CN105631325A - Malicious application detection method and apparatus - Google Patents



Publication number
CN105631325A
Authority
CN
China
Prior art keywords
api
sending
user information
execution parameters
execution
Legal status
Granted
Application number
CN201410610791.XA
Other languages
Chinese (zh)
Other versions
CN105631325B (en)
Inventor
张二鹏
彭华熹
Current Assignee
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Application filed by China Mobile Communications Group Co Ltd
Priority to CN201410610791.XA
Publication of CN105631325A
Application granted
Publication of CN105631325B
Legal status: Active

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a malicious application detection method and apparatus for improving the accuracy of malicious application detection. According to whether or not it sends a message, each API is classified as a sending API or a non-sending API. The method comprises the steps of: extracting all user information in a mobile terminal; obtaining the parameter variables of the APIs contained in an application installed on the mobile terminal, the parameter variables including execution parameters, or execution parameters and result variables; and matching the obtained execution parameters of the sending APIs against all the extracted user information or against the obtained result variables of the non-sending APIs, and determining whether the application is malicious according to the matching result.

Description

A malicious application detection method and apparatus

Technical Field

The present invention relates to the technical field of smart terminal application security, and in particular to a malicious application detection method and apparatus.

Background

With the rapid development of the mobile Internet and the growing number of smart mobile terminals, malicious application threats on mobile terminals are also increasing. Because the Android platform is open and Android applications are developed in the Java language, decompilation, analysis and reverse modification are relatively easy, and the threshold for developing Android applications is low, which has directly led to the proliferation of malicious applications on the Android platform.

Among the mainstream malicious applications on mobile terminals today, most exhibit malicious behaviors such as collecting sensitive user information, for example address book information, call records, SMS messages, bank account information and location information. Some malicious applications encrypt this information and then send the collected sensitive user information to a remote server (or a target mobile terminal); the data encryption makes it harder to analyze the application's malicious behavior.

At present, the main methods used to analyze the malicious behavior of malicious applications on mobile terminals and of Internet viruses are:

1) Static analysis of the malicious application.

This mainly involves reversing and decompiling the Android application to produce Smali code, or disassembling it to produce Java source code, then traversing and parsing the decompiled code in full, matching the APIs (Application Programming Interfaces) used by the application against the APIs in a predefined malicious behavior library, and marking the APIs that match as malicious behavior APIs. At the same time the application's permission information is scanned and matched against the permissions recorded in a predefined dangerous permission library, and together with the marked malicious behavior APIs this determines whether the application under test is malicious. Because this approach only detects the specific behavior of the application and cannot detect the concrete content of that behavior (for example, it can detect that an SMS is sent but not what the SMS contains), its detection accuracy is low, and it can only detect known malicious behaviors.

2) Running the malicious application in a sandbox, then capturing and analyzing the network packets it sends to determine its malicious behavior. This method can only analyze packets that the malicious application sends in plaintext and can do nothing with encrypted packets, so it also cannot accurately detect the malicious applications present on a mobile terminal.

Summary of the Invention

Embodiments of the present invention provide a malicious application detection method and apparatus for improving the accuracy of malicious application detection.

An embodiment of the present invention provides a malicious application detection method, including:

extracting all user information in a mobile terminal;

obtaining the parameter variables of each application programming interface (API) contained in an application installed on the mobile terminal, the parameter variables including execution parameters, or execution parameters and result variables, where each API is classified, according to whether it sends a message, as a sending API or a non-sending API;

matching the obtained execution parameters of the sending APIs against all the extracted user information or against the obtained result variables of the non-sending APIs, and determining according to the matching result whether the application is a malicious application.

An embodiment of the present invention provides a malicious application detection apparatus, including:

an extracting unit, configured to extract all user information in a mobile terminal;

an obtaining unit, configured to obtain the parameter variables of each application programming interface (API) contained in an application installed on the mobile terminal, the parameter variables including execution parameters, or execution parameters and result variables, where each API is classified, according to whether it sends a message, as a sending API or a non-sending API;

a determining unit, configured to match the obtained execution parameters of the sending APIs against all the extracted user information or against the obtained result variables of the non-sending APIs, and to determine according to the matching result whether the application is a malicious application.

The malicious application detection method and apparatus provided by the embodiments of the present invention classify APIs into sending APIs and non-sending APIs; for each sending API contained in an application, its execution parameters are matched against the user information extracted from the mobile terminal, or against the result variables of the non-sending APIs, and the matching result determines whether the application is malicious. In this process, the execution parameters of a sending API can be traced back through the non-sending APIs to the original information before it was processed, so even if the application encrypts or otherwise processes the user information it obtained, it can still be determined whether the application is malicious, which improves the certainty of application detection.

Additional features and advantages of the invention will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.

Brief Description of the Drawings

The accompanying drawings described here are provided for a further understanding of the present invention and constitute a part of it; the illustrative embodiments of the present invention and their descriptions serve to explain the invention and do not unduly limit it. In the drawings:

FIG. 1a is a schematic flow diagram of the malicious application detection method in an embodiment of the present invention;

FIG. 1b is a schematic flow diagram of determining whether an application is a malicious application in an embodiment of the present invention;

FIG. 2 is a schematic diagram of matching the execution parameters of a sending API against the extracted user information in an embodiment of the present invention;

FIG. 3 is a schematic flow diagram of recursively searching for a target API in an embodiment of the present invention;

FIG. 4 is a schematic structural diagram of the malicious application detection apparatus in an embodiment of the present invention.

Detailed Description

To improve the accuracy of malicious application detection, in the embodiments of the present invention the user information on the mobile terminal is extracted and combined with the results of analyzing the APIs contained in an application to judge whether an application installed on the mobile terminal is a malicious application.

Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here are only used to illustrate and explain the present invention and are not intended to limit it, and, where there is no conflict, the embodiments and the features of the embodiments may be combined with one another.

Malicious applications on mobile terminals usually share an obvious characteristic: they collect user information on the mobile terminal and send the collected user information to a remote server or a target mobile terminal. Therefore, according to whether an API sends information, APIs are classified and marked as sending APIs or non-sending APIs, as shown in Table 1.

Table 1

In a specific implementation, the sending APIs include APIs that send information by any means, for example sending information by SMS, by Bluetooth, or as network packets. The non-sending APIs include all APIs other than the sending APIs; for example, they may be APIs that read information, including reading SMS messages, call records, address book information and location information, and they may also be encryption APIs.

On this basis, in the embodiments of the present invention, malicious application detection mainly checks whether the information sent by a sending API is user information from the mobile terminal. FIG. 1a is a schematic flow diagram of the malicious application detection method provided by an embodiment of the present invention, which includes the following steps:

S11. Extract all user information in the mobile terminal.

The extracted user information may include SMS messages, call records, address book information, location information and other user-related information on the mobile terminal.

Preferably, to facilitate the subsequent comparison, an information identifier may be assigned to each item of extracted user information, as shown in Table 2:

Table 2

Information content       Information identifier
SMS messages              ID1
Call record information   ID2
Location information      ID3
...                       ...

S12. Obtain the parameter variables of each API contained in the application installed on the mobile terminal.

It should be noted that the parameter variables obtained differ by API category. For a sending API, the parameter variables include the execution parameters, that is, the content of the information being sent; for a non-sending API, the parameter variables may include both execution parameters and result variables. This is not a limitation: in practice, the parameter variables of a sending API may also include both execution parameters and result variables.

Specifically, step S12 may be implemented as follows:

Step 1: Reverse and decompile the application to obtain its corresponding source code.

In a specific implementation, the application installation package (the file with the .apk extension) is reversed and decompiled to obtain the Smali source code.

Step 2: Obtain the parameter variables of each API contained in the application from the source code.

In a specific implementation, for each API, marker code is inserted into the source code before and after the point where that API executes, the marker code including an API classification marker; the execution information of each API is recorded, and the category and the parameter variables of each API are obtained from its execution information and its marker code. The parameter variables of each API can be obtained from a log that records the execution information of each API, and that log is output.

Preferably, using the obtained Smali source code, the execution parameters or result variables of each API contained in the application can be output as follows: scan all APIs contained in the Smali source code and, for each API, insert marker code before and after its execution, including the API classification marker; then repackage the reversed source code and run it. The output of the run is the parameter variables of the APIs. In a specific implementation, they can be output as a log, as shown below:

Uri uri = Uri.parse(AllFinalInfo.SMS_URI_INBOX);
SmsContent sc = new SmsContent(this, uri);
// marker inserted before the API: API name + API classification marker + code position
// (apiName, apiClassMarker and codePosition stand for the values the instrumentation fills in)
Log.v(tag, apiName + apiClassMarker + codePosition);
List<SmsInfo> infos = sc.getSmsInfo();
body.setText(infos.get(position).getSmsbody());
name.setText(infos.get(position).getName());
// parameter variables of the API: the SMS body that was read
Log.v(tag, infos.get(position).getSmsbody());
Log.v(tag, infos.get(position).getSmsbody());
// marker inserted after the API: API name
Log.v(tag, apiName);

Taking a sending API as an example, its execution parameters are the content of the information it sends; for an encryption API, the execution parameter is the original information to be encrypted and the result variable is the encrypted information.

It should be noted that steps S11 and S12 have no fixed order of execution: step S12 may be performed before step S11, and the two steps may also be performed simultaneously.

S13. Match the obtained execution parameters of the sending APIs against all the extracted user information or against the obtained result variables of the non-sending APIs, and determine according to the matching result whether the application is a malicious application.

Preferably, as shown in FIG. 1b, step S13 may be implemented as follows:

S131. For each sending API contained in the application, judge whether the extracted user information contains user information matching the execution parameters of that sending API; if so, go to step S132, otherwise go to step S133.

FIG. 2 is a schematic diagram of matching the execution parameters of a sending API against the extracted user information. Taking sending API1 as an example, the execution parameters of API1 are compared in turn with each item of extracted user information, in the order of the assigned information identifiers; if the execution parameters are identical to the user information currently being compared, the extracted user information is determined to contain user information matching the execution parameters of API1. If, after all the user information has been traversed, the execution parameters of API1 differ from every item of extracted user information, it is determined that the extracted user information contains no user information matching the execution parameters of API1. Suppose the execution parameters of API1 are identical to the user information with identifier ID1; then the extracted user information is determined to contain user information matching the execution parameters of API1, namely the user information with identifier ID1.

S132. Determine that the application is a malicious application, and end the process.

S133. According to the execution parameters of that sending API and the result variables of the non-sending APIs contained in the application, recursively search the non-sending APIs for a non-sending API whose execution parameters match the extracted user information; if one exists, go to step S132, otherwise end the process.

It should be noted that in a specific implementation every API contained in the application must be traversed: as soon as one API satisfies the above condition, the application can be determined to be malicious, and only when no API satisfies the above condition can the application be determined not to be malicious.

As shown in FIG. 3, in step S133 the non-sending APIs may be recursively searched for a non-sending API whose execution parameters match the extracted user information by the following method; for ease of description, the sending API is called the source API in FIG. 3:

S31. Search the non-sending APIs for a target API whose result variable is identical to the execution parameter of the source API; if one exists, go to step S32, otherwise go to step S35.

S32. Judge whether the execution parameters of the target API match at least one item of extracted user information; if so, go to step S33, otherwise go to step S34.

S33. Determine that the non-sending APIs contain a non-sending API whose execution parameters match the extracted user information, and end the process.

S34. Take the target API as the source API, and go to step S31.

S35. Determine that the application containing the source API is not a malicious application.

It can be seen from the above process that, in the embodiments of the present invention, if the execution parameters of the target API match none of the extracted user information, the search continues, using the execution parameters of the target API, for a non-sending API whose result variable is identical to those execution parameters, until all the non-sending APIs have been traversed; if no such API is found, it can be determined that the application containing the source API is not malicious, that is, the information it sends is not user information from the mobile terminal.

For a better understanding of the embodiments of the present invention, the implementation process is described below taking sending API2 in FIG. 2 as an example. In FIG. 2, sending API2 has two execution parameters, assumed to be A1 and A2, that is, the information sent by API2 is A1 and A2.

For A1, suppose the extracted user information contains no matching user information, that is, the information A1 sent by API2 may be processed information. Then the non-sending APIs must be searched for an API whose result variable is A1; suppose this is non-sending API1. It must now be judged whether the information before A1 was processed, namely the execution parameter of non-sending API1, matches at least one item of extracted user information. Suppose it matches the user information with identifier ID2; in other words, the information sent by API2 is processed user information, so the application containing API2 can be determined to be malicious.

For A2, suppose the extracted user information likewise contains no matching user information, that is, the information A2 sent by API2 may also be processed information. Then the non-sending APIs must be searched for an API whose result variable is A2; suppose this is non-sending API1. It must now be judged whether the information before A2 was processed, namely the execution parameter B1 of non-sending API1, matches at least one item of extracted user information. Suppose it does not: B1 may itself be processed information, so the search continues among the non-sending APIs for a non-sending API whose result variable is B1. Suppose the result variable of non-sending API2 is B1; then it is judged whether the execution parameter of non-sending API2 (that is, B2, the information before processing) matches at least one item of user information, and if so, the application containing sending API2 is determined to be malicious. In a specific implementation, if there is still no match, the recursive search continues among the non-sending APIs until all of them have been traversed.

It can thus be seen that in the embodiments of the present invention, even if a malicious application processes the user information several times before sending it, the original user information can still be traced back by the above process, so it can be accurately detected whether the application is malicious.
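The procedure of steps S131 to S133 and the recursive lookup of steps S31 to S35, including the A1/A2 walk-through of FIG. 2, written out as an added Python example (not code from the patent). The API names, the user information contents and the three sample applications are constructed here; the visited set is an addition that stops the recursion looping on cyclic logs.

```python
"""Recursive source tracing for sending-API execution parameters (steps S13, S31-S35)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ApiRecord:
    """One API call recovered from the instrumentation log (Table 1 classification)."""
    name: str
    kind: str                     # "send" or "nonsend" (the API classification marker)
    params: list[str]             # execution parameters observed at runtime
    result: Optional[str] = None  # result variable (None for sending APIs)


def match_user_info(value: str, user_info: dict[str, str]) -> Optional[str]:
    """Compare one value with every extracted user information entry in identifier
    order (Table 2); return the matching information identifier or None."""
    for info_id, content in user_info.items():
        if value == content:
            return info_id
    return None


def find_source(value: str, nonsend: list[ApiRecord], user_info: dict[str, str],
                visited: set[int]) -> Optional[tuple[str, list[str]]]:
    """Steps S31-S35: find a non-sending API whose result variable equals `value`
    (the target API), test its execution parameters against user information (S32),
    otherwise make the target the new source and recurse (S34).
    Returns (matched information identifier, chain of API names) or None (S35).
    `visited` is an addition here: it keeps cyclic logs from recursing forever."""
    for idx, api in enumerate(nonsend):
        if idx in visited or api.result != value:
            continue
        visited.add(idx)
        for param in api.params:                 # S32: the target's own inputs
            info_id = match_user_info(param, user_info)
            if info_id is not None:
                return info_id, [api.name]       # S33
        for param in api.params:                 # S34: the target becomes the source
            found = find_source(param, nonsend, user_info, visited)
            if found is not None:
                return found[0], [api.name] + found[1]
    return None                                  # S35: nothing traced back


def detect(apis: list[ApiRecord], user_info: dict[str, str]) -> Optional[dict]:
    """Steps S131-S133 over every sending API of one application. Returns a verdict
    for the first sending API traced back to user information, else None."""
    nonsend = [a for a in apis if a.kind == "nonsend"]
    for api in apis:
        if api.kind != "send":
            continue
        for param in api.params:
            info_id = match_user_info(param, user_info)            # S131
            if info_id is not None:                                # S132: plaintext leak
                return {"send_api": api.name, "user_info": info_id, "chain": []}
            found = find_source(param, nonsend, user_info, set())  # S133
            if found is not None:
                return {"send_api": api.name, "user_info": found[0], "chain": found[1]}
    return None


# Constructed sample data (not from the patent): user information extracted from the
# terminal with the identifiers of Table 2, and the API records of three test apps.
USER_INFO = {
    "ID1": "Your verification code is 4821",      # SMS message
    "ID2": "+86-138-0000-0000 2014-11-03 00:02",  # call record entry
    "ID3": "39.9042,116.4074",                    # location
}

# App 1 mirrors the FIG. 2 walk-through: A1 is an encrypted call record, A2 is a
# base64-encoded encryption of the location (two processing steps before sending).
APP_ENCRYPTS_THEN_SENDS = [
    ApiRecord("Cipher.doFinal", "nonsend", [USER_INFO["ID2"]], "<enc1>"),
    ApiRecord("Cipher.doFinal", "nonsend", [USER_INFO["ID3"]], "<enc2>"),
    ApiRecord("Base64.encodeToString", "nonsend", ["<enc2>"], "<b64-enc2>"),
    ApiRecord("SmsManager.sendTextMessage", "send", ["<enc1>", "<b64-enc2>"]),
]

# App 2 sends only A2, so the match needs two hops of the recursive lookup.
APP_TWO_HOPS = [
    ApiRecord("Cipher.doFinal", "nonsend", [USER_INFO["ID3"]], "<enc2>"),
    ApiRecord("Base64.encodeToString", "nonsend", ["<enc2>"], "<b64-enc2>"),
    ApiRecord("OutputStream.write", "send", ["<b64-enc2>"]),
]

# App 3 encodes and sends a string that is not user information: no verdict.
APP_BENIGN = [
    ApiRecord("Base64.encodeToString", "nonsend", ["ping"], "cGluZw=="),
    ApiRecord("OutputStream.write", "send", ["cGluZw=="]),
]

if __name__ == "__main__":
    for label, app in [("encrypts-then-sends", APP_ENCRYPTS_THEN_SENDS),
                       ("two-hops", APP_TWO_HOPS), ("benign", APP_BENIGN)]:
        print(label, "->", detect(app, USER_INFO))
```

The chain in each verdict lists the non-sending APIs passed through on the way back to the user information, which is the evidence an analyst would want alongside the malicious/benign decision.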

本发明实施例中,对于应用程序包含的发送类API,如果其执行参数与提取的移动终端中的用户信息匹配,则直接确定该应用程序为恶意应用程序,否则,根据其执行参数和非发送类API的结果变量,在非发送类中递归查找执行参数与提取的用户信息匹配的非发送类API,如果查找到,则确定该应用程序为恶意应用程序。上述过程中,如果发送类API的执行参数与提取的用户信息不匹配时,也可以从非发送类API中追溯到该执行参数在被处理之前的原始信息,因此,即使应用程序将获取的用户信息进行加密等处理,也能够确定出其是否为恶意应用程序,从而,提高了应用程序检测的确定性。In the embodiment of the present invention, for the sending API included in the application, if its execution parameters match the extracted user information in the mobile terminal, it is directly determined that the application is a malicious application; otherwise, according to its execution parameters and non-sending The result variable of the class API, recursively search the non-sending class API whose execution parameters match the extracted user information in the non-sending class, if found, determine that the application is a malicious application. In the above process, if the execution parameters of the sending API do not match the extracted user information, the original information of the execution parameters before being processed can also be traced from the non-sending API. Therefore, even if the application will obtain the user information By performing encryption and other processing on the information, it is also possible to determine whether it is a malicious application program, thereby improving the certainty of application program detection.

基于同一发明构思,本发明实施例中还提供了一种恶意应用程序检测装置,由于上述装置解决问题的原理与恶意应用程序检测方法相似,因此上述装置的实施可以参见方法的实施,重复之处不再赘述。Based on the same inventive concept, a malicious application detection device is also provided in the embodiment of the present invention. Since the problem-solving principle of the above-mentioned device is similar to the malicious application detection method, the implementation of the above-mentioned device can refer to the implementation of the method. No longer.

Figure 4 is a schematic structural diagram of the malicious application detection device provided by an embodiment of the present invention. The device includes:

an extraction unit 41, configured to extract all user information in the mobile terminal;

an acquisition unit 42, configured to acquire the parameter variables of each application programming interface (API) contained in an application installed on the mobile terminal, where the parameter variables include execution parameters, or execution parameters and result variables, and where each API is classified as a sending API or a non-sending API according to whether it sends a message;

a determining unit 43, configured to match the acquired execution parameters of the sending APIs against all the extracted user information or against the acquired result variables of the non-sending APIs, and to determine from the matching result whether the application is a malicious application.

The determining unit 43 may include:

a judging subunit, configured to judge, for each sending API contained in the application, whether the extracted user information contains an item matching the execution parameters of that sending API;

a determining subunit, configured to determine that the application is malicious when the result of the judging subunit is yes, or when the searching subunit finds a non-sending API whose execution parameters match the extracted user information;

a searching subunit, configured, when the result of the judging subunit is no, to search recursively among the non-sending APIs, based on the execution parameters of the sending API and the result variables of the non-sending APIs contained in the application, for a non-sending API whose execution parameters match the extracted user information.

Preferably, the searching subunit may include:

a search module, configured to search the non-sending APIs, based on the execution parameters of the sending API, for a target API whose result variable is identical to the execution parameters of the sending API; and, when the result of the judging module is no, to continue searching recursively among the non-sending APIs not yet traversed, based on the execution parameters of the target API, for a non-sending API whose result variable is identical to the execution parameters of the target API, until a non-sending API whose execution parameters match the extracted user information is found or all non-sending APIs have been traversed;

a judging module, configured to judge, when the search module finds the target API, whether the execution parameters of the target API match at least one item of the extracted user information;

a first determining module, configured to determine, when the result of the judging module is yes, that the non-sending APIs include a non-sending API whose execution parameters match the extracted user information.

Preferably, the acquisition unit 42 may include:

a reverse decompilation subunit, configured to decompile the application to obtain the source code corresponding to the application;

an acquisition subunit, configured to acquire the parameter variables of each API contained in the application from the source code.

The acquisition subunit includes:

a marking module, configured to insert marker code into the source code for each API, before and after the API is executed, the marker code including an API classification marker;

a recording module, configured to record the execution information of each API and to obtain the category and the parameter variables of the API from its execution information and its marker code.

The acquisition subunit may be configured to acquire the parameter variables of each API from a log that records the execution information of each API.

In a specific implementation, the malicious application detection device provided by the embodiment of the present invention may further include:

an output unit, configured to output the log recording the execution information of each API.

In a specific implementation, the judging subunit may include:

a comparison module, configured to compare the execution parameters of the sending API with each item of the extracted user information in turn;

a second determining module, configured to determine that the extracted user information contains an item matching the execution parameters of the sending API if those execution parameters are identical to the user information item currently being compared, and to determine that no such item exists if the execution parameters differ from every item of the extracted user information.
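The determining unit 43 described above (judging subunit, searching subunit and comparison module), as an added worked example that is not code from the patent: a small Python implementation fed by a constructed execution log of the kind the marking and recording modules would write. The log line format, the API names and the user-information values are all assumptions.

```python
# Added example, not code from the patent: a compact implementation of the
# determining unit, driven by a constructed marker log. Log format, API names
# and user-information values below are assumptions for illustration.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ApiRecord:
    name: str
    category: str          # "SEND" (sending API) or "NONSEND" (non-sending API)
    params: tuple          # execution parameters as logged (literals or variable names)
    result: Optional[str]  # result variable; only meaningful for non-sending APIs


# Assumed line shape written by the marker code around each API call:
#   [<category>] <api name> params=<a>,<b> result=<var>    (result "-" when none)
LOG_RE = re.compile(r"^\[(SEND|NONSEND)\]\s+(\S+)\s+params=(\S*)\s+result=(\S+)$")


def parse_log(lines):
    """Build ApiRecords from the marker log; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        category, name, raw_params, result = m.groups()
        params = tuple(p for p in raw_params.split(",") if p)
        records.append(ApiRecord(name, category, params, None if result == "-" else result))
    return records


def params_match_user_info(params, user_info):
    """Comparison module: compare each execution parameter with every extracted
    user-information item in turn; exact equality on any item is a match."""
    return any(p == info for p in params for info in user_info)


def find_source(params, nonsend, user_info, visited):
    """Search subunit: among non-sending APIs not yet traversed, find a target API
    whose result variable equals one of `params`. If its own execution parameters
    match user information the chain ends there; otherwise recurse on that API's
    parameters. Returns None once every candidate has been traversed."""
    for idx, api in enumerate(nonsend):
        if idx in visited or api.result is None or api.result not in params:
            continue
        visited.add(idx)
        if params_match_user_info(api.params, user_info):
            return [api.name]
        chain = find_source(api.params, nonsend, user_info, visited)
        if chain is not None:
            return [api.name] + chain
    return None


def detect(records, user_info):
    """Determining unit: returns (is_malicious, chain), where chain lists the sending
    API followed by the non-sending APIs that carried user information into it."""
    nonsend = [r for r in records if r.category == "NONSEND"]
    for api in (r for r in records if r.category == "SEND"):
        # Judging subunit: direct match between the sending API's parameters and user info.
        if params_match_user_info(api.params, user_info):
            return True, [api.name]
        # Otherwise recurse through the non-sending APIs whose results feed this call.
        chain = find_source(api.params, nonsend, user_info, set())
        if chain is not None:
            return True, [api.name] + chain
    return False, []


# Constructed placeholders standing in for user information extracted from the terminal.
USER_INFO = {"IMEI_PLACEHOLDER_0001", "+00-000-0000-0000", "user@example.invalid"}

# Constructed log: the IMEI is encrypted, then base64-encoded, then sent, so only the
# recursive search links the sending API back to user information.
LEAKING_LOG = [
    "[NONSEND] Cipher.doFinal params=IMEI_PLACEHOLDER_0001 result=v1",
    "[NONSEND] Base64.encode params=v1 result=v2",
    "[NONSEND] Location.getLatitude params= result=v9",
    "[SEND] HttpURLConnection.write params=v2 result=-",
]

# Constructed log of a benign application: what is sent never derives from user info.
BENIGN_LOG = [
    "[NONSEND] Base64.encode params=app_version result=v1",
    "[SEND] HttpURLConnection.write params=v1 result=-",
]

if __name__ == "__main__":
    print(detect(parse_log(LEAKING_LOG), USER_INFO))  # (True, ['HttpURLConnection.write', 'Base64.encode', 'Cipher.doFinal'])
    print(detect(parse_log(BENIGN_LOG), USER_INFO))   # (False, [])
```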

For convenience of description, the parts above are divided into modules (or units) by function and described separately. Of course, when implementing the present invention, the functions of the modules (or units) may be implemented in one or more pieces of software or hardware.

Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and any combination of processes and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.

Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they have learned the basic inventive concept. Therefore, the appended claims are intended to be construed as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.

Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include them.

Claims (16)

1. A malicious application detection method, characterized in that it comprises: extracting all user information in a mobile terminal; acquiring the parameter variables of each API contained in an application installed on the mobile terminal, the parameter variables including execution parameters, or execution parameters and result variables, where each API is classified as a sending API or a non-sending API according to whether it sends a message; and matching the acquired execution parameters of the sending APIs against all the extracted user information or the acquired result variables of the non-sending APIs, and determining from the matching result whether the application is a malicious application.

2. The method according to claim 1, wherein matching the acquired execution parameters of the sending APIs against all the extracted user information or the acquired result variables of the non-sending APIs, and determining from the matching result whether the application is a malicious application, specifically comprises: for each sending API contained in the application, judging whether the extracted user information contains an item matching the execution parameters of that sending API; if so, determining that the application is a malicious application; if not, searching recursively among the non-sending APIs, based on the execution parameters of the sending API and the result variables of the non-sending APIs contained in the application, for a non-sending API whose execution parameters match the extracted user information; and if such a non-sending API exists, determining that the application is a malicious application.

3. The method according to claim 2, wherein searching recursively among the non-sending APIs, based on the execution parameters of the sending API and the result variables of the non-sending APIs contained in the application, for a non-sending API whose execution parameters match the extracted user information specifically comprises: searching the non-sending APIs, based on the execution parameters of the sending API, for a target API whose result variable is identical to the execution parameters of the sending API; if one exists, judging whether the execution parameters of the target API match at least one item of the extracted user information; if so, determining that the non-sending APIs include a non-sending API whose execution parameters match the extracted user information; if not, continuing the recursive search among the non-sending APIs not yet traversed, based on the execution parameters of the target API, for a non-sending API whose result variable is identical to the execution parameters of the target API, until a non-sending API whose execution parameters match the extracted user information is found or all non-sending APIs have been traversed.

4. The method according to claim 1, wherein acquiring the parameter variables of each application programming interface (API) contained in the application installed on the mobile terminal specifically comprises: decompiling the application to obtain the source code corresponding to the application; and acquiring the parameter variables of each API contained in the application from the source code.

5. The method according to claim 4, wherein acquiring the execution parameter variables of each API contained in the application from the source code specifically comprises: for each API, inserting marker code into the source code before and after the API is executed, the marker code including an API classification marker; and recording the execution information of each API, and obtaining the category and the parameter variables of the API from its execution information and its marker code.

6. The method according to any one of claims 1 to 5, wherein acquiring the parameter variables of each API contained in the application installed on the mobile terminal comprises: acquiring the parameter variables of each API from a log recording the execution information of each API.

7. The method according to claim 6, further comprising: outputting the log recording the execution information of each API.

8. The method according to claim 1, wherein judging whether the extracted user information contains an item matching the execution parameters of the sending API specifically comprises: comparing the execution parameters of the sending API with each item of the extracted user information in turn; if the execution parameters of the sending API are identical to the user information item currently being compared, determining that the extracted user information contains an item matching the execution parameters of the sending API; and if the execution parameters of the sending API differ from every item of the extracted user information, determining that the extracted user information contains no item matching the execution parameters of the sending API.

9. A malicious application detection device, characterized in that it comprises: an extraction unit, configured to extract all user information in a mobile terminal; an acquisition unit, configured to acquire the parameter variables of each API contained in an application installed on the mobile terminal, the parameter variables including execution parameters, or execution parameters and result variables, where each API is classified as a sending API or a non-sending API according to whether it sends a message; and a determining unit, configured to match the acquired execution parameters of the sending APIs against all the extracted user information or the acquired result variables of the non-sending APIs, and to determine from the matching result whether the application is a malicious application.

10. The device according to claim 9, wherein the determining unit comprises: a judging subunit, configured to judge, for each sending API contained in the application, whether the extracted user information contains an item matching the execution parameters of that sending API; a determining subunit, configured to determine that the application is a malicious application when the result of the judging subunit is yes, or when the searching subunit finds a non-sending API whose execution parameters match the extracted user information; and a searching subunit, configured, when the result of the judging subunit is no, to search recursively among the non-sending APIs, based on the execution parameters of the sending API and the result variables of the non-sending APIs contained in the application, for a non-sending API whose execution parameters match the extracted user information.

11. The device according to claim 10, wherein the searching subunit specifically comprises: a search module, configured to search the non-sending APIs, based on the execution parameters of the sending API, for a target API whose result variable is identical to the execution parameters of the sending API, and, when the result of the judging module is no, to continue searching recursively among the non-sending APIs not yet traversed, based on the execution parameters of the target API, for a non-sending API whose result variable is identical to the execution parameters of the target API, until a non-sending API whose execution parameters match the extracted user information is found or all non-sending APIs have been traversed; a judging module, configured to judge, when the search module finds the target API, whether the execution parameters of the target API match at least one item of the extracted user information; and a first determining module, configured to determine, when the result of the judging module is yes, that the non-sending APIs include a non-sending API whose execution parameters match the extracted user information.

12. The device according to claim 9, wherein the acquisition unit specifically comprises: a reverse decompilation subunit, configured to decompile the application to obtain the source code corresponding to the application; and an acquisition subunit, configured to acquire the parameter variables of each API contained in the application from the source code.

13. The device according to claim 12, wherein the acquisition subunit comprises: a marking module, configured to insert marker code into the source code for each API, before and after the API is executed, the marker code including an API classification marker; and a recording module, configured to record the execution information of each API and to obtain the category and the parameter variables of the API from its execution information and its marker code.

14. The device according to any one of claims 9 to 13, wherein the acquisition subunit is specifically configured to acquire the parameter variables of each API from a log recording the execution information of each API.

15. The device according to claim 14, further comprising: an output unit, configured to output the log recording the execution information of each API.

16. The device according to claim 10, wherein the judging subunit specifically comprises: a comparison module, configured to compare the execution parameters of the sending API with each item of the extracted user information in turn; and a second determining module, configured to determine that the extracted user information contains an item matching the execution parameters of the sending API if those execution parameters are identical to the user information item currently being compared, and to determine that no such item exists if the execution parameters differ from every item of the extracted user information.
CN201410610791.XA 2014-11-03 2014-11-03 Method and device for detecting malicious application Active CN105631325B (en)


Publications (2)

Publication Number Publication Date
CN105631325A true CN105631325A (en) 2016-06-01
CN105631325B CN105631325B (en) 2019-04-30





Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant