CN105631325B - A kind of malicious application detection method and device - Google Patents

A kind of malicious application detection method and device

Info

Publication number: CN105631325B
Authority: CN (China)
Prior art keywords: api, class, user information, parameter, sent
Legal status: Active
Application number: CN201410610791.XA
Other languages: Chinese (zh)
Other versions: CN105631325A (en)
Inventors: 张二鹏, 彭华熹
Current assignee: China Mobile Communications Group Co Ltd
Original assignee: China Mobile Communications Group Co Ltd
Application filed by China Mobile Communications Group Co Ltd
Priority to CN201410610791.XA
Publication of CN105631325A
Application granted
Publication of CN105631325B


Abstract

The invention discloses a malicious application detection method and device, to improve the accuracy of malicious application detection. According to whether they send messages, APIs are divided into send-class APIs and non-send-class APIs. The method comprises: extracting all user information on the mobile terminal; obtaining the parameter variables of each API contained in an application program installed on the mobile terminal, the parameter variables including an execution parameter, or an execution parameter and a result variable; matching the execution parameter of an obtained send-class API against all extracted user information or against the result variables of the obtained non-send-class APIs, and determining from the matching result whether the application program is a malicious application.

Description

A kind of malicious application detection method and device
Technical field
The present invention relates to the field of intelligent terminal application security, and in particular to a malicious application detection method and device.
Background technique
With the rapid development of the mobile Internet and the growing number of intelligent mobile terminals, the threat from malicious application programs on mobile terminals has also grown. Because the Android platform is open and Android applications are developed in the Java language, decompilation analysis and reverse modification are relatively easy, and the barrier to Android application development is low; together these directly lead to the proliferation of malicious applications on the Android platform.
Among the malicious applications currently prevalent on mobile terminals, most collect sensitive user information, such as contact lists, call records, short messages, bank account information and location information. Some malicious applications encrypt this information before sending the collected user information to a remote server (or a target mobile terminal); the data encryption increases the difficulty of analysing the application's malicious behaviour.
The main means currently used to analyse the malicious behaviour of malicious applications and Internet viruses on mobile terminals are:
1) Static analysis of the malicious application.
The Android application is reversed and decompiled to generate Smali code, or disassembled to generate Java source code; the decompiled code is then traversed and parsed in full, the APIs (application programming interfaces) used by the application are matched against the APIs in a predefined malicious-behaviour library, and the application's APIs that match are marked as malicious-behaviour APIs. At the same time the application's permission information is scanned and matched against the permission information recorded in a predefined dangerous-permission library, and combined with the marked malicious-behaviour APIs to determine whether the application under test is a malicious application. Because this approach only detects the concrete behaviour of the application, it cannot detect the specific content of the behaviour itself: for example, it can only detect that a short message is sent, not the content of the short message. This makes malicious application detection less accurate, and the method can only detect known malicious behaviours.
2) Running the malicious application in a sandbox, capturing and analysing the network data packets it sends, and determining its malicious behaviour from them. This method can only analyse malicious applications that send data packets in plaintext and is helpless against encrypted data packets, so it also cannot accurately detect the malicious applications present on a mobile terminal.
Summary of the invention
Embodiments of the present invention provide a malicious application detection method and device, to improve the accuracy of malicious application detection.
An embodiment of the present invention provides a malicious application detection method, comprising:
extracting all user information on a mobile terminal;
obtaining the parameter variables of each application programming interface (API) contained in an application program installed on the mobile terminal, the parameter variables including an execution parameter, or an execution parameter and a result variable, wherein each API is divided, according to whether it sends a message, into a send-class API or a non-send-class API;
matching the execution parameter of an obtained send-class API against all extracted user information or against the result variables of the obtained non-send-class APIs, and determining from the matching result whether the application program is a malicious application.
An embodiment of the present invention provides a malicious application detection device, comprising:
an extraction unit, for extracting all user information on a mobile terminal;
an acquiring unit, for obtaining the parameter variables of each application programming interface (API) contained in an application program installed on the mobile terminal, the parameter variables including an execution parameter, or an execution parameter and a result variable, wherein each API is divided, according to whether it sends a message, into a send-class API or a non-send-class API;
a determination unit, for matching the execution parameter of an obtained send-class API against all extracted user information or against the result variables of the obtained non-send-class APIs, and determining from the matching result whether the application program is a malicious application.
In the malicious application detection method and device provided by embodiments of the present invention, APIs are divided into send-class APIs and non-send-class APIs. For each send-class API contained in an application program, its execution parameter is matched against the user information extracted from the mobile terminal, or against the result variables of the non-send-class APIs, and from the matching result it is determined whether the application program is a rogue program. In this process, the execution parameter of a send-class API can be traced back, through the non-send-class APIs, to the original information before that execution parameter was processed. Therefore, even if the application program encrypts or otherwise processes the user information it obtains, it can still be determined whether it is a malicious application, which improves the certainty of application program detection.
Other features and advantages of the invention will be set out in the description that follows, and will in part become apparent from the description or may be learned by practising the invention. The objectives and other advantages of the invention may be realised and obtained by the structures particularly pointed out in the written description, the claims and the accompanying drawings.
Detailed description of the invention
The drawings described here are provided for a further understanding of the invention and form a part of it; the illustrative embodiments of the invention and their description serve to explain the invention and do not unduly limit it. In the drawings:
Fig. 1a is a flow diagram of the malicious application detection method in an embodiment of the present invention;
Fig. 1b is a flow diagram, in an embodiment of the present invention, of determining whether an application program is a malicious application;
Fig. 2 is a schematic diagram of matching the execution parameter of a send-class API against the extracted user information in an embodiment of the present invention;
Fig. 3 is a flow diagram of the recursive lookup of a target API in an embodiment of the present invention;
Fig. 4 is a structural diagram of the malicious application detection device in an embodiment of the present invention.
Specific embodiment
To improve the accuracy of the malicious application detection method, embodiments of the present invention extract the user information on the mobile terminal and combine it with the results of analysing the APIs contained in the application package, in order to judge whether an application program installed on the mobile terminal is a malicious application.
Preferred embodiments of the invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here serve only to illustrate and explain the invention and are not intended to limit it; where there is no conflict, the embodiments of the invention and the features in the embodiments can be combined with each other.
Malicious applications on mobile terminals usually show the following obvious characteristics: they collect user information on the mobile terminal, and they send the collected user information to a remote server or a target mobile terminal. Therefore, according to whether an API sends information, APIs are divided into send-class APIs and non-send-class APIs and marked accordingly, as shown in Table 1.
Table 1
In a specific implementation, send-class APIs include APIs that send information in any manner, for example sending information by short message, by Bluetooth or by network data packet. Non-send-class APIs include all APIs other than send-class APIs; they may, for example, be APIs that read information, including reading short messages, call records, contact lists and location information, or they may be encryption APIs.
On this basis, when detecting malicious applications in embodiments of the present invention, the main check is whether the information sent by a send-class API is user information on the mobile terminal. Fig. 1a is a flow diagram of the malicious application detection method provided by an embodiment of the present invention, which comprises the following steps:
S11, extracting all user information on the mobile terminal.
The extracted user information may include short messages, call records, contact lists, location information and other user-related information on the mobile terminal.
Preferably, to ease later comparison, a message identifier can be assigned to each extracted item of user information, as shown in Table 2:
Table 2
Information content      Message identifier
Short message            ID1
Call record              ID2
Location information     ID3
……                       ……
S12, obtaining the parameter variables of each API contained in an application program installed on the mobile terminal.
Note that the parameter variables obtained differ with the class of the API. For example, for a send-class API the parameter variables include the execution parameter, that is, the information content that is sent; for a non-send-class API the parameter variables may include an execution parameter and a result variable. This is not limiting, however: in practice the parameter variables of a send-class API may also include both an execution parameter and a result variable.
Specifically, step S12 can be implemented by the following steps:
Step 1: reverse decompiling the application program to obtain its corresponding source code.
In a specific implementation, the application installation package (a file with the extension .apk) is reverse decompiled to obtain Smali source code.
Step 2: obtaining from the source code the parameter variables of each API contained in the application program.
In a specific implementation, for every API, marker code can be inserted into the source code before and after the API executes, the marker code including an API class marker. The execution information of every API is recorded, and from the execution information of the API and its marker code the class of the API and its parameter variables are obtained. The parameter variables of each API can be obtained from a log that records the execution information of each API, and that log can be output.
Preferably, the obtained Smali source code can be used to output the execution parameter or result variable of each API contained in the application program in the following way: scan all APIs contained in the Smali source code; for every API, insert marker code, including an API class marker, before and after the API executes; repackage the reversed source code and run it; the output of the run is the variable parameters of the API. In a specific implementation the output can be written as a log, as follows:
// Marker and log output inserted around an SMS-reading (non-send-class) API.
// AllFinalInfo, SmsContent and SmsInfo are the instrumented application's own classes;
// tag, apiName, apiClassMarker and codePosition are the marker values for this API.
import android.net.Uri;
import android.util.Log;
import java.util.List;

Uri uri = Uri.parse(AllFinalInfo.SMS_URI_INBOX);
SmsContent sc = new SmsContent(this, uri);
// Marker before the API executes: API name + API class marker + code position
Log.v(tag, apiName + apiClassMarker + codePosition);
List<SmsInfo> infos = sc.getSmsInfo();
body.setText(infos.get(position).getSmsbody());
name.setText(infos.get(position).getName());
// Result variables of the API: the message body and sender name that were read
Log.v(tag, infos.get(position).getSmsbody());
Log.v(tag, infos.get(position).getName());
// Marker after the API executes
Log.v(tag, apiName);
For a send-class API the execution parameter is the information content sent by the API; for an encryption API the execution parameter is the original information to be encrypted and the result variable is the encrypted information.
Note that steps S11 and S12 have no fixed order of execution: step S12 may be executed before step S11, and the two steps may also be performed at the same time.
S13, matching the execution parameter of an obtained send-class API against all extracted user information or against the result variables of the obtained non-send-class APIs, and determining from the matching result whether the application program is a malicious application.
Preferably, as shown in Fig. 1b, step S13 can be implemented by the following steps:
S131, for each send-class API contained in the application program, judging whether there is, among the extracted user information, user information matching the execution parameter of that send-class API; if so, executing step S132, otherwise executing step S133.
Fig. 2 is a schematic diagram of matching the execution parameter of a send-class API against the extracted user information. Taking send-class API1 as an example, the execution parameter of API1 is compared in turn with each extracted item of user information, in the order of the message identifiers assigned to the user information. If the execution parameter is identical to the user information currently being compared, it is determined that the extracted user information contains user information matching the execution parameter of API1. If, after all the user information has been traversed, the execution parameter of API1 differs from every extracted item of user information, it is determined that the extracted user information contains no user information matching the execution parameter of API1. Assuming that the execution parameter of API1 is identical to the user information whose message identifier is ID1, it is determined that the extracted user information contains user information matching the execution parameter of API1, namely the user information with message identifier ID1.
S132, determining that the application program is a malicious application; the process ends.
S133, according to the execution parameter of the send-class API and the result variables of the non-send-class APIs contained in the application program, recursively looking up, among the non-send-class APIs, whether there is a non-send-class API whose execution parameter matches the extracted user information; if so, executing step S132, otherwise the process ends.
Note that in a specific implementation every API contained in the application program needs to be traversed: as soon as one API satisfies the above condition, the application program can be determined to be a malicious application; only when none of the APIs satisfies the above condition can the application program be determined not to be a malicious application.
As shown in Fig. 3, in step S133 the following method can be used to recursively look up, among the non-send-class APIs, whether there is a non-send-class API whose execution parameter matches the extracted user information. For ease of description, the send-class API is called the source API in Fig. 3:
S31, searching among the non-send-class APIs for a target API whose result variable is consistent with the execution parameter of the source API; if one exists, executing step S32, otherwise executing step S35.
S32, judging whether the execution parameter of the target API matches at least one item of the extracted user information; if so, executing step S33, otherwise executing step S34.
S33, determining that among the non-send-class APIs there is a non-send-class API whose execution parameter matches the extracted user information; the process ends.
S34, taking the target API as the source API and executing step S31.
S35, determining that the application program containing the source API is not a malicious application.
From the above process it can be seen that, in embodiments of the present invention, if the execution parameter of the target API matches none of the extracted user information, the lookup continues, according to the execution parameter of the target API, for a non-send-class API whose result variable is consistent with that execution parameter, until all non-send-class APIs have been traversed; if still nothing is found, it can be determined that the application program containing the source API is not a malicious application, that is, the information it sends is not user information on the mobile terminal.
To better understand embodiments of the present invention, the implementation process of an embodiment is illustrated below taking the send-class API2 in Fig. 2 as an example. In Fig. 2, send-class API2 includes two execution parameters, assumed to be A1 and A2, that is, the information sent by API2 is A1 and A2.
For A1, assume that there is no matching user information among the extracted user information, that is, the information A1 sent by API2 may be processed information. It is then necessary to look up, among the non-send-class APIs, an API whose result variable is A1; assume it is non-send-class API1. It must then be judged whether the information before A1 was processed, that is, the execution parameter of non-send-class API1, matches at least one item of the extracted user information. Assume it matches the user information whose message identifier is ID2; this means the information sent by API2 is processed user information, and it can therefore be determined that the application program containing API2 is a malicious application.
For A2, assume likewise that there is no matching user information among the extracted user information, that is, the information A2 sent by API2 may also be processed information. It is then necessary to look up, among the non-send-class APIs, an API whose result variable is A2; assume it is non-send-class API1. It must then be judged whether the information before A2 was processed, that is, the execution parameter B1 of non-send-class API1, matches at least one item of the extracted user information. Assume it does not match; B1 may itself be processed information, so the lookup continues among the non-send-class APIs for a non-send-class API whose result variable is B1. Assume the result variable of non-send-class API2 is B1; it is then judged whether the execution parameter of non-send-class API2 (that is, the information B2 before it was processed) matches at least one item of user information. If it matches, the application program containing send-class API2 is determined to be a malicious application. In a specific implementation, if there is still no match, the recursive lookup continues among the non-send-class APIs until all non-send-class APIs have been traversed.
It can be seen that in embodiments of the present invention, even if a malicious application processes the user information several times before sending it, the above process can still trace it back to the original user information, so that it can be accurately detected whether the application program is a malicious application.
In embodiments of the present invention, for each send-class API contained in an application program, if its execution parameter matches the user information extracted from the mobile terminal, the application program is directly determined to be a malicious application; otherwise, according to its execution parameter and the result variables of the non-send-class APIs, a recursive lookup is made among the non-send-class APIs for a non-send-class API whose execution parameter matches the extracted user information, and if one is found the application program is determined to be a malicious application. In this process, if the execution parameter of a send-class API does not match the extracted user information, the execution parameter can still be traced back, through the non-send-class APIs, to the original information before it was processed. Therefore, even if the application program encrypts or otherwise processes the user information it obtains, it can still be determined whether it is a malicious application, which improves the certainty of application program detection.
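As an added illustration, and not code from the patent itself, the following Python implements the matching of steps S131 to S133 and the recursive lookup of Fig. 3 (S31 to S35) over constructed API records. The API names, parameter values and user information are assumptions for the example; the visited set that limits the lookup to not-yet-traversed non-send-class APIs is an addition so that a cycle between records cannot recurse forever.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ApiRecord:
    """One logged API execution (what step S12 recovers from the marker log)."""
    name: str
    send_class: bool              # True: send-class API, False: non-send-class API
    exec_params: List[str]        # execution parameter(s): information the API consumes
    result: Optional[str] = None  # result variable: information the API produces


def find_matching_user_info(value: str, user_info: Dict[str, str]) -> Optional[str]:
    """S131 / S32: compare a value with each item of user information in
    message-identifier order and return the identifier of the first identical item."""
    for msg_id in sorted(user_info):
        if user_info[msg_id] == value:
            return msg_id
    return None


def trace_back(value: str, non_send: List[ApiRecord], user_info: Dict[str, str],
               visited: Optional[Set[str]] = None) -> Optional[List[str]]:
    """Fig. 3 recursion. `value` is the execution parameter of the current source API.
    Returns [msg_id, innermost_api, ..., outermost_api] when the value derives from
    user information, otherwise None (step S35)."""
    if visited is None:
        visited = set()
    for api in non_send:                       # S31: target API whose result == value
        if api.name in visited or api.result != value:
            continue
        visited.add(api.name)                  # only not-yet-traversed APIs are searched
        for param in api.exec_params:
            msg_id = find_matching_user_info(param, user_info)          # S32
            if msg_id is not None:
                return [msg_id, api.name]                               # S33
            deeper = trace_back(param, non_send, user_info, visited)    # S34 -> S31
            if deeper is not None:
                return deeper + [api.name]
    return None                                                         # S35


def detect(apis: List[ApiRecord], user_info: Dict[str, str]) -> Tuple[bool, str]:
    """Step S13 over every send-class API; returns (is_malicious, explanation)."""
    non_send = [a for a in apis if not a.send_class]
    for api in apis:
        if not api.send_class:
            continue
        for param in api.exec_params:
            msg_id = find_matching_user_info(param, user_info)          # S131
            if msg_id is not None:
                return True, f"{api.name} sends {msg_id} directly"       # S132
            chain = trace_back(param, non_send, user_info)              # S133
            if chain is not None:
                return True, f"{api.name} sends {chain[0]} via " + " -> ".join(chain[1:])
    return False, "no send-class API sends user information"


# Constructed user information (step S11) with message identifiers as in Table 2.
USER_INFO = {"ID1": "sms:hello", "ID2": "call:+10000", "ID3": "loc:1.0,2.0"}

# Constructed records: the call record is encoded (B64), then encrypted (ENC1), then sent.
EXFIL_APIS = [
    ApiRecord("SEND1", True, ["A2"]),
    ApiRecord("ENC1", False, ["B1"], result="A2"),
    ApiRecord("B64", False, ["call:+10000"], result="B1"),
]
# Constructed records: location information is sent without any processing.
DIRECT_APIS = [ApiRecord("SEND0", True, ["loc:1.0,2.0"])]
# Constructed records: user information is read but something unrelated is sent.
BENIGN_APIS = [
    ApiRecord("READSMS", False, [], result="sms:hello"),
    ApiRecord("SENDW", True, ["weather:sunny"]),
]
# Constructed records whose result/parameter values form a cycle; must terminate.
CYCLIC_APIS = [
    ApiRecord("S", True, ["v1"]),
    ApiRecord("C1", False, ["v2"], result="v1"),
    ApiRecord("C2", False, ["v1"], result="v2"),
]


def run_examples() -> Dict[str, Tuple[bool, str]]:
    return {name: detect(apis, USER_INFO) for name, apis in
            [("exfil", EXFIL_APIS), ("direct", DIRECT_APIS),
             ("benign", BENIGN_APIS), ("cyclic", CYCLIC_APIS)]}


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name}: {verdict}")
```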
Based on the same inventive concept, an embodiment of the present invention also provides a malicious application detection device. Since the principle by which the device solves the problem is similar to that of the malicious application detection method, the implementation of the device can refer to the implementation of the method, and repeated content is not described again.
Fig. 4 is a structural diagram of the malicious application detection device provided by an embodiment of the present invention, which comprises:
an extraction unit 41, for extracting all user information on a mobile terminal;
an acquiring unit 42, for obtaining the parameter variables of each application programming interface (API) contained in an application program installed on the mobile terminal, the parameter variables including an execution parameter, or an execution parameter and a result variable, wherein each API is divided, according to whether it sends a message, into a send-class API or a non-send-class API;
a determination unit 43, for matching the execution parameter of an obtained send-class API against all extracted user information or against the result variables of the obtained non-send-class APIs, and determining from the matching result whether the application program is a malicious application.
The determination unit 43 may include:
a judgment sub-unit, for judging, for each send-class API contained in the application program, whether there is, among the extracted user information, user information matching the execution parameter of that send-class API;
a determination sub-unit, for determining that the application program is a malicious application when the judgment result of the judgment sub-unit is yes, or when the lookup sub-unit finds, among the non-send-class APIs, a non-send-class API whose execution parameter matches the extracted user information;
a lookup sub-unit, for recursively looking up, when the judgment result of the judgment sub-unit is no, according to the execution parameter of the send-class API and the result variables of the non-send-class APIs contained in the application program, whether there is among the non-send-class APIs a non-send-class API whose execution parameter matches the extracted user information.
Preferably, the lookup sub-unit may include:
a lookup module, for searching, according to the execution parameter of the send-class API, whether there is among the non-send-class APIs a target API whose result variable is consistent with the execution parameter of the send-class API; and, when the judgment result of the judgment module is no, for continuing the recursive lookup according to the execution parameter of the target API, searching among the not-yet-traversed non-send-class APIs for a non-send-class API whose result variable is consistent with the execution parameter of the target API, until a non-send-class API whose execution parameter matches the extracted user information is found or all non-send-class APIs have been traversed;
a judgment module, for judging, when the lookup module finds the target API, whether the execution parameter of the target API matches at least one item of the extracted user information;
a first determination module, for determining, when the judgment result of the judgment module is yes, that there is among the non-send-class APIs a non-send-class API whose execution parameter matches the extracted user information.
Preferably, the acquiring unit 42 may include:
a reverse decompiling sub-unit, for reverse decompiling the application program to obtain its corresponding source code;
an obtaining sub-unit, for obtaining from the source code the parameter variables of each API contained in the application program.
The obtaining sub-unit comprises:
a marking module, for inserting, for every API, marker code into the source code before and after the API executes, the marker code including an API class marker;
a logging module, for recording the execution information of every API and obtaining, from the execution information of the API and its marker code, the class of the API and its parameter variables.
The obtaining sub-unit can be used to obtain the parameter variables of each API from the log that records the execution information of each API.
In a specific implementation, the malicious application detection device provided by an embodiment of the present invention may also include:
an output unit, for outputting the log that records the execution information of each API.
In a specific implementation, the judgment sub-unit may include:
a comparison module, for comparing in turn the execution parameter of the send-class API with each extracted item of user information;
a second determination module, for determining that the extracted user information contains user information matching the execution parameter of the send-class API if the execution parameter of the send-class API is identical to the user information currently being compared, and for determining that the extracted user information contains no user information matching the execution parameter of the send-class API if the execution parameter of the send-class API differs from every extracted item of user information.
For convenience of description, the parts above are described as separate modules (or units) divided by function. Of course, when the invention is implemented, the functions of the modules (or units) may be realised in one or more pieces of software or hardware.
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical memory) that contain computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device that implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they know the basic inventive concept. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these modifications and variations of the invention fall within the scope of the claims of the invention and their equivalent technologies, the invention is also intended to include them.

Claims (14)

1. A malicious application detection method, characterized by comprising:
extracting all user information in a mobile terminal;
acquiring a parameter variable of each API included in an application program installed on the mobile terminal, where the parameter variable includes an execution parameter, or an execution parameter and a result variable, and where each API is classified, according to whether it sends a message, as a send-class API or a non-send-class API;
matching the execution parameter of each acquired send-class API against all the extracted user information, or against the result variables of the acquired non-send-class APIs, and determining from the matching result whether the application program is a malicious application, comprising: for each send-class API included in the application program, judging whether user information matching the execution parameter of the send-class API exists among the extracted user information; if it exists, determining that the application program is a malicious application; if it does not exist, recursively searching the non-send-class APIs, according to the execution parameter of the send-class API and the result variables of the non-send-class APIs included in the application program, for a non-send-class API whose execution parameter matches the extracted user information; and if such an API is found, determining that the application program is a malicious application.
2. The method according to claim 1, characterized in that recursively searching the non-send-class APIs, according to the execution parameter of the send-class API and the result variables of the non-send-class APIs included in the application program, for a non-send-class API whose execution parameter matches the extracted user information specifically comprises:
according to the execution parameter of the send-class API, searching the non-send-class APIs for a target API whose result variable is consistent with the execution parameter of the send-class API;
if such a target API exists, judging whether the execution parameter of the target API matches at least one item of the extracted user information;
if it does, determining that a non-send-class API whose execution parameter matches the extracted user information exists among the non-send-class APIs;
if it does not, continuing, according to the execution parameter of the target API, to recursively search the not-yet-traversed non-send-class APIs for a non-send-class API whose result variable is consistent with the execution parameter of the target API, until a non-send-class API whose execution parameter matches the extracted user information is found or all non-send-class APIs have been traversed.
3. The method according to claim 1, characterized in that acquiring the parameter variable of each application programming interface (API) included in the application program installed on the mobile terminal specifically comprises:
reverse decompiling the application program to obtain source code corresponding to the application program;
acquiring the parameter variable of each API included in the application program according to the source code.
4. The method according to claim 3, characterized in that acquiring the parameter variable of each API included in the application program according to the source code specifically comprises:
for each API, inserting marker code into the source code before and after the execution of the API, the marker code including an API class marker code;
recording execution information of each API, and obtaining the class of the API and the parameter variable of the API from the execution information of the API and the marker code of the API.
5. The method according to any one of claims 1 to 4, characterized in that acquiring the parameter variable of each API included in the application program installed on the mobile terminal comprises:
obtaining the parameter variable of each API from a log that records the execution information of each API.
6. The method according to claim 5, characterized by further comprising:
outputting the log that records the execution information of each API.
7. The method according to claim 1, characterized in that judging whether user information matching the execution parameter of the send-class API exists among the extracted user information specifically comprises:
comparing the execution parameter of the send-class API with each item of the extracted user information in turn;
if the execution parameter of the send-class API is identical to the item of user information currently being compared, determining that user information matching the execution parameter of the send-class API exists among the extracted user information;
if the execution parameter of the send-class API differs from every item of the extracted user information, determining that no user information matching the execution parameter of the send-class API exists among the extracted user information.
8. A malicious application detection device, characterized by comprising:
an extraction unit, configured to extract all user information in a mobile terminal;
an acquisition unit, configured to acquire a parameter variable of each API included in an application program installed on the mobile terminal, where the parameter variable includes an execution parameter, or an execution parameter and a result variable, and where each API is classified, according to whether it sends a message, as a send-class API or a non-send-class API;
a determination unit, configured to match the execution parameter of each acquired send-class API against all the extracted user information or against the result variables of the acquired non-send-class APIs, and to determine from the matching result whether the application program is a malicious application, the determination unit comprising: a judgment sub-unit, configured to judge, for each send-class API included in the application program, whether user information matching the execution parameter of the send-class API exists among the extracted user information; a determination sub-unit, configured to determine that the application program is a malicious application when the judgment result of the judgment sub-unit is yes, or when a search sub-unit finds among the non-send-class APIs a non-send-class API whose execution parameter matches the extracted user information; and the search sub-unit, configured to recursively search the non-send-class APIs, when the judgment result of the judgment sub-unit is no, according to the execution parameter of the send-class API and the result variables of the non-send-class APIs included in the application program, for a non-send-class API whose execution parameter matches the extracted user information.
9. The device according to claim 8, characterized in that the search sub-unit specifically comprises:
a search module, configured to search the non-send-class APIs, according to the execution parameter of the send-class API, for a target API whose result variable is consistent with the execution parameter of the send-class API; and, when the judgment result of a judgment module is no, to continue recursively searching the not-yet-traversed non-send-class APIs, according to the execution parameter of the target API, for a non-send-class API whose result variable is consistent with the execution parameter of the target API, until a non-send-class API whose execution parameter matches the extracted user information is found or all non-send-class APIs have been traversed;
the judgment module, configured to judge, when the search module finds the target API, whether the execution parameter of the target API matches at least one item of the extracted user information;
a first determination module, configured to determine, when the judgment result of the judgment module is yes, that a non-send-class API whose execution parameter matches the extracted user information exists among the non-send-class APIs.
10. The device according to claim 8, characterized in that the acquisition unit specifically comprises:
a reverse decompiling sub-unit, configured to reverse decompile the application program to obtain source code corresponding to the application program;
an acquisition sub-unit, configured to acquire the parameter variable of each API included in the application program according to the source code.
11. The device according to claim 10, characterized in that the acquisition sub-unit comprises:
a marking module, configured to insert, for each API, marker code into the source code before and after the execution of the API, the marker code including an API class marker code;
a logging module, configured to record execution information of each API, and to obtain the class of the API and the parameter variable of the API from the execution information of the API and the marker code of the API.
12. The device according to any one of claims 8 to 11, characterized in that
the acquisition unit is specifically configured to obtain the parameter variable of each API from a log that records the execution information of each API.
13. The device according to claim 12, characterized in that the device further comprises:
an output unit, configured to output the log that records the execution information of each API.
14. The device according to claim 8, characterized in that the judgment sub-unit specifically comprises:
a comparison module, configured to compare the execution parameter of the send-class API with each item of the extracted user information in turn;
a second determination module, configured to determine that user information matching the execution parameter of the send-class API exists among the extracted user information if the execution parameter of the send-class API is identical to the item of user information currently being compared, and to determine that no user information matching the execution parameter of the send-class API exists among the extracted user information if the execution parameter of the send-class API differs from every item of the extracted user information.
Application CN201410610791.XA, priority date 2014-11-03, filing date 2014-11-03: A malicious application detection method and device. Status: Active. Granted publication CN105631325B (en).

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201410610791.XA, CN105631325B (en) | 2014-11-03 | 2014-11-03 | A malicious application detection method and device

Publications (2)

Publication Number | Publication Date
CN105631325A (en) | 2016-06-01
CN105631325B (en), granted | 2019-04-30

Family

ID: 56046250


Country Status (1)

Country | Link
CN (1) | CN105631325B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN107958154A * | 2016-10-17 | 2018-04-24 | 中国科学院深圳先进技术研究院 | A malware detection device and method
CN108573151B * | 2017-03-10 | 2021-04-16 | 武汉安天信息技术有限责任公司 | Counterfeit application analysis system and method
CN109492391B * | 2018-11-05 | 2023-02-28 | 腾讯科技(深圳)有限公司 | Application program defense method and device and readable medium
CN111523063B * | 2019-02-01 | 2024-06-07 | 北京搜狗科技发展有限公司 | Application processing method and device for application processing
CN116827677A * | 2019-04-16 | 2023-09-29 | 北京嘀嘀无限科技发展有限公司 | System and method for detecting anomalies
CN113190835A * | 2021-02-04 | 2021-07-30 | 恒安嘉新(北京)科技股份公司 | Application program violation detection method, device, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102779255A * | 2012-07-16 | 2012-11-14 | 腾讯科技(深圳)有限公司 | Method and device for judging malicious program
CN102938040A * | 2012-09-29 | 2013-02-20 | 中兴通讯股份有限公司 | Malicious Android application program detection method, system and device
CN103186740A * | 2011-12-27 | 2013-07-03 | 北京大学 | Automatic detection method for Android malicious software
CN103916365A * | 2012-12-31 | 2014-07-09 | 西门子公司 | Method and apparatus for exporting and verifying network behavioral characteristics of malicious code

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant