CN110737887B - Malicious code detection method and device, electronic equipment and storage medium - Google Patents

Publication number: CN110737887B
Authority: CN (China)
Prior art keywords: malicious, detected, application program, display interface, program
Legal status: Active
Application number: CN201911003904.9A
Other languages: Chinese (zh)
Other versions: CN110737887A (en)
Inventor: 陈鸿图
Current Assignee: Beijing Meitu Home Technology Co ltd
Original Assignee: Xiamen Meitu Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Abstract

The application provides a malicious code detection method and device, electronic equipment and a storage medium. When the application program to be detected is running and a preset type of malicious operation behavior is detected, the method acquires the code calling information of the application program and determines from it the malicious code information of the malicious operation behavior. Malicious code is therefore detected automatically while the application program runs, which improves the precision and efficiency of checking for malicious code.

Description

Malicious code detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computers, and in particular, to a malicious code detection method, apparatus, electronic device, and storage medium.
Background
During program development, an off-the-shelf SDK (Software Development Kit) is often used to speed up the work. However, developers of third-party SDKs may insert malicious code into the SDK to make a profit, for example by using the inserted code for advertising promotion in order to charge an advertising fee.
At present, this problem is mainly addressed by static inspection and by SDK difference comparison. Static inspection decompiles the SDK to obtain readable source code, which developers then review. SDK difference comparison compares an old SDK version that contains no malicious code with the new SDK version to be checked, finds the places where the new version was modified relative to the old one, and focuses the check on those places, which narrows the scope of the check.
Both approaches rely on manual checking by developers. When the SDK is large, this wastes time and labor and places high demands on the developers' technical level. The efficiency and accuracy of the check depend heavily on the developer.
Disclosure of Invention
The application aims to provide a malicious code detection method, a malicious code detection device, electronic equipment and a storage medium, and aims to accurately search malicious codes in an application program.
An object of an embodiment of the present application is to provide a malicious code detection method, which is applied to an electronic device, and the method includes:
when an application program to be detected runs, detecting whether the application program to be detected has malicious operation behaviors;
if the application program to be detected has a malicious operation behavior, code calling information when the malicious operation behavior occurs is obtained;
and determining malicious code information for executing the malicious operation behaviors according to the code calling information.
Optionally, the method further comprises:
and if the application program to be detected has the malicious operation behavior, intercepting the malicious operation behavior.
Optionally, the electronic device is further in communication with a server, and the method further comprises:
and sending the malicious code information for executing the malicious operation behavior to the server, so that developers can view it or a background program of the server can perform alarm processing.
Optionally, when the application program to be detected runs, the step of detecting whether the application program to be detected has a malicious operation behavior includes:
and when the application program to be detected exits the program display interface, detecting whether the application program to be detected triggers a new illegal display interface.
Optionally, the application to be detected is an Android application, and the step of detecting whether the application to be detected triggers a new illegal display interface includes:
acquiring configuration information of the Android application program for triggering a target display interface;
matching the configuration information of the target display interface with preset legal configuration information;
and if the configuration information of the target display interface fails to match the preset legal configuration information, the target display interface is the illegal display interface.
Optionally, the step of determining that the application to be detected has exited the program display interface includes:
acquiring the number of display interfaces currently opened by the Android application program, wherein the display interfaces are display interfaces displayed by an Activity component of the Android application program;
and when the number of the display interfaces is 0, the Android application program exits the program display interface.
Optionally, the step of obtaining the code calling information when the malicious operation behavior occurs includes:
acquiring a method call stack when the malicious operation behavior occurs through a Java virtual machine;
and obtaining the code calling information according to the method calling stack.
A second object of the embodiments of the present application is to provide a malicious code detection apparatus, which is applied to an electronic device, and includes an operation behavior detection module, a call information acquisition module, and a malicious code determination module;
the operation behavior detection module is used for detecting whether the application program to be detected has malicious operation behaviors when the application program to be detected runs;
the calling information acquisition module is used for acquiring code calling information when the malicious operation behavior occurs if the application program to be detected has the malicious operation behavior;
and the malicious code determining module is used for determining the malicious code information for executing the malicious operation behaviors according to the code calling information.
It is a further object of an embodiment of the present application to provide an electronic device, which includes a processor and a memory, where the memory stores machine executable instructions that can be executed by the processor, and the processor can execute the machine executable instructions to implement the malicious code detection method.
It is a fourth object of the embodiments of the present application to provide a storage medium having a computer program stored thereon, where the computer program is executed to implement the malicious code detection method.
Compared with the prior art, the method has the following beneficial effects:
The embodiments of the present application provide a malicious code detection method and device, electronic equipment and a storage medium. When the application program to be detected is running and a preset type of malicious operation behavior is detected, the method acquires the code calling information of the application program and determines from it the malicious code information of the malicious operation behavior. Malicious code is therefore detected automatically while the program runs, which improves the precision and efficiency of checking for malicious code.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a hardware structure diagram of an electronic device according to an embodiment of the present disclosure;
Fig. 2 is a flowchart illustrating steps of a malicious code detection method according to an embodiment of the present disclosure;
Fig. 3 is a schematic diagram of a desktop of a mobile phone provided in an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a malicious code detection apparatus according to an embodiment of the present application.
Reference numerals: 100 - electronic device; 110 - malicious code detection apparatus; 120 - memory; 130 - processor; 1101 - operation behavior detection module; 1102 - call information acquisition module; 1103 - malicious code determination module.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
As described in the background section, if a third-party SDK is used in developing an application, the developer of the SDK may have inserted malicious code into it for profit. Therefore, an application developer who uses a third-party SDK needs to check the SDK to avoid bringing in malicious code. At present, developers mainly check manually during application development, so both the efficiency and the precision of the check are low.
Based on this, the embodiment of the present application provides a malicious code detection method, which is applied to the electronic device 100. The electronic Device 100 may be, but is not limited to, a smart phone, a Personal Computer (PC), a tablet PC, a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), and the like.
Referring to fig. 1, the electronic device 100 includes a malicious code detection apparatus 110, a memory 120, and a processor 130. The memory 120, the processor 130, and the various elements are electrically connected to each other, directly or indirectly, to enable data transfer or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The malicious code detection apparatus 110 includes at least one software functional module which can be stored in the memory 120 in the form of software or firmware (firmware) or solidified in an Operating System (OS) of the electronic device 100. The processor 130 is used for executing executable modules stored in the memory 120, such as software functional modules and computer programs included in the malicious code detection apparatus 110.
The memory 120 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 120 is used for storing a program, and the processor 130 executes the program after receiving an execution instruction.
The processor 130 may be an integrated circuit chip having signal processing capabilities. The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
Referring to fig. 2, fig. 2 is a flowchart illustrating a malicious code detection method according to an embodiment of the present disclosure, and the method includes various steps which will be described in detail below.
Step S100, when the application program to be detected runs, whether the application program to be detected has malicious operation behaviors or not is detected.
It should be understood that the application program to be detected is the formal version of the application program released to users, and that malicious operation behaviors are detected while the user is using the application program to be detected. It should also be understood that some SDKs contain no malicious code themselves; when a user uses an application program that integrates such an SDK, the SDK automatically downloads the malicious code from the network and runs it. Manual checking by a developer during development cannot find or resolve malicious code of this type.
Step S200, if the application program to be detected has a malicious operation behavior, code calling information when the malicious operation behavior occurs is obtained.
And step S300, determining malicious code information for executing the malicious operation behaviors according to the code calling information.
While the application program to be detected is running, once the electronic device 100 detects the malicious operation behavior, it acquires the code calling information at the moment the malicious operation behavior occurs. It should be understood that if the malicious code comes from the SDK, the relevant malicious code in the SDK is invoked on the electronic device 100 when the malicious behavior occurs. The electronic device 100 therefore obtains the context information of the running application program to be detected at the moment the malicious behavior occurs, and from it determines the malicious code information of the malicious operation behavior.
Because malicious operation behaviors are detected while the application program to be detected runs, developers do not need to check for malicious code manually during development, which improves checking efficiency. The detection precision is also extremely high, and it avoids normal code being misjudged as malicious code because of a developer's personal technical level.
Optionally, in order to improve user experience, when the electronic device 100 detects a malicious operation behavior, it intercepts the behavior so that the user is not affected. For example, upon detecting that an illegal advertisement interface is about to be opened, the electronic device 100 intercepts it and prevents it from popping up.
Optionally, the electronic device 100 is further communicatively connected to a server. When malicious code information of the malicious operation behavior is detected, the malicious code information is sent to the server, and a developer is then notified to handle it. For example, the developer learns the malicious code information through the server and modifies the SDK accordingly. The malicious code information includes the name of the malicious code and its location in the SDK.
Likewise, for an SDK that automatically downloads malicious code from the network, when the malicious operation behavior occurs, the malicious code information is also sent to the server, so that developers can investigate accordingly.
Optionally, the application to be detected is an Android application. Referring to fig. 3, fig. 3 shows a desktop environment of an Android operating system provided by the electronic device 100. The inventor found through research that the malicious operation behaviors of some malicious code are extremely well hidden. When the user returns to the desktop after using the Android application program, a new illegal display interface is triggered. The illegal display interface may be an interface provided by the Android application program itself that closely resembles another Android application program, or it may be a display interface provided by another Android application program and triggered by the Android application program. The user may mistakenly believe that the illegal display interface appeared because the user accidentally launched the corresponding Android application program.
It should be understood that the display process of the illegal display interface is not actively triggered by the user, and the illegal display interface is completely popped up without the user knowing.
For example, when the user returns to the desktop after using the Android application, some interfaces of a shopping website pop up, so that the user mistakenly thinks that a shopping-type Android application was accidentally triggered.
Based on this, the electronic device 100 first needs to determine whether the Android application has exited the program display interface. The electronic device 100 obtains the number of display interfaces currently opened by the Android application program; when the number of display interfaces is 0, the Android application program has exited the program display interface. The current Android application exits the program display interface when the electronic device 100 responds to operations such as the user clicking the return key or the Home key provided by the Android system, or switching to another Android application. In each of these cases, the number of display interfaces of the current Android application program becomes 0.
It should be understood that the display interface is the display interface displayed by the Activity component of the Android application. The Activity component is one of the four major components of an Android system, which are the Activity component, the Service component, the BroadcastReceiver component and the ContentProvider component. The Activity component is used for displaying an operation interface when interacting with a user. When the number of interfaces displayed by the Activity component of the Android application program is 0, the Android application program has exited the program display interface and does not occupy the screen of the electronic device 100.
Based on the above principle, the electronic device 100 detects whether a new target display interface is triggered when the Android application exits from the program display interface.
The electronic device 100 acquires configuration information used by the Android application program for triggering a target display interface, matches the configuration information of the target display interface with preset legal configuration information, and if the configuration information of the target display interface fails to match with the preset legal configuration information, the target display interface is an illegal display interface.
It should be understood that the Android system realizes interaction between each component of the Android system and the Android program through an Intent mechanism. Therefore, if the target display interface is triggered by the Android application program, the configuration information of the target display interface needs to be transmitted through an Intent mechanism, so that the Android system selects a corresponding component or other Android programs to display according to the configuration information.
It should be noted that the target display interface may be an interface displayed by an Activity component of the Android application program itself, or an interface displayed by another Android application program.
Based on this principle, the electronic device 100 obtains the configuration information of the target display interface and matches the configuration information with the preset legal configuration information. The configuration information comprises package names of other Android application programs and a scheme protocol, and the scheme protocol is used for enabling the other Android application programs to execute corresponding display actions according to data in the scheme protocol.
For example, the package name of the other Android application is that of a shopping-type Android application, and the data of the scheme protocol is a link of a certain commodity. And the shopping Android application program opens a corresponding shopping interface according to the link in the scheme protocol.
If the electronic device 100 fails to match the configuration information of the target display interface with the preset legal configuration information, the target display interface is an illegal display interface and belongs to a malicious operation behavior executed by a malicious code. The electronic device 100 obtains a method call stack when a malicious operation behavior occurs through a Java virtual machine, and then obtains malicious code information of the malicious code.
Specifically, in a possible example, the malicious code detection method may be implemented by overriding startActivity() and startActivities() in the Application class of the Android system.
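The steps described above (counting the Activities still on screen, matching the Intent's package name and scheme against preset legal configuration, and reading the method call stack to name the caller) are shown here as an added example; it is not code from the patent. The package com.example.guard, the allowlist values and every class and helper name are assumptions made for illustration.

```java
// Added example, not the patent's code; names and allowlist values are assumptions.
package com.example.guard;

import android.app.Activity;
import android.app.Application;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;

public class GuardedApplication extends Application
        implements Application.ActivityLifecycleCallbacks {
    private static final String TAG = "GuardedApplication";
    // Preset legal configuration (constructed values): allowed targets when no UI is shown.
    private static final Set<String> LEGAL_PACKAGES =
            new HashSet<>(Arrays.asList("com.example.guard"));
    private static final Set<String> LEGAL_SCHEMES =
            new HashSet<>(Arrays.asList("https", "exampleapp"));
    // Frames under these prefixes are runtime, framework or host-app code, not SDK code.
    private static final String[] SKIP_PREFIXES = {
            "java.", "dalvik.", "android.", "androidx.", "com.android.", "com.example.guard."
    };
    // Number of this app's Activities currently started, i.e. visible to the user.
    private final AtomicInteger startedActivities = new AtomicInteger();

    @Override public void onCreate() {
        super.onCreate();
        registerActivityLifecycleCallbacks(this);
    }

    // Launches made through the Application context all pass through allow().
    @Override public void startActivity(Intent intent) {
        if (allow(intent)) super.startActivity(intent);
    }
    @Override public void startActivity(Intent intent, Bundle options) {
        if (allow(intent)) super.startActivity(intent, options);
    }
    @Override public void startActivities(Intent[] intents) {
        if (allow(intents)) super.startActivities(intents);
    }
    @Override public void startActivities(Intent[] intents, Bundle options) {
        if (allow(intents)) super.startActivities(intents, options);
    }

    /** Returns false, after reporting, for a non-allowlisted launch while no UI is shown. */
    private boolean allow(Intent... intents) {
        if (startedActivities.get() > 0) return true;  // app still has a display interface open
        for (Intent intent : intents) {
            if (!isLegal(intent)) {
                Throwable trace = new Throwable("launch with no visible Activity");
                report(intent, firstForeignFrame(trace.getStackTrace()), trace);
                return false;                          // block the whole launch
            }
        }
        return true;
    }

    /** Matches target package and data scheme; an Intent naming no package fails the match. */
    private static boolean isLegal(Intent intent) {
        ComponentName component = intent.getComponent();
        String pkg = component != null ? component.getPackageName() : intent.getPackage();
        String scheme = intent.getScheme();            // null when the Intent has no data URI
        return pkg != null && LEGAL_PACKAGES.contains(pkg)
                && (scheme == null || LEGAL_SCHEMES.contains(scheme));
    }

    /** First call-stack frame that is not runtime, framework or host-app code, or null. */
    private static StackTraceElement firstForeignFrame(StackTraceElement[] stack) {
        outer:
        for (StackTraceElement frame : stack) {
            for (String prefix : SKIP_PREFIXES) {
                if (frame.getClassName().startsWith(prefix)) continue outer;
            }
            return frame;
        }
        return null;
    }

    // Logs the target, the attributed caller and the full method call stack.
    private static void report(Intent intent, StackTraceElement origin, Throwable trace) {
        String caller = origin == null ? "unknown"
                : origin.getClassName() + "." + origin.getMethodName();
        Log.w(TAG, "Blocked launch: target=" + intent + " caller=" + caller, trace);
    }

    @Override public void onActivityStarted(Activity a) { startedActivities.incrementAndGet(); }
    @Override public void onActivityStopped(Activity a) { startedActivities.decrementAndGet(); }
    @Override public void onActivityCreated(Activity a, Bundle state) { }
    @Override public void onActivityResumed(Activity a) { }
    @Override public void onActivityPaused(Activity a) { }
    @Override public void onActivitySaveInstanceState(Activity a, Bundle outState) { }
    @Override public void onActivityDestroyed(Activity a) { }
}
```

Only launches issued through the Application context reach these overrides; a launch made from another Context is not seen by this check.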
Optionally, the electronic device 100 is also in communication with a server. If the electronic device 100 finds the code information for executing a malicious operation behavior, it sends the malicious code information to the server, so that developers can view it or a background program of the server can perform alarm processing.
Therefore, developers can know the current state of the application program in time and perform corresponding processing aiming at the malicious code in time, and the use experience of users is improved.
Referring to fig. 4, an embodiment of the present application further provides a malicious code detection apparatus 110, which is applied to the electronic device 100. Functionally, the malicious code detection apparatus 110 includes an operation behavior detection module 1101, a call information acquisition module 1102, and a malicious code determination module 1103.
The operation behavior detection module 1101 is configured to detect whether a malicious operation behavior exists in the application to be detected when the application to be detected runs.
In the present embodiment, the operation behavior detection module 1101 is configured to execute step S100 in fig. 2, and reference may be made to the detailed description of step S100 for a detailed description of the operation behavior detection module 1101.
The calling information obtaining module 1102 is configured to obtain code calling information when a malicious operation behavior occurs if the application to be detected has the malicious operation behavior.
In this embodiment, the calling information acquiring module 1102 is configured to execute step S200 in fig. 2, and reference may be made to the detailed description of step S200 for a detailed description of the calling information acquiring module 1102.
The malicious code determining module 1103 is configured to determine, according to the code invoking information, malicious code information for executing the malicious operation behavior.
In this embodiment, the malicious code determination module 1103 is configured to perform step S300 in fig. 2, and the detailed description about the malicious code determination module 1103 may refer to the detailed description of step S300.
The embodiment of the present application further provides an electronic device 100, which includes a processor 130 and a memory 120, where the memory 120 stores machine executable instructions that can be executed by the processor 130, and the processor 130 can execute the machine executable instructions to implement the malicious code detection method.
The embodiment of the application also provides a storage medium, on which a computer program is stored, and when the computer program is executed, the malicious code detection method is realized.
In summary, the embodiments of the present application provide a malicious code detection method, apparatus, electronic device, and storage medium. When the application program to be detected is running and a preset type of malicious operation behavior is detected, the method acquires the code calling information of the application program and determines from it the malicious code information of the malicious operation behavior. Malicious code is therefore detected automatically while the program runs, which improves the precision and efficiency of checking for malicious code.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and various other media capable of storing program code.
It is noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only for various embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the present application, and all such changes or substitutions are included in the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (9)

1. A malicious code detection method, applied to an electronic device, comprising the following steps:
when an application program to be detected runs, detecting whether the application program to be detected has malicious operation behaviors of a preset type, wherein the detection includes judging whether the application program to be detected exits from a program display interface, and when the application program to be detected exits from the program display interface, judging whether the application program to be detected triggers a new illegal display interface;
if the application program to be detected has the malicious operation behavior, code calling information when the malicious operation behavior occurs is obtained, wherein the code calling information is context information of program running of the application program to be detected when the malicious behavior occurs;
and determining malicious code information for executing the malicious operation behaviors according to the code calling information.
2. The malicious code detection method according to claim 1, further comprising:
and if the application program to be detected has the malicious operation behaviors, intercepting the malicious operation behaviors.
3. The malicious code detection method according to claim 1, wherein the electronic device is further in communication with a server, the method further comprising:
and sending the malicious code information for executing the malicious operation behaviors to the server so as to facilitate the viewing of developers or the warning processing of a background program of the server.
4. The malicious code detection method according to claim 1, wherein the application to be detected is an Android application, and the step of determining whether the application to be detected triggers a new illegal display interface includes:
acquiring configuration information of the Android application program for triggering a target display interface;
matching the configuration information of the target display interface with preset legal configuration information;
and if the configuration information of the target display interface fails to match the preset legal configuration information, the target display interface is the illegal display interface.
5. The malicious code detection method according to claim 4, wherein the step of determining whether the application to be detected exits the program display interface comprises:
acquiring the number of display interfaces currently opened by the Android application program, wherein the display interfaces are display interfaces displayed by an Activity component of the Android application program;
and when the number of the display interfaces is 0, the Android application program exits the program display interface.
6. The method according to claim 4, wherein the step of obtaining code invocation information when the malicious operation behavior occurs comprises:
acquiring a method call stack when the malicious operation behavior occurs through a Java virtual machine;
and obtaining the code calling information according to the method calling stack.
7. A malicious code detection device, applied to an electronic device, comprising an operation behavior detection module, a calling information acquisition module and a malicious code determination module;
the operation behavior detection module is used for detecting whether the application program to be detected has malicious operation behaviors when the application program to be detected runs, judging whether the application program to be detected exits the program display interface or not, and judging whether the application program to be detected triggers a new illegal display interface or not when the application program to be detected exits the program display interface;
the calling information acquisition module is used for acquiring code calling information when the malicious operation behavior occurs if the application program to be detected has the malicious operation behavior, wherein the code calling information is context information of program operation of the application program to be detected when the malicious behavior occurs;
and the malicious code determining module is used for determining the malicious code information for executing the malicious operation behaviors according to the code calling information.
8. An electronic device comprising a processor and a memory, the memory storing machine executable instructions executable by the processor to implement the malicious code detection method of any of claims 1-6.
9. A storage medium having stored thereon a computer program which, when executed, implements the malicious code detection method of any one of claims 1 to 6.
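The detection flow of claims 1, 2 and 4 to 6, modelled on a plain JVM as an added example; it is not code from the patent or its applicant. The class names, package names and the allow-list standing in for the "preset legal configuration information" are hypothetical, and `Set.of` assumes Java 9 or later.

```java
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;

// Plain-JVM model of claims 1, 2 and 4-6; every name here is hypothetical.
// How this is wired into Android (Activity lifecycle callbacks feeding the
// counter, a hook on the launch path calling checkLaunch) is assumed, not shown.
public class BackgroundLaunchMonitor {
    // Claim 4: "preset legal configuration information", modelled as an
    // allow-list of target display-interface class names (constructed values).
    private static final Set<String> LEGAL_TARGETS = Set.of(
            "com.example.app.MainActivity", "com.example.app.SettingsActivity");

    // Claim 5: number of display interfaces (Activities) currently open.
    private static final AtomicInteger openActivities = new AtomicInteger();

    static void onActivityOpened() { openActivities.incrementAndGet(); }
    static void onActivityClosed() { openActivities.decrementAndGet(); }

    /**
     * Returns null when the launch is allowed. Otherwise the launch should be
     * intercepted (claim 2) and the returned frame names the code that asked for it.
     */
    static StackTraceElement checkLaunch(String target) {
        boolean exitedUi = openActivities.get() == 0;        // claim 5
        boolean illegal = !LEGAL_TARGETS.contains(target);   // claim 4
        if (!(exitedUi && illegal)) {
            return null;
        }
        // Claim 6: method call stack from the JVM at the moment of the behaviour.
        // stack[0] is checkLaunch itself; stack[1] is its caller.
        StackTraceElement[] stack = new Throwable().getStackTrace();
        return stack.length > 1 ? stack[1] : stack[0];
    }

    // Constructed stand-in for a bundled third-party component.
    static class AdSdk {
        static StackTraceElement showPopup() {
            return checkLaunch("com.thirdparty.ads.PopupActivity");
        }
    }

    public static void main(String[] args) {
        onActivityOpened();                                   // app UI is showing
        System.out.println("UI open:   " + AdSdk.showPopup());
        onActivityClosed();                                   // user has left the app
        System.out.println("UI exited: " + AdSdk.showPopup());
        System.out.println("legal:     " + checkLaunch("com.example.app.MainActivity"));
    }
}
```

The model returns only the immediate caller; the full array from `getStackTrace()` is the code calling information a developer would review to trace the launch back through the component that requested it.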
CN201911003904.9A 2019-10-22 2019-10-22 Malicious code detection method and device, electronic equipment and storage medium Active CN110737887B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911003904.9A CN110737887B (en) 2019-10-22 2019-10-22 Malicious code detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110737887A (en) 2020-01-31
CN110737887B (en) 2021-11-30

Family

ID=69270733

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911003904.9A Active CN110737887B (en) 2019-10-22 2019-10-22 Malicious code detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110737887B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111598589A (en) * 2020-05-20 2020-08-28 闻泰通讯股份有限公司 Electronic equipment detection method and device, storage medium and electronic equipment
CN112231697A (en) * 2020-11-05 2021-01-15 腾讯科技(深圳)有限公司 Third-party SDK behavior detection method, device, medium and electronic equipment
CN112380540A (en) * 2020-11-13 2021-02-19 武汉虹旭信息技术有限责任公司 Android application security detection method and device
WO2022126616A1 (en) * 2020-12-18 2022-06-23 华为技术有限公司 Malicious application detection method and apparatus, and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106126562A (en) * 2016-06-15 2016-11-16 广东欧珀移动通信有限公司 A kind of pop-up hold-up interception method and terminal
CN107392026A (en) * 2017-06-23 2017-11-24 北京小度信息科技有限公司 leak detection method and device
CN107657177A (en) * 2017-09-30 2018-02-02 北京奇虎科技有限公司 A kind of leak detection method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060005148A1 (en) * 2004-06-30 2006-01-05 Microsoft Corporation System and method for content-based filtering of popup objects
CN103279706B (en) * 2013-06-07 2016-06-22 北京奇虎科技有限公司 Intercept the method and apparatus installing Android application program in the terminal
CN103309808B (en) * 2013-06-13 2016-06-15 华为技术有限公司 Based on privacy disclosure of Android user black box detection method and the system of label
US20160232347A1 (en) * 2015-02-09 2016-08-11 Palo Alto Networks, Inc. Mitigating malware code injections using stack unwinding

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220706

Address after: 100000 3-701, floor 7, No. 28, Chengfu Road, Haidian District, Beijing

Patentee after: BEIJING MEITU HOME TECHNOLOGY Co.,Ltd.

Address before: B1f-089, Zone C, Huaxun building, software park, torch high tech Zone, Xiamen City, Fujian Province

Patentee before: XIAMEN HOME MEITU TECHNOLOGY Co.,Ltd.