application granted; publication of CN105631325B; legal status active

Abstract

The invention discloses a malicious application detection method and apparatus for improving the accuracy of malicious application detection. APIs are divided, according to whether they send a message, into sending-type APIs and non-sending-type APIs. The method comprises: extracting all user information in a mobile terminal; obtaining the parameter variables of the APIs contained in an application installed in the mobile terminal, where the parameter variables include an execution parameter, or an execution parameter and a result variable; and matching the obtained execution parameter of a sending-type API against all the extracted user information or against the obtained result variable of a non-sending-type API, and determining whether the application is a malicious application according to the matching result.

Description

Malicious application detection method and device
Technical field
The present invention relates to the technical field of intelligent terminal application security, and in particular to a malicious application detection method and device.
Background art
With the rapid development of the mobile Internet and the growing number of intelligent mobile terminals, the threat posed by malicious applications on mobile terminals is also growing. Because the Android platform is open and Android applications are developed in the Java language, decompiling, analysing and reverse-modifying them is comparatively easy, and the barrier to developing Android applications is low; together these directly lead to the proliferation of malicious applications on the Android platform.
Among the mainstream malicious applications found on mobile terminals today, most exhibit malicious behaviour such as collecting and obtaining sensitive user information, for example contact lists, call records, short messages, bank account information and location information. Some malicious applications encrypt this information and then send the collected sensitive user information to a remote server (or a destination mobile terminal); the data encryption makes analysis of the application's malicious behaviour more difficult.
The main means currently used to analyse the malicious behaviour of malicious applications and Internet viruses on mobile terminals are:
1) Static analysis of the malicious application.
The Android application is reverse-engineered: it is decompiled into Smali code or disassembled into Java source code, and the decompiled code is then traversed and parsed in full. The APIs (application programming interfaces) used by the application are matched against the APIs in a predefined malicious behaviour library, and each matching API of the application is labelled a malicious behaviour API; at the same time the application's permission information is scanned and matched against the permissions recorded in a predefined dangerous permission library. The labelled malicious behaviour APIs are then combined to judge whether the application under test is malicious. Because this approach only detects the concrete behaviour of the application, it cannot detect the concrete content of that behaviour: for example, it can detect that a short message is sent, but not the content of the short message. This makes the detection accuracy for malicious applications relatively low, and the method can also only detect known malicious behaviour.
2) Cultivating the malicious application in a sandbox, then collecting and analysing the network packets it sends in order to determine its malicious behaviour. This method can only analyse packets that the malicious application sends in plaintext and is helpless against encrypted packets, so it also cannot accurately detect the malicious applications present on a mobile terminal.
Summary of the invention
The embodiments of the present invention provide a malicious application detection method and device for improving the accuracy of malicious application detection.
The embodiments of the present invention provide a malicious application detection method, including:
extracting all user information in a mobile terminal;
obtaining the parameter variables of each application programming interface (API) contained in an application installed on the mobile terminal, where the parameter variables include an execution parameter, or an execution parameter and a result variable, and where each API is divided, according to whether it sends a message, into a sending-class API or a non-sending-class API;
matching the obtained execution parameter of a sending-class API against all the extracted user information or against the obtained result variable of a non-sending-class API, and determining whether the application is a malicious application according to the matching result.
The embodiments of the present invention provide a malicious application detection device, including:
an extraction unit, for extracting all user information in a mobile terminal;
an acquiring unit, for obtaining the parameter variables of each application programming interface (API) contained in an application installed on the mobile terminal, where the parameter variables include an execution parameter, or an execution parameter and a result variable, and where each API is divided, according to whether it sends a message, into a sending-class API or a non-sending-class API;
a determining unit, for matching the obtained execution parameter of a sending-class API against all the extracted user information or against the obtained result variable of a non-sending-class API, and determining whether the application is a malicious application according to the matching result.
In the malicious application detection method and device provided by the embodiments of the present invention, APIs are divided into sending-class APIs and non-sending-class APIs. For each sending-class API contained in an application, its execution parameter is matched against the user information extracted from the mobile terminal, or against the result variables of the non-sending-class APIs, and whether the application is malicious is determined from the matching result. In this process, the original information from which the execution parameter of a sending-class API was derived, before processing, can be traced back through the non-sending-class APIs; therefore, even if the application encrypts or otherwise processes the user information it obtains, it can still be determined whether the application is malicious, which improves the accuracy of application detection.
Other features and advantages of the present invention will be set forth in the following description, will partly become apparent from the description, or will be understood by implementing the present invention. The objects and other advantages of the present invention can be realised and obtained by the structures specifically pointed out in the written description, the claims and the accompanying drawings.
Brief description of the drawings
The accompanying drawings described here are provided for a further understanding of the present invention and form part of it; the schematic embodiments of the present invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1a is a schematic flow diagram of the malicious application detection method in an embodiment of the present invention;
Fig. 1b is a schematic flow diagram, in an embodiment of the present invention, of determining whether an application is a malicious application;
Fig. 2 is a schematic diagram, in an embodiment of the present invention, of matching the execution parameter of a sending-class API against the extracted user information;
Fig. 3 is a schematic flow diagram of the recursive lookup of a target API in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the malicious application detection device in an embodiment of the present invention.
Detailed description of the invention
To improve the accuracy of malicious application detection, in the embodiments of the present invention the user information in the mobile terminal is extracted and combined with the analysis results of the APIs contained in an application to judge whether the application installed on the mobile terminal is malicious.
The preferred embodiments of the present invention are described below with reference to the drawings of the specification. It should be understood that the preferred embodiments described here serve only to illustrate and explain the invention and are not intended to limit it, and that, where they do not conflict, the embodiments of the invention and the features in the embodiments may be combined with each other.
Malicious applications on mobile terminals generally have the following obvious characteristics: they collect user information on the mobile terminal and send the collected user information to a remote server or a destination mobile terminal. Therefore, according to whether an API sends information, APIs are divided and labelled as sending-class APIs and non-sending-class APIs, as shown in Table 1.
Table 1
In specific implementation, sending-class APIs include APIs that send information in any manner, for instance sending information by short message, by Bluetooth or as network data packets. Non-sending-class APIs include all APIs other than sending-class APIs; these may be APIs that read information, including APIs that read short messages, call records, contact lists, location information and so on, and may also be encryption APIs.
On this basis, when performing malicious application detection in the embodiments of the present invention, what is mainly detected is whether the information sent by a sending-class API is user information on the mobile terminal. Fig. 1a is a schematic flow diagram of the malicious application detection method provided by the embodiments of the present invention; the method comprises the following steps:
S11: extract all user information in the mobile terminal.
The extracted user information may include information on the mobile terminal that relates to the user, such as short messages, call records, contact lists and location information.
Preferably, to ease the subsequent comparison, an information identifier may be assigned to each piece of extracted user information, as shown in Table 2:
Table 2

Information content          Information identifier
Short message                ID1
Call record information      ID2
Location information         ID3
...                          ...
S12: obtain the parameter variables of each API contained in the application installed on the mobile terminal.
It should be noted that the parameter variables obtained differ with the class of the API. For a sending-class API, the parameter variables include the execution parameter, namely the information content sent; for a non-sending-class API, the parameter variables may include an execution parameter and a result variable. This is not a limitation: in practice, the parameter variables of a sending-class API may also include both an execution parameter and a result variable.
Specifically, step S12 can be implemented according to the following steps:
Step 1: reverse-decompile the application to obtain its corresponding source code.
In specific implementation, the application installation package (a file with the extension .apk) is reverse-decompiled to obtain Smali source code.
Step 2: obtain the parameter variables of each API contained in the application from the source code.
In specific implementation, for each API, marker code can be inserted into the source code before and after the point where that API executes; the marker code includes an API class label. The execution information of each API is recorded, and the class of the API and its parameter variables are obtained from the execution information together with the API's marker code. The parameter variables of each API may be obtained through a log that records the execution information of each API, and that log may be output.
Preferably, using the Smali source code obtained, the execution parameter or result variable of each API contained in the application can be output as follows: all APIs contained in the Smali source code are scanned, and for each API, marker code including an API class label is inserted before and after the point where the API executes; the reversed source code is then repackaged and run, and the output of the run is the parameter variables of the APIs. In specific implementation the output may be produced by logging, as follows:
Uri uri = Uri.parse(AllFinalInfo.SMS_URI_INBOX);
SmsContent sc = new SmsContent(this, uri);
Log.v(tag, apiName + apiClassLabel + codePosition); // marker before the API executes: API name, API class label and code position (placeholder names)
List<SmsInfo> infos = sc.getSmsInfo();
body.setText(infos.get(position).getSmsbody());
name.setText(infos.get(position).getName());
Log.v(tag, infos.get(position).getSmsbody()); // parameter variable output: the short message body that was read
Log.v(tag, infos.get(position).getSmsbody());
Log.v(tag, apiName); // marker after the API executes
For a sending-class API, the execution parameter is the information content sent by the API; for an encryption API, the execution parameter is the original information to be encrypted and the result variable is the encrypted information.
It should be noted that steps S11 and S12 have no fixed order of execution: step S12 may be performed before step S11, and the two steps may also be performed simultaneously.
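As an added illustration of step 2 (this is not code from the patent), the following Python parses the marker log written by the instrumented application into per-API records. The log line shape it reads is a construction for this example: a logcat-style `V/<tag>` line carrying a start marker `<apiName>|<apiClass>|<codePosition>` before the API executes, one line per logged parameter value, and an end marker that is just `<apiName>`. The convention that a non-sending-class API logs its result variable last, and the tag name `apimon`, are likewise assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed log line shape (constructed for this example): "V/<tag>( <pid>): <message>".
LOG_RE = re.compile(r"^V/(?P<tag>\S+)\s*\(\s*\d+\):\s*(?P<msg>.*)$")


@dataclass
class ApiRecord:
    """One API execution as reconstructed from the marker log."""
    name: str
    api_class: str          # "send" or "nonsend" (the API class label in the marker)
    position: str           # code position recorded in the start marker
    values: list = field(default_factory=list)   # parameter values logged between the markers

    @property
    def exec_params(self):
        # Assumed convention: a non-sending-class API logs its result variable last,
        # so everything before it is execution parameters.
        if self.api_class == "nonsend" and self.values:
            return tuple(self.values[:-1])
        return tuple(self.values)

    @property
    def result(self):
        return self.values[-1] if self.api_class == "nonsend" and self.values else None


def parse_marker_log(lines, tag="apimon"):
    """Turn log lines into ApiRecords. Lines under other tags are ignored; a
    start marker has the form name|class|position and the end marker is the
    bare API name. Markers are assumed to be emitted sequentially, so values of
    nested or interleaved calls are not separated here."""
    records, current = [], None
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("tag") != tag:
            continue
        msg = m.group("msg").strip()
        if current is None:
            parts = msg.split("|")
            if len(parts) == 3:
                current = ApiRecord(parts[0], parts[1], parts[2])
            continue                      # stray value outside a marker pair is dropped
        if msg == current.name:           # end marker closes the record
            records.append(current)
            current = None
        else:
            current.values.append(msg)
    return records


# Constructed sample log: a short message is read, encrypted, and the ciphertext sent.
SAMPLE_LOG = [
    "V/apimon  ( 1234): readSms|nonsend|MainActivity.smali:42",
    "V/apimon  ( 1234): content://sms/inbox",
    "V/apimon  ( 1234): Meet at 9 tomorrow",
    "V/apimon  ( 1234): readSms",
    "V/other   ( 1234): unrelated noise",
    "V/apimon  ( 1234): encrypt|nonsend|Crypto.smali:17",
    "V/apimon  ( 1234): Meet at 9 tomorrow",
    "V/apimon  ( 1234): 6d3f0a",
    "V/apimon  ( 1234): encrypt",
    "V/apimon  ( 1234): sendTextMessage|send|Upload.smali:88",
    "V/apimon  ( 1234): 6d3f0a",
    "V/apimon  ( 1234): sendTextMessage",
]

if __name__ == "__main__":
    for rec in parse_marker_log(SAMPLE_LOG):
        print(rec.name, rec.api_class, rec.exec_params, rec.result)
```

The records this produces carry exactly what step S13 consumes: for each sending-class API its execution parameters, and for each non-sending-class API its execution parameters together with the result variable that a later API may consume.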
S13: match the obtained execution parameter of each sending-class API against all the extracted user information or against the obtained result variables of the non-sending-class APIs, and determine whether the application is a malicious application according to the matching result.
Preferably, as shown in Fig. 1b, step S13 can be implemented according to the following steps:
S131: for each sending-class API contained in the application, judge whether the extracted user information contains user information that matches the execution parameter of that sending-class API; if so, perform step S132, otherwise perform step S133.
Fig. 2 is a schematic diagram of matching the execution parameter of a sending-class API against the extracted user information. Taking sending-class API1 as an example, the execution parameter of API1 is compared in turn with each piece of extracted user information, in the order of the information identifiers assigned to the user information. If its execution parameter is identical to the user information currently being compared, it is determined that the extracted user information contains user information matching the execution parameter of API1. If, after all the user information has been traversed, the execution parameter of API1 differs from every piece of extracted user information, it is determined that the extracted user information contains no user information matching the execution parameter of API1. Assuming that the execution parameter of API1 is identical to the user information whose identifier is ID1, it is determined that the extracted user information contains user information matching the execution parameter of API1, namely the user information with identifier ID1.
S132: determine that the application is a malicious application; the flow ends.
S133: according to the execution parameter of this sending-class API and the result variables of the non-sending-class APIs contained in the application, recursively look up among the non-sending-class APIs whether there is a non-sending-class API whose execution parameter matches the extracted user information; if so, perform step S132, otherwise the flow ends.
It should be noted that in specific implementation every API contained in the application must be traversed: as soon as one API satisfies the above condition the application can be determined to be malicious, and only when none of the APIs satisfies the condition can the application be determined not to be malicious.
As shown in Fig. 3, in step S133 the recursive lookup among the non-sending-class APIs for a non-sending-class API whose execution parameter matches the extracted user information can be performed as follows (for ease of description, the sending-class API is called the source API in Fig. 3):
S31: look up, among the non-sending-class APIs, whether there is a target API whose result variable is consistent with the execution parameter of the source API; if there is, perform step S32, otherwise perform step S35.
S32: judge whether the execution parameter of the target API matches at least one piece of extracted user information; if so, perform step S33, otherwise perform step S34.
S33: determine that the non-sending-class APIs contain a non-sending-class API whose execution parameter matches the extracted user information; the flow ends.
S34: take the target API as the new source API and perform step S31.
S35: determine that the application containing the source API is not a malicious application.
From the above flow, in the embodiments of the present invention, if the execution parameter of the target API matches none of the extracted user information, the lookup continues, using the execution parameter of that target API against the result variables of the non-sending-class APIs, for a non-sending-class API whose result variable is consistent with it, until all non-sending-class APIs have been traversed. If still none is found, it can be determined that the application containing the source API is not malicious, that is, the information it sends is not user information from the mobile terminal.
To better understand the embodiments of the present invention, the implementation process is illustrated below for sending-class API2 in Fig. 2. In Fig. 2, sending-class API2 contains two execution parameters, assumed to be A1 and A2; that is, the information sent by API2 is A1 and A2.
For A1, assume that the extracted user information contains no matching user information; that is, the information A1 sent by API2 may be information that has been processed. Then it is also necessary to look up, among the non-sending-class APIs, an API whose result variable is A1; assume this is non-sending-class API1. It is now necessary to judge whether the information from which A1 was produced, namely the execution parameter of non-sending-class API1, matches at least one piece of extracted user information. Assuming it matches the user information with identifier ID2, the information sent by API2 is processed user information, from which it can be determined that the application containing API2 is malicious.
For A2, assume likewise that the extracted user information contains no matching user information; that is, the information A2 sent by API2 may also be processed information. Then it is also necessary to look up, among the non-sending-class APIs, an API whose result variable is A2; assume this is non-sending-class API1. It is now necessary to judge whether the information from which A2 was produced, namely the execution parameter B1 of non-sending-class API1, matches at least one piece of extracted user information. Assuming it does not match, B1 may itself be processed information, so the lookup continues among the non-sending-class APIs for one whose result variable is B1. Assuming the result variable of non-sending-class API2 is B1, it is then judged whether the execution parameter of non-sending-class API2 (namely the information B2 from which B1 was produced) matches at least one piece of user information; if it matches, it is determined that the application containing sending-class API2 is malicious. In specific implementation, if it still does not match, the recursive lookup continues among the non-sending-class APIs until all of them have been traversed.
It can be seen that, in the embodiments of the present invention, even if a malicious application processes user information several times before transmitting it, the original user information can still be traced back according to the above flow, so that it can be accurately detected whether the application is malicious.
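The recursive lookup of steps S131 to S133 and S31 to S35, carried through on constructed data as an added example (this is not the patent's own code): the user information table with identifiers ID1 to ID3, the API records and all value strings are invented here. The trace returns the chain of non-sending-class APIs followed back from the sending-class API's execution parameter to the matched user information, and a visited set prevents revisiting an already-traversed non-sending-class API, which is what bounds the search when result variables form a cycle.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Api:
    """One API execution: class label, execution parameters and, for a
    non-sending-class API, its result variable."""
    name: str
    api_class: str                 # "send" or "nonsend"
    params: Tuple[str, ...]        # execution parameters
    result: Optional[str] = None   # result variable (non-sending-class APIs only)


def match_user_info(value, user_info):
    """S131 / Fig. 2: compare value with each piece of user information in
    identifier order (ID1, ID2, ...); return the first identifier whose
    information is identical to value, or None."""
    for ident, info in sorted(user_info.items()):
        if value == info:
            return ident
    return None


def trace_to_user_info(value, nonsend, user_info, visited=None):
    """S31-S35: find a target API whose result variable equals value; if one of
    its execution parameters matches user information, return (chain, ident);
    otherwise treat the target as the new source and recurse on its execution
    parameters. visited holds indices of non-sending-class APIs already
    traversed, so each is examined once and result-variable cycles terminate."""
    visited = set() if visited is None else visited
    for idx, api in enumerate(nonsend):
        if idx in visited or api.result != value:
            continue
        visited.add(idx)
        for param in api.params:                        # S32
            ident = match_user_info(param, user_info)
            if ident is not None:
                return [api.name], ident                # S33
        for param in api.params:                        # S34, back to S31
            found = trace_to_user_info(param, nonsend, user_info, visited)
            if found is not None:
                chain, ident = found
                return [api.name] + chain, ident
    return None                                         # S35 for this branch


def detect_malicious(apis, user_info):
    """S13: the application is malicious as soon as one sending-class API sends
    user information directly (S131/S132) or through a traceable chain of
    non-sending-class APIs (S133); it is not malicious only if no API qualifies."""
    nonsend = [a for a in apis if a.api_class == "nonsend"]
    for api in apis:
        if api.api_class != "send":
            continue
        for value in api.params:
            ident = match_user_info(value, user_info)
            if ident is not None:
                return True, {"send_api": api.name, "chain": [], "user_info": ident}
            found = trace_to_user_info(value, nonsend, user_info)
            if found is not None:
                chain, ident = found
                return True, {"send_api": api.name, "chain": chain, "user_info": ident}
    return False, None


# Constructed user information (Table 2 style) and API records; every value is invented.
USER_INFO = {"ID1": "SMS:Meet at 9", "ID2": "CALL:+86-10-0000", "ID3": "LOC:39.9,116.4"}

# Location read, encoded, then encrypted, then uploaded: two processing steps sit
# between the extracted user information and the sending-class API.
SAMPLE_APIS = [
    Api("readSms", "nonsend", ("content://sms/inbox",), "SMS:Meet at 9"),
    Api("readLocation", "nonsend", (), "LOC:39.9,116.4"),
    Api("base64", "nonsend", ("LOC:39.9,116.4",), "TE9DOjM5LjksMTE2LjQ="),
    Api("encrypt", "nonsend", ("TE9DOjM5LjksMTE2LjQ=",), "9f1c2b"),
    Api("sendTextMessage", "send", ("hello",)),        # sends a literal only
    Api("httpPost", "send", ("9f1c2b",)),              # sends the processed location
]

# Application whose sent value traces back only to a literal.
BENIGN_APIS = [
    Api("encrypt", "nonsend", ("hello",), "ab12"),
    Api("httpPost", "send", ("ab12",)),
]

# Result variable equal to its own execution parameter: the visited set ends the recursion.
CYCLIC_APIS = [
    Api("identity", "nonsend", ("ab12",), "ab12"),
    Api("httpPost", "send", ("ab12",)),
]

if __name__ == "__main__":
    print(detect_malicious(SAMPLE_APIS, USER_INFO))
```

On `SAMPLE_APIS` the trace reports `httpPost` with the chain `["encrypt", "base64"]` ending at `ID3`, which is the multi-step case of the A2/B1/B2 walkthrough above; `BENIGN_APIS` and `CYCLIC_APIS` both end with no match after every non-sending-class API has been examined once.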
In the embodiments of the present invention, for each sending-class API contained in an application, if its execution parameter matches the user information extracted from the mobile terminal, the application is directly determined to be malicious; otherwise, according to its execution parameter and the result variables of the non-sending-class APIs, a non-sending-class API whose execution parameter matches the extracted user information is recursively looked up among the non-sending-class APIs, and if one is found the application is determined to be malicious. In this process, if the execution parameter of a sending-class API does not match the extracted user information, the original information from which that execution parameter was derived, before processing, can still be traced back through the non-sending-class APIs; therefore, even if the application encrypts or otherwise processes the user information it obtains, it can still be determined whether the application is malicious, which improves the accuracy of application detection.
Based on the same inventive concept, the embodiments of the present invention also provide a malicious application detection device. Because the principle by which the device solves the problem is similar to that of the malicious application detection method, the implementation of the device may refer to the implementation of the method, and repeated parts are not described again.
Fig. 4 is a schematic structural diagram of the malicious application detection device provided by the embodiments of the present invention, which includes:
an extraction unit 41, for extracting all user information in the mobile terminal;
an acquiring unit 42, for obtaining the parameter variables of each application programming interface (API) contained in the application installed on the mobile terminal, where the parameter variables include an execution parameter, or an execution parameter and a result variable, and where each API is divided, according to whether it sends a message, into a sending-class API or a non-sending-class API;
a determining unit 43, for matching the obtained execution parameter of a sending-class API against all the extracted user information or against the obtained result variable of a non-sending-class API, and determining whether the application is a malicious application according to the matching result.
The determining unit 43 may include:
a judging sub-unit, for judging, for each sending-class API contained in the application, whether the extracted user information contains user information that matches the execution parameter of that sending-class API;
a determining sub-unit, for determining that the application is a malicious application when the judgment result of the judging sub-unit is yes, or when the lookup sub-unit finds, among the non-sending-class APIs, a non-sending-class API whose execution parameter matches the extracted user information;
a lookup sub-unit, for recursively looking up, when the judgment result of the judging sub-unit is no, whether the non-sending-class APIs contain a non-sending-class API whose execution parameter matches the extracted user information, according to the execution parameter of the sending-class API and the result variables of the non-sending-class APIs contained in the application.
Preferably, the lookup sub-unit may include:
a lookup module, for looking up, according to the execution parameter of the sending-class API, whether the non-sending-class APIs contain a target API whose result variable is consistent with the execution parameter of the sending-class API; and, when the judgment result of the judging module is no, for continuing to recursively look up, according to the execution parameter of the target API and among the non-sending-class APIs not yet traversed, whether there is a non-sending-class API whose result variable is consistent with the execution parameter of the target API, until a non-sending-class API whose execution parameter matches the extracted user information is found or all non-sending-class APIs have been traversed;
a judging module, for judging, when the lookup module finds the target API, whether the execution parameter of the target API matches at least one piece of extracted user information;
a first determining module, for determining, when the judgment result of the judging module is yes, that the non-sending-class APIs contain a non-sending-class API whose execution parameter matches the extracted user information.
Preferably, the acquiring unit 42 may include:
a reverse-decompiling sub-unit, for reverse-decompiling the application to obtain the source code corresponding to the application;
an obtaining sub-unit, for obtaining, according to the source code, the parameter variables of each API contained in the application.
The obtaining sub-unit includes:
a marking module, for inserting, for each API, marker code into the source code before and after the point where that API executes, the marker code including an API class label;
a logging module, for recording the execution information of each API and obtaining the class and the parameter variables of each API from its execution information and its marker code.
The obtaining sub-unit may obtain the parameter variables of each API through the log that records the execution information of each API.
In specific implementation, the malicious application detection device provided by the embodiments of the present invention may further include:
an output unit, for outputting the log that records the execution information of each API.
In specific implementation, the judging sub-unit may include:
a comparison module, for comparing the execution parameter of the sending-class API in turn with each piece of extracted user information;
a second determining module, for determining that the extracted user information contains user information matching the execution parameter of the sending-class API if that execution parameter is identical to the user information currently being compared, and for determining that the extracted user information contains no such user information if the execution parameter differs from every piece of extracted user information.
For convenience of description, the parts above are described separately as modules (or units) divided by function. Of course, when implementing the present invention the functions of the modules (or units) may be realised in one or more pieces of software or hardware.
Those skilled in the art should appreciate that embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that realise the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art, once aware of the basic inventive concept, may make further changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and variations to the invention without departing from its spirit and scope. Thus, if these changes and variations of the invention fall within the scope of the claims of the invention and their technical equivalents, the invention is also intended to encompass them.

Claims (16)

1. A malicious application detection method, characterised in that it comprises:
extracting all user information in a mobile terminal;
acquiring the parameter variables of each API contained in an application program installed on the mobile terminal, the parameter variables comprising an execution parameter, or an execution parameter and a result variable, wherein each API is classified, according to whether it sends a message, as a sending-class API or a non-sending-class API;
matching the acquired execution parameter of a sending-class API against all the extracted user information or against the acquired result variable of a non-sending-class API, and determining, according to the matching result, whether the application program is a malicious application.
2. The method of claim 1, characterised in that matching the acquired execution parameter of a sending-class API against all the extracted user information or against the acquired result variable of a non-sending-class API, and determining, according to the matching result, whether the application program is a malicious application, specifically comprises:
for each sending-class API contained in the application program, judging whether there exists, among the extracted user information, user information that matches the execution parameter of this sending-class API;
if such user information exists, determining that the application program is a malicious application;
if it does not exist, recursively searching the non-sending-class APIs, according to the execution parameter of the sending-class API and the result variables of the non-sending-class APIs contained in the application program, for a non-sending-class API whose execution parameter matches the extracted user information;
if such a non-sending-class API exists, determining that the application program is a malicious application.
3. The method of claim 2, characterised in that recursively searching the non-sending-class APIs, according to the execution parameter of the sending-class API and the result variables of the non-sending-class APIs contained in the application program, for a non-sending-class API whose execution parameter matches the extracted user information, specifically comprises:
according to the execution parameter of the sending-class API, searching the non-sending-class APIs for a target API whose result variable is consistent with the execution parameter of the sending-class API;
if such a target API exists, judging whether the execution parameter of the target API matches at least one item of the extracted user information;
if it does, determining that a non-sending-class API whose execution parameter matches the extracted user information exists among the non-sending-class APIs;
if it does not, continuing, according to the execution parameter of the target API, to recursively search the not-yet-traversed non-sending-class APIs for a non-sending-class API whose result variable is consistent with the execution parameter of the target API, until a non-sending-class API whose execution parameter matches the extracted user information is found or all non-sending-class APIs have been traversed.
4. The method of claim 1, characterised in that acquiring the parameter variables of each application programming interface (API) contained in the application program installed on the mobile terminal specifically comprises:
reverse-decompiling the application program to obtain the source code corresponding to the application program;
acquiring, from the source code, the parameter variables of each API contained in the application program.
5. The method of claim 4, characterised in that acquiring, from the source code, the execution parameter variables of each API contained in the application program specifically comprises:
for each API, inserting marker code into the source code before and after the point where the API is executed, the marker code comprising an API classification marker code;
recording the execution information of each API, and obtaining the classification of the API and the parameter variables of the API from the execution information of the API and the marker code of the API.
6. The method of any one of claims 1 to 5, characterised in that acquiring the parameter variables of each API contained in the application program installed on the mobile terminal comprises:
obtaining the parameter variables of each API from a log that records the execution information of each API.
7. The method of claim 6, characterised in that it further comprises:
outputting the log that records the execution information of each API.
8. The method of claim 1, characterised in that judging whether there exists, among the extracted user information, user information that matches the execution parameter of the sending-class API specifically comprises:
comparing the execution parameter of the sending-class API with each item of the extracted user information in turn;
if the execution parameter of the sending-class API is identical to the user information currently being compared, determining that user information matching the execution parameter of the sending-class API exists among the extracted user information;
if the execution parameter of the sending-class API differs from every item of the extracted user information, determining that no user information matching the execution parameter of the sending-class API exists among the extracted user information.
9. A malicious application detection device, characterised in that it comprises:
an extraction unit for extracting all user information in a mobile terminal;
an acquisition unit for acquiring the parameter variables of each API contained in an application program installed on the mobile terminal, the parameter variables comprising an execution parameter, or an execution parameter and a result variable, wherein each API is classified, according to whether it sends a message, as a sending-class API or a non-sending-class API;
a determination unit for matching the acquired execution parameter of a sending-class API against all the extracted user information or against the acquired result variable of a non-sending-class API, and determining, according to the matching result, whether the application program is a malicious application.
10. The device of claim 9, characterised in that the determination unit comprises:
a judgment sub-unit for judging, for each sending-class API contained in the application program, whether there exists, among the extracted user information, user information that matches the execution parameter of this sending-class API;
a determination sub-unit for determining that the application program is a malicious application when the judgment result of the judgment sub-unit is yes, or when the search sub-unit finds, among the non-sending-class APIs, a non-sending-class API whose execution parameter matches the extracted user information;
a search sub-unit for recursively searching the non-sending-class APIs, when the judgment result of the judgment sub-unit is no, according to the execution parameter of the sending-class API and the result variables of the non-sending-class APIs contained in the application program, for a non-sending-class API whose execution parameter matches the extracted user information.
11. The device of claim 10, characterised in that the search sub-unit specifically comprises:
a search module for searching the non-sending-class APIs, according to the execution parameter of the sending-class API, for a target API whose result variable is consistent with the execution parameter of the sending-class API; and, when the judgment result of the judgment module is no, for continuing, according to the execution parameter of the target API, to recursively search the not-yet-traversed non-sending-class APIs for a non-sending-class API whose result variable is consistent with the execution parameter of the target API, until a non-sending-class API whose execution parameter matches the extracted user information is found or all non-sending-class APIs have been traversed;
a judgment module for judging, when the search module finds the target API, whether the execution parameter of the target API matches at least one item of the extracted user information;
a first determination module for determining, when the judgment result of the judgment module is yes, that a non-sending-class API whose execution parameter matches the extracted user information exists among the non-sending-class APIs.
12. The device of claim 9, characterised in that the acquisition unit specifically comprises:
a reverse-decompilation sub-unit for reverse-decompiling the application program to obtain the source code corresponding to the application program;
an acquisition sub-unit for acquiring, from the source code, the parameter variables of each API contained in the application program.
13. The device of claim 12, characterised in that the acquisition sub-unit comprises:
a marking module for inserting, for each API, marker code into the source code before and after the point where the API is executed, the marker code comprising an API classification marker code;
a logging module for recording the execution information of each API and obtaining the classification of the API and the parameter variables of the API from the execution information of the API and the marker code of the API.
14. The device of any one of claims 9 to 13, characterised in that
the acquisition sub-unit is specifically for obtaining the parameter variables of each API from a log that records the execution information of each API.
15. The device of claim 14, characterised in that the device further comprises:
an output unit for outputting the log that records the execution information of each API.
16. The device of claim 10, characterised in that the judgment sub-unit specifically comprises:
a comparison module for comparing the execution parameter of the sending-class API with each item of the extracted user information in turn;
a second determination module for determining, if the execution parameter of the sending-class API is identical to the user information currently being compared, that user information matching the execution parameter of the sending-class API exists among the extracted user information; and, if the execution parameter of the sending-class API differs from every item of the extracted user information, for determining that no user information matching the execution parameter of the sending-class API exists among the extracted user information.
CN201410610791.XA 2014-11-03 2014-11-03 A kind of malicious application detection method and device Active CN105631325B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410610791.XA CN105631325B (en) 2014-11-03 2014-11-03 A kind of malicious application detection method and device

Publications (2)

Publication Number Publication Date
CN105631325A true CN105631325A (en) 2016-06-01
CN105631325B CN105631325B (en) 2019-04-30

Family

ID=56046250

Country Status (1)

Country Link
CN (1) CN105631325B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant