CN107506646B - Malicious application detection method and device and computer readable storage medium - Google Patents

Info

Publication number
CN107506646B
Authority
CN
China
Prior art keywords
application
malicious
permission
authority
frequent
Legal status
Active
Application number
CN201710915977.XA
Other languages
Chinese (zh)
Other versions
CN107506646A (en)
Inventor
梅俊
Current Assignee
Nubia Technology Co Ltd
Original Assignee
Nubia Technology Co Ltd
Application filed by Nubia Technology Co Ltd
Priority to CN201710915977.XA
Publication of CN107506646A
Application granted
Publication of CN107506646B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides a malicious application detection method and device and a computer storage medium. The detection method acquires the application permission information of known malicious applications, derives the relevance among those permissions according to a preset rule, and builds a permission feature library from that relevance. When an application detection instruction is received, the permission request information of the target application is acquired, and whether the target application is malicious is judged from the permission feature library and the permission request information. In this way a frequent permission set for malicious applications is established and applications are detected against it, so that malicious programs are identified more accurately, the false alarm rate for normal software in the prior art is reduced, the malware detection rate is improved, and the low precision of conventional malicious application detection methods is addressed.

Description

Malicious application detection method and device and computer readable storage medium
Technical Field
The invention relates to the technical field of the mobile internet, and in particular to a method and device for detecting malicious applications and a computer readable storage medium.
Background
The Android system is a completely open operating system, which makes it a natural venue for many malicious application developers. Such developers add malicious code to popular domestic and foreign applications and then release the repackaged applications on large forums and in application stores. Because a smartphone usually holds a large amount of private user information, a malicious application on Android typically acquires that information without explicitly prompting the user or obtaining the user's consent, infringing the user's legitimate rights and interests. The main malicious behaviours of such applications include malicious deduction (unauthorised charges), privacy theft, remote control, malicious propagation, fee consumption, system destruction, fraud and rogue behaviour, causing economic loss or distress to users. The existing detection method for malicious applications mainly judges whether a target application holds a certain single permission that has been counted in advance as corresponding to malicious applications, and decides on that basis whether the target application is malicious. Because a single permission cannot fully reflect the behaviour of a malicious application, detection based on a single permission alone is prone to misjudgement and its accuracy is low.
Disclosure of Invention
The invention mainly aims to provide a detection method and device for malicious applications and a computer readable storage medium, and aims to solve the technical problem that the traditional detection method for malicious applications is low in accuracy.
In order to achieve the above object, the present invention provides a method for detecting a malicious application, which includes the following steps:
acquiring the application permission information of known malicious applications, and determining a frequent permission set within that information according to a preset rule;
when an application detection instruction is received, acquiring the permission request information of a target application;
and judging, from the frequent permission set and the permission request information, whether the target application is a malicious application.
Optionally, before the step of obtaining the application permission information in the known malicious application and determining the frequent permission set in the application permission information according to the preset rule, the method further includes:
acquiring known malicious applications, and establishing a malicious application set;
and classifying the known malicious applications in the malicious application set according to the malicious behavior categories of the malicious applications to obtain classified malicious applications.
Optionally, the step of acquiring the application permission information of known malicious applications and determining a frequent permission set within it according to a preset rule includes:
acquiring the application permission information of the classified malicious applications to generate classified application permission information;
and determining, according to the preset rule, a classified frequent permission set corresponding to each class of application permission information.
Optionally, after the step of determining whether the target application is a malicious application according to the permission feature library and the permission request information, the method further includes:
and if the target application is a malicious application, determining the malicious behavior category of the target application according to the classified frequent permission set to which the target application belongs.
Optionally, the step of acquiring the application permission information of a known malicious application includes:
analysing the known malicious application according to a preset static analysis rule and extracting the entry file corresponding to it;
and analysing the entry file and extracting the application permission information from it.
Optionally, the step of determining a frequent permission set within the application permission information according to a preset rule includes:
determining the frequent permission set from the occurrence frequency of each permission across the known malicious applications, where the occurrence frequency of every permission in the frequent permission set is greater than a preset frequency.
Optionally, the step of determining whether the target application is a malicious application according to the frequent permission set and the permission request information includes:
judging whether the permission request information is matched with the frequent permission set;
and if the permission request information is matched with the frequent permission set, judging that the target application is a malicious application.
Optionally, after the step of determining whether the permission request information matches the frequent permission set, the method further includes:
if the permission request information is not matched with the frequent permission set, acquiring the downloading amount corresponding to the target application;
and when the download amount exceeds a preset threshold value, judging that the target application is a non-malicious application.
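The steps above as one runnable pipeline, added here as an example and not the patent's own code: permissions are read from the AndroidManifest.xml of each known malicious sample, grouped by behaviour category, reduced to the permissions whose frequency within the category exceeds the preset value, and a target manifest is then matched against those sets, with the download-count fallback for the non-matching case. The manifests, category labels, download counts, the 60% frequency and the 1,000,000-download threshold are all constructed. Reading "matches" as "the target requests every permission in the set", and reporting "undetermined" when neither rule fires, are interpretations, since the text leaves both points open.

```python
"""Permission-based malicious-app detection, following the steps listed above.

Added example, not the patent's own code. Every manifest, behaviour label,
download count and threshold below is constructed for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def extract_permissions(manifest_xml: str) -> frozenset:
    """Return the <uses-permission> names declared in a (text) AndroidManifest.xml.

    A manifest taken straight out of an APK is binary XML and must be decoded
    first (e.g. with aapt, as the description notes).
    """
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter():
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.add(name)
    return frozenset(names)


def make_manifest(perms) -> str:
    """Build a minimal text manifest declaring `perms` (constructed sample data)."""
    decls = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.sample">'
            f"{decls}<application/></manifest>")


def frequent_permission_sets(labelled_manifests, min_frequency: float) -> dict:
    """Per behaviour category: the permissions whose occurrence frequency across
    that category's known samples is greater than `min_frequency`.
    `labelled_manifests` is an iterable of (category, manifest_xml) pairs."""
    by_category = defaultdict(list)
    for category, manifest in labelled_manifests:
        by_category[category].append(extract_permissions(manifest))
    result = {}
    for category, perm_sets in by_category.items():
        counts = Counter(p for perms in perm_sets for p in perms)
        n = len(perm_sets)
        result[category] = frozenset(p for p, c in counts.items() if c / n > min_frequency)
    return result


def detect(target_manifest: str, frequent_sets: dict,
           downloads: int, download_threshold: int) -> tuple:
    """Return (verdict, matched_categories) for one target application.

    "Matches" is read as: the target requests every permission of a category's
    frequent set (an interpretation). With no match the download-count fallback
    applies; a target that neither matches nor clears the threshold is reported
    "undetermined" (our choice; the text does not cover that case).
    """
    requested = extract_permissions(target_manifest)
    matched = sorted(cat for cat, fs in frequent_sets.items() if fs and fs <= requested)
    if matched:
        return "malicious", matched
    if downloads > download_threshold:
        return "benign", []
    return "undetermined", []


# Real Android permission names; the corpus built from them is constructed.
SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
READ_SMS = "android.permission.READ_SMS"
PHONE_STATE = "android.permission.READ_PHONE_STATE"
INTERNET = "android.permission.INTERNET"
CONTACTS = "android.permission.READ_CONTACTS"
LOCATION = "android.permission.ACCESS_FINE_LOCATION"
BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"
CAMERA = "android.permission.CAMERA"
STORAGE = "android.permission.WRITE_EXTERNAL_STORAGE"

KNOWN_MALICIOUS = [  # (behaviour category, manifest) -- constructed samples
    ("malicious_deduction", make_manifest([SEND_SMS, RECEIVE_SMS, PHONE_STATE, INTERNET])),
    ("malicious_deduction", make_manifest([SEND_SMS, RECEIVE_SMS, READ_SMS, INTERNET])),
    ("malicious_deduction", make_manifest([SEND_SMS, PHONE_STATE, INTERNET, BOOT])),
    ("privacy_stealing", make_manifest([CONTACTS, READ_SMS, INTERNET, PHONE_STATE])),
    ("privacy_stealing", make_manifest([CONTACTS, LOCATION, INTERNET])),
    ("privacy_stealing", make_manifest([CONTACTS, READ_SMS, INTERNET, BOOT])),
]

# Preset frequency: a permission must appear in more than 60% of a category's samples.
FREQUENT_SETS = frequent_permission_sets(KNOWN_MALICIOUS, min_frequency=0.6)
DOWNLOAD_THRESHOLD = 1_000_000  # constructed fallback threshold

if __name__ == "__main__":
    for cat, fs in FREQUENT_SETS.items():
        print(cat, sorted(fs))
    # Requests the whole "deduction" set plus storage: flagged, category attributed.
    print(detect(make_manifest([SEND_SMS, RECEIVE_SMS, PHONE_STATE, INTERNET, STORAGE]),
                 FREQUENT_SETS, 300, DOWNLOAD_THRESHOLD))
    # No match and very popular: the fallback calls it benign.
    print(detect(make_manifest([INTERNET, CAMERA]), FREQUENT_SETS, 5_000_000, DOWNLOAD_THRESHOLD))
    # No match and few downloads: neither rule decides.
    print(detect(make_manifest([INTERNET, CAMERA, LOCATION]), FREQUENT_SETS, 120, DOWNLOAD_THRESHOLD))
```

The download-count branch treats popularity as evidence of benignity. The Background itself notes that malicious developers repackage popular applications, which are then downloaded by large numbers of users, so a practitioner would treat that branch as a tunable tie-breaker rather than a verdict, which is why the code keeps it separate from the permission match.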
In addition, in order to achieve the above object, the present invention further provides a malicious application detection device, which includes a processor, a memory, and a malicious application detection program stored in the memory and runnable on the processor; when executed by the processor, the program implements the steps of the malicious application detection method described above.
In addition, to achieve the above object, the present invention also provides a computer readable storage medium on which a malicious application detection program is stored; when executed by a processor, the program implements the steps of the malicious application detection method described above.
The invention provides a malicious application detection method and device and a computer storage medium. The detection method acquires the application permission information of known malicious applications, derives the relevance among those permissions according to a preset rule, and builds a permission feature library from that relevance; when an application detection instruction is received, the permission request information of the target application is acquired, and whether the target application is malicious is judged from the permission feature library and the permission request information. In this way the application permission information of known malicious applications is analysed, the frequent characteristics of that information are mined, and a frequent permission set for malicious applications is established. Detecting applications against the frequent permission set identifies malicious programs more accurately, reduces the false alarm rate for normal software in the prior art, improves the malware detection rate, and addresses the low precision of conventional malicious application detection methods.
Drawings
Fig. 1 is a schematic diagram of the hardware structure of a mobile terminal implementing various embodiments of the present invention;
Fig. 2 is an architecture diagram of the communication network system provided in an embodiment of the present invention;
Fig. 3 is a flowchart of a malicious application detection method according to a first embodiment of the present invention;
Fig. 4 is a flowchart of a malicious application detection method according to a second embodiment of the present invention;
Fig. 5 is a flowchart of a malicious application detection method according to a third embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for facilitating the explanation of the present invention, and have no specific meaning in itself. Thus, "module", "component" or "unit" may be used mixedly.
The terminal may be implemented in various forms. For example, the terminal described in the present invention may include a mobile terminal such as a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a Personal Digital Assistant (PDA), a Portable Media Player (PMP), a navigation device, a wearable device, a smart band, a pedometer, and the like, and a fixed terminal such as a Digital TV, a desktop computer, and the like.
The following description will be given by way of example of a mobile terminal, and it will be understood by those skilled in the art that the construction according to the embodiment of the present invention can be applied to a fixed type terminal, in addition to elements particularly used for mobile purposes.
Referring to Fig. 1, a schematic diagram of the hardware structure of a mobile terminal for implementing various embodiments of the present invention, the mobile terminal 100 may include: RF (radio frequency) unit 101, WiFi module 102, audio output unit 103, A/V (audio/video) input unit 104, sensor 105, display unit 106, user input unit 107, interface unit 108, memory 109, processor 110, and power supply 111. Those skilled in the art will appreciate that the architecture shown in Fig. 1 is not intended to limit the mobile terminal, which may include more or fewer components than shown, may combine some components, or may arrange them differently.
The following describes each component of the mobile terminal in detail with reference to fig. 1:
The radio frequency unit 101 may be used to receive and transmit signals during information transmission and reception or during a call; specifically, it receives downlink information from a base station and passes it to the processor 110 for processing, and transmits uplink data to the base station. Typically, the radio frequency unit 101 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low-noise amplifier, a duplexer and the like. The radio frequency unit 101 can also communicate with a network and other devices through wireless communication, which may use any communication standard or protocol, including but not limited to GSM (Global System for Mobile communications), GPRS (General Packet Radio Service), CDMA2000 (Code Division Multiple Access 2000), WCDMA (Wideband Code Division Multiple Access), TD-SCDMA (Time Division-Synchronous Code Division Multiple Access), FDD-LTE (Frequency Division Duplex Long Term Evolution) and TDD-LTE (Time Division Duplex Long Term Evolution).
WiFi belongs to short-distance wireless transmission technology, and the mobile terminal can help a user to receive and send e-mails, browse webpages, access streaming media and the like through the WiFi module 102, and provides wireless broadband internet access for the user. Although fig. 1 shows the WiFi module 102, it is understood that it does not belong to the essential constitution of the mobile terminal, and may be omitted entirely as needed within the scope not changing the essence of the invention.
The audio output unit 103 may convert audio data received by the radio frequency unit 101 or the WiFi module 102 or stored in the memory 109 into an audio signal and output as sound when the mobile terminal 100 is in a call signal reception mode, a call mode, a recording mode, a voice recognition mode, a broadcast reception mode, or the like. Also, the audio output unit 103 may also provide audio output related to a specific function performed by the mobile terminal 100 (e.g., a call signal reception sound, a message reception sound, etc.). The audio output unit 103 may include a speaker, a buzzer, and the like.
The A/V input unit 104 is used to receive audio or video signals. It may include a graphics processing unit (GPU) 1041 and a microphone 1042. The graphics processor 1041 processes image data of still pictures or video obtained by an image capturing device (e.g. a camera) in video capturing mode or image capturing mode; the processed image frames may be displayed on the display unit 106, stored in the memory 109 (or another storage medium), or transmitted via the radio frequency unit 101 or the WiFi module 102. The microphone 1042 receives sound (audio data) in phone call mode, recording mode, voice recognition mode and the like, and processes it into audio data; in phone call mode the processed audio (voice) data may be converted into a format that can be transmitted to a mobile communication base station via the radio frequency unit 101. The microphone 1042 may implement various noise cancellation (or suppression) algorithms to cancel (or suppress) noise or interference arising while audio signals are received and transmitted.
The mobile terminal 100 also includes at least one sensor 105, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor includes an ambient light sensor that can adjust the brightness of the display panel 1061 according to the brightness of ambient light, and a proximity sensor that can turn off the display panel 1061 and/or a backlight when the mobile terminal 100 is moved to the ear. As one of the motion sensors, the accelerometer sensor can detect the magnitude of acceleration in each direction (generally, three axes), can detect the magnitude and direction of gravity when stationary, and can be used for applications of recognizing the posture of a mobile phone (such as horizontal and vertical screen switching, related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer and tapping), and the like; as for other sensors such as a fingerprint sensor, a pressure sensor, an iris sensor, a molecular sensor, a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured on the mobile phone, further description is omitted here.
The display unit 106 is used to display information input by a user or information provided to the user. The Display unit 106 may include a Display panel 1061, and the Display panel 1061 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like.
The user input unit 107 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the mobile terminal. Specifically, the user input unit 107 may include a touch panel 1071 and other input devices 1072. The touch panel 1071, also referred to as a touch screen, may collect a touch operation performed by a user on or near the touch panel 1071 (e.g., an operation performed by the user on or near the touch panel 1071 using a finger, a stylus, or any other suitable object or accessory), and drive a corresponding connection device according to a predetermined program. The touch panel 1071 may include two parts of a touch detection device and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts the touch information into touch point coordinates, sends the touch point coordinates to the processor 110, and can receive and execute commands sent by the processor 110. In addition, the touch panel 1071 may be implemented in various types, such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. In addition to the touch panel 1071, the user input unit 107 may include other input devices 1072. In particular, other input devices 1072 may include, but are not limited to, one or more of a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like, and are not limited to these specific examples.
Further, the touch panel 1071 may cover the display panel 1061, and when the touch panel 1071 detects a touch operation thereon or nearby, the touch panel 1071 transmits the touch operation to the processor 110 to determine the type of the touch event, and then the processor 110 provides a corresponding visual output on the display panel 1061 according to the type of the touch event. Although the touch panel 1071 and the display panel 1061 are shown in fig. 1 as two separate components to implement the input and output functions of the mobile terminal, in some embodiments, the touch panel 1071 and the display panel 1061 may be integrated to implement the input and output functions of the mobile terminal, and is not limited herein.
The interface unit 108 serves as an interface through which at least one external device is connected to the mobile terminal 100. For example, the external device may include a wired or wireless headset port, an external power supply (or battery charger) port, a wired or wireless data port, a memory card port, a port for connecting a device having an identification module, an audio input/output (I/O) port, a video I/O port, an earphone port, and the like. The interface unit 108 may be used to receive input (e.g., data information, power, etc.) from external devices and transmit the received input to one or more elements within the mobile terminal 100 or may be used to transmit data between the mobile terminal 100 and external devices.
The memory 109 may be used to store software programs as well as various data. It may mainly include a program storage area and a data storage area: the program storage area may store an operating system and the application programs required by at least one function (such as a sound playing function or an image playing function), while the data storage area may store data created through use of the phone (such as audio data or a phonebook). Further, the memory 109 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
The processor 110 is a control center of the mobile terminal, connects various parts of the entire mobile terminal using various interfaces and lines, and performs various functions of the mobile terminal and processes data by operating or executing software programs and/or modules stored in the memory 109 and calling data stored in the memory 109, thereby performing overall monitoring of the mobile terminal. Processor 110 may include one or more processing units; preferably, the processor 110 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 110.
The mobile terminal 100 may further include a power supply 111 (e.g., a battery) for supplying power to various components, and preferably, the power supply 111 may be logically connected to the processor 110 via a power management system, so as to manage charging, discharging, and power consumption management functions via the power management system.
Although not shown in fig. 1, the mobile terminal 100 may further include a bluetooth module or the like, which is not described in detail herein.
In order to facilitate understanding of the embodiments of the present invention, a communication network system on which the mobile terminal of the present invention is based is described below.
Referring to fig. 2, fig. 2 is an architecture diagram of a communication Network system according to an embodiment of the present invention, where the communication Network system is an LTE system of a universal mobile telecommunications technology, and the LTE system includes a UE (User Equipment) 201, an E-UTRAN (Evolved UMTS Terrestrial Radio Access Network) 202, an EPC (Evolved Packet Core) 203, and an IP service 204 of an operator, which are in communication connection in sequence.
Specifically, the UE201 may be the terminal 100 described above, and is not described herein again.
The E-UTRAN202 includes eNodeB2021 and other eNodeBs 2022, among others. Among them, the eNodeB2021 may be connected with other eNodeB2022 through backhaul (e.g., X2 interface), the eNodeB2021 is connected to the EPC203, and the eNodeB2021 may provide the UE201 access to the EPC 203.
The EPC 203 may include an MME (Mobility Management Entity) 2031, an HSS (Home Subscriber Server) 2032, other MMEs 2033, an SGW (Serving Gateway) 2034, a PGW (PDN Gateway) 2035, a PCRF (Policy and Charging Rules Function) 2036, and the like. The MME 2031 is a control node that handles signalling between the UE 201 and the EPC 203 and provides bearer and connection management. The HSS 2032 provides registers, such as a home location register (not shown), and holds subscriber-specific information on service characteristics, data rates and the like. All user data may be sent through the SGW 2034; the PGW 2035 may provide IP address assignment for the UE 201 among other functions; and the PCRF 2036 is the policy and charging control decision point for service data flows and IP bearer resources, selecting and providing the available policy and charging control decisions to a policy and charging enforcement function (not shown).
The IP services 204 may include the internet, intranets, IMS (IP Multimedia Subsystem), or other IP services, among others.
Although the LTE system is described as an example, it should be understood by those skilled in the art that the present invention is not limited to the LTE system, but may also be applied to other wireless communication systems, such as GSM, CDMA2000, WCDMA, TD-SCDMA, and future new network systems.
Based on the above mobile terminal hardware structure and communication network system, the present invention provides various embodiments of the method.
Referring to fig. 3, fig. 3 is a flowchart illustrating a method for detecting malicious applications according to a first embodiment of the present invention.
In this embodiment, the method for detecting a malicious application includes the following steps:
Step S10, acquiring the application permission information of known malicious applications, and determining a frequent permission set within that information according to a preset rule;
the Android system is a completely open operating system, so that any developer can upload a code program written by the developer to the Android system. Along with convenience, the Android system is also easy to become an active place for numerous malicious application developers. Malicious application developers add malicious codes to domestic and foreign popular applications, publish the malicious codes to various large forums and application stores, and download and install the malicious codes by a large number of intelligent terminal users. Because a large amount of user privacy information usually exists in the smart phone, a malicious application program in the Android system usually acquires the privacy information on the user phone under the condition that the user is not explicitly prompted or the user is not allowed, and the legal rights and interests of the user are violated. For example, the main malicious behaviors of malicious applications include: malicious deduction, privacy stealing, remote control, malicious propagation, expense consumption, system destruction, fraud trapping, rogue behavior and the like, thereby causing economic loss or mental disturbance to users. The earliest detection methods for malicious applications mainly include two methods: dynamic analysis and static analysis. The dynamic analysis method mainly comprises the step of modifying an Android simulator kernel to carry out real-time detection on an installed application program or enabling the application program to run according to a specified path by using a symbolic execution method, so that malicious behaviors of the application program are obtained. 
The static analysis method mainly comprises the steps of analyzing related files in an APK (Android application package), disassembling the related files to obtain byte code information of an application program, comparing the byte code information with preset malicious application program file characteristic information, and determining the files to be malicious programs if the byte code information is consistent with the preset malicious application program file characteristic information. Therefore, the purpose of rapidly and efficiently filtering the application programs without malicious behaviors can not be achieved by the corresponding analysis method under the condition of facing mass Android application programs, so that the cost of analyzing the application programs with the malicious behaviors possibly in the later period is reduced. The existing malicious application detection technology mainly judges whether a target application program has a single authority according to a certain single authority corresponding to a malicious application program counted in advance, so as to determine whether the target application program is the malicious application program. Because the single authority cannot fully reflect the behavior information of the malicious application program, the detection of the malicious application program is carried out only by a certain single authority, so that misjudgment is easily generated, and the detection accuracy is low.
In order to solve the technical problem that the conventional detection method for the malicious application program is low in accuracy, the application permission information in the known malicious application program is analyzed, and frequent features of the application permission information of the malicious application program are mined, so that a frequent permission set of the malicious application program is established. And the application program is detected through the frequent permission set, so that the malicious program can be identified more accurately. Specifically, known malicious application data stored locally or known malicious application data in an external database communicatively connected to the malicious application detection apparatus may be acquired. Then acquiring all application authority information in the known malicious application, wherein the step of acquiring the application authority information comprises the following steps: and automatically analyzing the known malicious applications by a static analysis method. Firstly, decompressing the known malicious application by using an Android asset packaging tool of a tool carried in an Android SDK, extracting an Android manifest. And determining a frequent authority set according to a preset rule, such as an authority frequent pattern mining algorithm, or according to the frequency of the applied authority information appearing in the known malicious application.
Further, the step of determining a frequent permission set in the application permission information according to a preset rule includes:
determining a frequent permission set in the application permission information according to the frequency with which each application permission occurs in the known malicious applications, wherein the frequency of occurrence of each frequent permission in the frequent permission set is greater than a preset frequency.
Specifically, the frequent permission set is determined from the application permission information according to how often each permission appears in the known malicious applications: a permission belongs to the frequent permission set only if its frequency of occurrence in the known malicious applications exceeds the preset frequency. The frequent permission set therefore contains the permissions most characteristic of malicious applications. In a specific embodiment, the permission feature combination corresponding to the known malicious applications can be obtained according to the preset rule and stored in a permission feature library, which then serves as the comparison template for judging whether an application is malicious.
Step S20, when an application detection instruction is received, acquiring the permission request information of the target application;
Specifically, when a triggered application detection instruction is received, the malicious application detection device acquires the target application designated in the instruction, analyzes it, and acquires the permission request information corresponding to it. The application detection instruction may be triggered by the user, through a shortcut icon of the malicious application detection device on the desktop or a shortcut key corresponding to the device, or it may be generated automatically when the terminal downloads an application, so that the malicious application detection device can judge whether the target application is malicious.
Further, the step of acquiring application permission information in known malicious applications includes:
analyzing the known malicious application according to a preset static analysis rule, and extracting the entry file corresponding to the known malicious application;
and analyzing the entry file and extracting the application permission information in the entry file.
Specifically, the target application is automatically analyzed by a static analysis method: the target application is first unpacked with the Android Asset Packaging Tool (aapt) shipped with the Android SDK, the entry file (the Android manifest) is extracted, and the permission request information declared in it is extracted.
Step S30, judging whether the target application is a malicious application according to the frequent permission set and the permission request information.
Specifically, once the frequent permission set has been determined and the permission request information of the target application has been acquired, it is judged whether the permission request information of the target application includes the permissions in the frequent permission set. When it does, the permissions requested by the target application are the characteristic permissions possessed by malicious applications, and the target application can therefore be determined to be a malicious application.
This embodiment provides a method and a device for detecting malicious applications and a computer storage medium. The method comprises: obtaining application permission information of known malicious applications, obtaining the permission relevance among the application permission information according to a preset rule, and establishing a permission feature library according to the permission relevance; when an application detection instruction is received, acquiring the permission request information of the target application; and judging whether the target application is malicious according to the permission feature library and the permission request information. In this way, the application permission information of known malicious applications is analyzed and the frequent features of that permission information are mined, so that a frequent permission set of malicious applications is established. Detecting applications against the frequent permission set identifies malicious programs more accurately, reduces the false alarm rate for normal software in the prior art, improves the detection rate of malicious software, and solves the technical problem of the low accuracy of conventional malicious application detection methods.
Referring to fig. 4, fig. 4 is a flowchart illustrating a method for detecting malicious applications according to a second embodiment of the present invention.
In this embodiment, based on the above embodiment shown in fig. 3, step S10 specifically includes:
Step S01, acquiring known malicious applications and establishing a malicious application set;
Specifically, known malicious applications stored in a local database or stored externally are obtained and stored in a pre-established malicious application set.
Step S02, classifying the known malicious applications in the malicious application set according to the malicious behavior categories of the malicious applications to obtain classified malicious applications.
Malicious applications with similar malicious behaviors usually need the same set of permissions, which cooperate to complete the malicious behavior, while malicious applications with different malicious behaviors usually need different sets of permissions. In this embodiment, the malicious applications are therefore classified, which improves both detection accuracy and detection efficiency. Specifically, when a known malicious application is acquired, it is classified according to its malicious behavior category. For example, with malicious behaviors such as stealing passwords, acquiring privacy information and forcibly installing software, the malicious applications are divided into password-stealing applications, privacy-harvesting applications, forced-installation applications and so on; for convenience of description these are referred to as class A, class B, class C and so on.
Further, in this embodiment, step S10 specifically includes:
Step S11, obtaining the application permission information of the classified malicious applications and generating classified application permission information;
Specifically, the application permission information of the class A, class B, class C, etc. malicious applications is obtained separately, and the corresponding classified application permission information is generated: class A permission information for class A, class B permission information for class B, class C permission information for class C, and so on.
Step S12, determining the classified frequent permission set corresponding to the classified application permission information according to the preset rule.
Specifically, a class A frequent permission set is determined within the class A application permission information according to a preset rule, such as a permission frequent pattern mining algorithm, or according to the frequency with which each permission appears in the class A malicious applications; every permission in the class A frequent permission set must appear in the class A malicious applications with a frequency exceeding the preset frequency. That is, the class A frequent permission set contains the permissions most characteristic of class A malicious applications. A class B frequent permission set for the class B malicious applications and a class C frequent permission set for the class C malicious applications are then determined in the same way. In a specific embodiment, the permission feature combinations corresponding to the various classes of malicious applications can be obtained according to the preset rule and stored in a permission feature library, which serves as the comparison template for judging whether an application is malicious.
Further, in this embodiment, based on the embodiment shown in fig. 3, the method for detecting a malicious application further includes:
step S40, if the target application is a malicious application, determining the malicious behavior category of the target application according to the classified frequent permission set to which the target application belongs.
Specifically, when the target application is judged to be malicious according to a classified frequent permission set, the malicious behavior category of the target application is the category (class A, class B or class C) to which that classified frequent permission set belongs. In a specific embodiment, a corresponding reminder message may be generated for the user terminal or the server to remind the user that the target application is a malicious application of a certain malicious behavior category and should be handled promptly.
In this embodiment, known malicious applications are first classified according to their malicious behavior categories; the application permission information of each class of malicious applications is then obtained and analyzed separately, and the frequent features of each class's permission information are mined, so that a classified frequent permission set corresponding to each class of malicious applications is established. Detecting the target application against the classified frequent permission sets improves detection efficiency, identifies malicious programs more accurately, identifies the malicious application category of the target application, reduces the false alarm rate for normal software, solves the technical problem of the low accuracy of conventional malicious application detection methods, and improves detection speed.
Referring to fig. 5, fig. 5 is a flowchart illustrating a method for detecting malicious applications according to a second embodiment of the present invention.
In this embodiment, based on the embodiment described in fig. 3, step S30 specifically includes:
Step S31, judging whether the permission request information matches the frequent permission set;
Specifically, after the permission request information of the target application is acquired, each target permission in it is compared with the frequent permission set, and it is judged whether the target permissions match each permission in the frequent permission set.
Step S32, if the permission request information matches the frequent permission set, determining that the target application is a malicious application.
Specifically, the permissions in the frequent permission set are the feature permissions of malicious applications, and when the target application holds all of these feature permissions, the target application can be determined to be a malicious application.
Step S33, if the permission request information does not match the frequent permission set, acquiring the download count corresponding to the target application;
Specifically, if the target application holds only some of the feature permissions, the download count of the target application in the application store is further acquired. Most malicious applications have a limited number of downloads and never reach download counts like those of WeChat or QQ. It is therefore judged whether the download count of the target application exceeds the download count threshold of normal applications.
Step S34, when the download count exceeds a preset threshold, determining that the target application is a non-malicious application.
Specifically, when the permission request information of the target application does not match the frequent permission set and the download count of the target application exceeds the preset download count threshold corresponding to normal applications, the target application is determined to be a non-malicious application.
This embodiment provides a method and a device for detecting malicious applications and a computer storage medium. The application is detected against the frequent permission set, and when the permission request information does not match the set, whether the target application is malicious is further judged according to third-party download count data, so that malicious programs can be identified more accurately, the false alarm rate for normal software in the prior art is reduced, the detection rate of malicious software is improved, and the technical problem of the low accuracy of conventional malicious application detection methods is solved.
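The complete flow of steps S01 to S40 above, as an added worked example in Python that is not code from the patent or from Nubia: manifest permission extraction, the per-class frequent permission mining of claim 6, the full-match rule of step S32 and the download-count fallback of steps S33 and S34. The sample corpus, the 0.7 frequency threshold, the 1,000,000 download threshold and the "first matching class wins" rule are constructed assumptions.

```python
# Added worked example of the detection flow described above; constructed for this
# page, not code from the patent or from Nubia. The corpus, the frequency and
# download thresholds and the "first matching class wins" rule are assumptions.
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
P = "android.permission."


def perms(*names):
    """Build a set of fully qualified Android permission names."""
    return {P + n for n in names}


def manifest_permissions(manifest_xml: str) -> frozenset:
    """Extract the <uses-permission> names from a decoded AndroidManifest.xml
    (the 'entry file' of steps S10/S20). Decoding the binary manifest with
    aapt is outside this example, so a plain-XML string is taken as input."""
    root = ET.fromstring(manifest_xml)
    names = (el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission"))
    return frozenset(n for n in names if n)


def frequent_permission_set(apps, min_frequency: float) -> frozenset:
    """Claim 6: a permission is frequent when the fraction of known malicious
    apps requesting it is greater than the preset frequency."""
    counts = Counter(p for app_perms in apps for p in app_perms)
    return frozenset(p for p, c in counts.items() if c / len(apps) > min_frequency)


def classified_frequent_sets(labelled_apps, min_frequency: float) -> dict:
    """Steps S01/S02 and S11/S12: group known malicious apps by behaviour
    category and mine one frequent permission set per category."""
    by_class = {}
    for category, app_perms in labelled_apps:
        by_class.setdefault(category, []).append(app_perms)
    return {c: frequent_permission_set(a, min_frequency) for c, a in by_class.items()}


def detect(requested, class_sets, download_count: int, download_threshold: int):
    """Steps S31-S34 and S40; returns (verdict, category).
    Full match (S32): the target requests every permission of a class's frequent
    set, so it is malicious and of that class (first matching class wins).
    Otherwise (S33/S34) the store download count decides: above the threshold the
    app is non-malicious. The page does not say what a partial match below the
    threshold means, so that case is reported as 'undetermined' here."""
    for category, fset in class_sets.items():
        if fset and fset <= requested:
            return "malicious", category
    if download_count > download_threshold:
        return "non-malicious", None
    return "undetermined", None


# Constructed corpus of known malicious apps labelled by behaviour category
# (A: password stealing, B: privacy harvesting, C: forced installation).
KNOWN_MALICIOUS = [
    ("A", perms("INTERNET", "READ_SMS", "RECEIVE_SMS", "READ_CONTACTS")),
    ("A", perms("INTERNET", "READ_SMS", "RECEIVE_SMS", "WAKE_LOCK")),
    ("A", perms("INTERNET", "READ_SMS", "RECEIVE_SMS", "SEND_SMS")),
    ("A", perms("INTERNET", "READ_SMS", "RECEIVE_SMS", "VIBRATE")),
    ("B", perms("INTERNET", "READ_CONTACTS", "ACCESS_FINE_LOCATION", "READ_PHONE_STATE")),
    ("B", perms("INTERNET", "READ_CONTACTS", "ACCESS_FINE_LOCATION", "CAMERA")),
    ("B", perms("INTERNET", "READ_CONTACTS", "ACCESS_FINE_LOCATION", "READ_PHONE_STATE")),
    ("B", perms("INTERNET", "READ_CONTACTS", "ACCESS_FINE_LOCATION", "READ_CALL_LOG")),
    ("C", perms("INTERNET", "REQUEST_INSTALL_PACKAGES", "RECEIVE_BOOT_COMPLETED", "WRITE_EXTERNAL_STORAGE")),
    ("C", perms("INTERNET", "REQUEST_INSTALL_PACKAGES", "RECEIVE_BOOT_COMPLETED", "SYSTEM_ALERT_WINDOW")),
    ("C", perms("INTERNET", "REQUEST_INSTALL_PACKAGES", "RECEIVE_BOOT_COMPLETED", "WRITE_EXTERNAL_STORAGE")),
]
MIN_FREQUENCY = 0.7             # preset frequency of claim 6 (assumed value)
DOWNLOAD_THRESHOLD = 1_000_000  # preset download-count threshold of S34 (assumed value)

# Constructed manifest of a target application submitted for detection.
TARGET_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.target">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="target"/>
</manifest>"""


def run_example():
    """Mine the per-class sets, parse the target manifest and return the verdict."""
    class_sets = classified_frequent_sets(KNOWN_MALICIOUS, MIN_FREQUENCY)
    requested = manifest_permissions(TARGET_MANIFEST)
    verdict = detect(requested, class_sets, 1200, DOWNLOAD_THRESHOLD)
    return class_sets, requested, verdict


if __name__ == "__main__":
    sets, req, verdict = run_example()
    for cat in sorted(sets):
        print(cat, sorted(sets[cat]))
    print("target requests:", sorted(req))
    print("verdict:", verdict)  # ('malicious', 'A')
```

The corpus is small on purpose so the frequencies can be checked by hand: WRITE_EXTERNAL_STORAGE appears in 2 of 3 class C apps (0.67) and is therefore not frequent at the 0.7 threshold, while the three permissions shared by every class C app are.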
The invention also provides a mobile terminal.
The mobile terminal comprises a processor, a memory and a malicious application detection program that is stored in the memory and can run on the processor; when executed by the processor, the malicious application detection program implements the steps of the malicious application detection method described above.
The method implemented when the malicious application detection program is executed may refer to each embodiment of the malicious application detection method of the present invention, and the details are not repeated here.
The invention also provides a computer readable storage medium.
The computer readable storage medium of the present invention stores a malicious application detection program which, when executed by a processor, implements the steps of the malicious application detection method described above.
The method implemented when the malicious application detection program is executed may refer to each embodiment of the malicious application detection method of the present invention, and the details are not repeated here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (9)

1. A detection method for malicious applications is characterized by comprising the following steps:
acquiring application authority information in known malicious applications, and determining a frequent authority set in the application authority information according to a preset rule;
when an application detection instruction is received, acquiring authority request information of a target application;
judging whether the target application is a malicious application or not according to the frequent permission set and the permission request information;
wherein, the step of judging whether the target application is a malicious application according to the frequent permission set and the permission request information comprises:
judging whether the permission request information is matched with the frequent permission set;
if the permission request information is not matched with the frequent permission set, acquiring the downloading amount corresponding to the target application;
and when the download amount exceeds a preset threshold value, judging that the target application is a non-malicious application.
2. The method for detecting malicious applications according to claim 1, wherein before the step of obtaining application permission information in known malicious applications and determining a frequent permission set in the application permission information according to a preset rule, the method further comprises:
acquiring known malicious applications, and establishing a malicious application set;
and classifying the known malicious applications in the malicious application set according to the malicious behavior categories of the malicious applications to obtain classified malicious applications.
3. The method for detecting malicious applications according to claim 2, wherein the step of obtaining application permission information in known malicious applications and determining a frequent permission set in the application permission information according to a preset rule comprises:
acquiring application authority information in the classified malicious application to generate classified application authority information;
and determining a classification frequent authority set corresponding to the classification application authority information according to the preset rule.
4. The method for detecting malicious applications according to claim 3, wherein after the step of determining whether the target application is a malicious application according to the permission feature library and the permission request information, the method further comprises:
and if the target application is a malicious application, determining the malicious behavior category of the target application according to the classified frequent permission set to which the target application belongs.
5. The method for detecting malicious applications according to claim 1, wherein the step of obtaining application authority information in known malicious applications comprises:
analyzing the known malicious application according to a preset static analysis rule, and extracting an entry file corresponding to the known malicious application;
and analyzing the entry file and extracting the application authority information in the entry file.
6. The method for detecting malicious applications according to claim 1, wherein the step of determining a frequent permission set in the application permission information according to a preset rule comprises:
and determining a frequent authority set in the application authority information according to the occurrence frequency of each application authority in the known malicious application, wherein the occurrence frequency of the frequent authority in the frequent authority set is greater than a preset frequency.
7. The method for detecting malicious applications according to claim 1, wherein the step of determining whether the permission request information matches the frequent permission set further comprises:
and if the permission request information is matched with the frequent permission set, judging that the target application is a malicious application.
8. A malicious application detection apparatus, comprising a processor, a memory, and a malicious application detection program stored in the memory and executable on the processor, wherein the malicious application detection program, when executed by the processor, implements the steps of the malicious application detection method according to any one of claims 1 to 7.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a detection program of a malicious application, which when executed by a processor implements the steps of the detection method of a malicious application according to any one of claims 1 to 7.
CN201710915977.XA 2017-09-28 2017-09-28 Malicious application detection method and device and computer readable storage medium Active CN107506646B (en)


Publications (2)

Publication Number Publication Date
CN107506646A CN107506646A (en) 2017-12-22
CN107506646B true CN107506646B (en) 2021-08-10


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant