CN108573151A - Counterfeit application analysis system and method - Google Patents

Publication number: CN108573151A
Authority: CN (China)
Prior art keywords: sample, application, counterfeit, information, analysis result
Legal status: Granted
Application number: CN201710148636.4A
Other languages: Chinese (zh)
Other versions: CN108573151B (en)
Inventors: 章康, 冯泽, 乔伟
Current Assignee: Wuhan Antian Information Technology Co Ltd
Original Assignee: Wuhan Antian Information Technology Co Ltd
Application filed by: Wuhan Antian Information Technology Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F21/563: Static detection by source code analysis

Abstract

The present invention provides a counterfeit application analysis system and method. A counterfeit application sample and the corresponding legitimate application sample are reverse-analyzed automatically, and the analysis results are then scientifically classified and compared, which enables finer-grained, more intuitive and more effective analysis of counterfeit applications. Finally, predefined sensitive information is located in the counterfeit application sample according to the comparative analysis result to obtain an entry point for malicious behavior analysis, so that the malicious behavior of the counterfeit application can be analyzed and thorough preventive measures can be provided to users.

Description

Counterfeit application analysis system and method
Technical Field
The present invention relates to the technical field of mobile security, and in particular to a counterfeit application analysis system and method.
Background
As mobile apps continue to grow in number and variety, the counterfeit-application industry chain has also expanded rapidly. According to an officially published statistical report on counterfeit applications for 2015, 95% of popular apps are affected by counterfeit applications. Distinguishing and analyzing legitimate and counterfeit applications is therefore a major issue in mobile app security.
Most current methods for analyzing counterfeit applications use binary comparison (for example, comparison of CFG control flow graphs). Although binary comparison of a legitimate application and a counterfeit application can determine whether an application is counterfeit and can mark where changes were made, it cannot extract more fine-grained comparative information about the two (for example, what was modified in the application's source code), cannot further analyze the malicious behavior of the counterfeit application, and therefore cannot provide users with thorough preventive measures.
Summary of the Invention
In view of the above technical problems, the present invention provides a counterfeit application analysis system and method that can obtain a more fine-grained analysis result for a legitimate application and a counterfeit application, and can analyze the malicious behavior of the counterfeit application, thereby providing users with thorough preventive measures.
The counterfeit application analysis system disclosed by the present invention includes a loading analysis engine, a comparative analysis engine, an output engine and a sensitive information analysis engine, wherein:
the loading analysis engine is configured to load a counterfeit application sample and the corresponding legitimate sample, and to perform reverse analysis on the counterfeit application sample and the legitimate application sample respectively according to a first rule, wherein the first rule is to analyze a sample from at least one of the following perspectives: application file attribute information, application source code attribute information, and application view information;
the comparative analysis engine is configured to classify the analysis results of the counterfeit application sample and the legitimate application sample respectively according to a second rule, and to compare and analyze the counterfeit application sample and the corresponding legitimate sample by classification category;
the output engine is configured to output the comparative analysis result;
the sensitive information analysis engine is configured to find predefined sensitive information in the counterfeit application sample according to the comparative analysis result, and to obtain an entry point for malicious behavior analysis.
Further, the second rule includes classifying the analysis result of a sample into text-class data, tree-structure data and graphical file data.
Further, the text-class data includes: Java source code text, Smali source code text, AndroidManifest text, resource text, and signature form data; the tree-structure data includes: source code class tree-structure data and APK package tree-structure data; the graphical file data includes the CFG information of each Smali and Java source.
Further, the output engine is also configured to display the obtained comparative analysis result with distinguishing marks, wherein the distinguishing methods include: distinguishing by color, annotation, or font size.
Further, the predefined sensitive information includes: phone numbers in Smali source code, phone numbers in Java source code, network connection information, and special permissions and behaviors in AndroidManifest.xml.
Further, the application file attribute information includes: application file size and application file hash value; the application source code attribute information includes: application file string information, Java class source code structure, and Smali-to-Java decompilation information; the application view information includes: the CFG information of each Smali and Java source, the signature information of the application file, resource file information, the application icon, application file structure information, and AndroidManifest decoding information.
The present invention also discloses a counterfeit application analysis method, including the following steps:
loading a counterfeit application sample and the corresponding legitimate sample, and performing reverse analysis on the counterfeit application sample and the legitimate application sample respectively according to a first rule, wherein the first rule is to analyze a sample from at least one of the following perspectives: application file attribute information, application source code attribute information, and application view information;
classifying the analysis results of the counterfeit application sample and the legitimate application sample respectively according to a second rule, and comparing and analyzing the counterfeit application sample and the corresponding legitimate sample by classification category;
outputting the comparative analysis result;
finding predefined sensitive information in the counterfeit application sample according to the comparative analysis result, and obtaining an entry point for malicious behavior analysis.
Further, the second rule includes classifying the analysis result of a sample into text-class data, tree-structure data and graphical file data.
Further, the text-class data includes: Java source code text, Smali source code text, AndroidManifest text, resource text, and signature form data; the tree-structure data includes: source code class tree-structure data and APK package tree-structure data; the graphical file data includes the CFG information of each Smali and Java source.
Further, when the comparative analysis result is output, the obtained comparative analysis result is also displayed with distinguishing marks, wherein the distinguishing methods include: distinguishing by color, annotation, or font size.
Further, the predefined sensitive information includes: phone numbers in Smali source code, phone numbers in Java source code, network connection information, and special permissions and behaviors in AndroidManifest.xml.
Further, the application file attribute information includes: application file size and application file hash value; the application source code attribute information includes: application file string information, Java class source code structure, and Smali-to-Java decompilation information; the application view information includes: the CFG information of each Smali and Java source, the signature information of the application file, resource file information, the application icon, application file structure information, and AndroidManifest decoding information.
The beneficial effects of the present invention are as follows:
The present invention automatically reverse-analyzes a counterfeit application sample and the corresponding legitimate application sample, and then scientifically classifies and compares the analysis results, which enables finer-grained, more intuitive and more effective analysis of counterfeit applications. Finally, predefined sensitive information is found in the counterfeit application sample according to the comparative analysis result to obtain an entry point for malicious behavior analysis, so that the malicious behavior of the counterfeit application can be analyzed and thorough preventive measures can be provided to users.
Brief Description of the Drawings
In order to illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural schematic diagram of a counterfeit application analysis system of the present invention;
Fig. 2 is a flow chart of a counterfeit application analysis method of the present invention.
Detailed Description
In order that those skilled in the art may better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the present invention more apparent, the technical solutions of the present invention are described in further detail below with reference to the accompanying drawings.
The present invention provides an embodiment of a counterfeit application analysis system. As shown in Fig. 1, the analysis system includes a loading analysis engine 101, a comparative analysis engine 102, an output engine 103 and a sensitive information analysis engine 104, wherein:
The loading analysis engine 101 is configured to load a counterfeit application sample and the corresponding legitimate sample, and to perform automated reverse analysis on both according to a first rule.
Specifically, the first rule is to analyze a sample from at least one of the following perspectives: application file attribute information, application source code attribute information, and application view information.
It should be understood that the application file attribute information may include the application file size, a file hash value that uniquely identifies the file (for example, an MD5 value), and so on.
The application source code attribute information may include application file string information, Java class source code structure, Smali-to-Java decompilation information, and so on.
The application view information may include the CFG information of each Smali and Java source, the signature information of the application file, resource file information, the application icon, application file structure information, AndroidManifest decoding information, and so on.
The comparative analysis engine 102 is configured to classify the analysis results of the counterfeit application sample and the legitimate application sample respectively according to a second rule, and to compare and analyze the counterfeit application sample and the corresponding legitimate sample by classification category.
The output engine 103 is configured to output the comparative analysis result.
In order to classify and compare the analysis results of the samples more scientifically and intuitively, the second rule may divide the analysis result of a sample into three classes: text-class data, tree-structure data and graphical file data.
(1) Text-class data includes: Java source code text, Smali source code text, AndroidManifest text, resource text, signature form data, and so on.
(2) Tree-structure data includes: source code class tree-structure data, APK package tree-structure data, and so on.
(3) Graphical file data includes: the CFG information of each Smali and Java source, and so on.
Of course, the sample analysis results may also be classified and compared according to the actual conditions of the output engine 103.
In order to present the comparative analysis result more clearly and intuitively, the output engine 103 is also configured to display the obtained comparative analysis result with distinguishing marks, for example by distinguishing the analysis result using color, annotation, font size, and so on.
The sensitive information analysis engine 104 is configured to find predefined sensitive information in the counterfeit application sample according to the comparative analysis result, and to obtain an entry point for malicious behavior analysis. The predefined sensitive information may include phone numbers in Smali source code, phone numbers in Java source code, network connection information, special permissions and behaviors in AndroidManifest.xml, and so on. Using the sensitive information analysis engine 104, an entry point for malicious behavior analysis can be obtained, so that the malicious behavior of the counterfeit application can be analyzed and thorough preventive measures can be provided to users.
Traditional counterfeit-application detection is based on icon similarity, code structure similarity and the like; its accuracy is not high, and it does not support in-depth analysis. This patent can not only make a counterfeit determination through layout similarity, but also provides a user-friendly interface to assist in-depth analysis.
In addition, the present invention provides an embodiment of a counterfeit application analysis method. As shown in Fig. 2, the analysis method includes:
S201: Load a counterfeit application sample and the corresponding legitimate sample, and perform automated reverse analysis on both according to a first rule.
Specifically, the sample file is normally an APK file; the first rule is to analyze a sample from at least one of the following perspectives: application file attribute information, application source code attribute information, and application view information.
It should be understood that the application file attribute information may include the application file size, a file hash value that uniquely identifies the file (for example, an MD5 value), and so on.
The application source code attribute information may include application file string information, Java class source code structure, Smali-to-Java decompilation information, and so on.
The application view information may include the CFG information of each Smali and Java source, the signature information of the application file, resource file information, the application icon, application file structure information, AndroidManifest decoding information, and so on.
S202: Classify the analysis results of the counterfeit application sample and the legitimate application sample respectively according to a second rule, and compare and analyze the counterfeit application sample and the corresponding legitimate sample by classification category.
S203: Output the comparative analysis result.
In order to classify and compare the analysis results of the samples more scientifically and intuitively, the second rule may divide the analysis result of a sample into three classes: text-class data, tree-structure data and graphical file data.
(1) Text-class data includes: Java source code text, Smali source code text, AndroidManifest text, resource text, signature form data, and so on.
(2) Tree-structure data includes: source code class tree-structure data, APK package tree-structure data, and so on.
(3) Graphical file data includes: the CFG information of each Smali and Java source, and so on.
Of course, the sample analysis results may also be classified and compared according to the actual conditions of S203.
In order to present the comparative analysis result more clearly and intuitively, S203 also displays the obtained comparative analysis result with distinguishing marks, for example by distinguishing the analysis result using color, annotation, font size, and so on.
The differing information in the comparative analysis result is distinguished, wherein the distinguishing methods include: distinguishing by color, distinguishing by annotation, and distinguishing by font.
S204: Find predefined sensitive information in the counterfeit application sample according to the comparative analysis result, and obtain an entry point for malicious behavior analysis.
The predefined sensitive information may include phone numbers in Smali source code, phone numbers in Java source code, network connection information, special permissions and behaviors in AndroidManifest.xml, and so on.
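One way to implement steps S202 to S204 for the text-class and tree-structure categories is shown below. This is an added example, not code from the patent: the `{path: text}` input format, the function names, the regular expressions, the special-permission watch-list and the sample data are assumptions constructed for illustration, and CFG (graphical) data is out of scope.

```python
import difflib
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed watch-list; the patent does not enumerate its "special permissions".
SPECIAL_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
                       "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS"}
# Assumed patterns for two kinds of predefined sensitive information.
PHONE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")  # mainland-China mobile number
NETWORK_RE = re.compile(r"https?://[^\s\"'<>]+")    # network connection information


def permissions(manifest_xml):
    """Return the permissions requested in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def added_lines(legit_text, fake_text):
    """Yield (line number in counterfeit, line) for lines only the counterfeit has."""
    legit, fake = legit_text.splitlines(), fake_text.splitlines()
    matcher = difflib.SequenceMatcher(a=legit, b=fake, autojunk=False)
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            for j in range(j1, j2):
                yield j + 1, fake[j]


def compare(legit, fake):
    """S202: classified comparison of two {path: text} reverse-analysis results."""
    result = {"tree": {"added": sorted(set(fake) - set(legit)),
                       "removed": sorted(set(legit) - set(fake))},
              "text": {}}
    for path in sorted(fake):
        changed = list(added_lines(legit.get(path, ""), fake[path]))
        if changed:
            result["text"][path] = changed
    return result


def entry_points(legit, fake, manifest="AndroidManifest.xml"):
    """S204: search only the differing content for predefined sensitive information."""
    hits = []
    for path, lines in compare(legit, fake)["text"].items():
        for lineno, line in lines:
            for m in PHONE_RE.finditer(line):
                hits.append((path, lineno, "phone", m.group()))
            for m in NETWORK_RE.finditer(line):
                hits.append((path, lineno, "network", m.group()))
    extra = permissions(fake[manifest]) - permissions(legit[manifest])
    for perm in sorted(extra & SPECIAL_PERMISSIONS):
        hits.append((manifest, None, "permission", perm))
    return hits


# Constructed sample data standing in for the reverse-analysis output of two APKs.
_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
_NET = '  <uses-permission android:name="android.permission.INTERNET"/>'
_SMS = '  <uses-permission android:name="android.permission.SEND_SMS"/>'
_LOGIN = [".class public Lcom/example/bank/Login;", ".method public submit()V",
          '    const-string v0, "https://api.example.com/login"',
          "    return-void", ".end method"]
LEGIT = {
    "AndroidManifest.xml": "\n".join([_HEAD, _NET, "</manifest>"]),
    "smali/com/example/bank/Login.smali": "\n".join(_LOGIN),
}
FAKE = {
    "AndroidManifest.xml": "\n".join([_HEAD, _NET, _SMS, "</manifest>"]),
    "smali/com/example/bank/Login.smali": "\n".join(
        _LOGIN[:3] + ['    const-string v1, "13800138000"'] + _LOGIN[3:]),
    "smali/com/example/bank/Uploader.smali": "\n".join([
        ".class public Lcom/example/bank/Uploader;", ".method public run()V",
        '    const-string v0, "http://collect.example.net/up"',
        "    return-void", ".end method"]),
}

if __name__ == "__main__":
    print(compare(LEGIT, FAKE)["tree"])      # S203: output the comparison
    for hit in entry_points(LEGIT, FAKE):    # S204: analysis entry points
        print(hit)
```

Because only content that differs from the legitimate sample is searched, the login URL present in both samples is not reported, while the inserted phone number, the new uploader class and the added SMS permission are.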
The present invention automatically reverse-analyzes a counterfeit application sample and the corresponding legitimate application sample, and then scientifically classifies and compares the analysis results, which enables finer-grained, more intuitive and more effective analysis of counterfeit applications. Finally, predefined sensitive information is found in the counterfeit application sample according to the comparative analysis result to obtain an entry point for malicious behavior analysis, so that the malicious behavior of the counterfeit application can be analyzed and thorough preventive measures can be provided to users.
Although the present invention has been described by way of embodiments, those of ordinary skill in the art will appreciate that the present invention admits many variations and changes without departing from its spirit, and it is intended that the appended claims cover these variations and changes without departing from the spirit of the present invention.

Claims (10)

1. A counterfeit application analysis system, characterized by comprising a loading analysis engine, a comparative analysis engine, an output engine and a sensitive information analysis engine, wherein:
the loading analysis engine is configured to load a counterfeit application sample and the corresponding legitimate sample, and to perform reverse analysis on the counterfeit application sample and the legitimate application sample respectively according to a first rule, wherein the first rule is to analyze a sample from at least one of the following perspectives: application file attribute information, application source code attribute information, and application view information;
the comparative analysis engine is configured to classify the analysis results of the counterfeit application sample and the legitimate application sample respectively according to a second rule, and to compare and analyze the counterfeit application sample and the corresponding legitimate sample by classification category;
the output engine is configured to output the comparative analysis result;
the sensitive information analysis engine is configured to find predefined sensitive information in the counterfeit application sample according to the comparative analysis result, and to obtain an entry point for malicious behavior analysis.
2. The system as claimed in claim 1, characterized in that the second rule includes classifying the analysis result of a sample into text-class data, tree-structure data and graphical file data.
3. The system as claimed in claim 2, characterized in that the text-class data includes: Java source code text, Smali source code text, AndroidManifest text, resource text, and signature form data; the tree-structure data includes: source code class tree-structure data and APK package tree-structure data; the graphical file data includes the CFG information of each Smali and Java source.
4. The system as claimed in claim 1, characterized in that the output engine is also configured to display the obtained comparative analysis result with distinguishing marks, wherein the distinguishing methods include: distinguishing by color, annotation, or font.
5. A counterfeit application analysis method, characterized by comprising the following steps:
loading a counterfeit application sample and the corresponding legitimate sample, and performing reverse analysis on the counterfeit application sample and the legitimate application sample respectively according to a first rule, wherein the first rule is to analyze a sample from at least one of the following perspectives: application file attribute information, application source code attribute information, and application view information;
classifying the analysis results of the counterfeit application sample and the legitimate application sample respectively according to a second rule, and comparing and analyzing the counterfeit application sample and the corresponding legitimate sample by classification category;
outputting the comparative analysis result;
finding predefined sensitive information in the counterfeit application sample according to the comparative analysis result, and obtaining an entry point for malicious behavior analysis.
6. The method as claimed in claim 5, characterized in that the second rule includes classifying the analysis result of a sample into text-class data, tree-structure data and graphical file data.
7. The method as claimed in claim 5, characterized in that the text-class data includes: Java source code text, Smali source code text, AndroidManifest text, resource text, and signature form data; the tree-structure data includes: source code class tree-structure data and APK package tree-structure data; the graphical file data includes the CFG information of each Smali and Java source.
8. The method as claimed in claim 5, characterized in that, when the comparative analysis result is output, the obtained comparative analysis result is also displayed with distinguishing marks, wherein the distinguishing methods include: distinguishing by color, annotation, or font.
9. The system as claimed in claim 1 or the method as claimed in claim 5, characterized in that the predefined sensitive information includes: phone numbers in Smali source code, phone numbers in Java source code, network connection information, and special permissions and behaviors in AndroidManifest.xml.
10. The system as claimed in claim 1 or the method as claimed in claim 5, characterized in that the application file attribute information includes: application file size and application file hash value; the application source code attribute information includes: application file string information, Java class source code structure, and Smali-to-Java decompilation information; the application view information includes: the CFG information of each Smali and Java source, the signature information of the application file, resource file information, the application icon, application file structure information, and AndroidManifest decoding information.
CN201710148636.4A 2017-03-10 2017-03-10 Counterfeit application analysis system and method Active CN108573151B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710148636.4A CN108573151B (en) 2017-03-10 2017-03-10 Counterfeit application analysis system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710148636.4A CN108573151B (en) 2017-03-10 2017-03-10 Counterfeit application analysis system and method

Publications (2)

Publication Number Publication Date
CN108573151A (en) 2018-09-25
CN108573151B (en) 2021-04-16

Family

ID=63578316

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710148636.4A Active CN108573151B (en) 2017-03-10 2017-03-10 Counterfeit application analysis system and method

Country Status (1)

Country Link
CN (1) CN108573151B (en)

Also Published As

Publication number Publication date
CN108573151B (en) 2021-04-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 430000 No.C20 Building of Wuhan Software New Town Industry Phase III, No.8 Huacheng Avenue, Donghu New Technology Development Zone, Wuhan City, Hubei Province

Applicant after: WUHAN ANTIY INFORMATION TECHNOLOGY Co.,Ltd.

Address before: Room 01, 12 / F, building B4, phase 4-1, software industry, No.1, Software Park East Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province, 430000

Applicant before: WUHAN ANTIY INFORMATION TECHNOLOGY Co.,Ltd.

GR01 Patent grant