CN106934284A - Application program detection method and device and terminal - Google Patents

Publication number: CN106934284A
Authority: CN (China)
Prior art keywords: application program, group, signature, time, band
Legal status: Granted (Active)
Application number: CN201511021184.0A
Other languages: Chinese (zh)
Other versions: CN106934284B (en)
Inventor: 曾欢
Current Assignee: Beijing Kingsoft Internet Security Software Co Ltd
Original Assignee: Beijing Kingsoft Internet Security Software Co Ltd
Application filed by Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201511021184.0A
Publication of CN106934284A
Application granted
Publication of CN106934284B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F21/564: Static detection by virus signature recognition

Abstract

Embodiments of the invention disclose an application program detection method, an application program detection device and a terminal. The scheme comprises the following steps: identifying the first application programs present under the system directory of the terminal; grouping the first application programs according to their signature information to generate a first group comprising at least one signature group, where each signature group corresponds uniquely to one piece of signature information; grouping the first application programs according to their installation time to generate a second group comprising at least one time group, where each time group corresponds uniquely to one installation time; and judging whether the first group contains a first signature group that meets a preset condition and, if so, determining the first application programs in the first signature group to be virus programs. The preset condition at least comprises: the first application programs included in the signature group can cover the first application programs included in at least one time group. By applying the embodiments of the invention, virus programs invisibly installed on the terminal can be identified.

Description

An application program detection method, device and terminal
Technical field
The present invention relates to the field of information security, and in particular to an application program detection method, device and terminal.
Background
In recent years, as the various operating systems running on terminals have become more popular and more widely developed, virus programs targeting these operating systems have become increasingly rampant. At the technical level, a virus program may attempt to covertly obtain root privileges on the operating system and then install itself "invisibly" in that operating system, consuming the terminal's data traffic in the background and obtaining information on the terminal. Here, "invisible" means specifically that the virus program's icon is not displayed on the terminal's main interface or desktop.
For a virus program that is invisibly installed and has obtained root privileges on the terminal's operating system, the prior art can detect that the virus program is present but has difficulty determining where it is located. How to identify such a virus program has therefore become an urgent problem.
Summary of the invention
Embodiments of the invention disclose an application program detection method, device and terminal for identifying virus programs installed "invisibly" on a terminal. The specific scheme is as follows:
In a first aspect, an embodiment of the invention provides an application program detection method applied to a terminal, the method comprising:
identifying the application programs present under the system directory of the terminal and determining them to be first application programs;
grouping the first application programs according to their signature information to generate a first group, where the first group includes at least one signature group and each signature group corresponds uniquely to one piece of signature information;
grouping the first application programs according to their installation time to generate a second group, where the second group includes at least one time group and each time group corresponds uniquely to one installation time;
judging whether the first group contains a first signature group that meets a predetermined condition and, if so, determining the first application programs included in the first signature group to be virus programs, where the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group.
Preferably, the predetermined condition further includes: the number of included first application programs is the smallest;
judging whether the first group contains a first signature group that meets the predetermined condition then comprises:
judging whether the first group contains a first signature group whose included first application programs can cover the first application programs included in at least one time group and whose number of included first application programs is the smallest.
Preferably, the signature groups of the first application programs include:
a system native class signature group, a hardware vendor class signature group, a device vendor class signature group or an application vendor signature group.
Preferably, grouping the first application programs according to their installation time comprises:
grouping the first application programs according to their installation date.
Preferably, the application program detection method provided by the embodiment of the invention further comprises:
after the first application programs included in the first signature group have been determined to be virus programs, outputting prompt information to notify the user that the first application programs included in the first signature group have been determined to be virus programs.
Preferably, the application program detection method provided by the embodiment of the invention further comprises:
after the first application programs included in the first signature group have been determined to be virus programs, obtaining system privileges and forcibly uninstalling the virus programs.
In a second aspect, an embodiment of the invention further provides an application program detection device applied to a terminal, the device comprising: a determining module, a first grouping module, a second grouping module and a judging module;
the determining module is configured to identify the application programs present under the system directory of the terminal and determine them to be first application programs;
the first grouping module is configured to group the first application programs according to their signature information to generate a first group, where the first group includes at least one signature group and each signature group corresponds uniquely to one piece of signature information;
the second grouping module is configured to group the first application programs according to their installation time to generate a second group, where the second group includes at least one time group and each time group corresponds uniquely to one installation time;
the judging module is configured to judge whether the first group contains a first signature group that meets a predetermined condition and, if so, to determine the first application programs included in the first signature group to be virus programs, where the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group.
Preferably, the predetermined condition further includes: the number of included first application programs is the smallest;
the judging module is specifically configured to:
judge whether the first group contains a first signature group whose included first application programs can cover the first application programs included in at least one time group and whose number of included first application programs is the smallest.
Preferably, the signature groups of the first application programs include:
a system native class signature group, a hardware vendor class signature group, a device vendor class signature group or an application vendor signature group.
Preferably, the second grouping module is specifically configured to:
group the first application programs according to their installation date.
Preferably, the application program detection device provided by the embodiment of the invention further comprises a prompt information output module;
the prompt information output module is configured to output prompt information after the judging module has determined the first application programs included in the first signature group to be virus programs, to notify the user that the first application programs included in the first signature group have been determined to be virus programs.
Preferably, the application program detection device provided by the embodiment of the invention further comprises an uninstall module;
the uninstall module is configured to obtain system privileges and forcibly uninstall the virus programs after the judging module has determined the first application programs included in the first signature group to be virus programs.
In a third aspect, an embodiment of the invention further provides a terminal comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, where the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the terminal; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, in order to perform the following steps:
identifying the application programs present under the system directory of the terminal and determining them to be first application programs;
grouping the first application programs according to their signature information to generate a first group, where the first group includes at least one signature group and each signature group corresponds uniquely to one piece of signature information;
grouping the first application programs according to their installation time to generate a second group, where the second group includes at least one time group and each time group corresponds uniquely to one installation time;
judging whether the first group contains a first signature group that meets a predetermined condition and, if so, determining the first application programs included in the first signature group to be virus programs, where the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group.
In this scheme, the first application programs present under the system directory of the terminal are identified first. The first application programs are then grouped according to their signature information to generate a first group including at least one signature group, where each signature group corresponds uniquely to one piece of signature information. The first application programs are grouped according to their installation time to generate a second group including at least one time group, where each time group corresponds uniquely to one installation time. It is then judged whether the first group contains a first signature group that meets a predetermined condition; if so, the first application programs included in the first signature group are determined to be virus programs, where the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group. This scheme can therefore identify virus programs installed "invisibly" on a terminal. Of course, a product or method implementing the invention does not necessarily need to achieve all of the above advantages at the same time.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed to describe the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of an application program detection method provided by an embodiment of the invention;
Fig. 2 is another schematic flowchart of an application program detection method provided by an embodiment of the invention;
Fig. 3 is another schematic flowchart of an application program detection method provided by an embodiment of the invention;
Fig. 4 is a schematic structural diagram of an application program detection device provided by an embodiment of the invention;
Fig. 5 is another schematic structural diagram of an application program detection device provided by an embodiment of the invention;
Fig. 6 is another schematic structural diagram of an application program detection device provided by an embodiment of the invention;
Fig. 7 is a schematic structural diagram of a terminal provided by an embodiment of the invention.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
To solve the problem in the prior art, embodiments of the invention provide an application program detection method, device and terminal that can identify virus programs installed "invisibly" on a terminal.
The application program detection method provided by the embodiments of the invention is introduced first.
It should be noted that the application program detection method provided by the embodiments of the invention can be applied to a terminal, which may be a desktop computer, a notebook computer, a tablet computer or a smartphone. The method can be applied whether or not the terminal is connected to a network.
The functional software that implements the application program detection method may be dedicated client software, a plug-in for existing client software that can detect virus programs, or a plug-in for antivirus client software. It may also be a plug-in for the terminal's operating system. All of these are reasonable.
As shown in Fig. 1, an application program detection method provided by an embodiment of the invention may include the following steps:
S101: Identify the application programs present under the system directory of the terminal and determine them to be first application programs;
It should be noted that the application programs installed on the terminal are checked periodically or aperiodically to identify those present under the system directory of the terminal, and the application programs present under the system directory are determined to be first application programs. The time at which the installed application programs are checked may be the default detection time of the functional software or a time set by the user.
The specific way of identifying the application programs present under the system directory of the terminal may be any implementation in the prior art and is not limited here.
S102: Group the first application programs according to their signature information to generate a first group, where the first group includes at least one signature group and each signature group corresponds uniquely to one piece of signature information;
It should be noted that for any operating system, for example the Android system, every application program installed on a terminal that uses the operating system must have a digital certificate. The digital certificate identifies the source of the application program and establishes a trust relationship between the source and the application program. The signature information in the embodiments of the invention is equivalent to this digital certificate. Application programs from different sources have different signature information, and application programs from the same source have the same signature information.
It can be understood that when the first application programs are grouped according to their signature information to generate the first group, the first group may include at least one signature group, and each signature group corresponds uniquely to one piece of signature information. That is, different signature groups correspond to different signature information, and the first application programs included in any one signature group all have the same signature information.
Specifically, the signature groups of the first application programs may include:
a system native class signature group, a hardware vendor class signature group, a device vendor class signature group or an application vendor signature group.
For a terminal whose operating system is Android, the system native class signature group is the Google native class signature group. A terminal whose operating system is iOS or Windows likewise has a corresponding system native class signature group. Different operating systems may correspond to different system native class signature groups, and the embodiments of the invention do not limit the system native class signature group.
It should be noted that first application programs from different sources have different signature information. The source may be the terminal's hardware manufacturer, the terminal's software vendor, the merchant selling the terminal, a download by the terminal's user, and so on. The following may therefore occur: when the first application programs are grouped according to their signature information, the signature groups included in the generated first group may differ. Likewise, when the same terminal is grouped by signature information at different times, the signature groups included in the generated first group may also differ. The embodiments of the invention do not limit the signature information of the first application programs.
S103: Group the first application programs according to their installation time to generate a second group, where the second group includes at least one time group and each time group corresponds uniquely to one installation time;
It should be noted that when the first application programs are grouped according to their installation time to generate the second group, the second group may include at least one time group, and each time group corresponds uniquely to one installation time. That is, different time groups correspond to different installation times, and the first application programs included in any one time group all have the same installation time.
Specifically, grouping the first application programs according to their installation time may include:
grouping the first application programs according to their installation date.
It can be understood that the first application programs may be grouped by installation date or by installation time accurate to the hour. A time range may also be set, with first application programs whose installation times fall in the same range placed in one group. The embodiments of the invention do not limit how the first application programs are grouped by installation time.
S104: Judge whether the first group contains a first signature group that meets a predetermined condition; if so, perform step S105; if not, end the flow;
The predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group;
S105: Determine the first application programs included in the first signature group to be virus programs.
When a virus program is installed, it may disguise its own signature information or change it to someone else's signature information. However, virus programs of the same nature all carry the same disguised or modified signature information, and virus programs of the same nature are installed at the same time on the terminal they infect.
It can be understood that once the first application programs included in the first signature group are determined to be virus programs, the names of those first application programs (virus programs) can be determined, and the first application programs (virus programs) can be located by those names.
It should be noted that when judging whether the first group contains a first signature group that meets the predetermined condition, a positive result shows that the first group contains at least one signature group that meets the predetermined condition, where the predetermined condition at least includes: the first application programs included in that signature group can cover the first application programs included in at least one time group. Each such signature group is a first signature group, and the first application programs it includes can then be determined to be virus programs. A negative result shows that no first signature group meeting the predetermined condition exists, that is, the first application programs included in all of the signature groups may be non-virus programs, and the flow ends.
For example, the first group contains three signature groups A, B and C: signature group A includes first application programs a, b, c; signature group B includes first application programs d, e, f, g; and signature group C includes first application programs h, m, n, o, p. The second group contains three time groups X, Y and Z: time group X includes first application programs a, b; time group Y includes first application programs c, d, e, f, g, m; and time group Z includes first application programs h, n, o, p. The first application programs a, b, c in signature group A cover the first application programs a, b in time group X, so the first application programs a, b, c in signature group A are determined to be virus programs.
In the scheme provided by this embodiment, the first application programs present under the system directory of the terminal are identified first. The first application programs are then grouped according to their signature information to generate a first group including at least one signature group, where each signature group corresponds uniquely to one piece of signature information. The first application programs are grouped according to their installation time to generate a second group including at least one time group, where each time group corresponds uniquely to one installation time. It is then judged whether the first group contains a first signature group that meets a predetermined condition; if so, the first application programs included in the first signature group are determined to be virus programs, where the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group. This scheme can therefore identify virus programs installed "invisibly" on a terminal.
Further, in practice, if virus programs are installed on a terminal, they are relatively few in number compared with the non-virus application programs installed on the terminal. If the first group contains many signature groups, checking every signature group in the first group against every time group in the second group can take a long time. To improve the accuracy with which virus programs are determined and to save detection time, when the number of signature groups in the first group exceeds a set threshold, the predetermined condition used to determine the first signature group may further include: the number of included first application programs is the smallest;
Accordingly, judging whether the first group contains a first signature group that meets the predetermined condition may include:
judging whether the first group contains a first signature group whose included first application programs can cover the first application programs included in at least one time group and whose number of included first application programs is the smallest.
For example, when the number of signature groups in the first group is below a set threshold, the predetermined condition used to judge whether the first group contains a first signature group may be: the included first application programs can cover the first application programs included in at least one time group. When the number of signature groups in the first group exceeds a set threshold, the predetermined condition may be: the included first application programs can cover the first application programs included in at least one time group, and the number of included first application programs is the smallest.
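The grouping and cover check of steps S101 to S105, together with the minimum-count condition, as an added Python example (not code from the patent). The `App` fields, the function names, the dates and the signer labels A/B/C are constructed for illustration from the sample groups in the example above, and reading "smallest number" as the smallest among all signature groups is an assumption. On that sample data the cover condition alone also matches signature group C, whose set contains time group Z; the minimum-count condition narrows the result to A.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class App:
    """One application found under the system directory (a 'first application')."""
    name: str        # application / package name
    signer: str      # signature information, e.g. a certificate fingerprint
    installed: date  # installation date (the patent also allows hour or range)


def group_by(apps, key):
    """Map each distinct key value to the set of app names that share it."""
    groups = defaultdict(set)
    for app in apps:
        groups[key(app)].add(app.name)
    return dict(groups)


def find_suspect_groups(apps, group_count_threshold=None):
    """Return {signer: {"apps": [...], "covered_dates": [...]}} for every
    signature group whose app set is a superset of at least one time group.

    If group_count_threshold is given and there are more signature groups
    than that, only the signature groups with the fewest apps are checked
    (assumed reading of the patent's minimum-count condition).
    """
    signature_groups = group_by(apps, lambda a: a.signer)   # first group
    time_groups = group_by(apps, lambda a: a.installed)     # second group

    candidates = signature_groups
    if group_count_threshold is not None and len(signature_groups) > group_count_threshold:
        smallest = min(len(members) for members in signature_groups.values())
        candidates = {s: m for s, m in signature_groups.items() if len(m) == smallest}

    suspects = {}
    for signer, members in candidates.items():
        # "Cover": every app of the time group is also in this signature group.
        covered = sorted(d for d, names in time_groups.items() if names <= members)
        if covered:
            suspects[signer] = {"apps": sorted(members), "covered_dates": covered}
    return suspects


# Constructed sample data mirroring the A/B/C and X/Y/Z example in the text.
DAY_X, DAY_Y, DAY_Z = date(2015, 12, 1), date(2015, 12, 2), date(2015, 12, 3)
_LAYOUT = {
    "a": ("A", DAY_X), "b": ("A", DAY_X), "c": ("A", DAY_Y),
    "d": ("B", DAY_Y), "e": ("B", DAY_Y), "f": ("B", DAY_Y), "g": ("B", DAY_Y),
    "h": ("C", DAY_Z), "m": ("C", DAY_Y), "n": ("C", DAY_Z),
    "o": ("C", DAY_Z), "p": ("C", DAY_Z),
}
SAMPLE_APPS = [App(name, signer, day) for name, (signer, day) in _LAYOUT.items()]

if __name__ == "__main__":
    print("cover condition only:", find_suspect_groups(SAMPLE_APPS))
    print("with minimum count:  ", find_suspect_groups(SAMPLE_APPS, group_count_threshold=2))
```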
Further, after the application program detection method provided by the embodiments of the invention has detected a virus program, relevant prompt information can be output to better protect the user's interests. The prompt tells the user that the application program is a virus program, so that the user can take corresponding action to deal with it. Specifically, building on steps S101 to S105 and as shown in Fig. 2, after the first application programs included in the first signature group have been determined to be virus programs, the application program detection method provided by the embodiment of the invention may further include:
S106: Output prompt information to notify the user that the first application programs included in the first signature group have been determined to be virus programs.
It should be noted that the prompt information may be a sound prompt, a screen brightness prompt, a text prompt, an interface jump prompt, and so on. The embodiments of the invention do not limit the form of the prompt information.
It can be understood that the prompt information is output to inform the user of the names of the first application programs classified as virus programs and of the specific installation location of the virus programs. The user can then act on the virus programs in response to the prompt. The corresponding operation may be the user manually force-deleting or uninstalling the virus programs, or the terminal may force-delete or uninstall them automatically. All of these are reasonable.
Further, building on steps S101 to S105 and as shown in Fig. 3, after the first application programs included in the first signature group have been determined to be virus programs, the application program detection method provided by the embodiment of the invention may further include:
S107: Obtain system privileges and forcibly uninstall the virus programs.
Specifically, after the first application programs included in the first signature group have been determined to be virus programs, appropriate measures can be taken to delete or uninstall the virus programs from the terminal. For application programs that are difficult to delete or uninstall, the system privileges of the terminal can be obtained first and the virus programs then forcibly uninstalled. It can be understood that the system privileges of the terminal's operating system may be obtained in any way available in the prior art, which is not limited here. For example, the system privileges may be root privileges; once root privileges are obtained, any object on the terminal can be controlled.
Corresponding to the above method embodiment, as shown in Fig. 4, the embodiment of the present invention further provides an application program detection device, which may include: a determining module 401, a first grouping module 402, a second grouping module 403 and a judging module 404;
The determining module 401 is configured to identify the application programs present under the system directory of the terminal and determine them to be first application programs;
The first grouping module 402 is configured to group the first application programs according to their signature information to generate a first group, the first group including at least one signature group, with each signature group corresponding uniquely to signature information;
The second grouping module 403 is configured to group the first application programs according to their installation time to generate a second group, the second group including at least one time group, with each time group corresponding uniquely to an installation time;
The judging module 404 is configured to judge whether the first group contains a first signature group that meets a predetermined condition and, if so, to determine the first application programs included in that first signature group to be virus programs, where the predetermined condition at least includes: the first application programs included in the signature group can cover the first application programs included in at least one time group.
With the embodiment of the present invention, the first application programs present under the system directory of the terminal are first identified; the first application programs are grouped according to their signature information to generate a first group including at least one signature group, each signature group corresponding uniquely to signature information; the first application programs are grouped according to their installation time to generate a second group including at least one time group, each time group corresponding uniquely to an installation time; and it is judged whether the first group contains a first signature group that meets a predetermined condition and, if so, the first application programs in that first signature group are determined to be virus programs, the predetermined condition at least including: the included first application programs can cover the first application programs included in at least one time group. This makes it possible to identify virus programs that have been "stealthily" installed on the terminal.
Specifically, the predetermined condition further includes: a minimum number of included first application programs;
The judging module 404 is specifically configured to:
Judge whether the first group contains a first signature group whose included first application programs can cover the first application programs included in at least one time group and that satisfies the minimum number of included first application programs.
Specifically, the signature groups of the first application programs may include:
A system-native class signature group, a hardware vendor class signature group, a device vendor class signature group or an application vendor class signature group.
Specifically, the second grouping module is specifically configured to:
Group the first application programs according to their installation date.
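The grouping and covering test performed by modules 401 to 404, written out as an added Python example that is not part of the patent text. It assumes that "cover" means a signature group's set of applications is a superset of a time group's set, that the minimum number applies to the size of the signature group, and that time groups are formed per installation date; the inventory, package names and signer labels are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed inventory of apps found under the system directory:
# (package name, signing-certificate label, installation time).
SAMPLE_APPS = [
    ("com.example.settings",  "sig-platform", "2015-03-01T08:00:00"),
    ("com.example.dialer",    "sig-platform", "2015-03-01T08:00:05"),
    ("com.example.modemsvc",  "sig-hwvendor", "2015-03-01T08:00:09"),
    ("com.example.oemstore",  "sig-oem",      "2015-03-01T08:00:12"),
    ("com.example.oemtheme",  "sig-oem",      "2015-06-10T02:30:00"),
    ("com.example.cleaner",   "sig-unknown",  "2015-11-20T23:41:02"),
    ("com.example.booster",   "sig-unknown",  "2015-11-20T23:41:07"),
    ("com.example.flashlite", "sig-unknown",  "2015-11-20T23:41:15"),
]


def group_by_signature(apps):
    """First group: one signature group per distinct signing certificate."""
    groups = defaultdict(set)
    for package, signer, _installed in apps:
        groups[signer].add(package)
    return dict(groups)


def group_by_install_date(apps):
    """Second group: one time group per calendar installation date."""
    groups = defaultdict(set)
    for package, _signer, installed in apps:
        groups[datetime.fromisoformat(installed).date()].add(package)
    return dict(groups)


def find_suspect_signature_groups(apps, min_count=1):
    """Return signature groups that meet the predetermined condition.

    A signature group qualifies when it holds at least min_count apps
    (assumed reading of the minimum-number condition) and its apps are a
    superset of the apps in at least one time group (assumed reading of
    "cover"). The result maps signer -> its apps and the covered dates.
    """
    sig_groups = group_by_signature(apps)
    time_groups = group_by_install_date(apps)
    suspects = {}
    for signer, members in sig_groups.items():
        if len(members) < min_count:
            continue
        # Every app installed on that date carries this one signature.
        covered = sorted(day for day, installed in time_groups.items()
                         if installed <= members)
        if covered:
            suspects[signer] = {"apps": sorted(members),
                                "covered_dates": covered}
    return suspects


if __name__ == "__main__":
    hits = find_suspect_signature_groups(SAMPLE_APPS, min_count=3)
    for signer, hit in hits.items():
        dates = [d.isoformat() for d in hit["covered_dates"]]
        print(signer, hit["apps"], dates)
```

With `min_count=1` the constructed OEM app installed alone on 2015-06-10 also satisfies the covering condition, which shows what the minimum-number condition filters out.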
Further, as shown in Fig. 5, the application program detection device provided by the embodiment of the present invention may further include a prompt message output module 405;
The prompt message output module 405 is configured to output a prompt message after the judging module 404 determines the first application programs included in the first signature group to be virus programs, so as to inform the user that the first application programs included in the first signature group have been determined to be virus programs.
Further, as shown in Fig. 6, the application program detection device provided by the embodiment of the present invention may further include an uninstalling module 406;
The uninstalling module 406 is configured to obtain system privileges and forcibly uninstall the virus program after the judging module 404 determines the first application programs included in the first signature group to be virus programs.
In addition, the embodiment of the present invention further provides a terminal. As shown in Fig. 7, the terminal may include: a housing 701, a processor 702, a memory 703, a circuit board 704 and a power supply circuit 705, where the circuit board 704 is placed inside the space enclosed by the housing 701, and the processor 702 and the memory 703 are arranged on the circuit board 704; the power supply circuit 705 supplies power to each circuit or component of the terminal; the memory 703 is used to store executable program code; and the processor 702 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 703, so as to perform the following steps:
Identify the application programs present under the system directory of the terminal and determine them to be first application programs;
Group the first application programs according to their signature information to generate a first group, the first group including at least one signature group, with each signature group corresponding uniquely to signature information;
Group the first application programs according to their installation time to generate a second group, the second group including at least one time group, with each time group corresponding uniquely to an installation time;
Judge whether the first group contains a first signature group that meets a predetermined condition and, if so, determine the first application programs included in that first signature group to be virus programs, where the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group.
For the specific process by which the processor 702 executes the above steps, and the steps the processor 702 further executes by running the executable program code, refer to the description of the embodiments shown in Figs. 1-6 of the present invention, which is not repeated here.
With the embodiment of the present invention, the first application programs present under the system directory of the terminal are first identified; the first application programs are grouped according to their signature information to generate a first group including at least one signature group, each signature group corresponding uniquely to signature information; the first application programs are grouped according to their installation time to generate a second group including at least one time group, each time group corresponding uniquely to an installation time; and it is judged whether the first group contains a first signature group that meets a predetermined condition and, if so, the first application programs in that first signature group are determined to be virus programs, the predetermined condition at least including: the included first application programs can cover the first application programs included in at least one time group. This makes it possible to identify virus programs that have been "stealthily" installed on the terminal.
The terminal exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: these devices are characterized by mobile communication capability, with voice and data communication as their main purpose. Such terminals include smartphones (e.g. iPhone), multimedia phones, feature phones, low-end phones, and so on.
(2) Ultra-mobile personal computer devices: these devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include PDA, MID and UMPC devices, e.g. iPad.
(3) Portable entertainment devices: these devices can display and play multimedia content. They include audio and video players (e.g. iPod), handheld devices, e-books, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server comprises a processor, hard disk, memory, system bus and so on. Its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, the requirements on processing capability, stability, reliability, security, scalability and manageability are higher.
(5) Other electronic devices with data interaction functions.
Because the device and terminal embodiments are substantially similar to the method embodiment, they are described relatively briefly; for relevant details, refer to the corresponding parts of the method embodiment description.
It should be noted that, in this document, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
A person of ordinary skill in the art will appreciate that all or some of the steps in the above method embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, the storage medium referred to here being, for example, ROM/RAM, a magnetic disk, an optical disc, etc.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention falls within the scope of protection of the present invention.

Claims (10)

1. An application program detection method, characterized in that it is applied to a terminal, the method comprising:
Identifying the application programs present under the system directory of the terminal and determining them to be first application programs;
Grouping the first application programs according to the signature information of the first application programs to generate a first group, the first group including at least one signature group, with each signature group corresponding uniquely to signature information;
Grouping the first application programs according to the installation time of the first application programs to generate a second group, the second group including at least one time group, with each time group corresponding uniquely to an installation time;
Judging whether the first group contains a first signature group that meets a predetermined condition and, if so, determining the first application programs included in the first signature group to be virus programs, wherein the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group.
2. The method according to claim 1, characterized in that the predetermined condition further includes: a minimum number of included first application programs;
The judging whether the first group contains a first signature group that meets a predetermined condition comprises:
Judging whether the first group contains a first signature group whose included first application programs can cover the first application programs included in at least one time group and that satisfies the minimum number of included first application programs.
3. The method according to claim 1 or 2, characterized in that the signature groups of the first application programs include:
A system-native class signature group, a hardware vendor class signature group, a device vendor class signature group or an application vendor class signature group.
4. The method according to claim 1 or 2, characterized in that the grouping the first application programs according to the installation time of the first application programs comprises:
Grouping the first application programs according to the installation date of the first application programs.
5. The method according to claim 1 or 2, characterized by further comprising:
After the first application programs included in the first signature group are determined to be virus programs, outputting a prompt message to inform the user that the first application programs included in the first signature group have been determined to be virus programs.
6. The method according to claim 1 or 2, characterized by further comprising:
After the first application programs included in the first signature group are determined to be virus programs, obtaining system privileges and forcibly uninstalling the virus programs.
7. An application program detection device, characterized in that it is applied to a terminal, the device comprising: a determining module, a first grouping module, a second grouping module and a judging module;
The determining module is configured to identify the application programs present under the system directory of the terminal and determine them to be first application programs;
The first grouping module is configured to group the first application programs according to the signature information of the first application programs to generate a first group, the first group including at least one signature group, with each signature group corresponding uniquely to signature information;
The second grouping module is configured to group the first application programs according to the installation time of the first application programs to generate a second group, the second group including at least one time group, with each time group corresponding uniquely to an installation time;
The judging module is configured to judge whether the first group contains a first signature group that meets a predetermined condition and, if so, to determine the first application programs included in the first signature group to be virus programs, wherein the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group.
8. The device according to claim 7, characterized in that the predetermined condition further includes: a minimum number of included first application programs;
The judging module is specifically configured to:
Judge whether the first group contains a first signature group whose included first application programs can cover the first application programs included in at least one time group and that satisfies the minimum number of included first application programs.
9. The device according to claim 7 or 8, characterized in that the signature groups of the first application programs include:
A system-native class signature group, a hardware vendor class signature group, a device vendor class signature group or an application vendor class signature group.
10. A terminal, characterized by comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the terminal; the memory is used to store executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the following steps:
Identifying the application programs present under the system directory of the terminal and determining them to be first application programs;
Grouping the first application programs according to the signature information of the first application programs to generate a first group, the first group including at least one signature group, with each signature group corresponding uniquely to signature information;
Grouping the first application programs according to the installation time of the first application programs to generate a second group, the second group including at least one time group, with each time group corresponding uniquely to an installation time;
Judging whether the first group contains a first signature group that meets a predetermined condition and, if so, determining the first application programs included in the first signature group to be virus programs, wherein the predetermined condition at least includes: the included first application programs can cover the first application programs included in at least one time group.
CN201511021184.0A 2015-12-30 2015-12-30 Application program detection method and device and terminal Active CN106934284B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511021184.0A CN106934284B (en) 2015-12-30 2015-12-30 Application program detection method and device and terminal

Publications (2)

Publication Number Publication Date
CN106934284A true CN106934284A (en) 2017-07-07
CN106934284B CN106934284B (en) 2020-02-11

Family

ID=59442541

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102222183A (en) * 2011-04-28 2011-10-19 奇智软件(北京)有限公司 Mobile terminal software package safety detection method and system thereof
CN102799824A (en) * 2012-07-13 2012-11-28 珠海市君天电子科技有限公司 Method and system for defending virus file with digital signature information
CN103150510A (en) * 2013-03-18 2013-06-12 珠海市君天电子科技有限公司 Method and device for processing malicious behaviors of software
CN103500311A (en) * 2013-09-30 2014-01-08 北京金山网络科技有限公司 Software testing method and system
WO2014039455A1 (en) * 2012-09-05 2014-03-13 Symantec Corporation Systems and methods for detecting illegitimate applications
CN103646209A (en) * 2013-12-20 2014-03-19 北京奇虎科技有限公司 Cloud-security-based bundled software blocking method and device
CN104462974A (en) * 2014-12-19 2015-03-25 北京奇虎科技有限公司 Program clearing method, device and system
CN104680084A (en) * 2015-03-20 2015-06-03 北京瑞星信息技术有限公司 Method and system for protecting user privacy in computer
CN104766008A (en) * 2014-01-07 2015-07-08 腾讯科技(深圳)有限公司 Application program installation package safety detection method and server
CN104933364A (en) * 2015-07-08 2015-09-23 中国科学院信息工程研究所 Automatic malicious code homology judgment method and system based on calling behaviors

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102222183A (en) * 2011-04-28 2011-10-19 奇智软件(北京)有限公司 Mobile terminal software package safety detection method and system thereof
CN102799824A (en) * 2012-07-13 2012-11-28 珠海市君天电子科技有限公司 Method and system for defending virus file with digital signature information
WO2014039455A1 (en) * 2012-09-05 2014-03-13 Symantec Corporation Systems and methods for detecting illegitimate applications
CN103150510A (en) * 2013-03-18 2013-06-12 珠海市君天电子科技有限公司 Method and device for processing malicious behaviors of software
CN103500311A (en) * 2013-09-30 2014-01-08 北京金山网络科技有限公司 Software testing method and system
CN103646209A (en) * 2013-12-20 2014-03-19 北京奇虎科技有限公司 Cloud-security-based bundled software blocking method and device
CN104766008A (en) * 2014-01-07 2015-07-08 腾讯科技(深圳)有限公司 Application program installation package safety detection method and server
CN104462974A (en) * 2014-12-19 2015-03-25 北京奇虎科技有限公司 Program clearing method, device and system
CN104680084A (en) * 2015-03-20 2015-06-03 北京瑞星信息技术有限公司 Method and system for protecting user privacy in computer
CN104933364A (en) * 2015-07-08 2015-09-23 中国科学院信息工程研究所 Automatic malicious code homology judgment method and system based on calling behaviors

Also Published As

Publication number Publication date
CN106934284B (en) 2020-02-11

Similar Documents

Publication Publication Date Title
CN105593868B (en) Fingerprint identification method and device and mobile terminal
CN101430745B (en) Digital rights management method and apparatus of mobile terminal
CN109564598B (en) Terminal detection method and terminal
CN102404706B (en) Method for managing tariff safety and mobile terminal
CN105407453A (en) Bluetooth pairing method and device
CN104951685A (en) Method and mobile terminal for running application programs
CN104184587A (en) Voiceprint generation method, voiceprint generation server, client and voiceprint generation system
CN104125216A (en) Method, system and terminal capable of improving safety of trusted execution environment
CN106778283A (en) A kind of guard method of system partitioning critical data and system
CN105024986A (en) Account login method, device and system
CN106934277A (en) Application program detection method and device and terminal
CN107729764A (en) Guard method, device, storage medium and the electronic equipment of sensitive information
CN105809471A (en) Method and device for acquiring user attribute and electronic equipment
CN106155753A (en) A kind of application program installation method, device and terminal
CN104683299A (en) Control method for software registration, authentication server and terminal
US7437563B2 (en) Software integrity test
CN103034810B (en) A kind of detection method, device and electronic equipment
CN104899488B (en) Numeric value transfer and device
CN106934284A (en) Application program detection method and device and terminal
CN106372466A (en) License burning and processing method and device of WIFI module
CN105049473A (en) Application upgrading method and system
CN106055615A (en) Method, device and system for obtaining music information
CN105787302B (en) A kind of processing method of application program, device and electronic equipment
CN104102538A (en) Information processing method and electronic equipment
CN104679785B (en) Method and device for distinguishing software types

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant