CN108133139B - Android malicious application detection system based on multi-operation environment behavior comparison - Google Patents


Info

Publication number
CN108133139B
Authority
CN
China
Prior art keywords
behavior
application program
environment
simulator
records
Prior art date
Legal status
Active
Application number
CN201711217805.1A
Other languages
Chinese (zh)
Other versions
CN108133139A (en)
Inventor
陶敬
张岩
王平辉
韩婷
曹鹏飞
王铮
赵琪琪
孙立远
柳哲
Current Assignee
Xian Jiaotong University
Original Assignee
Xian Jiaotong University
Priority date
Filing date
Publication date
Application filed by Xian Jiaotong University
Priority to CN201711217805.1A
Publication of CN108133139A
Application granted
Publication of CN108133139B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

An Android malicious application detection system based on multi-operation environment behavior comparison comprises: an information extraction module, which decompiles the APK installation file under test and provides data support for subsequent log analysis; a dynamic analysis module, which analyzes the Android application dynamically using sandbox technology and records the behaviors executed while the program runs; an environment detection countermeasure module, which detects environment-probing behavior in real time while the program runs, applies countermeasures matched to the level at which each probe operates, and replaces the result of the application's environment check with the characteristics of a disguised environment; a behavior record analysis module, which processes and analyzes all behavior logs together once an application under test has been run repeatedly to completion; and a system operation scheduling module, which controls the whole workflow while the system runs. The system captures differences in an application's behavior across environments, detects whether malicious behavior exists, and is suited to identifying environment-sensitive malicious applications.

Description

Android malicious application detection system based on multi-operation environment behavior comparison
Technical Field
The invention belongs to the technical field of network security, and particularly relates to an Android malicious application detection system based on multi-operation environment behavior comparison.
Background
The Internet has grown rapidly and is already of considerable scale. With the rise of intelligent mobile terminal devices in recent years, the mobile Internet has developed quickly, and smartphones and tablets have become widespread in everyday life. As intelligent mobile operating systems have spread, the Android platform has won over many mobile device developers and manufacturers thanks to its ease of use, good adaptability and extensibility, and open source code, and it has gradually built up a large community of system enthusiasts and users.
Because of its very high share of users and its open-source nature, the Android system has become a target for many malware authors and black-market operators, and a large amount of malicious code aimed at the Android platform has appeared. Research into mature technology for detecting this malicious code rapidly and effectively therefore not only protects the privacy and property of users and reduces their losses, but also protects the interests of Android application developers to a great extent. Current technologies for detecting Android malicious code can be classified mainly into static and dynamic techniques.
Most traditional static detection methods analyze the widespread repackaging of malicious code and its abuse of permissions. They require the APK installation package of an Android application to be parsed, the executable files inside it to be decompiled, and the other resource files to be analyzed to obtain basic data, after which further mining and classification determine the nature of the application. However, as encryption and obfuscation techniques continue to develop, it has become difficult for static analysis to obtain effective detail.
Existing dynamic detection techniques detect malicious code by actually running the application under test in various simulated environments and monitoring the dynamic characteristics it really exhibits. The simulated environments widely used by current dynamic detection systems are based mainly on virtualization technologies such as QEMU, VirtualBox and VMware. Whichever technology is adopted, the simulated environment always differs from a real physical device to some extent, and the application can obtain information that reveals its runtime environment while it runs. Consequently, if a malicious application is sensitive to its environment and finds that it is currently running in a simulated environment, which may be a component of a dynamic detection system, it will not perform its sensitive behavior, and so evades detection. This behavior of detecting a simulated environment and changing runtime state is called anti-simulator behavior, and it is an important factor limiting the effectiveness of dynamic detection. There is therefore a need for a method that effectively detects environment-sensitive malicious applications and copes with their anti-simulator behavior, so as to address these shortcomings of dynamic detection technology.
Disclosure of Invention
To overcome the defects of the prior art, the invention aims to provide an Android malicious application detection system based on multi-operation environment behavior comparison. It relies on a dynamic analysis isolation sandbox. By detecting the application's environment-probing behavior while it runs and applying targeted countermeasures, the actual runtime environment is disguised as several different environments; the application is placed in each of them, and a dynamic behavior-capture method records the specific behaviors it exhibits in each environment. The application's behavior is then analyzed and compared across environments, so that behavioral differences are captured and the presence of malicious behavior is detected. The method is suited to identifying environment-sensitive malicious applications that existing detection technology cannot detect effectively.
To achieve this purpose, the invention adopts the following technical scheme:
An Android malicious application detection system based on multi-operation environment behavior comparison comprises:
an information extraction module, which decompiles the APK installation file under test, parses the information of each class in the smali files generated by decompilation, and provides data support for subsequent log analysis;
a dynamic analysis module, which analyzes the Android application dynamically using sandbox technology; it comprises a system image, modified from the Android native system to record system calls, and a customized simulator file system, which together form the simulator sandbox environment; it records the series of behaviors executed while the application runs and consists of submodules that record the behaviors the application under test exhibits at run time;
an environment detection countermeasure module, which detects environment-probing behavior in real time while the application runs, applies countermeasures matched to the layer being probed, and replaces the result of the application's environment check with the characteristics of a disguised environment; it comprises dynamic modification submodules that alter the characteristics of the application layer, the Android system layer, the Linux system layer and the simulator architecture layer respectively;
a behavior record analysis module, which processes and analyzes all behavior logs together once an application under test has been run repeatedly to completion, and comprises an application behavior log preprocessing submodule, a behavior sequence extraction submodule, a behavior analysis and comparison submodule and a report generation submodule;
and a system operation scheduling module, which controls the whole workflow while the system runs and comprises a simulator operation scheduling submodule, a submodule managing the applications to be analyzed, a system event simulation submodule and a user interface event triggering submodule.
The system image is an executable obtained by compiling the Android system source code after a second round of modification. The modification alters the execution flow of each specific system API call in the 6 behavior categories of the dynamic analysis module, so that the module can record the application's behaviors as it executes.
The customized simulator file system is the initially configured Android simulator file system image with user usage data added, such as address book entries, call records, short messages and photos.
The dynamic analysis module comprises a network communication operation recording submodule, a file operation recording submodule, an encryption and decryption operation recording submodule, a system shell operation recording submodule, a privacy information acquisition recording submodule, a sensitive operation recording submodule, and the like.
Compared with the prior art, the invention has the beneficial effects that:
1. Because a dynamic analysis method is adopted, the system effectively avoids application countermeasures such as packing and obfuscation that static analysis finds hard to resolve.
2. By running the application repeatedly in several runtime environments and analyzing and comparing its behavior, the system accurately detects the application's anti-simulator behavior, determines whether hidden malicious behavior exists, and marks it.
3. With a simple and efficient data analysis algorithm, the real behavior of the application can be recorded in real time and large volumes of behavior data processed efficiently.
4. The collected application behavior data is reliable and accurate, and no additional information about the application under test needs to be obtained.
5. The dynamically generated runtime environments can be customized flexibly with various environment characteristics, and the whole system is easy to update, upgrade and extend.
6. The platform can serve as an extension of various existing Android application analysis platforms, enhancing their overall analysis and detection capability.
Drawings
FIG. 1 is a flow chart of the overall operation of the system of the present invention.
FIG. 2 is a diagram of each sub-module in the dynamic analysis module according to the present invention.
FIG. 3 is a flow chart of a system operation scheduling module of the present invention.
FIG. 4 is a flow chart of a dynamic analysis module of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings and exemplary embodiments. It should be understood that the exemplary embodiments described herein are only for illustrating the present invention and are not intended to limit the scope of the present invention.
First, the overall workflow of the Android malicious application detection system based on behavior comparison is shown in FIG. 1. The 4 main modules drawn are the information extraction module, the dynamic analysis module, the environment detection countermeasure module and the behavior record analysis module; the system operation scheduling module is not drawn in the flow chart. The scheduling module controls the whole workflow and runs the same application under test repeatedly: first, the simulator sandbox environment in the dynamic analysis module is restored to a preset initial state; then the application under test is installed and started, the environment detection countermeasure module disguises the environment characteristics of the application layer, Android system layer, Linux system layer and simulator architecture layer while the application runs, and the dynamic analysis module records the application's system-call behavior and stores it in a series of behavior log files; after all runs of the same application have finished, the behavior record analysis module processes and analyzes the series of run logs, calculates the consistency among them, uses the resulting consistency matrix to judge whether the application hides malicious behavior in a specific runtime environment, marks that behavior, and outputs a detection report.
The detailed functional contents of each module are as follows:
1. information extraction module
Because the subsequent behavior comparison module needs the information of all class files in the application, the original APK installation file is first decompiled and the information of each class in the decompiled smali files is parsed, in preparation for the later behavior log analysis.
Before each application runs in the dynamic analysis environment, the APK decompilation tool apktool is used to decompile the APK file into a series of smali files. The decompiled smali files are scanned to extract the information of all class files in the source code, and the extracted information is stored in a database for the subsequent behavior comparison module.
2. Dynamic analysis module
The dynamic analysis module analyzes the Android application dynamically using sandbox technology. Its main body is a simulator sandbox environment formed by combining a system image, modified from the Android native system to record system calls, with a customized simulator file system; the specific workflow is shown in FIG. 4.
The system image used in this module is an executable obtained by compiling the Android system source code after a second round of modification. The modification alters the execution flow of each specific system API call in the 6 behavior categories of the dynamic analysis module, so that the module can record the application's behaviors as it executes.
The customized simulator file system used in this module is the initially configured Android simulator file system image with user usage data added, such as address book entries, call records, short messages and photos.
The main process is as follows:
Step 1: start the simulator, and unlock the screen once it has booted.
Step 2: if bugNum in the current analysis state is less than 2, continue to fetch an APK file from the list or queue of applications to be analyzed.
Step 3: set the simulator state to busy, install the application, open it, switch it between foreground and background, invoke the simulated system event operations, then close and uninstall it. If any error occurs during this process, add 1 to bugNum and proceed to the next step.
Step 4: after clearing the simulator's busy state, shut the simulator down gracefully with a telnet command; if that fails, terminate the simulator process directly with the kill command.
The simulator can only be subjected to operations such as installing applications once it has fully booted. Simply checking whether the system property sys.boot_completed, which the system sets automatically, equals 1 is not enough to determine that the simulator has finished booting. Therefore, after sys.boot_completed is found to be 1, it is also necessary to check whether the simulator screen is still completely black; a black screen indicates that the system has not fully started. Once the screen appears, it is necessary to check whether the number of processes in the system is still growing; when the process count has stopped increasing for a period of time, the simulator has fully booted.
Malicious applications mostly activate their malicious behavior by registering a broadcast receiver for a specific system event. The system events they use mostly belong to a few categories that reflect the running state of the system and show a certain regularity, such as the boot-completed broadcast, user interaction broadcasts, the WiFi network state change broadcast and the SIM card network state change broadcast. Thus, after the simulator has fully booted, the application under test has been installed and the environment characteristics have been set, the application must be started and a series of these system events sent to trigger its response.
Furthermore, to ensure that the input is exactly the same across the several runs of one application, the order and intervals of the system events sent in the first run are recorded, and subsequent runs send the same events at the same time points according to that record. In addition, after a malicious application receives a system event it may start a Service component to probe the environment and perform sensitive behavior covertly in the background, or it may bring one of its Activity components to the foreground and induce the user to act through a phishing interface in order to obtain further permissions or private user information. Therefore the application's user interface must also be exercised using a UI (user interface) triggering technique; this UI operation is handled by the system operation scheduling module.
Meanwhile, the module is also responsible for recording the series of behaviors executed while the application runs. The recording function covers the following 6 aspects, as shown in FIG. 2:
(1) Network communication behavior recording: TCP communication records, UDP communication records, HTTP communication records, DNS communication records and network traffic records.
(2) File operation behavior recording: file operation records and SQLite database operation records.
(3) Encryption and decryption operation behavior recording: encryption operation records and decryption operation records.
(4) System shell operation behavior recording: records of the refer command, mount command, chown command and chmod command.
(5) Private information acquisition behavior recording: records of obtaining system information, phone/call/email information, browser information and location information.
(6) Sensitive operation behavior recording: dynamic loading behavior records, Android component operation behavior records and sensitive operation behavior records.
The dynamic analysis module monitors and records all these behaviors while the application under test runs and stores them in a log file. After one run of the application finishes, the log is extracted from the simulated environment, stored in a directory of logs awaiting analysis, and left for the behavior record analysis module to process.
All monitoring information is output through the Android logging system, and the Android system's own log tool can filter system logs by tag and write them to a disk file. However, if every call to a monitored system API were recorded, the large number of actions executed by system applications would also have to be written to disk, which would greatly reduce system efficiency and seriously slow the dynamic analysis. Therefore, when a monitored API is called, the system checks whether the caller's process number equals that of the monitored application; only then is the record actually written to disk, otherwise nothing is recorded, which keeps the impact on system speed to a minimum.
Because Android applications often execute in multiple threads, the module adopts behavior record generation and comparison techniques adapted to the execution characteristics of multi-process applications. When a system API called by the running application is recorded, the process number of the caller and the call stack of the calling thread are recorded together and finally stored in a disk file. After the application has run in the simulator, the dynamic analysis module extracts the behavior record file, classifies and groups each record by the class name and process number of the caller, sorts the records by timestamp, and finally forms the Android system API call sequence of each process during the application's run.
3. Environment detection countermeasure module
This module detects environment-probing behavior in real time while the application runs, applies countermeasures against probes at different levels, and replaces the result of the application's environment check with the characteristics of a disguised environment. According to the different methods applications use to detect a simulated environment, the characteristics that reveal the kind of runtime environment belong to 4 different levels:
(1) application layer
Application-layer anti-simulator methods mainly judge whether the environment is simulated or real by checking whether the device contains usage traces such as contact records, call records and short message records.
(2) Android system layer
Android system layer anti-simulator methods mainly judge whether the environment is simulated or real by detecting device state information (including IMSI, ICCID, IMEI, phone number and the like), device hardware information (including battery level, WiFi module MAC address, GPS positioning and the like), and system property information (including calling the Android device system property acquisition method, reading a build
(3) Linux system layer
Linux system layer anti-simulator methods mainly judge whether the environment is simulated or real by inspecting device driver information, device feature files, the getprop command and the like.
(4) Simulator architecture layer
Simulator architecture layer anti-simulator methods mainly judge whether the environment is simulated or real by inspecting the device's CPU information feature file, characteristic processes of the device and the like.
Beyond the methods in the 4 classes listed above, the environment detection countermeasure module can also modify other features as needed to generate a new runtime environment and so deceive the application under test.
These characteristics can be disguised dynamically by modifying the Android system source code, or by other methods. The source-code implementation mainly uses the following three methods to customize each feature dynamically.
First, environment characteristics that are system properties can be modified with a special system property modification tool after the simulator has booted, which changes the property values in the system kernel; at the same time, custom properties are added to control the disguising of Android system API characteristics and file characteristics. The tool is needed because some read-only properties cannot be modified in the system by default, so the change must be made by modifying memory. A special case of system properties is the static Build variables of the Android system, such as the Build. Such properties are Java objects declared static final, whose values cannot be changed directly by modifying memory; instead, code is injected into the zygote initialization process by process injection, the field modifiers are changed by reflection, and the values are then modified. Because the zygote process is the parent of all other applications in Android, once zygote has been modified, every subsequently started application inherits the modified values of the Build static variables.
Second, for characteristics obtained by calling an Android system API and using the return value to judge the environment: when the application calls the API, the Android framework fetches from the system properties the previously added custom property corresponding to that API and returns its value to the application as the API's result instead of the real value. Many system applications also obtain some system property values through these APIs while Android runs, and if the values they receive do not match reality the system may become unstable or even crash. Therefore, when these APIs run in the Android framework, they determine which process the current call comes from, and only calls from the process of the application under test receive the disguised value.
Third, for detection methods based on file characteristics, the application checks whether a feature file exists in the environment or whether a feature string exists inside a file. Therefore, when a file is opened, the Android framework checks whether the process performing the open is the application under test and whether the file to be opened is a feature file that reveals the environment; if both conditions hold, the file operation is redirected to a prepared disguised file, which disguises the file characteristics of the environment.
4. Behavior record analysis module
This module performs unified processing and analysis of all behavior logs after an application program under test has been run repeatedly and all runs have finished completely. It comprises an application behavior log preprocessing submodule, a behavior sequence extraction submodule, a behavior analysis comparison submodule and a report generation submodule.
The behavior log preprocessing submodule sorts the original behavior log files, extracts all system calls appearing in the logs and arranges them into a list in which each system call corresponds to a unique integer number; the behavior sequence extraction submodule then converts each individual behavior log into a behavior sequence according to the correspondence between system call and number generated in the previous step; the behavior analysis comparison submodule compares the behavior sequences with a comparison algorithm, calculates the similarity between every pair of behavior sequences, generates a consistency matrix, and at the same time counts the number of API calls in each behavior record; and the report generation submodule judges whether the application has hidden malicious behaviors according to the characteristics of the consistency matrix, marks the malicious behaviors, and outputs a detection report.
When comparing two behavior records obtained from an application program in different running environments, the behavior analysis comparison submodule first calculates, thread by thread according to the thread numbers in the two records, the similarity of the system API call sequences between corresponding threads. To reflect the similarity between two call sequences accurately, the edit distance between them is computed and turned into a real number between 0 and 1 as the similarity measure; the greater this value, the more similar the two call sequences are. After the similarity of each thread pair has been calculated, the individual similarities are weighted by the proportion that the number of API call records in that thread's system API call sequence bears to the total number of API call records in the whole behavior record, and summed into an overall similarity, which is taken as the final similarity of the two behavior records of the application program. Once the similarity comparison between all behavior records is complete, a consistency matrix of the application program's runtime behaviors is formed. Besides the similarity between behavior records, the submodule also counts the difference in the types and number of specific system API functions called between two corresponding threads, giving a behavior classification statistical result. If the behavior records of a certain pair of corresponding threads in the two behavior records are not identical, one thread calls a sensitive API function and the other does not call it, this indicates that the application program hides the sensitive behavior according to the running environment information it collected.
The report generation submodule combines the consistency matrix of the behavior records output by an application program after several dynamic runs and judges with a decision algorithm whether the application program shows a behavior difference. If the comparison result between the behavior record in the running environment disguised for a certain class and the behavior record in the original simulated running environment is smaller than the threshold value, the application program is shown to have a behavior difference and the method it uses to detect the simulated running environment belongs to that class, so the class of anti-simulator behavior used by the application program is determined. In addition, the decision algorithm analyzes, from the differences in the behavior classification statistical results, whether sensitive behaviors are hidden in some running environments; if hidden sensitive behaviors exist, the application program is judged to be a malicious application that uses an anti-simulator method. Finally, the submodule collects all analysis results into an analysis and detection report and outputs it to the user.
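As an added worked example (not code from the patent), the following Python models the behavior record analysis module just described, the comparison steps restated in claim 8 and the caller-pid filter of claim 6: constructed log records are filtered to the monitored process, each API name is mapped to an integer, per-thread sequences are compared by normalised edit distance, thread similarities are weighted into an overall similarity, a consistency matrix is built across environments, and sensitive APIs present in one thread but not its counterpart mark hidden behavior. The log format, API names, the sensitive-API list, the weighting over both records' call counts and the 0.8 threshold are assumptions made for the example.

```python
from collections import defaultdict
from itertools import combinations
SENSITIVE_APIS = {"SmsManager.sendTextMessage", "TelephonyManager.getDeviceId"}  # constructed list
# Constructed logs, one per runtime environment, as "<ts> <pid> <tid> <api>" records written by the
# instrumented framework. pid 4242 is the monitored app; the pid 77 record belongs to another process.
SAMPLE_LOGS = {
    "emulator": (4242, [  # original simulator: the app sees an emulator and stays quiet
        "10 4242 1 Build.MODEL.read",
        "11 77 5 PackageManager.getInstalledPackages",
        "12 4242 1 File.exists:/proc/cpuinfo",
        "13 4242 2 Thread.sleep",
        "14 4242 1 Activity.finish",
    ]),
    "system_layer": (4242, [  # Build.* values disguised: the app no longer detects the emulator
        "20 4242 1 Build.MODEL.read",
        "21 4242 1 File.exists:/proc/cpuinfo",
        "22 4242 2 Thread.sleep",
        "23 4242 1 SmsManager.sendTextMessage",
        "24 4242 1 HttpURLConnection.connect",
        "25 4242 1 Activity.finish",
    ]),
    "file_layer": (4242, [  # only file features disguised: the app still detects the emulator
        "30 4242 1 Build.MODEL.read",
        "31 4242 1 File.exists:/proc/cpuinfo",
        "32 4242 2 Thread.sleep",
        "33 4242 1 Activity.finish",
    ]),
}

def parse_log(lines, monitored_pid):
    """Keep only records whose caller pid is the monitored app, ordered by timestamp."""
    fields = [line.split() for line in lines]
    return sorted((int(ts), int(tid), api) for ts, pid, tid, api in fields if int(pid) == monitored_pid)

def build_call_index(records_by_env):  # preprocessing: each distinct API name -> unique integer
    names = sorted({api for recs in records_by_env.values() for _, _, api in recs})
    return {name: number for number, name in enumerate(names)}

def group_by_thread(records, transform):
    """Map thread id -> list of transform(api) in timestamp order."""
    groups = defaultdict(list)
    for _, tid, api in records:
        groups[tid].append(transform(api))
    return dict(groups)

def edit_distance(a, b):
    """Levenshtein distance between two integer sequences, computed with one rolling row."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]

def sequence_similarity(a, b):
    """Edit distance normalised to a real number in [0, 1]; 1.0 means identical sequences."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest

def record_similarity(seqs_a, seqs_b):
    """Thread-pair similarities weighted by each thread's share of the call records of both records (assumption)."""
    total = sum(map(len, seqs_a.values())) + sum(map(len, seqs_b.values()))
    overall = 0.0
    for tid in set(seqs_a) | set(seqs_b):
        sa, sb = seqs_a.get(tid, []), seqs_b.get(tid, [])
        overall += sequence_similarity(sa, sb) * (len(sa) + len(sb)) / total
    return overall if total else 1.0

def consistency_matrix(seqs_by_env):
    """Pairwise similarity between the behavior records of every environment."""
    envs = list(seqs_by_env)
    matrix = {e: {f: 1.0 for f in envs} for e in envs}
    for a, b in combinations(envs, 2):
        matrix[a][b] = matrix[b][a] = record_similarity(seqs_by_env[a], seqs_by_env[b])
    return matrix

def hidden_sensitive_apis(records_a, records_b):
    """Sensitive APIs that a thread calls in one record but its counterpart thread does not."""
    ta, tb = group_by_thread(records_a, str), group_by_thread(records_b, str)
    diffs = {t: (set(ta.get(t, ())) ^ set(tb.get(t, ()))) & SENSITIVE_APIS for t in set(ta) | set(tb)}
    return {t: d for t, d in diffs.items() if d}

def analyze(logs_by_env, baseline="emulator", threshold=0.8):
    """Similarity to the baseline run below the threshold names the anti-simulator class; hidden sensitive APIs => malicious."""
    records = {env: parse_log(lines, pid) for env, (pid, lines) in logs_by_env.items()}
    index = build_call_index(records)
    seqs = {env: group_by_thread(recs, index.__getitem__) for env, recs in records.items()}
    matrix = consistency_matrix(seqs)
    detected = sorted(e for e in seqs if e != baseline and matrix[baseline][e] < threshold)
    hidden = {e: hidden_sensitive_apis(records[baseline], records[e]) for e in detected}
    verdict = ("malicious: anti-simulator behavior hides sensitive APIs" if any(hidden.values())
               else "behavior differs across environments" if detected else "no behavior difference")
    return {"matrix": matrix, "detected": detected, "hidden": hidden, "verdict": verdict}

if __name__ == "__main__":  # demonstration on the constructed logs
    result = analyze(SAMPLE_LOGS)
    print(result["matrix"]["emulator"], result["detected"], result["hidden"], result["verdict"])
```

On the constructed logs only the system-layer disguise changes the app's behavior (similarity 0.68 against the baseline versus 1.0 for the file-layer disguise), and the SMS call that appears only there is flagged as the hidden sensitive behavior.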
6. System operation scheduling module
The module controls the operation process of the whole system and comprises 4 submodules, namely a simulator operation scheduling submodule, an application management submodule to be analyzed, a system event simulation submodule and a user interface event triggering submodule.
The simulator operation scheduling submodule starts the simulators according to the input number of simulators to start during system initialization, and then starts a control thread for each simulator, as shown in fig. 3. The simulator control thread provides a series of control operations for the simulator: stopping the simulator, acquiring an application, installing and running an application, stopping and uninstalling an application, and the like.
The application management submodule monitors the storage directory of applications to be analyzed and maintains a queue of applications to be analyzed, a queue of applications under analysis and a queue of applications whose analysis is complete. Each time, the simulator operation scheduling submodule takes one application from the to-be-analyzed queue for analysis, places it in the under-analysis queue, and moves it to the analysis-complete queue once its analysis has finished.
The system event simulation submodule is responsible for simulating, while the application program under detection is running, system events that can occur during the use of a real device, so as to trigger the possible responses of the application program under detection to those system events; the simulated events include the boot-complete event, screen locking and unlocking events, receiving and sending short messages, dialing and receiving telephone calls, location changes and the like.
The user interface event trigger submodule simulates user operation of the application program to trigger the application program's responses to user operations, and automatically starts the various components present in the application program, including exposed and non-exposed components. During interactive simulation of the user interface, the UI Tree is traversed with a depth-first algorithm: the application is started first, and then all UI interfaces are traversed. When traversing a UI interface, all the effective UI controls of that interface are obtained first, then each obtained UI control is visited and a different UI component event is triggered according to the type of the control, which realizes the simulation of user operation. If the UI interface changes after the UI component event of a certain control is triggered, the information of the original UI interface is pushed onto a stack, the new UI interface is traversed, and after that traversal finishes the original UI interface is returned to so that its remaining controls can be traversed.
In the final stage, the detection report is output once an application has completed all the repeated runs in the detection system.
Because malicious applications account for a considerable proportion of the application programs with definite anti-simulator behaviors, the output of the Android malicious application detection system, combined with the record analysis and comparison of the application program's sensitive behaviors, can judge whether the application program is a malicious application with anti-simulator behavior, that is, an application that hides sensitive malicious behaviors in a specific running environment.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.
In summary, the android malicious application detection system based on multi-operating environment behavior comparison provided by the invention detects the malicious behavior of the APK program by analyzing the behaviors of the APK program in different operating environments, thereby further determining whether the application is malicious or not.

Claims (9)

1. An android malicious application detection system based on multi-operation environment behavior comparison comprises:
the information extraction module is used for performing decompiling on the detected APK installation file, analyzing relevant information of each class in a smali file generated after decompiling, and providing data support for subsequent log analysis;
the dynamic analysis module is used for dynamically analyzing the Android application program by using a sandbox technology, comprises a system operation mirror image which is modified based on an Android native system and has a system calling recording function and a customized simulator operation file system, is combined into a simulator sandbox operation environment, records a series of behaviors executed by the application program in the operation process of the application program, and consists of submodules for recording the behaviors expressed when the detected application program operates;
the environment detection countermeasure module is used for detecting the environment detection behaviors in the running process of the application program in real time, performing countermeasure aiming at the detection behaviors of different layers, and modifying the running environment detection result in the application program into a disguised running environment characteristic, and comprises a dynamic modification submodule for dynamically modifying the characteristics of an application layer, an android system layer, a Linux system layer and a simulator architecture layer respectively;
the behavior record analysis module is used for uniformly processing and analyzing all behavior logs after a certain application program to be tested is repeatedly run for multiple times and is completely finished, and comprises an application behavior log preprocessing submodule, a behavior sequence extraction submodule, a behavior analysis comparison submodule and a report generation submodule;
the system operation scheduling module controls the whole operation flow in the system operation process and comprises a simulator operation scheduling submodule, an application management submodule to be analyzed, a system event simulation submodule and a user interface event triggering submodule;
the behavior log preprocessing submodule is used for sorting original behavior log files, extracting all system calls appearing in the logs, and sorting the system calls into a list, wherein each system call corresponds to a unique integer number;
the behavior sequence extraction submodule converts each individual behavior log into a behavior sequence according to the correspondence between system call and serial number generated in the previous step;
the behavior analysis comparison submodule compares each behavior sequence by adopting a comparison algorithm, calculates the similarity between every two behavior sequences, generates a consistency matrix, and simultaneously counts the number of API calls in each behavior record;
and the report generation submodule judges whether the application has hidden malicious behaviors or not according to the characteristics of the consistency matrix, marks the malicious behaviors, and outputs a detection report.
2. The system for detecting android malicious applications based on multi-runtime environment behavior comparison as claimed in claim 1, wherein the dynamic analysis module workflow is as follows:
step 1: starting the simulator, and unlocking the screen after the simulator is started;
step 2: if the bugNum in the current analysis state is less than 2, continuing to acquire an APK file from the application program list under analysis or the queue to be analyzed;
step 3: setting the simulator state to busy, installing the application program, opening it, switching it between the foreground and the background, invoking the simulated system event operations, closing and uninstalling the application program, and if any error occurs during the whole process, adding 1 to bugNum directly and entering the next step;
step 4: after the simulator busy state is cleared, closing the simulator with a telnet command, and if that fails, killing the simulator process directly with a kill command.
3. The android malicious application detection system based on multi-runtime environment behavior comparison as claimed in claim 2, wherein after finding that the sys. Judging whether the number of processes in the system is increased after the screen of the simulator appears, and indicating that the simulator is completely started after the number of processes is not increased within a period of time; after the simulator is completely started, the detected application program is installed in the simulator and the running environment characteristics are set, the application program is started, a series of system events are input to trigger the response behavior of the application program, the sequence and the interval time of the system event sequence are recorded for the first time, and the same system events are sent at the same time point according to the record in the subsequent running process.
4. The system for detecting android malicious applications based on multi-operating environment behavior comparison as claimed in claim 1, wherein the environment detection countermeasure module, according to the difference of the method for detecting the simulated operating environment by the application program, can indicate the features of the operating environment categories as follows:
(1) application layer
Judging whether the running environment is a simulated environment or a real environment by detecting whether the use trace characteristics exist in the equipment;
(2) android system layer
Judging whether the running environment is a simulated environment or a real environment by detecting equipment state information, equipment hardware information and system attribute information;
(3) linux system layer
Judging whether the operating environment is a simulated environment or a real environment by detecting equipment driving information, an equipment feature file and a getprop command;
(4) simulator architecture layer
And judging whether the operating environment is a simulated environment or a real environment by detecting the CPU information characteristic file of the equipment and the characteristic process of the equipment.
5. The system according to claim 1, wherein the Android malicious application detection system based on multi-runtime environment behavior comparison dynamically generates a runtime environment with the runtime environment characteristics by modifying Android system source codes, and specifically includes:
first, environment characteristics belonging to system attributes can be modified with a dedicated system attribute modification tool that changes the attribute values in the system kernel after the simulator is started, while some custom attributes are added to control the disguising of the API characteristics and file characteristics of the Android system; for the Build static variables of the Android system among the system attributes, whose values cannot be changed directly by modifying memory, code is injected into the zygote initialization process by process injection, their modifiers are changed by reflection, and then their values are modified;
second, for characteristics where the return value of an Android system API call is used as the information for judging the running environment, when the application program calls the API the Android framework obtains the previously added custom attribute corresponding to that API from the system attributes and returns the value of that custom attribute to the application program as the API's return value instead of the API's real value; when the API runs in the Android framework, the process from which the current call comes is determined, and only calls from the process of the detected application program are returned the disguised value;
and third, for detection methods belonging to file characteristics, the application program can judge the running environment by detecting whether a characteristic file exists in the running environment or whether a characteristic string exists in a file; when a file is opened, the Android framework judges whether the process invoking the file-open operation is the process of the detected application program, then judges whether the file to be opened is a characteristic file that can identify the running environment, and redirects the file operation to a prepared disguised file if both conditions are met, so that the file characteristics of the running environment are disguised.
6. The system for detecting android malicious applications based on multi-runtime environment behavior comparison as claimed in claim 1, wherein the dynamic analysis module mainly records functions including the following aspects:
(1) network communication behavior recording: including TCP communication records, UDP communication records, HTTP communication records, DNS communication records and network communication traffic records;
(2) file operation behavior recording: including file operation records and SQLite database operation records;
(3) encryption and decryption operation behavior recording: including encryption operation records and decryption operation records;
(4) system shell operation behavior recording: including records of privilege escalation commands, mount commands, chown commands and chmod commands;
(5) private information acquisition behavior recording: including records of obtaining system information, obtaining phone/call/email information, obtaining browser information and obtaining location information;
(6) sensitive operation behavior recording: including dynamic loading behavior records, Android component operation behavior records and sensitive operation behavior records;
the dynamic analysis module monitors and records all behaviors during the running of the application program under detection, and all monitoring information is output through the log system of the Android system; when a monitored API is called, it is judged whether the process number of the caller equals the process number of the monitored application program, and only if so is the record actually written to disk, otherwise no record is made;
in the dynamic analysis module, when recording a system API called in the running process of an application program, the process number of the API caller and the call stack of the thread of the API caller are recorded together and finally stored in a disk file; after the application program runs in the simulator, the behavior record generation module extracts the disk file from the simulator, classifies and summarizes each record according to the class name and the process number of the running caller, sorts the records according to the recorded timestamp, and finally forms an Android system API calling sequence of each process in the running process of the application program.
7. The Android malicious application detection system based on multi-operation environment behavior comparison as claimed in claim 6, wherein the system operation image is an executable file compiled after secondary modification of the Android system source code, the modification being made to the execution flow of each specific system API call among the 6 types of behaviors in the dynamic analysis module, so that the dynamic analysis module can record the various behaviors of an application program while it executes;
the customized simulator operating file system adds file system image files containing user use behavior data including address book information, call record information, short message information and photo information in initially configured Android simulator file system image files.
8. The system for detecting android malicious applications based on multi-operation environment behavior comparison of claim 1, wherein the behavior analysis comparison submodule, when comparing two behavior records obtained from one application program in different operation environments, first calculates the similarity of the system API call sequences between corresponding threads in the two behavior records according to the thread numbers in the two records; after the similarity of each thread pair has been calculated, the individual similarities are weighted by the proportion that the number of API call records in each thread's system API call sequence bears to the total number of API call records in the whole behavior record and summed into an overall similarity, which is taken as the final similarity of the two behavior records of the application program, and a consistency matrix of the application program's runtime behavior is formed after the similarity comparison between all behavior records is complete;
the behavior analysis comparison submodule also counts the difference in the types and number of specific system API functions called between two corresponding threads to obtain a behavior classification statistical result, and if the behavior records of a certain pair of corresponding threads in the two behavior records are not completely the same, one corresponding thread calls a sensitive API function and the other corresponding thread does not call that API function, this indicates that the application program hides the sensitive behavior according to the running environment information it collected;
the report generation submodule combines the consistency matrix of the behavior records output by an application program after several dynamic runs and judges with a decision algorithm whether the application program has a behavior difference; if the comparison result between the behavior record in a certain class of disguised operation environment and the behavior record in the original simulated operation environment is less than a threshold value, the application program is shown to have a behavior difference and the method it uses to detect the simulated operation environment belongs to that class, so the class of anti-simulator behavior used by the application program is determined; the decision algorithm also analyzes, from the differences in the behavior classification statistical results, whether sensitive behavior is hidden in some running environments, and if hidden sensitive behavior exists, the application program is judged to be a malicious application using an anti-simulator method.
9. The android malicious application detection system based on multi-operation environment behavior comparison of claim 1, wherein the simulator operation scheduling sub-module starts the simulators according to the input number of the started simulators during system initialization, and then starts the control threads of each simulator, and the simulator control threads provide a series of control operations on the simulators;
the application management submodule monitors the storage directory of applications to be analyzed and maintains a to-be-analyzed application queue, an under-analysis application queue and an analysis-complete application queue; each time, the simulator operation scheduling submodule takes one to-be-analyzed application from the to-be-analyzed queue for analysis, places it in the under-analysis queue, and moves it to the analysis-complete queue once its analysis has finished;
the system event simulation submodule is responsible for simulating, while the application program under detection is running, system events that can occur during the use of a real device, so as to trigger the possible responses of the application program under detection to those system events;
the user interface event triggering sub-module simulates user operation application programs to trigger the application programs to generate response behaviors aiming at the user operations, meanwhile, the user interface event triggering sub-module also automatically starts various components in the application programs, including exposed components and non-exposed components, the UI Tree is traversed according to a depth-first algorithm during user interface interaction simulation, and when UI controls in the UI Tree are traversed, different UI component events are triggered by a user interface interaction simulation function according to different types of the UI controls, so that simulation of the user operations is realized.
CN201711217805.1A 2017-11-28 2017-11-28 Android malicious application detection system based on multi-operation environment behavior comparison Active CN108133139B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711217805.1A CN108133139B (en) 2017-11-28 2017-11-28 Android malicious application detection system based on multi-operation environment behavior comparison

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711217805.1A CN108133139B (en) 2017-11-28 2017-11-28 Android malicious application detection system based on multi-operation environment behavior comparison

Publications (2)

Publication Number Publication Date
CN108133139A CN108133139A (en) 2018-06-08
CN108133139B true CN108133139B (en) 2020-06-26

Family

ID=62389035

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711217805.1A Active CN108133139B (en) 2017-11-28 2017-11-28 Android malicious application detection system based on multi-operation environment behavior comparison

Country Status (1)

Country Link
CN (1) CN108133139B (en)

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109492391B (en) * 2018-11-05 2023-02-28 腾讯科技(深圳)有限公司 Application program defense method and device and readable medium
CN111259382A (en) * 2018-11-30 2020-06-09 中国电信股份有限公司 Malicious behavior identification method, device and system and storage medium
CN111382424A (en) * 2018-12-27 2020-07-07 全球能源互联网研究院有限公司 Mobile application sensitive behavior detection method and system based on controlled environment
CN110135160B (en) * 2019-04-29 2021-11-30 北京邮电大学 Software detection method, device and system
CN110377499B (en) * 2019-06-06 2023-05-23 奇安信科技集团股份有限公司 Method and device for testing application program
CN110166493B (en) * 2019-07-01 2021-10-15 武汉斗鱼鱼乐网络科技有限公司 Social client address book dynamic protection method and device
CN110430177A (en) * 2019-07-26 2019-11-08 北京智游网安科技有限公司 A kind of monitoring method, intelligent terminal and the storage medium of APP network behavior
CN110427752A (en) * 2019-08-06 2019-11-08 北京智游网安科技有限公司 A kind of method, mobile terminal and the storage medium of sandbox monitoring application program
CN110543760A (en) * 2019-08-28 2019-12-06 南京市晨枭软件技术有限公司 Software management system and software protection method thereof
CN110737463A (en) * 2019-10-24 2020-01-31 北京智游网安科技有限公司 analysis method of key function source information, intelligent terminal and storage medium
CN110889113A (en) * 2019-10-30 2020-03-17 泰康保险集团股份有限公司 Log analysis method, server, electronic device and storage medium
CN110990054B (en) * 2019-12-03 2023-03-21 北京明略软件系统有限公司 Configuration processing method and device of open source framework
CN111104337A (en) * 2019-12-30 2020-05-05 杭州云缔盟科技有限公司 Method for detecting terminal simulator
CN112187813A (en) * 2020-03-21 2021-01-05 薛爱君 Data processing method and system based on online office environment
CN111740817A (en) * 2020-06-17 2020-10-02 国网天津市电力公司电力科学研究院 Code tampering detection method and system for concentrator in electric power data acquisition system
CN112527672B (en) * 2020-12-21 2021-10-22 北京深思数盾科技股份有限公司 Detection method and equipment for shell adding tool
CN112685737A (en) * 2020-12-24 2021-04-20 恒安嘉新(北京)科技股份公司 APP detection method, device, equipment and storage medium
CN112887388B (en) * 2021-01-20 2022-09-16 每日互动股份有限公司 Data processing system based on sandbox environment
CN113672918A (en) * 2021-08-04 2021-11-19 安天科技集团股份有限公司 Malicious code detection method and device, storage medium and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102930210A (en) * 2012-10-14 2013-02-13 江苏金陵科技集团公司 System and method for automatically analyzing, detecting and classifying malicious program behavior
CN103077351A (en) * 2012-12-20 2013-05-01 北京奇虎科技有限公司 Anti-detection system of virtual machine system
CN105718793A (en) * 2015-09-25 2016-06-29 哈尔滨安天科技股份有限公司 Method and system for preventing malicious code from identifying sandbox on the basis of sandbox environment modification

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10135861B2 (en) * 2015-10-20 2018-11-20 Sophos Limited Mitigation of anti-sandbox malware techniques

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102930210A (en) * 2012-10-14 2013-02-13 江苏金陵科技集团公司 System and method for automatically analyzing, detecting and classifying malicious program behavior
CN103077351A (en) * 2012-12-20 2013-05-01 北京奇虎科技有限公司 Anti-detection system of virtual machine system
CN105718793A (en) * 2015-09-25 2016-06-29 哈尔滨安天科技股份有限公司 Method and system for preventing malicious code from identifying sandbox on the basis of sandbox environment modification

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于多层次行为差异的沙箱逃逸检测及其实现;张翔飞;《计算机工程与应用》;20170629;第113页 *

Also Published As

Publication number Publication date
CN108133139A (en) 2018-06-08

Similar Documents

Publication Publication Date Title
CN108133139B (en) Android malicious application detection system based on multi-operation environment behavior comparison
US10581879B1 (en) Enhanced malware detection for generated objects
CN110795734B (en) Malicious mobile application detection method
Spreitzenbarth et al. Mobile-sandbox: having a deeper look into android applications
US10169585B1 (en) System and methods for advanced malware detection through placement of transition events
CN103927484B (en) Rogue program behavior catching method based on Qemu simulator
CN112685737A (en) APP detection method, device, equipment and storage medium
CN111931166B (en) Application program anti-attack method and system based on code injection and behavior analysis
CN104834858A (en) Method for statically detecting malicious code in android APP (Application)
KR20150044490A (en) A detecting device for android malignant application and a detecting method therefor
CN112084497A (en) Method and device for detecting malicious program of embedded Linux system
CN106845234A (en) An Android malware detection method based on monitoring of function-flow key points
CN108595953A (en) Method for carrying out risk assessment on mobile phone application
CN108647517B (en) Vulnerability detection system and method for Android mixed application code injection
CN112035354A (en) Method, device and equipment for positioning risk code and storage medium
CN105205398B (en) A packer detection method based on the dynamic behavior of APK-packed software
KR101256468B1 (en) Apparatus and method for detecting malicious file
Kandukuru et al. Android malicious application detection using permission vector and network traffic analysis
Zhang et al. A multiclass detection system for android malicious apps based on color image features
CN108932199B (en) Automatic taint analysis system based on user interface analysis
CN110781081B (en) Mobile application callback forced triggering method, system and storage medium
Su et al. Detection of android malware by static analysis on permissions and sensitive functions
CN115659340B (en) Counterfeit applet identification method and device, storage medium and electronic equipment
CN115552401A (en) Fast application detection method, device, equipment and storage medium
CN116305120A (en) Dual-verification android malicious software hybrid detection system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant