CN110069926A - Malicious code localization method for Android repackaged applications, storage medium and terminal - Google Patents


Info

Publication number: CN110069926A
Application number: CN201910288274.8A
Authority: CN (China)
Prior art keywords: android, code, repackaged application, sensitive API, application
Legal status: Granted (CN110069926B); currently active
Other languages: Chinese (zh)
Other versions: CN110069926B (en)
Inventors: 谭炜骞, 王雷, 范丽蓉, 何高峰
Current assignee: Nanjing Post and Telecommunication University
Original assignee: Nanjing Post and Telecommunication University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/70 Software maintenance or management
    • G06F 8/71 Version control; Configuration management

Abstract

A malicious code localization method for Android repackaged applications, a storage medium and a terminal. The method includes: when it is determined that an Android repackaged application contains a call to a preset sensitive API, determining the position of that sensitive API in the repackaged application; determining the suspect code present in the repackaged application from the call paths within it to the identified sensitive API; and executing the identified suspect code in isolation to detect whether it is malicious code. The scheme can accurately locate malicious code in Android repackaged applications.

Description

Malicious code localization method for Android repackaged applications, storage medium and terminal
Technical field
The present invention relates to the field of computer security, and in particular to a malicious code localization method, a storage medium and a terminal for Android repackaged applications.
Background technique
The mobile Internet merges mobile communication with the Internet; it is the general name for Internet technologies, platforms, business models and applications combined with mobile communication technology and practice. In recent years, with the continuous development of Internet technology and falling manufacturing costs, mobile terminal devices, represented by the smartphone, have gradually permeated people's lives.
Mobile Internet technology brings convenience but also various hidden dangers. After the release of the Android operating system in particular, its openness and ease of development let it rapidly capture half of the mobile operating system market, but this also made it the target of mobile malware. According to the 2018 CVE Details report, Android ranked at the top of the product vulnerability list with 611 vulnerabilities. The 360 Internet Security Center's "2018 Android Malware Report" also indicated that in 2018 a cumulative total of about 110 million mobile malware infections were monitored, an average of 292,000 infections per day. Losses caused by Android malicious applications are growing. Therefore, how to efficiently and accurately identify the threats present in applications is currently of important research significance.
However, existing methods for locating malicious code in Android repackaged applications suffer from low accuracy.
Summary of the invention
The technical problem solved by the present invention is how to accurately locate malicious code in Android repackaged applications.
To this end, the present invention provides a malicious code localization method for Android repackaged applications, the method comprising:
when it is determined that an Android repackaged application contains a call to a preset sensitive API, determining the position of the sensitive API in the Android repackaged application;
determining the suspect code present in the Android repackaged application based on the position of the sensitive API in the application and the call paths within the application to the identified sensitive API;
executing the identified suspect code in isolation to detect whether the suspect code is malicious code.
Optionally, determining the position of the sensitive API in the Android repackaged application comprises:
comparing the Java code of the Android repackaged application with that of the original Android application, and finding the newly added code modules in the repackaged application;
when a call to the sensitive API is found in a newly added code module, recording the added code containing that call as the position of the sensitive API in the Android repackaged application.
Optionally, determining the suspect code present in the Android repackaged application based on the position of the sensitive API and the call paths to the identified sensitive API comprises:
generating the function call graph of the Android repackaged application;
traversing the function call graph of the Android repackaged application to determine the call paths to the sensitive API;
when the endpoint of a determined call path to the sensitive API is the position of the sensitive API in the Android repackaged application, taking the program code corresponding to that call path as the suspect code.
Optionally, generating the function call graph of the Android repackaged application comprises:
converting the installation package of the Android repackaged application into a corresponding intermediate code file;
analysing the intermediate code file obtained by the conversion to obtain the function call relationships present in it;
generating the function call graph of the repackaged program from the obtained function call relationships.
Optionally, the intermediate code file is a Jimple intermediate code file.
Optionally, detecting whether the suspect code is malicious code comprises:
determining whether the suspect code is malicious code based on the behavioural characteristics observed when the identified suspect code is executed.
Optionally, the sensitive API includes at least one of the following:
sensitive APIs of the malicious fee deduction class;
sensitive APIs of the information theft class;
sensitive APIs of the remote control class;
sensitive APIs of the malicious propagation class;
sensitive APIs of the tariff consumption class.
An embodiment of the invention also provides a computer-readable storage medium storing computer instructions which, when run, perform the steps of the malicious code localization method for Android repackaged applications of any of the above embodiments.
An embodiment of the invention also provides a terminal comprising a memory and a processor, the memory storing computer instructions capable of running on the processor, and the processor performing the steps of the malicious code localization method for Android repackaged applications of any of the above embodiments when it runs the computer instructions.
Compared with the prior art, the invention has the following beneficial effects:
In the above scheme, when it is determined that an Android repackaged application contains a call to a preset sensitive API, the position of the sensitive API in the repackaged application is determined; the suspect code is determined from the call paths within the repackaged application to the identified sensitive API; and the identified suspect code is then executed in isolation to detect whether it is malicious code. This combines static and dynamic analysis: the malicious-code call path of the repackaged program is obtained statically, and executing that call path completely ensures that the analysis of the malicious behaviour is complete, which improves the accuracy with which malicious code is located in Android repackaged programs.
Detailed description of the invention
To explain the technical solutions in the embodiments of the present application more clearly, the drawings required for describing the embodiments are briefly introduced below. The drawings described are only some examples of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a malicious code localization method for Android repackaged applications according to an embodiment of the invention;
Fig. 2 shows the call relationships among the three Activities that make up the original application Ori;
Fig. 3 shows, in the function call graph of the Android repackaged application Mal, all call paths that invoke the malciousMethod() method;
Fig. 4 is a structural diagram of a malicious code localization device for Android repackaged applications according to an embodiment of the invention.
Specific embodiment
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the application; all other embodiments obtained by those of ordinary skill in the art from them without creative effort fall within the scope of protection of the application. Directional indications in the embodiments (such as up, down, left, right, front and back) are used only to explain the relative positions and movements of components in a particular pose (as shown in the drawings); if that pose changes, the directional indications change accordingly.
As stated in the background, the prior art mainly locates malicious code by feature matching, which requires the features of the malicious code to be extracted in advance and produces false negatives when the feature is unknown.
The technical solution of the invention determines, when an Android repackaged application is found to contain a call to a preset sensitive API, the position of that sensitive API in the repackaged application; determines the suspect code present in the repackaged application from the call paths within it to the identified sensitive API; and then executes the identified suspect code in isolation to detect whether it is malicious code. Static and dynamic analysis are combined: the malicious-code call path of the repackaged program is obtained statically and then executed completely, which ensures complete analysis of the malicious behaviour and improves the accuracy of malicious code localization in Android repackaged programs.
To make the above objects, features and beneficial effects of the invention clearer, specific embodiments of the invention are described in detail below with reference to the drawings.
Fig. 1 is a flow diagram of a malicious code localization method for Android repackaged applications according to an embodiment of the invention. Referring to Fig. 1, the method may include the following steps:
Step S101: when it is determined that the Android repackaged application contains a call to a preset sensitive API, determine the position of the sensitive API in the Android repackaged application.
In a specific implementation, the sensitive application programming interfaces (sensitive APIs) are the interfaces that common malware tends to call. Common malware is divided by behaviour into eight classes: privacy theft, remote control, malicious fee deduction, malicious propagation, tariff consumption, system damage, indecent behaviour and data corruption. In an embodiment of the invention, the sensitive APIs include the APIs that the five most common classes of malware tend to call, listed as follows:
(1) Malicious fee deduction class, such as sendTextMessage(), abortBroadcast(), bundle.get("pdus"), registerReceiver() and setPriority().
(2) Information theft class, such as getContentResolver(), query() and Socket().
(3) Remote control class, such as getContentResolver(), query(), sendTextMessage(), Socket() and getAssets().
(4) Malicious propagation class, such as getContentResolver(), query(), sendTextMessage(), Socket(), getAssets() and Runtime.getRuntime().exec().
(5) Tariff consumption class, such as sendTextMessage(), abortBroadcast(), bundle.get("pdus"), registerReceiver() and setPriority().
Several of these names (getContentResolver(), query(), Socket()) are also used pervasively by benign code, so a match against the list on its own is only a screening signal; the call-path analysis and isolated execution in the following steps are what decide whether a call is malicious.
In a specific implementation, to judge whether the Android repackaged application contains a call to a preset sensitive API, the installation packages of the repackaged application and of the original application are first decompiled, for example with a decompiler such as jadx or jd-gui; the Java code of the repackaged application is then compared with that of the original application, for example by string comparison, to search the repackaged application for a call to a preset sensitive API.
Specifically, to determine whether the Android repackaged application contains a call to a preset sensitive API, the Java code of the repackaged application is compared with that of the original application to find the code modules newly added in the repackaged application; the newly added modules are then checked for calls to a preset sensitive API, and when such a call is found in a newly added module, that module is taken as the position of the sensitive API in the Android repackaged application.
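As an added example (not the patent's own code) of step S101, and of the Ori/Mal comparison in the worked example later in the description: the script diffs decompiled Java sources of the original and the repackaged application, treats methods that are new or whose body changed as added code, and reports those that call a name from a sensitive-API list. The sources, the list and the class and method names are constructed stand-ins for decompiler (jadx) output modelled on the patent's example; the method extractor is a brace-depth scanner, not a Java parser, which is adequate for decompiler output but not for arbitrary source.

```python
"""Added example (not the patent's code): step S101, locating sensitive-API
calls inside code that a repackaging added. Inputs are constructed stand-ins
for decompiler (jadx) output of the original (Ori) and repackaged (Mal) app."""
import re

# Screening list keyed by bare method name, following the patent's categories.
# Assumption: a production list would key on the fully qualified declaring class.
SENSITIVE_APIS = {
    "sendTextMessage": "malicious fee deduction / tariff consumption",
    "abortBroadcast": "malicious fee deduction",
    "getContentResolver": "information theft",
    "Runtime.getRuntime().exec": "malicious propagation",
}

# Constructed decompiled sources, keyed by class name. Mal adds malciousMethod()
# to AnotherActivity and calls it from onCreate(), as in the patent's example.
ORI_SOURCES = {
    "com.example.impicitcall.AnotherActivity": """
public class AnotherActivity extends Activity {
    protected void onCreate(Bundle b) {
        super.onCreate(b);
        Intent intent = getIntent();
    }
}
""",
}
MAL_SOURCES = {
    "com.example.impicitcall.AnotherActivity": """
public class AnotherActivity extends Activity {
    protected void onCreate(Bundle b) {
        super.onCreate(b);
        Intent intent = getIntent();
        malciousMethod();
    }
    private void malciousMethod() {
        SmsManager.getDefault().sendTextMessage("10086", null, "PAY", null, null);
    }
}
""",
}

# A method header: modifiers, return type, name, parameter list, opening brace.
METHOD_RE = re.compile(
    r"(?:public|private|protected|static|\s)+[\w<>\[\]]+\s+(\w+)\s*\([^)]*\)\s*\{")


def extract_methods(source: str) -> dict:
    """{method_name: body} for each method declared in one decompiled class.
    Brace-depth scanning is enough for decompiler output; it is not a parser."""
    methods = {}
    for m in METHOD_RE.finditer(source):
        name, depth, i = m.group(1), 1, m.end()
        while depth and i < len(source):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        methods[name] = source[m.end():i - 1]
    return methods


def added_methods(ori: dict, mal: dict) -> dict:
    """Code the repackaging added: methods absent from the original class, plus
    methods whose body differs (an injected call site counts as added code)."""
    added = {}
    for cls, src in mal.items():
        ori_methods = extract_methods(ori.get(cls, ""))
        for name, body in extract_methods(src).items():
            if ori_methods.get(name) != body:
                added[(cls, name)] = body
    return added


def locate_sensitive_calls(ori: dict, mal: dict) -> list:
    """Positions (class, method, api, category) of sensitive-API calls that
    occur inside added code; this is the position that step S101 records."""
    hits = []
    for (cls, name), body in added_methods(ori, mal).items():
        for api, category in SENSITIVE_APIS.items():
            if re.search(re.escape(api) + r"\s*\(", body):
                hits.append((cls, name, api, category))
    return hits


if __name__ == "__main__":
    for hit in locate_sensitive_calls(ORI_SOURCES, MAL_SOURCES):
        print("sensitive call in added code:", hit)
```

Two limitations are worth knowing before using this on real output: overloaded methods share a name and would collide in the dictionary (key on the full signature in practice), and a string comparison of bodies will flag every method the decompiler renders differently between the two builds, so a real diff should normalise whitespace and compiler-generated names first.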
Step S102: based on the position of the sensitive API in the Android repackaged application and the call paths within the application to the identified sensitive API, determine the suspect code present in the Android repackaged application.
In a specific implementation, to determine the suspect code present in the Android repackaged application from the call paths to the identified sensitive API, the function call graph of the repackaged application may first be generated; the function call graph is then traversed to determine the call paths to the sensitive API, and the program code corresponding to each determined call path to the sensitive API is taken as the suspect code.
In an embodiment of the invention, to generate the function call graph of the Android repackaged application, the installation package of the repackaged application is first converted into a corresponding intermediate code file, for example by converting the package file with the Soot tool to obtain the corresponding Jimple intermediate code. The intermediate code file obtained is then analysed to obtain the function call relationships present in it, for example by tracking the invoke statements in the Jimple code and the Intent records of the Android application, which reveal which methods or components each method in the program calls; from these relationships the function call graph of the repackaged program is obtained.
In a specific implementation, when determining the suspect code from the position of the sensitive API and the call paths to it, the function call graph of the Android repackaged application is first traversed to determine the call paths to the sensitive API. It is then checked whether the endpoint of each call path to the sensitive API is the position of the sensitive API in the Android repackaged application determined earlier. When the endpoint of a determined call path to the sensitive API is that position, the program code corresponding to the call path is taken as the suspect code.
Step S103: execute the identified suspect code in isolation to detect whether the suspect code is malicious code.
In a specific implementation, by executing the identified suspect code in isolation, the behaviour of the suspect code during execution is obtained and checked against malicious behaviour patterns, so as to determine whether the suspect code is malicious code.
In an embodiment of the invention, to execute the identified suspect code in isolation and detect whether it is malicious, a blank Android application can first be created; the identified code, together with the XML and resource files it needs, is added to that blank application; a way of executing the code is chosen (for example a button listener that triggers its execution); the behavioural characteristics of its execution are observed; and from these it is judged whether its calls to the sensitive API are malicious calls.
The malicious code localization method for Android repackaged applications of the embodiment is explained below with a specific example.
Assume a malicious Android repackaged application (APP) named Mal and its original application named Ori. Ori consists of three Activities:
com.example.testapplication.MainActivity;
com.example.testapplication.DisplayMainActivity;
com.example.impicitcall.AnotherActivity.
com.example.testapplication.MainActivity is the entry Activity of the application.
Fig. 2 shows the call relationships among the three Activities of Ori, where:
the com.example.testapplication.MainActivity component calls the com.example.testapplication.DisplayMainActivity component through an explicit Intent, with the following code:
Intent intent = new Intent(MainActivity.this, DisplayActivity.class);
It then calls the startActivity() method to send the Intent:
startActivity(intent);
The com.example.testapplication.MainActivity component also calls the com.example.impicitcall.AnotherActivity component through an implicit Intent. The Intent is set up in the com.example.testapplication.MainActivity component with the following code:
Intent intent = new Intent();
intent.setAction("com.example.testapplication.testImplicitCall");
intent.addCategory("com.example.testapplication.category");
The setAction() and addCategory() methods add the Action and Category attributes to the Intent; startActivity() is then called to send the Intent:
startActivity(intent);
Because an intent-filter has been added for AnotherActivity in the application's AndroidManifest file, declaring the following:
In the onCreate() method of AnotherActivity the Intent is received with the statement Intent intent = getIntent();. In this way AnotherActivity can be called implicitly by MainActivity through an Intent.
From the analysis above, the malicious repackaged application Mal does not modify the structure of the original application Ori; it only adds a method malciousMethod() to the com.example.impicitcall.AnotherActivity component, calls malciousMethod() from the onCreate() method, and malciousMethod() in turn calls a sensitive API.
The aim of the malicious code localization method for Android repackaged applications provided in the embodiment is to locate the call path of malciousMethod() in the above example and execute that call path in isolation, so as to learn the content of its behaviour and judge accurately whether it is malicious code. Specifically:
First, the sensitive APIs that malicious APPs often call are summarised.
Then, the Java code and the resource files of Ori and Mal are decompiled with a decompiler such as jadx.
Next, the Java files decompiled from Ori are compared with those decompiled from Mal. It is found that the original application Ori has no malciousMethod() method and that malciousMethod() calls one of the summarised sensitive APIs, so it is treated as a suspected malicious call.
Then, the apk file of Mal is parsed into Jimple files, i.e. the Java code in classes.dex is converted into Jimple files.
Then, the function call graph (i.e. the method call graph) of Mal is generated.
The call relationships among functions in an Android repackaged application are of the following two types:
Situation one: calls through an object reference, or static calls. For example, the statement:
intent.setAction("com.example.testapplication.testImplicitCall");
has the following Jimple form:
virtualinvoke $r7.<android.content.Intent: android.content.Intent setAction(java.lang.String)>("com.example.testapplication.testImplicitCall");
Here the "android.content.Intent" before the colon gives the class of the object $r7, and the "android.content.Intent" after it gives the return type of the setAction() method. The java.lang.String in the parentheses after setAction is the formal parameter type of setAction(), and the final parentheses hold the actual argument of the method. Jimple thus records the Java code in considerable detail.
By continuing to look up the setAction() method in the android.content.Intent.jimple file, one learns which methods setAction() calls, and so on, until the complete function call graph is generated. Of course, setAction() here is a method in the Android framework jar, i.e. an API, for which no Jimple file is generated; there is neither a way nor a need to learn which further methods setAction() invokes.
Situation two: calling other components through an Intent.
Intent calls are of two kinds, explicit and implicit. An explicit call is, for example, MainActivity calling DisplayActivity; an implicit call is, for example, MainActivity calling AnotherActivity.
Taking MainActivity calling DisplayActivity as an example of an explicit Intent call, the Intent is set up by the statement:
Intent intent = new Intent(MainActivity.this, DisplayActivity.class);
whose Jimple form is:
$r7 = new android.content.Intent;
$r2 = $r0.<com.example.testapplication.MainActivity$1: com.example.testapplication.MainActivity this$0>;
specialinvoke $r7.<android.content.Intent: void <init>(android.content.Context,java.lang.Class)>($r2, class "Lcom/example/testapplication/DisplayActivity;");
From this code, DisplayActivity.class in the original source is resolved to "L" followed by the path of DisplayActivity. From the path of the com.example.testapplication.DisplayMainActivity component, the file com.example.testapplication.DisplayActivity.jimple can be found among the Jimple files. Analysing the Jimple file of the com.example.testapplication.DisplayMainActivity component then shows which methods its lifecycle functions call. Proceeding in the same way, the component call path can be traced.
Taking MainActivity calling AnotherActivity as an example of an implicit Intent call, the Intent is set up by the statements:
Intent intent = new Intent();
intent.setAction("com.example.testapplication.testImplicitCall");
intent.addCategory("com.example.testapplication.category");
whose Jimple form is:
$r7 = new android.content.Intent;
specialinvoke $r7.<android.content.Intent: void <init>()>();
virtualinvoke $r7.<android.content.Intent: android.content.Intent setAction(java.lang.String)>("com.example.testapplication.testImplicitCall");
virtualinvoke $r7.<android.content.Intent: android.content.Intent addCategory(java.lang.String)>("com.example.testapplication.category");
From the above Jimple code, the Action and Category attributes of the Intent object $r7 are obtained. The component whose intent-filter satisfies them is then found in the AndroidManifest file. From the above it is known that the intent-filter of the com.example.impicitcall.AnotherActivity component satisfies them, so the component that this Intent can call is found.
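Added example (not from the patent): resolving the Intent targets that situation two needs, against a constructed AndroidManifest.xml for the Ori/Mal example. The explicit form maps the class literal from the <init>(Context, Class) call to a component name; the implicit form applies Android's filter-matching rule: the action must be declared by the filter, every category carried by the Intent must be declared, and, because startActivity() adds android.intent.category.DEFAULT to every implicit Intent, the filter must declare that category too. The manifest below is an assumption written for this example rather than taken from the patent.

```python
"""Added example (not the patent's code): Intent resolution for situation two.
Maps explicit class literals and implicit action/category pairs, recovered from
Jimple, to the components declared in a (constructed) AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
CATEGORY_DEFAULT = "android.intent.category.DEFAULT"

# Constructed manifest for the patent's three Activities. The intent-filter on
# AnotherActivity matches the action/category that MainActivity sets; DEFAULT is
# declared because startActivity() requires it for implicit resolution.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.testapplication">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name=".DisplayActivity"/>
    <activity android:name="com.example.impicitcall.AnotherActivity">
      <intent-filter>
        <action android:name="com.example.testapplication.testImplicitCall"/>
        <category android:name="com.example.testapplication.category"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def parse_filters(manifest_xml: str) -> dict:
    """{component_name: [(actions, categories), ...]} for every activity,
    service and receiver, expanding the '.Name' shorthand with the package."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    filters = {}
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        name = comp.get(ANDROID_NS + "name")
        if not name:
            continue
        if name.startswith("."):
            name = pkg + name
        entries = filters.setdefault(name, [])
        for f in comp.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in f.findall("action")}
            cats = {c.get(ANDROID_NS + "name") for c in f.findall("category")}
            entries.append((actions, cats))
    return filters


def class_literal_to_name(literal: str) -> str:
    """'Lcom/example/testapplication/DisplayActivity;' -> dotted class name,
    i.e. the explicit target seen in the <init>(Context, Class) invoke."""
    assert literal.startswith("L") and literal.endswith(";"), literal
    return literal[1:-1].replace("/", ".")


def resolve_intent(filters: dict, explicit_class=None, action=None,
                   categories=(), for_activity=True) -> list:
    """Components an Intent can reach. Explicit intents resolve directly.
    Implicit intents match a filter when the action is declared, every category
    on the intent is declared and, for startActivity(), DEFAULT is declared."""
    if explicit_class:
        return [explicit_class]
    needed = set(categories)
    if for_activity:
        needed.add(CATEGORY_DEFAULT)
    targets = []
    for name, entries in filters.items():
        for actions, cats in entries:
            if action in actions and needed <= cats:
                targets.append(name)
                break
    return targets


if __name__ == "__main__":
    f = parse_filters(MANIFEST)
    print(resolve_intent(f, action="com.example.testapplication.testImplicitCall",
                         categories={"com.example.testapplication.category"}))
    print(resolve_intent(f, explicit_class=class_literal_to_name(
        "Lcom/example/testapplication/DisplayActivity;")))
```

The DEFAULT rule is the check most often missed when a call graph is built by hand: a filter that declares the action and category but omits android.intent.category.DEFAULT never receives an implicit startActivity() Intent, so an edge drawn for it would be spurious. Data-scheme and MIME-type matching, which real resolution also performs, is left out here.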
By repeatedly applying the methods of situation one and situation two to determine function call relationships as the code requires, the function call graph of the entire Mal application can be generated.
Then, according to the screened sensitive API call, i.e. the malciousMethod() method, all paths that invoke malciousMethod() are obtained by traversing the function call graph of the entire Mal application; the paths obtained are shown in Fig. 3.
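Added example (not the patent's code) covering the call-graph construction of step S102 and the traversal just described: it extracts callee signatures from the invoke statements of Jimple method bodies (situation one), adds the component edges that Intent resolution supplies (situation two, given here as an assumed, precomputed mapping), enumerates every path from the entry Activity's onCreate() to the sensitive sendTextMessage() call, and keeps only the paths whose last application method is the position recorded in step S101. The Jimple bodies follow Soot's syntax but are written by hand for the patent's Mal example.

```python
"""Added example (not the patent's code): method-level call graph from Jimple
invoke statements plus Intent edges, and enumeration of the call paths that
end at the sensitive-API call whose position step S101 recorded."""
import re

# Constructed Jimple bodies keyed by Soot signature "<class: rettype name(params)>".
JIMPLE = {
    "<com.example.testapplication.MainActivity: void onCreate(android.os.Bundle)>": """
        $r7 = new android.content.Intent;
        specialinvoke $r7.<android.content.Intent: void <init>(android.content.Context,java.lang.Class)>($r2, class "Lcom/example/testapplication/DisplayActivity;");
        virtualinvoke r0.<com.example.testapplication.MainActivity: void startActivity(android.content.Intent)>($r7);
        $r8 = new android.content.Intent;
        specialinvoke $r8.<android.content.Intent: void <init>()>();
        virtualinvoke $r8.<android.content.Intent: android.content.Intent setAction(java.lang.String)>("com.example.testapplication.testImplicitCall");
        virtualinvoke r0.<com.example.testapplication.MainActivity: void startActivity(android.content.Intent)>($r8);
    """,
    "<com.example.impicitcall.AnotherActivity: void onCreate(android.os.Bundle)>": """
        $r1 = virtualinvoke r0.<com.example.impicitcall.AnotherActivity: android.content.Intent getIntent()>();
        specialinvoke r0.<com.example.impicitcall.AnotherActivity: void malciousMethod()>();
    """,
    "<com.example.impicitcall.AnotherActivity: void malciousMethod()>": """
        $r2 = staticinvoke <android.telephony.SmsManager: android.telephony.SmsManager getDefault()>();
        virtualinvoke $r2.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>("10086", null, "PAY", null, null);
    """,
}

# Component edges from Intent resolution (assumed output of a separate
# manifest-matching step): startActivity() in MainActivity reaches onCreate()
# of the explicit and the implicit target Activity.
INTENT_EDGES = {
    "<com.example.testapplication.MainActivity: void onCreate(android.os.Bundle)>": [
        "<com.example.testapplication.DisplayActivity: void onCreate(android.os.Bundle)>",
        "<com.example.impicitcall.AnotherActivity: void onCreate(android.os.Bundle)>",
    ],
}

# The <class: rettype name(params)> part of a virtual/special/static/interface
# invoke; the optional inner group keeps constructor signatures (<init>) intact.
INVOKE_RE = re.compile(
    r"(?:virtual|special|static|interface)invoke\s+(?:[\w$]+\.)?"
    r"<([^<>]*(?:<init>[^<>]*)?)>")


def callees(body: str) -> list:
    """Signatures of every method invoked in one Jimple method body (situation one)."""
    return ["<" + m.group(1) + ">" for m in INVOKE_RE.finditer(body)]


def build_call_graph(jimple: dict, intent_edges: dict) -> dict:
    """Adjacency list: caller signature -> callee signatures, joining invoke
    edges (situation one) with Intent-resolved component edges (situation two)."""
    return {sig: callees(body) + intent_edges.get(sig, [])
            for sig, body in jimple.items()}


def call_paths(graph: dict, entry: str, target: str) -> list:
    """All acyclic paths from an entry method to the target signature (DFS).
    Framework methods have no body in the graph and simply end a branch."""
    paths, stack = [], [(entry, [entry])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:          # skip cycles (recursion)
                stack.append((nxt, path + [nxt]))
    return paths


def suspect_paths(graph: dict, entry: str, sensitive_sig: str, position: str) -> list:
    """Step S102 check: keep the paths that end at the sensitive API and whose
    last application method is the position step S101 recorded."""
    return [p for p in call_paths(graph, entry, sensitive_sig)
            if len(p) >= 2 and p[-2] == position]


if __name__ == "__main__":
    g = build_call_graph(JIMPLE, INTENT_EDGES)
    for p in suspect_paths(
            g,
            "<com.example.testapplication.MainActivity: void onCreate(android.os.Bundle)>",
            "<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>",
            "<com.example.impicitcall.AnotherActivity: void malciousMethod()>"):
        print(" -> ".join(p))
```

Each path returned is the unit the next step extracts and executes in isolation; printing it gives the reviewer the chain of application methods (entry Activity, AnotherActivity.onCreate(), malciousMethod()) that must all be carried into the blank test application for the behaviour to reproduce. On real Jimple, reflective calls and dynamically loaded dex code leave no invoke statement to follow, which is the main source of missing edges for this kind of graph.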
Finally, the program code corresponding to the sensitive-API call paths extracted in the previous step is extracted and executed in isolation, and the content of its behaviour during execution is analysed to judge whether the call is malicious. When the execution behaviour of the program code corresponding to an extracted sensitive-API call path matches a preset malicious behaviour pattern, the suspect code can be determined to be malicious code.
The above-mentioned method in the embodiment of the present invention is described in detail, below will be to the above-mentioned corresponding dress of method It sets and is introduced.
Fig. 4 shows the knot that one of embodiment of the present invention Android beats again the malicious code positioning device of packet application Structure schematic diagram.Referring to fig. 4, a kind of Android beats again the malicious code positioning device 40 of packet application, may include that position determines list Member 401, code-determining unit 402 and detection unit 403, in which:
The position determination unit 401, suitable for existing when determining Android is beaten again in packet application to preset sensitive API Calling when, determine the sensitive API the Android beat again packet application in position;
The code-determining unit 402, suitable for beating again the position in packet application in the Android based on the sensitive API It sets and beats again the calling path wrapped in application to identified sensitive API with the Android, determine that the Android beats again packet The suspect code present in;
The detection unit 403, suitable for identified suspect code is individually performed, with the determination suspect code whether be Malicious code.
In an embodiment of the present invention, the position determination unit 401 beats again packet application and original suitable for comparison Android The java code of version Android application, finds out Android and beats again the newly-increased code module wrapped in application;It is described newly-increased when determining When there is the calling to the sensitive API in code module, it will be present and the newly-increased code of the calling of sensitive API is recorded, The position in packet application is beaten again in the Android as sensitive API.
In an alternative embodiment of the invention, the code-determining unit 402 is beaten again packet suitable for the generation Android and is answered Function call relationship graph;The Android function call graph for beating again packet application is traversed, is determined to the sensitivity The calling path of API;When the terminal in the identified calling path to the sensitive API is the sensitive API described It, can as described in using the corresponding program code in calling path to the sensitive API when Android beats again the position in packet application Doubt code.
In still another embodiment of the process, the code-determining unit 403, suitable for the Android is beaten again packet application Installation kit be converted to corresponding intermediate code file;The intermediate code file being converted to is analyzed, is obtained present in it Function calling relationship;Using acquired function calling relationship, the function call graph of packet program is beaten again described in generation.Wherein, institute Stating intermediate code file can be jimple intermediate code file.
In an embodiment of the present invention, the detection unit 403, suitable for the process performing based on identified suspect code Feature determines whether the suspect code is malicious code.
In specific implementation, the sensitive API may include malice deduct fees class sensitive API, information stealth class sensitive API, At least one of long-range control class sensitive API, malicious dissemination class sensitive API and rate consumption class sensitive API.
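As an added example (not code from the patent), the following Python script shows the static half of the scheme: diffing the method set of the repackaged build against the original to find added code (unit 401), traversing a function call graph to find call paths that end at a sensitive API (unit 402), and keeping only the paths whose final call site lies in added code. The method names, the sample call graph and the two sensitive API entries are constructed for illustration; a real pipeline would derive the graph from the jimple intermediate code the page mentions.

```python
from collections import deque

# Constructed sensitive-API list, labelled with two of the patent's categories.
# The API names are real Android APIs chosen as illustrations (assumption).
SENSITIVE_APIS = {
    "android.telephony.SmsManager.sendTextMessage": "malicious fee deduction",
    "android.telephony.TelephonyManager.getDeviceId": "information theft",
}


def added_methods(original, repackaged):
    """Methods present in the repackaged build but absent from the original (unit 401)."""
    return set(repackaged) - set(original)


def call_paths_to_sensitive(call_graph, entry_points, sensitive):
    """BFS from each entry point; return every cycle-free path ending at a sensitive API."""
    paths = []
    for entry in entry_points:
        queue = deque([[entry]])
        while queue:
            path = queue.popleft()
            for callee in call_graph.get(path[-1], ()):
                if callee in path:          # skip recursion / cycles
                    continue
                new_path = path + [callee]
                if callee in sensitive:
                    paths.append(new_path)  # terminal node is a sensitive API
                else:
                    queue.append(new_path)
    return paths


def suspect_paths(call_graph, entry_points, original, repackaged, sensitive=SENSITIVE_APIS):
    """Keep only paths whose sensitive API is invoked from code added by repackaging (unit 402)."""
    new_code = added_methods(original, repackaged)
    return [p for p in call_paths_to_sensitive(call_graph, entry_points, sensitive)
            if p[-2] in new_code]


# Constructed sample: the original app, plus an injected module that reaches the SMS API.
ORIGINAL_METHODS = ["com.app.MainActivity.onCreate", "com.app.Util.log"]
REPACKAGED_METHODS = ORIGINAL_METHODS + ["com.inject.Payload.run", "com.inject.Payload.send"]
CALL_GRAPH = {
    "com.app.MainActivity.onCreate": ["com.app.Util.log", "com.inject.Payload.run"],
    "com.inject.Payload.run": ["com.inject.Payload.send"],
    "com.inject.Payload.send": ["android.telephony.SmsManager.sendTextMessage"],
    "com.app.Util.log": ["android.telephony.TelephonyManager.getDeviceId"],  # original code
}

if __name__ == "__main__":
    for path in suspect_paths(CALL_GRAPH, ["com.app.MainActivity.onCreate"],
                              ORIGINAL_METHODS, REPACKAGED_METHODS):
        print(" -> ".join(path))
```

The `getDeviceId` path is found by the traversal but dropped by the filter, because its call site `com.app.Util.log` already exists in the original build; only the injected SMS path survives as suspect code for the dynamic step.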
The embodiment of the invention also provides a kind of computer readable storage mediums, are stored thereon with computer instruction, described The step of Android beats again the malicious code localization method of packet application is executed when computer instruction is run.Wherein, described The malicious code localization method that Android beats again packet application refers to being discussed in detail for preceding sections, repeats no more.
The embodiment of the invention also provides a kind of terminal, including memory and processor, energy is stored on the memory Enough computer instructions run on the processor, the processor execute described when running the computer instruction Android beats again the step of malicious code localization method of packet application.Wherein, the Android beats again the malice generation of packet application Code localization method refers to being discussed in detail for preceding sections, repeats no more.
Using the above-mentioned scheme in the embodiment of the present invention, wrap in application when determining that Android is beaten again in the presence of to preset When the calling of sensitive API, determine that the sensitive API beats again the position in packet application in the Android, and based on described Android beats again the calling path in packet application to identified sensitive API, determines that the Android is beaten again in packet application and deposits Suspect code, then by the way that identified suspect code is individually performed, to detect whether the suspect code is malicious code, The mode combined using dynamic with static state obtains the malicious code tune that Android beats again packet application program from static angle Path is called with path, and by completely executing malicious code, it is ensured that the integrality of malicious act analysis, therefore can be improved Android beats again the accuracy that malicious code positions in packet application program.
The basic principles, main features and advantages of the present invention have been shown and described above.The technology of the industry Personnel are it should be appreciated that the present invention is not limited to the above embodiments, and the above embodiments and description only describe this The principle of invention, without departing from the spirit and scope of the present invention, various changes and improvements may be made to the invention, the present invention Claimed range is delineated by the appended claims, the specification and equivalents thereof from the appended claims.

Claims (9)

1. A malicious code locating method for an Android repackaged application, characterized by comprising:
when it is determined that a call to a preset sensitive API exists in the Android repackaged application, determining the position of the sensitive API in the Android repackaged application;
based on the position of the sensitive API in the Android repackaged application and the call path to the determined sensitive API in the Android repackaged application, determining the suspect code present in the Android repackaged application;
executing the determined suspect code on its own, to detect whether the suspect code is malicious code.
2. The malicious code locating method for an Android repackaged application according to claim 1, characterized in that determining the position of the sensitive API in the Android repackaged application comprises:
comparing the Java code of the Android repackaged application with that of the original Android application, and finding the newly added code in the Android repackaged application;
when it is determined that a call to the sensitive API exists in the newly added code module, recording the newly added code in which the call to the sensitive API exists as the position of the sensitive API in the Android repackaged application.
3. The malicious code locating method for an Android repackaged application according to claim 1, characterized in that determining the suspect code present in the Android repackaged application, based on the position of the sensitive API in the Android repackaged application and the call path to the determined sensitive API in the Android repackaged application, comprises:
generating the function call graph of the Android repackaged application;
traversing the function call graph of the Android repackaged application, and determining the call path to the sensitive API;
when the end point of the determined call path to the sensitive API is the position of the sensitive API in the Android repackaged application, taking the program code corresponding to the call path to the sensitive API as the suspect code.
4. The malicious code locating method for an Android repackaged application according to claim 3, characterized in that generating the function call graph of the Android repackaged application comprises:
converting the installation package of the Android repackaged application into a corresponding intermediate code file;
analysing the intermediate code file obtained by the conversion, and obtaining the function call relationships present in it;
generating the function call graph of the repackaged program using the obtained function call relationships.
5. The malicious code locating method for an Android repackaged application according to claim 4, characterized in that the intermediate code file is a jimple intermediate code file.
6. The malicious code locating method for an Android repackaged application according to claim 1, characterized in that detecting whether the suspect code is malicious code comprises:
based on the execution behaviour features of the determined suspect code, determining whether the suspect code is malicious code.
7. The malicious code locating method for an Android repackaged application according to any one of claims 1 to 6, characterized in that the sensitive API includes at least one of the following:
malicious fee-deduction class sensitive APIs;
information theft class sensitive APIs;
remote control class sensitive APIs;
malicious propagation class sensitive APIs;
fee consumption class sensitive APIs.
8. A computer readable storage medium on which computer instructions are stored, characterized in that, when the computer instructions run, the steps of the malicious code locating method for an Android repackaged application according to any one of claims 1 to 7 are executed.
9. A terminal, characterized by comprising a memory and a processor, the memory storing computer instructions that can run on the processor, wherein when the processor runs the computer instructions it executes the steps of the malicious code locating method for an Android repackaged application according to any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910288274.8A CN110069926B (en) 2019-04-11 2019-04-11 Malicious code positioning method, storage medium and terminal for Android repackaging application

Publications (2)

Publication Number Publication Date
CN110069926A true CN110069926A (en) 2019-07-30
CN110069926B CN110069926B (en) 2022-10-25

Family

ID=67367387

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910288274.8A Active CN110069926B (en) 2019-04-11 2019-04-11 Malicious code positioning method, storage medium and terminal for Android repackaging application

Country Status (1)

Country Link
CN (1) CN110069926B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107608852A (en) * 2017-09-01 2018-01-19 清华大学 A kind of process monitoring method and device
CN109582496A (en) * 2018-10-25 2019-04-05 平安科技(深圳)有限公司 Creation method, device and the computer readable storage medium of consistency snapshot group

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113094709A (en) * 2021-04-15 2021-07-09 中国工商银行股份有限公司 Detection method and device for risk application and server
CN113094709B (en) * 2021-04-15 2024-04-05 中国工商银行股份有限公司 Detection method, device and server for risk application

Also Published As

Publication number Publication date
CN110069926B (en) 2022-10-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant