CN106778271A - Reverse processing method for hardened Android plug-ins - Google Patents

Publication number: CN106778271A
Other versions: CN106778271B (en)
Application number: CN201611156778.7A
Authority: CN (China)
Legal status: Granted, active
Original language: Chinese (zh)
Inventors: 李瑞轩, 张宏民, 辜希武, 章衡, 韩洪木, 汤俊伟
Current Assignee: Huazhong University of Science and Technology
Original Assignee: Huazhong University of Science and Technology

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/74 Reverse engineering; Extracting design information from source code
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention discloses a reverse processing method for hardened Android plug-ins, comprising the following steps: performing visual mapping on the application's executable dex file to generate a visualization map of the dex file; identifying the key functions the virtual machine uses to load Java classes, and determining the point in time at which the plug-in is reversed; modifying the Dalvik virtual machine of the Android system so that all classes in the application are loaded and initialized in one pass, whereby all classes are decrypted and loaded into memory; collecting all class information in memory; and recombining all reversed classes to generate a new dex file. Because class initialization can change the instructions of a Java class in memory, those instructions have already been corrected by the time the in-memory information is collected. The reverse processing method provided by the invention can therefore recover the source code of most hardened plug-ins, is highly automated, and achieves reverse processing of hardened Android plug-ins at the cost of a small performance overhead.

Description

Reverse processing method for hardened Android plug-ins
Technical field
The invention belongs to the technical field of mobile security, and more particularly relates to a reverse processing method for hardened Android plug-ins.
Background
As the main carrier of computing in the mobile Internet era, smart mobile devices store a growing amount of private data, including contact information, call logs and geolocation information. They are therefore more prone to security problems, and leakage of users' private data can have catastrophic consequences.
Android applications are developed in Java and are easy for malicious attackers to reverse engineer, so applications that developers worked hard to build can be obtained by attackers. Some attackers also implant malicious code into the reversed application source, which has made repackaged malicious applications prevalent. To address such problems, security vendors provide Android application hardening services. However, because security vendors usually do not security-scan uploaded applications, many attackers harden their malicious applications in order to evade detection by security engines. Attackers currently also use more advanced techniques: dynamic loading, delayed start of malicious code, timers, and execution of malicious code through reflection.
Researchers in China and abroad have carried out some exploration of the security problems posed by Android application hardening and dynamic loading. DexHunter (Zhang Y, Luo X, Yin H. DexHunter: Toward extracting hidden code from packed Android applications. In: Proceedings of the 20th European Symposium on Research in Computer Security. Vienna: Springer, 2015. 293-311.) starts from the current mainstream hardening service providers and proposes a reverse processing method aimed at them: after the application is loaded into memory, it locates the executable file in memory, traverses all Java classes in the executable file, actively loads and initializes them, and then reads the information from memory, at which point what is obtained is the application's real instructions. The method, however, does not solve the problem of reversing dynamically loaded plug-ins. Poeplau et al. (Poeplau S, Fratantonio Y, Bianchi A, et al. Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. In: 21st Annual Network and Distributed System Security Symposium. San Diego: ISOC, 2014. 34-46) systematically analyze the security problems caused by dynamically loaded code and use a static analysis tool to find dynamically loaded code automatically. For the problem that a benign application may be exploited through a vulnerability to load a malicious plug-in, they modify the Framework layer of the Android system to perform integrity checks on dynamically loaded code. This method, however, lacks practicality and completeness. In summary, current methods mainly either reverse Android applications or propose solutions to the security problems of dynamic loading. From the implementation point of view, existing solutions merely obtain the optimized odex file after the application is installed, and cannot obtain the source code of a hardened plug-in.
Summary of the invention
In view of the above defects or improvement needs of the prior art, the invention provides a reverse processing method for hardened Android plug-ins. Its purpose is to identify the hardening scheme used by an unknown malicious application, capture the plug-in when its installation is triggered, and reverse it so that the plug-in's source code can be analyzed.
To achieve this purpose, according to one aspect of the invention, a reverse processing method for hardened Android plug-ins is provided. By modifying the class-loading mechanism and initialization method of the Android system virtual machine, before the hardened plug-in loads its first Java class, all Java classes in the hardened plug-in are actively traversed and loaded into memory, all Java classes are initialized, and all information about the hardened plug-in in memory is collected and assembled into a new odex file, yielding the reversed plug-in source code information.
Preferably, reverse processing of an unknown plug-in using the above method comprises the following steps:
(1) harden the unknown plug-in through an application hardening service platform; perform visual mapping on the hardened plug-in, and determine the hardening optimization parameters that the hardening service platform applied to the plug-in;
(2) modify the Android system source code and, on an emulator, monitor and obtain the dynamic loading path of the hardened plug-in;
(3) based on the critical path of virtual machine class loading in the Android system, modify the virtual machine initialization procedure, reverse the hardened plug-in at the class initialization stage, generate the reversed odex file, and change the value of the virtual machine control variable;
(4) trigger the plug-in download; during plug-in execution, identify the in-memory locations of all Java classes in the plug-in according to the value of the virtual machine control variable;
traverse the Java classes in the reversed odex file, actively perform class loading and initialization, and generate a new odex file from the reversed information stored in memory;
(5) decompile the new odex file with an open-source tool to obtain the smali code of the test hardened plug-in; by comparing this smali code with its source code, malicious attack information can be identified.
Preferably, in the above reverse processing method for hardened Android plug-ins, step (2) comprises the following sub-steps:
(2.1) based on the source code of open-source dynamic loading frameworks, find the call interface for dynamically loading odex files;
(2.2) modify the call interface and, on an emulator, use logging to monitor and obtain the dynamic loading path of the hardened plug-in.
Preferably, in the above reverse processing method for hardened Android plug-ins, step (3) comprises the following sub-steps:
(3.1) based on how the Android system virtual machine executes Java classes, trace the function calls made during class loading and initialization to obtain the key function of initialization;
(3.2) traverse all Java classes and initialize all of them according to the key function;
(3.3) reverse the test hardened plug-in at the Java class initialization stage, generate the reversed odex file, and change the value of the virtual machine control variable.
Preferably, in the above reverse processing method for hardened Android plug-ins, step (4) comprises the following sub-steps:
(4.1) trigger the download of the hardened plug-in; the first execution of the hardened plug-in triggers a change of the control variable;
(4.2) according to the value of the control variable, identify the in-memory locations of all Java classes in the hardened plug-in, and pass the path of the reversed odex file to the reversing module;
(4.3) the reversing module traverses all Java classes in the reversed odex file, actively performs class loading and initialization, and stores the reversed information in memory;
(4.4) generate a new odex file from the reversed information collected in memory.
In general, compared with the prior art, the above technical scheme conceived by the invention achieves the following beneficial effects:
(1) In the reverse processing method for hardened Android plug-ins provided by the invention, the virtual machine of the Android system is modified so that, instead of loading classes one by one, all classes in the application are loaded and initialized in one pass. All classes are thereby decrypted and loaded into memory, all class information in memory is collected, and all reversed classes are recombined to generate a new odex file.
Because class initialization can change the instructions of a Java class in memory, those instructions have already been corrected by the time the in-memory information is collected. The source code of most hardened plug-ins can therefore be obtained with a high degree of automation, and reversing of hardened Android plug-ins is achieved at the cost of a small performance overhead.
(2) The reverse processing method for hardened Android plug-ins provided by the invention inserts the reversing code at the application's class loading: it finds the key function for Java class loading in the Android system virtual machine, traverses and re-initializes all Java classes within that key function, and starts the overall flow at the specific application programming interfaces related to private data. The flow added by the invention therefore affects only a small part of all flows in the whole system and does not affect the performance of modules unrelated to private data.
Brief description of the drawings
Fig. 1 is the overall architecture diagram of the invention;
Fig. 2 is a flowchart of the reverse processing method for hardened Android plug-ins provided by an embodiment of the invention;
Fig. 3 is a flowchart of step 1 of the embodiment;
Fig. 4 is a flowchart of step 2 of the embodiment;
Fig. 5 is a flowchart of step 3 of the embodiment;
Fig. 6 is a flowchart of step 4 of the embodiment;
Fig. 7 is a flowchart of step 5 of the embodiment.
Detailed description of the embodiments
To make the purpose, technical scheme and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here merely explain the invention and do not limit it. In addition, the technical features involved in the embodiments described below may be combined with one another as long as they do not conflict.
The technical terms used in the invention are first explained below:
Android: a mobile operating system based on the Linux kernel, developed under the lead of Google;
Virtual machine: specifically the Dalvik virtual machine;
Android application: an application program that runs on the Android system, mainly developed in Java;
Host program: the main part of an Android application, that is, the code belonging to the developer, which mainly comprises the application's core modules;
Android plug-in: essentially also an Android application; while the application is running, it is loaded into the host application as one of its functional modules;
Android hardening: similar to data encryption; it protects the source code of an Android application, which is decrypted at run time;
Private data: personal data that the user stores in the system; on a mobile device it mainly includes contact information, call logs, geolocation information and device-related information;
Malicious plug-in: a plug-in that obtains users' private data or disrupts the normal operation of the device;
Dynamic loading: loading a plug-in dynamically while the application is running, so that the plug-in is embedded into the running application as a small part of it.
The reverse processing method for hardened Android plug-ins provided by the invention is further described below with reference to specific embodiments and the drawings.
The reversing scheme for hardened Android plug-ins provided by the invention aims to intercept dynamically loaded plug-ins and reverse them automatically, improving reversing efficiency and recovering the source code of the hardened application as completely as possible. It modifies the underlying virtual machine class-loading mechanism and initialization method: before the hardened application loads its first Java class, all Java classes in the application are actively traversed and loaded into memory, all Java classes are initialized, and all information about the application in memory is collected and reassembled into a new odex file. This odex file is the reversed application source code information, which open-source tools can restore to the original Java class information from before the application was hardened.
Fig. 1 shows the overall architecture of the reversing method for hardened Android plug-ins provided by the invention, in which the Dalvik virtual machine part represents the modified system module. The work of the method is concentrated in the following two parts: performing visual mapping on hardened malicious applications to obtain their post-hardening features and determine how an unknown application was hardened; and modifying the class-loading method of the Dalvik virtual machine, traversing all classes in the application and loading them into memory, initializing all classes, combining the reversing module with the plug-in loading mechanism, setting the control variable, collecting all code information in memory, and reassembling it into a new odex file.
Fig. 2 is a flowchart of the reversing method for hardened Android plug-ins provided by the embodiment, which comprises the following steps:
(1) upload a test application (with known source code) to each application hardening service provider for hardening, download the hardened application, and perform visual mapping to obtain the features produced by each provider's hardening;
(2) modify the Android system source code to obtain the critical path of plug-in dynamic loading;
(3) analyze the execution process of Android applications and modify the Android system virtual machine; at the class initialization stage, reverse the hardened application or plug-in, generate a new odex file, and change the value of the control variable;
(4) trigger the download of the hardened malicious plug-in; the plug-in is also loaded through the system virtual machine, so its location in memory can be obtained from the value of the control variable and the plug-in can then be reversed;
(5) after reversing succeeds, a new odex file is generated under the application's installation directory; reverse the odex file with an open-source tool to obtain the smali code of the original application.
In the embodiment, the flow of step (1) is shown in Fig. 3 and comprises the following sub-steps:
(1.1) develop an Android application; in the embodiment, a news client app is used as the example;
(1.2) sign the news client app and use this app as the test plug-in;
(1.3) upload the test plug-in to the Tencent Legu hardening platform for hardening;
(1.4) download the hardened plug-in and decompress it to obtain the executable file class.dex, perform visual mapping on it, and obtain the hardening features of the Tencent Legu hardening platform. With the above steps, a map library covering each hardening platform can be built to store the hardening features of each platform.
In the embodiment, the flow of step (2) is shown in Fig. 4 and comprises the following sub-steps:
(2.1) analyze the source code of current open-source dynamic loading frameworks and find the call interfaces for dynamically loading dex files or jar files;
(2.2) trace the call interfaces that developers invoke to obtain the critical path of plug-in dynamic loading, and locate where the plug-in is stored after it is loaded at the lower layer of the system.
In the embodiment, the flow of step (3) is shown in Fig. 5 and comprises the following sub-steps:
(3.1) based on how the Dalvik virtual machine in the Android system interprets and executes Java classes, find the method for reversing the hardened application;
(3.2) open the dex file, load the class files and initialize the classes; when a specific plug-in is called, actively traverse all Java classes defined by the developer;
(3.3) collect the in-memory information of all Java classes in the plug-in and reorganize it into a new dex file;
(3.4) change the value of the control variable.
In the embodiment, the flow of step (4) is shown in Fig. 6 and comprises the following sub-steps:
(4.1) after the plug-in is installed, its first execution triggers a change of the control variable;
(4.2) after the plug-in download is triggered, the modified virtual machine identifies, from the value of the control variable, the in-memory locations of all Java classes in the hardened plug-in, and passes the path of the reversed odex file to the reversing module;
(4.3) the reversing module traverses all Java classes in that odex file and actively performs class loading and initialization; what is stored in memory at this point is the reversed information;
(4.4) collect the reversed information and reorganize it into a new odex file.
In the embodiment, the flow of step (5) is shown in Fig. 7 and comprises the following sub-steps:
(5.1) decompress the hardened plug-in to obtain the executable file class.dex, and copy it into the tools directory under the SDK;
(5.2) download the baksmali-2.0.0.jar and jd-gui.exe programs, and put baksmali-2.0.2.jar into the tools directory under the SDK;
(5.3) enter the tools directory under the SDK and run java -jar baksmali-2.0.0.jar -o classout/ class.dex, which generates the smali code of class.dex under the classout directory;
(5.4) process the plug-in plugin.dex generated after reversing in the same way, and compare the generated smali code with the source code to determine the malicious code information.
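The comparison in step (5.4) can be automated. The following is an added example, not part of the patent: it indexes the `.class` and `.method` directives of two sets of smali files and reports classes, methods and calls to dynamic-loading or reflection APIs that appear only in the reversed plug-in. The sample smali text, the class names and the watch-list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed watch-list (assumption, not from the patent): framework APIs for
# the behaviours the background section names (dynamic loading, reflection, timers).
WATCHED_APIS = (
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
    "Ljava/lang/reflect/Method;->invoke",
    "Ljava/util/Timer;->schedule",
)
CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*(L[^;\s]+;)$")
METHOD_RE = re.compile(r"^\.method\s+(?:[\w-]+\s+)*([^\s(]+\([^)]*\)\S+)$")
INVOKE_RE = re.compile(r"^invoke-[\w/-]+\s+\{[^}]*\},\s*(\S+)")


def index_smali(files):
    """Return {class descriptor: {method signature: [watched call targets]}}."""
    index = defaultdict(dict)
    for text in files:  # one string per .smali file
        cls = method = None
        for line in map(str.strip, text.splitlines()):
            if m := CLASS_RE.match(line):
                cls = m.group(1)
                index[cls]  # register the class even if it declares no methods
            elif cls and (m := METHOD_RE.match(line)):
                method = m.group(1)
                index[cls][method] = []
            elif line == ".end method":
                method = None
            elif method and (m := INVOKE_RE.match(line)):
                if m.group(1).startswith(WATCHED_APIS):
                    index[cls][method].append(m.group(1))
    return dict(index)


def diff_against_source(source_idx, unpacked_idx):
    """List classes, methods and watched calls absent from the known source."""
    report = {"new_classes": [], "new_methods": [], "watched_calls": []}
    for cls, methods in sorted(unpacked_idx.items()):
        known = source_idx.get(cls)
        if known is None:
            report["new_classes"].append(cls)
        for sig, calls in sorted(methods.items()):
            if known is not None and sig not in known:
                report["new_methods"].append(f"{cls}->{sig}")
            # Calls already present in the source version of the method are expected.
            baseline = (known or {}).get(sig, [])
            report["watched_calls"] += [
                (f"{cls}->{sig}", c) for c in calls if c not in baseline
            ]
    return report


# Constructed sample: smali of the known source (one file).
SOURCE_SMALI = ["""
.class public Lcom/example/news/MainActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    return-void
.end method
"""]

# Constructed sample: smali of the reversed plug-in (two files).
UNPACKED_SMALI = ["""
.class public Lcom/example/news/MainActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-direct {p0}, Lcom/example/news/MainActivity;->loadExtra()V
    return-void
.end method

.method private loadExtra()V
    new-instance v0, Ldalvik/system/DexClassLoader;
    invoke-direct {v0, v1, v2, v3, v4}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
    return-void
.end method
""", """
.class final Lcom/example/news/a;
.super Ljava/lang/Object;

.method public run()V
    invoke-virtual {v0, v1, v2}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    return-void
.end method
"""]

if __name__ == "__main__":
    result = diff_against_source(index_smali(SOURCE_SMALI), index_smali(UNPACKED_SMALI))
    for key, items in result.items():
        print(key, items)
```

On real baksmali output, pass the contents of every `.smali` file under each output directory to `index_smali`; entries in `watched_calls` are starting points for manual review, not verdicts.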
Those skilled in the art will readily understand that the foregoing is merely a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (5)

1. A reverse processing method for hardened Android plug-ins, characterized in that, by modifying the class-loading mechanism and initialization method of the Android system virtual machine, before the hardened plug-in loads its first Java class, all Java classes in the hardened plug-in are actively traversed and loaded into memory, all Java classes are initialized, and all information about the hardened plug-in in memory is collected and assembled into a new odex file, yielding the reversed plug-in source code information.
2. The reverse processing method of claim 1, characterized in that reverse processing of an unknown plug-in using the method comprises the following steps:
(1) harden the unknown plug-in through an application hardening service platform; perform visual mapping on the hardened plug-in, and determine the hardening optimization parameters that the hardening service platform applied to the plug-in;
(2) modify the Android system source code and, on an emulator, monitor and obtain the dynamic loading path of the hardened plug-in;
(3) based on the critical path of virtual machine class loading in the Android system, modify the virtual machine initialization procedure, reverse the hardened plug-in at the class initialization stage, generate the reversed odex file, and change the value of the virtual machine control variable;
(4) trigger the plug-in download; during plug-in execution, identify the in-memory locations of all Java classes in the plug-in according to the value of the virtual machine control variable;
traverse the Java classes in the reversed odex file, actively perform class loading and initialization, and generate a new odex file from the reversed information stored in memory;
(5) decompile the new odex file with an open-source tool to obtain the smali code of the test hardened plug-in; by comparing this smali code with its source code, malicious attack information can be identified.
3. The reverse processing method of claim 2, characterized in that step (2) comprises the following sub-steps:
(2.1) based on the source code of open-source dynamic loading frameworks, find the call interface for dynamically loading odex files;
(2.2) modify the call interface and, on an emulator, use logging to monitor and obtain the dynamic loading path of the hardened plug-in.
4. The reverse processing method of claim 2 or claim 3, characterized in that step (3) comprises the following sub-steps:
(3.1) based on how the Android system virtual machine executes Java classes, trace the function calls made during class loading and initialization to obtain the key function of initialization;
(3.2) traverse all Java classes and initialize the classes according to the key function;
(3.3) reverse the test hardened plug-in at the class initialization stage, generate the reversed odex file, and change the value of the virtual machine control variable.
5. The reverse processing method of claim 2 or claim 3, characterized in that step (4) comprises the following sub-steps:
(4.1) trigger the download of the hardened plug-in; the first execution of the hardened plug-in triggers a change of the control variable;
(4.2) according to the value of the control variable, identify the in-memory locations of all Java classes in the hardened plug-in, and pass the path of the reversed odex file to the reversing module;
(4.3) the reversing module traverses all Java classes in the reversed odex file, actively performs class loading and initialization, and stores the reversed information in memory;
(4.4) generate a new odex file from the reversed information collected in memory.
Application CN201611156778.7A: priority date 2016-12-15, filing date 2016-12-15, status Active, granted as CN106778271B (en)

Publications (2)

Publication Number Publication Date
CN106778271A 2017-05-31
CN106778271B 2019-05-14

Family ID: 58888940
