CN110737887A - Malicious code detection method and device, electronic equipment and storage medium - Google Patents

Malicious code detection method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN110737887A
CN110737887A CN201911003904.9A CN201911003904A CN110737887A CN 110737887 A CN110737887 A CN 110737887A CN 201911003904 A CN201911003904 A CN 201911003904A CN 110737887 A CN110737887 A CN 110737887A
Authority
CN
China
Prior art keywords
malicious
detected
application program
display interface
malicious code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911003904.9A
Other languages
Chinese (zh)
Other versions
CN110737887B (en
Inventor
陈鸿图
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Meitu Home Technology Co ltd
Original Assignee
Xiamen Meitu Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xiamen Meitu Technology Co Ltd filed Critical Xiamen Meitu Technology Co Ltd
Priority to CN201911003904.9A priority Critical patent/CN110737887B/en
Publication of CN110737887A publication Critical patent/CN110737887A/en
Application granted granted Critical
Publication of CN110737887B publication Critical patent/CN110737887B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Telephone Function (AREA)

Abstract

The application provides malicious code detection methods, devices, electronic equipment and storage media, the method obtains code calling information of an application program to be detected when the application program to be detected is detected to have a preset type of malicious operation behavior when the application program to be detected runs, and determines the malicious code information of the malicious operation behavior according to the code calling information.

Description

Malicious code detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computers, and in particular, to malicious code detection methods, apparatuses, electronic devices, and storage media.
Background
During program Development, third party off-the-shelf SDKs (Software Development Kit) are often used to speed Development progress, however developers of third party SDKs may insert malicious code into the code to make profits.
Aiming at the problem, the malicious codes are mainly checked in a static checking and SDK detail comparison mode at present. The static investigation obtains a source code readable by the SDK through decompiling the SDK, and developers investigate the source code. And comparing the SDK details by comparing the old version SDK without malicious codes with the new version SDK to be checked to find out the position of the new version SDK which is modified compared with the old version SDK, and performing key checking on the new version SDK. Thus, the checking range is reduced.
The two modes are manually checked by developers, and when the SDK is large in size, time and labor are wasted, and the technical level requirements of the developers are high. The efficiency and accuracy of the troubleshooting is heavily dependent on the developer.
Disclosure of Invention
The application aims to provide malicious code detection methods, devices, electronic equipment and storage media, and aims to accurately search for malicious codes in an application program.
An object of the embodiment of the present application is to provide a malicious code detection method, applied to an electronic device, the method including:
when an application program to be detected runs, detecting whether the application program to be detected has malicious operation behaviors;
if the application program to be detected has a malicious operation behavior, code calling information when the malicious operation behavior occurs is obtained;
and determining malicious code information for executing the malicious operation behaviors according to the code calling information.
Optionally, the method further comprises:
and if the application program to be detected has the malicious operation behaviors, cutting off the malicious operation behaviors.
Optionally, the electronic device is further in communication with a server, and the method further comprises:
and sending the malicious code information for executing the malicious operation behaviors to the server so as to facilitate the viewing of developers or the warning processing of a background program of the server.
Optionally, when the application program to be detected runs, the step of detecting whether the application program to be detected has a malicious operation behavior includes:
and when the application program to be detected exits the program display interface, detecting whether the application program to be detected triggers a new illegal display interface.
Optionally, the application to be detected is an Android application, and the step of detecting whether the application to be detected triggers a new illegal display interface includes:
acquiring configuration information of the Android application program for triggering a target display interface;
matching the configuration information of the target display interface with preset legal configuration information;
and if the configuration information of the target display interface is unsuccessfully matched with the preset legal configuration information, the target display interface is the illegal display interface.
Optionally, the step of when the application to be detected exits the program display interface includes:
acquiring the number of display interfaces currently opened by the Android application program, wherein the display interfaces are display interfaces displayed by an Activity component of the Android application program;
and when the number of the display interfaces is 0, the Android application program exits the program display interface.
Optionally, the step of obtaining the code calling information when the malicious operation behavior occurs includes:
acquiring a method call stack when the malicious operation behavior occurs through a Java virtual machine;
and obtaining the code calling information according to the method calling stack.
A second objective of the embodiments of the present application is to provide malicious code detection apparatuses, which are applied to electronic devices, where the malicious code detection apparatuses include an operation behavior detection module, a call information acquisition module, and a malicious code determination module;
the operation behavior detection module is used for detecting whether the application program to be detected has malicious operation behaviors when the application program to be detected runs;
the calling information acquisition module is used for acquiring code calling information when the malicious operation behavior occurs if the application program to be detected has the malicious operation behavior;
and the malicious code determining module is used for determining the malicious code information for executing the malicious operation behaviors according to the code calling information.
It is a further object of this embodiment of the present application to provide electronic devices, including a processor and a memory, where the memory stores machine executable instructions capable of being executed by the processor, and the processor can execute the machine executable instructions to implement the malicious code detection method.
It is a fourth object of the embodiments of the present application to provide storage media having stored thereon a computer program that, when executed, implements the malicious code detection method.
Compared with the prior art, the method has the following beneficial effects:
according to the malicious code detection method, the device, the electronic equipment and the storage medium, when the application program to be detected runs and the application program to be detected is detected to have the malicious operation behaviors of the preset type, the code calling information of the application program to be detected is obtained, and the malicious code information of the malicious operation behaviors is determined according to the code calling information.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a hardware structure diagram of an electronic device according to an embodiment of the present disclosure;
fig. 2 is a flowchart illustrating steps of a malicious code detection method according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram of a desktop of a mobile phone provided in an embodiment of the present application;
fig. 4 is a schematic structural diagram of a malicious code detection apparatus according to an embodiment of the present application.
Icon: 100-an electronic device; 110-malicious code detection means; 120-a memory; 130-a processor; 1101-an operational behavior detection module; 1102-calling an information acquisition module; 1103-malicious code determination module.
Detailed Description
To further clarify the objects, aspects and advantages of the embodiments of the present application, reference will now be made in detail to the present embodiments of the application illustrated in the accompanying drawings, which form a part hereof, and to show by way of illustration, and not by way of limitation, some embodiments of the application .
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that like reference numerals and letters refer to like items in the following figures, and thus once a item is defined in figures, it need not be further defined and explained by in subsequent figures.
As described in the background section, if a third-party SDK is used in developing an application, the SDK may be inserted into malicious code by a developer of the application for profit. Therefore, when the application developer uses the third-party SDK, the application developer needs to check the SDK to avoid mixing malicious codes. At present, developers mainly perform manual troubleshooting in the development process of application programs, so that the efficiency is low and the troubleshooting precision is low.
Based on this, the present application provides malicious code detection methods, which are applied to the electronic device 100. the electronic device 100 may be, but is not limited to, a smart phone, a Personal Computer (PC), a tablet PC, a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), and the like.
Referring to fig. 1, the electronic device 100 includes a malicious code detection apparatus 110, a memory 120, and a processor 130, where the memory 120, the processor 130, and various components are directly or indirectly electrically connected to each other to implement data transmission or interaction, for example, the components may be electrically connected to each other through communication buses or signal lines, the malicious code detection apparatus 110 includes at least software functional modules that can be stored in the memory 120 in the form of software or firmware (firmware) or be solidified in an Operating System (OS) of the electronic device 100, and the processor 130 is configured to execute executable modules stored in the memory 120, such as the software functional modules and computer programs included in the malicious code detection apparatus 110.
The Memory 120 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Read-Only Memory (EPROM), an electrically Erasable Read-Only Memory (EEPROM), and the like. The memory 120 is used for storing a program, and the processor 130 executes the program after receiving the execution instruction.
The Processor 130 may be kinds of integrated circuit chips with signal Processing capability, and the Processor may be a general-purpose Processor including a Central Processing Unit (CPU), a Network Processor (NP), and the like, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a field programmable array (FPGA) or other programmable logic device, a discrete or a transistor logic device, and discrete hardware components.
Referring to fig. 2, fig. 2 is a flowchart illustrating a malicious code detection method according to an embodiment of the present disclosure, and the method includes various steps which will be described in detail below.
Step S100, when the application program to be detected runs, whether the application program to be detected has malicious operation behaviors or not is detected.
It should be understood that the application program to be detected is a formal version of the application program released to the user, and whether malicious operation behaviors occur or not is detected by the user in the process of using the application program to be detected. It should also be understood that some SDKs do not have malicious code in themselves, and when a user uses an application program that integrates the SDK, the SDK automatically downloads the malicious code from the network online and runs the code. If a developer conducts manual investigation in the development process, the malicious codes of the type cannot be found and solved.
Step S200, if the application program to be detected has a malicious operation behavior, code calling information when the malicious operation behavior occurs is obtained.
And step S300, determining malicious code information for executing the malicious operation behaviors according to the code calling information.
During the running of the application program to be detected, the electronic device 100 , upon detecting a malicious operation behavior, acquires code calling information when the malicious operation behavior occurs, it should be understood that, if the malicious code is from the SDK, the electronic device 100 may call the relevant malicious code in the SDK when the malicious behavior occurs, and therefore, the electronic device 100 acquires context information of the program running of the application program to be detected when the malicious behavior occurs, and further determines the malicious code information when the malicious operation behavior occurs.
Therefore, by detecting the malicious operation behaviors of the application program to be detected during running, developers do not need to manually check malicious codes during development, the checking efficiency is improved, the detection precision is extremely high, and the situation that normal codes are mistakenly judged as malicious codes due to the personal technical level of the developers is avoided.
For example, the electronic device 100 truncates an illegal notification interface once it detects that the illegal operation behavior is about to be opened, and prevents the illegal notification interface from popping up.
Optionally, the electronic device 100 is further communicatively connected to a server, and when malicious code information of the malicious operation behavior is detected, the malicious code information is sent to the server, and then a developer is notified to perform processing. For example, the developer learns the malicious code information through the server, and modifies the SDK accordingly according to the malicious code information. Wherein the malicious code information includes a name and a location in the SDK of the malicious code.
Meanwhile, aiming at the SDK which automatically downloads the malicious codes online from the network, when the malicious operation behavior occurs, the information of the malicious codes is also sent to the server, so that developers can also perform corresponding investigation.
Optionally, the application to be detected is an Android application, please refer to fig. 3, and fig. 3 is a desktop environment of an Android operating system provided by the electronic device 100. The inventor researches and discovers that the malicious operation behaviors of partial malicious codes are extremely hidden. When the user returns to the desktop after using the Android application program, a new illegal display interface is triggered, wherein the illegal display interface can be an interface which is provided by the Android application program and is very similar to other Android application programs, and can also be a display interface which is provided by other Android application programs and is triggered by the Android application program. The user can mistakenly think that the illegal display interface is the interface displayed after the user mistakenly triggers the corresponding Android application program.
It should be understood that the display process of the illegal display interface is not actively triggered by the user, and the illegal display interface is completely popped up without the user knowing.
For example, when the user returns to the desktop after using the Android application, interfaces of shopping websites pop up, so that the user mistakenly thinks that the shopping-type Android application is triggered by mistake.
Based on this, the electronic device 100 needs to first determine whether the Android application exits from the program display interface. The electronic device 100 obtains the number of the currently opened display interfaces of the Android application program, and when the number of the display interfaces is 0, indicates that the Android application program exits the program display interface. The electronic device 100 can respond to operations such as a user clicking a return key and a Home key provided by the Android system or switching to other Android applications, and the current Android application exits the program display interface. In the above manner, the number of the display interfaces of the current Android application program is set to be 0.
The Activity component is of four major components of the Android system, including an Activity component, a Service component, a BroadcastAcceiver component and a ContentProvider component, wherein the Activity component is used for displaying an operation interface when being responsible for interacting with a user, and when the interface displayed by the Activity component of the Android application is 0, the Android application exits the display interface of the Android application and does not occupy the screen of the electronic device 100 any more.
Based on the above principle, the electronic device 100 detects whether a new target display interface is triggered when the Android application exits from the program display interface.
The electronic device 100 acquires configuration information used by the Android application program for triggering a target display interface, matches the configuration information of the target display interface with preset legal configuration information, and if the configuration information of the target display interface fails to match with the preset legal configuration information, the target display interface is an illegal display interface.
It should be understood that the Android system realizes interaction between each component of the Android system and the Android program through an Intent mechanism. Therefore, if the target display interface is triggered by the Android application program, the configuration information of the target display interface needs to be transmitted through an Intent mechanism, so that the Android system selects a corresponding component or other Android programs to display according to the configuration information.
It should be noted that the target display interface may be an interface displayed by an Activity component of the Android application program itself, or an interface displayed by another application Android program.
Based on this principle, the electronic device 100 obtains the configuration information of the target display interface and matches the configuration information with the preset legal configuration information. The configuration information comprises package names of other Android application programs and a scheme protocol, and the scheme protocol is used for enabling the other Android application programs to execute corresponding display actions according to data in the scheme protocol.
For example, the package name of the other Android application is that of a shopping-type Android application, and the data of the scheme protocol is a link of a certain commodity. And the shopping Android application program opens a corresponding shopping interface according to the link in the scheme protocol.
If the electronic device 100 fails to match the configuration information of the target display interface with the preset legal configuration information, the target display interface is an illegal display interface and belongs to a malicious operation behavior executed by a malicious code. The electronic device 100 obtains a method call stack when a malicious operation behavior occurs through a Java virtual machine, and then obtains malicious code information of the malicious code.
Specifically, in possible examples, the malicious code detection method may be implemented by rewriting methods such as startActivity () and startActivities () in an Application class in an Android system.
Optionally, the electronic device 100 is also in communication with a server. If the electronic device 100 finds code information for executing a malicious operation behavior, the malicious code information for executing the malicious operation behavior is sent to the server, so that developers can conveniently view or perform backend program alarm processing on the server.
Therefore, developers can know the current state of the application program in time and perform corresponding processing aiming at the malicious code in time, and the use experience of users is improved.
Referring to fig. 4, an malicious code detection apparatus 110 is further provided in an embodiment of the present application, and is applied to an electronic device 100. from functional division, the malicious code detection apparatus 110 includes an operation behavior detection module 1101, a call information acquisition module 1102, and a malicious code determination module 1103.
The operation behavior detection module 1101 is configured to detect whether a malicious operation behavior exists in the application to be detected when the application to be detected runs.
In the present embodiment, the operation behavior detection module 1101 is configured to execute step S100 in fig. 2, and reference may be made to the detailed description of step S100 for a detailed description of the operation behavior detection module 1101.
The calling information obtaining module 1102 is configured to obtain code calling information when a malicious operation behavior occurs if the application to be detected has the malicious operation behavior.
In this embodiment, the calling information acquiring module 1102 is configured to execute step S200 in fig. 2, and reference may be made to the detailed description of step S200 for a detailed description of the calling information acquiring module 1102.
The malicious code determining module 1103 is configured to determine, according to the code invoking information, malicious code information for executing the malicious operation behavior.
In this embodiment, the malicious code determination module 1103 is configured to perform step S300 in fig. 2, and the detailed description about the malicious code determination module 1103 may refer to the detailed description of step S300.
The embodiment of the present application further provides electronic devices 100, which include a processor 130 and a memory 120, where the memory 120 stores machine executable instructions that can be executed by the processor 130, and the processor 130 can execute the machine executable instructions to implement the malicious code detection method.
The embodiment of the application also provides storage media, on which computer programs are stored, and when the computer programs are executed, the malicious code detection method is realized.
In summary, according to the malicious code detection method, device, electronic device and storage medium provided by the embodiment of the application, when the application to be detected runs and the application to be detected is detected to have a preset type of malicious operation behavior, the code calling information of the application to be detected is acquired, and the malicious code information of the malicious operation behavior is determined according to the code calling information.
The apparatus embodiments described above are merely illustrative, and for example, the flowcharts and block diagrams in the figures may show the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application.
In addition, each functional module in the embodiments of the present application may be integrated in to form independent parts, or each module may exist separately, or two or more modules may be integrated to form independent parts.
Based on the understanding that the technical solution of the present application, in essence or a part contributing to the prior art, or a part of the technical solution, can be embodied in the form of a software product, the computer software product is stored in storage media, and includes several instructions for making computer devices (which may be personal computers, servers, or network devices) execute all or part of the steps of the methods described in the embodiments of the present application.
It should be noted that, in this document, relational terms such as , second and the like are only used to distinguish entities or operations from another entities or operations, and no necessarily requires or implies that any such actual relationship or order exists between the entities or operations.
The above description is only for various embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the present application, and all such changes or substitutions are included in the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1, malicious code detection method, applied to electronic equipment, the method comprising:
when an application program to be detected runs, detecting whether the application program to be detected has malicious operation behaviors of a preset type;
if the application program to be detected has the malicious operation behaviors, code calling information when the malicious operation behaviors occur is obtained;
and determining malicious code information for executing the malicious operation behaviors according to the code calling information.
2. The malicious code detection method according to claim 1, further comprising:
and if the application program to be detected has the malicious operation behaviors, cutting off the malicious operation behaviors.
3. The malicious code detection method according to claim 1, wherein the electronic device is further in communication with a server, the method further comprising:
and sending the malicious code information for executing the malicious operation behaviors to the server so as to facilitate the viewing of developers or the warning processing of a background program of the server.
4. The method according to claim 1, wherein the step of detecting whether the application to be detected has a malicious operation behavior when the application to be detected runs comprises:
and when the application program to be detected exits the program display interface, detecting whether the application program to be detected triggers a new illegal display interface.
5. The malicious code detection method according to claim 4, wherein the application to be detected is an Android application, and the step of detecting whether the application to be detected triggers a new illegal display interface includes:
acquiring configuration information of the Android application program for triggering a target display interface;
matching the configuration information of the target display interface with preset legal configuration information;
and if the configuration information of the target display interface is unsuccessfully matched with the preset legal configuration information, the target display interface is the illegal display interface.
6. The malicious code detection method according to claim 5, wherein the step of the application program to be detected exiting the program display interface comprises:
acquiring the number of display interfaces currently opened by the Android application program, wherein the display interfaces are display interfaces displayed by an Activity component of the Android application program;
and when the number of the display interfaces is 0, the Android application program exits the program display interface.
7. The method according to claim 5, wherein the step of obtaining code invocation information when the malicious operation behavior occurs comprises:
acquiring a method call stack when the malicious operation behavior occurs through a Java virtual machine;
and obtaining the code calling information according to the method calling stack.
The malicious code detection device is applied to electronic equipment and is characterized by comprising an operation behavior detection module, a calling information acquisition module and a malicious code determination module;
the operation behavior detection module is used for detecting whether the application program to be detected has malicious operation behaviors when the application program to be detected runs;
the calling information acquisition module is used for acquiring code calling information when the malicious operation behavior occurs if the application program to be detected has the malicious operation behavior;
and the malicious code determining module is used for determining the malicious code information for executing the malicious operation behaviors according to the code calling information.
An electronic device of 9, , comprising a processor and a memory, the memory storing machine executable instructions executable by the processor to implement the malicious code detection method of any of claims 1-7 through .
Storage medium 10, , having stored thereon a computer program which, when executed, implements the malicious code detection method of any of claims 1-7 .
CN201911003904.9A 2019-10-22 2019-10-22 Malicious code detection method and device, electronic equipment and storage medium Active CN110737887B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911003904.9A CN110737887B (en) 2019-10-22 2019-10-22 Malicious code detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911003904.9A CN110737887B (en) 2019-10-22 2019-10-22 Malicious code detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110737887A true CN110737887A (en) 2020-01-31
CN110737887B CN110737887B (en) 2021-11-30

Family

ID=69270733

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911003904.9A Active CN110737887B (en) 2019-10-22 2019-10-22 Malicious code detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110737887B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111598589A (en) * 2020-05-20 2020-08-28 闻泰通讯股份有限公司 Electronic equipment detection method and device, storage medium and electronic equipment
CN112231697A (en) * 2020-11-05 2021-01-15 腾讯科技(深圳)有限公司 Third-party SDK behavior detection method, device, medium and electronic equipment
CN112380540A (en) * 2020-11-13 2021-02-19 武汉虹旭信息技术有限责任公司 Android application security detection method and device
WO2022126616A1 (en) * 2020-12-18 2022-06-23 华为技术有限公司 Malicious application detection method and apparatus, and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060005148A1 (en) * 2004-06-30 2006-01-05 Microsoft Corporation System and method for content-based filtering of popup objects
CN103279706A (en) * 2013-06-07 2013-09-04 北京奇虎科技有限公司 Method and device for intercepting installation of Android application program in mobile terminal
CN103309808A (en) * 2013-06-13 2013-09-18 中国科学院信息工程研究所 Label-based black box detection method and system for privacy disclosure of Android user
US20160232347A1 (en) * 2015-02-09 2016-08-11 Palo Alto Networks, Inc. Mitigating malware code injections using stack unwinding
CN106126562A (en) * 2016-06-15 2016-11-16 广东欧珀移动通信有限公司 A kind of pop-up hold-up interception method and terminal
CN107392026A (en) * 2017-06-23 2017-11-24 北京小度信息科技有限公司 leak detection method and device
CN107657177A (en) * 2017-09-30 2018-02-02 北京奇虎科技有限公司 A kind of leak detection method and device

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060005148A1 (en) * 2004-06-30 2006-01-05 Microsoft Corporation System and method for content-based filtering of popup objects
CN103279706A (en) * 2013-06-07 2013-09-04 北京奇虎科技有限公司 Method and device for intercepting installation of Android application program in mobile terminal
CN103309808A (en) * 2013-06-13 2013-09-18 中国科学院信息工程研究所 Label-based black box detection method and system for privacy disclosure of Android user
US20160232347A1 (en) * 2015-02-09 2016-08-11 Palo Alto Networks, Inc. Mitigating malware code injections using stack unwinding
CN106126562A (en) * 2016-06-15 2016-11-16 广东欧珀移动通信有限公司 A kind of pop-up hold-up interception method and terminal
CN107392026A (en) * 2017-06-23 2017-11-24 北京小度信息科技有限公司 leak detection method and device
CN107657177A (en) * 2017-09-30 2018-02-02 北京奇虎科技有限公司 A kind of leak detection method and device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111598589A (en) * 2020-05-20 2020-08-28 闻泰通讯股份有限公司 Electronic equipment detection method and device, storage medium and electronic equipment
CN112231697A (en) * 2020-11-05 2021-01-15 腾讯科技(深圳)有限公司 Third-party SDK behavior detection method, device, medium and electronic equipment
CN112380540A (en) * 2020-11-13 2021-02-19 武汉虹旭信息技术有限责任公司 Android application security detection method and device
WO2022126616A1 (en) * 2020-12-18 2022-06-23 华为技术有限公司 Malicious application detection method and apparatus, and storage medium

Also Published As

Publication number Publication date
CN110737887B (en) 2021-11-30

Similar Documents

Publication Publication Date Title
CN110737887B (en) Malicious code detection method and device, electronic equipment and storage medium
US10552610B1 (en) Adaptive virtual machine snapshot update framework for malware behavioral analysis
US20200065178A1 (en) Method and system for problem modification and processing
US20150304440A1 (en) Systems and Methods for Pushing Applications
US9367381B2 (en) Method and system for exception detecting and alerting
US10474826B2 (en) Methods and apparatuses for improved app security testing
US10681080B1 (en) System and method for assessing android applications malware risk
US10656981B2 (en) Anomaly detection using sequences of system calls
US10191986B2 (en) Web resource compatibility with web applications
CN107729452B (en) Webpage loading method and device, electronic equipment and computer readable storage medium
US20180227326A1 (en) Detecting sensitive data sent from client device to third-party
CN109815701B (en) Software security detection method, client, system and storage medium
JP2004038273A (en) Computer virus checking equipment and method, computer program, and mail gateway system
CN113391874A (en) Virtual machine detection countermeasure method and device, electronic equipment and storage medium
JP2018200642A (en) Threat detection program, threat detection method, and information processing apparatus
CN112711424B (en) Method and device for determining risk problems of application program and storage medium
CN112905197A (en) Information processing method, device and system, electronic equipment and storage medium
WO2020192179A1 (en) Security detection method, device and system based on ios application
WO2020117222A1 (en) Comparisons of application programming interface interactions to determine compatibilities
JP7230951B2 (en) Mobile terminal, information processing system, control method, and program
CN108985013B (en) Method, device, client and server for detecting use of SWF file by third-party application program
CN106709331B (en) Message hook injection prevention method and device and client
US9830215B1 (en) Computing system error analysis based on system dump data
CN115269252A (en) Application program fault processing method, device, equipment and storage medium
CN111045724B (en) Query method, device and readable storage medium for calling chain information

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220706

Address after: 100000 3-701, floor 7, No. 28, Chengfu Road, Haidian District, Beijing

Patentee after: BEIJING MEITU HOME TECHNOLOGY Co.,Ltd.

Address before: B1f-089, Zone C, Huaxun building, software park, torch high tech Zone, Xiamen City, Fujian Province

Patentee before: XIAMEN HOME MEITU TECHNOLOGY Co.,Ltd.

TR01 Transfer of patent right