CN110944332A - Short message interception horse detection method and device - Google Patents


Info

Publication number: CN110944332A
Application number: CN201811108791.4A
Authority: CN (China)
Prior art keywords: short message, api, sequence, application program, sensitive operation
Legal status: Granted; active
Other languages: Chinese (zh)
Other versions: CN110944332B
Inventors: 钟翔, 陈柱, 高坤, 何淼, 马志远
Current assignee: Wuhan Antiy Information Technology Co ltd
Original assignee: Wuhan Antiy Information Technology Co ltd
Events: application filed by Wuhan Antiy Information Technology Co ltd; priority to CN201811108791.4A; publication of CN110944332A; application granted; publication of CN110944332B

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W12/12 Detection or prevention of fraud
                • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
                    • H04W4/12 Messaging; Mailboxes; Announcements
                        • H04W4/14 Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                        • H04L63/1441 Countermeasures against malicious traffic
                            • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
                            • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/55 Detecting local intrusion or implementing counter-measures
                            • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                                • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
                • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
                        • G06F2221/033 Test or assess software
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
            • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
                • Y02D30/00 Reducing energy consumption in communication networks
                    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

The embodiments of the invention provide a method and a device for detecting SMS interception Trojans (短信拦截马, rendered "short message interception horse" in the machine translation). The method comprises: if an SMS-sensitive operation API is called, acquiring the sequence of APIs historically called by the application that called it; and if that historical API sequence contains every API of any SMS-associated operation API sequence corresponding to the sensitive API, and the order in which those APIs appear in the historical sequence matches the order in that associated sequence, determining that the application is an SMS interception Trojan. Because no static features need to be extracted, detection works whether or not the Trojan has been hardened (packed).

Description

Short message interception horse detection method and device
Technical Field
The embodiments of the invention relate to the field of mobile information security, and in particular to a method and a device for detecting SMS interception Trojans.
Background
An SMS interception Trojan (短信拦截马, "short message interception horse" in the machine translation) is an active and highly damaging class of mobile Trojan that intercepts the SMS messages of the victim's mobile terminal and forwards them to the attacker's. Through these messages the attacker obtains the victim's important personal information, such as user name, national ID number, bank card number, payment password and various login accounts and passwords, and then steals the user's funds. Detecting the Trojan allows countermeasures to be taken in time, before the user's property is put at risk.
The mainstream way of detecting SMS interception Trojans is static detection: without running the software under test, static features are extracted from it and compared against a library of known Trojan static features. To evade static detection, SMS interception Trojans are usually hardened (packed). Hardening prevents the static features from being extracted, so static detection can no longer be performed on the Trojan.
Disclosure of Invention
The embodiments of the invention provide a method and a device for detecting SMS interception Trojans, in order to solve the prior-art problem that hardening prevents a Trojan's static features from being extracted and therefore prevents static detection.
An embodiment provides a method for detecting SMS interception Trojans, comprising: if an SMS-sensitive operation API is called, acquiring the sequence of APIs historically called by the application that called it; and if that historical API sequence contains every API of any SMS-associated operation API sequence corresponding to the sensitive API, and the order in which those APIs appear in the historical sequence matches the order in that associated sequence, determining that the application is an SMS interception Trojan.
An embodiment provides a device for detecting SMS interception Trojans, comprising: an acquisition module, which, if an SMS-sensitive operation API is called, acquires the sequence of APIs historically called by the application that called it; and a determination module, which determines that the application is an SMS interception Trojan if that historical API sequence contains every API of any SMS-associated operation API sequence corresponding to the sensitive API, in the same calling order as in that associated sequence.
An embodiment provides a computer device comprising a processor and a memory, the processor executing a computer program stored in the memory so as to carry out the SMS interception Trojan detection method.
An embodiment provides a computer storage medium storing a computer program which, when executed by a processor, carries out the SMS interception Trojan detection method.
With the method and device of these embodiments, when an application triggers an SMS-sensitive operation, it is checked whether the application previously triggered any group of SMS-associated operations corresponding to that sensitive operation, and this decides whether the application is an SMS interception Trojan. Because no static features need to be extracted, detection works whether or not the Trojan has been hardened.
Drawings
To illustrate the embodiments of the invention or the prior-art solutions more clearly, the drawings used in their description are briefly introduced below. The drawings described show some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of the SMS interception Trojan detection method according to the first method embodiment of the invention;
Fig. 2 is a flowchart of the SMS interception Trojan detection method according to the second method embodiment of the invention;
Fig. 3 is a flowchart of the SMS interception Trojan detection method according to the third method embodiment of the invention;
Fig. 4 is a flowchart of the SMS interception Trojan detection method according to the fourth method embodiment of the invention;
Fig. 5 is a schematic diagram of the SMS interception Trojan detection apparatus according to the first apparatus embodiment of the invention;
Fig. 6 is a schematic diagram of the SMS interception Trojan detection apparatus according to the second apparatus embodiment of the invention;
Fig. 7 is a schematic diagram of the SMS interception Trojan detection apparatus according to the third apparatus embodiment of the invention;
Fig. 8 is a schematic diagram of the SMS interception Trojan detection apparatus according to the fourth apparatus embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions in the embodiments of the invention are described completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the invention.
An SMS interception Trojan is the means by which an attacker acquires a mobile terminal user's important personal information: user name, national ID number, bank card number, payment password, various login accounts and passwords, and so on. With this information the attacker can steal the user's funds and cause financial loss. To protect the user's property, static detection is generally used to detect SMS interception Trojans. Static detection, however, requires extracting static features from the software under test, so a hardened Trojan cannot be detected this way. The invention therefore provides the following detection method to solve this problem.
Fig. 1 is a flowchart of the SMS interception Trojan detection method according to the first method embodiment of the invention. As shown in Fig. 1, in this embodiment the method comprises:
Step S102: if an SMS-sensitive operation API is called, obtain the sequence of APIs historically called by the application that called it;
In this embodiment an SMS-sensitive operation is an operation on SMS messages that can directly lead to a message being intercepted or stolen, for example reading an SMS, sending an SMS, intercepting the SMS-received broadcast, or deleting an SMS. The SMS-sensitive operation API is the API that is called to carry out such an operation. A call to it means that an application may be intercepting or stealing the terminal's messages, but it may equally be a legitimate application performing an ordinary SMS operation, for example user-authorised device management software clearing old messages.
The application's historical API call sequence is the list of APIs the application called before the sensitive API, arranged in order of call time. Obtaining it yields the series of operations the application performed before the sensitive operation, from which it can be judged whether the application that called the sensitive API is an SMS interception Trojan or a normal application.
Step S104: if the application's historical API sequence contains every API of any SMS-associated operation API sequence corresponding to the sensitive API, and the order in which those APIs appear in the historical sequence matches the order in that associated sequence, the application is an SMS interception Trojan.
In this embodiment an SMS-associated operation is an identity-hiding, privilege-acquiring or data-monitoring operation, for example hiding the launcher icon, registering as device administrator, querying the device-administrator state, or obtaining the SMS PDUs. A group of such operations prepares the ground for SMS interception or theft. The SMS-associated operation API sequence is the sequence formed by the APIs of one group of associated operations.
Analysis of a large number of historical SMS interception Trojans shows that their interception or theft behaviour consists of a group of SMS-associated operations followed by one SMS-sensitive operation. Different interception behaviours may differ in their associated operations, but the sensitive operation is the same; that is, one sensitive operation may correspond to several groups of associated operations. If the application's historical API sequence contains every API of any associated-operation API sequence corresponding to the sensitive API, in the same order as in that sequence, the application is performing SMS interception or theft and is an SMS interception Trojan.
The detection method of this embodiment builds on the observation that historical SMS interception Trojans perform an SMS-sensitive operation after a series of SMS-associated operations in order to intercept or steal messages: when an application triggers a sensitive operation, it is checked whether the application previously triggered any group of associated operations corresponding to it, and this decides whether the application is a Trojan. Because no static features need to be extracted, detection works whether or not the Trojan has been hardened.
Fig. 2 is a flowchart of the SMS interception Trojan detection method according to the second method embodiment of the invention. As shown in Fig. 2, in this embodiment, on the basis of the first method embodiment, the method further comprises, before step S102:
Step S201-1: analyse a large number of historical SMS interception Trojans and determine the SMS-sensitive operations and, for each, the corresponding groups of SMS-associated operations; the sensitive operation is the SMS operation a historical Trojan performed, and the associated operations are the identity-hiding, privilege-acquiring or data-monitoring operations it performed before the sensitive operation;
Step S201-2: determine the SMS-sensitive operation API from each sensitive operation, and determine an SMS-associated operation API sequence from each group of associated operations corresponding to that sensitive operation.
In this embodiment, analysis of the interception or theft behaviour of a large number of historical Trojans shows that the behaviour consists of a group of SMS-associated operations and one SMS-sensitive operation. Each sensitive operation and its corresponding groups of associated operations are obtained by statistics over those behaviours. For example, the associated-operation groups corresponding to the sensitive operation "read SMS" may be [hide icon, obtain SMS PDUs], [hide icon, register device administrator, monitor database], and so on.
Because both sensitive and associated operations are realised by calling corresponding APIs, the API of each sensitive operation is taken as the SMS-sensitive operation API, and for each group of associated operations corresponding to it the API of each associated operation in the group is determined, forming an SMS-associated operation API sequence that is used for detection.
Accordingly, in steps S102 and S104: if the sensitive operation "read SMS" is triggered, i.e. the "read SMS" API is called by an application, and the application's historical API sequence contains the "hide icon" API and the "obtain SMS PDUs" API, with "hide icon" called before "obtain SMS PDUs" in the history, then the application is an SMS interception Trojan.
In the detection method of this embodiment, each SMS-sensitive operation API and its corresponding SMS-associated operation API sequences are determined by analysing the interception or theft behaviour of a large number of historical Trojans, which provides the detection data for the detector.
Fig. 3 is a flowchart of the SMS interception Trojan detection method according to the third method embodiment of the invention. As shown in Fig. 3, in this embodiment, on the basis of the first method embodiment, the method further comprises, before step S102:
S301: monitor the SMS-associated operation APIs and the SMS-sensitive operation APIs and acquire API call information; the API call information includes the API name and the name of the application calling the API.
In this embodiment the associated-operation APIs and the sensitive-operation APIs are instrumented: in the framework layer of the mobile terminal operating system, an operation that records API call information is added to the implementation of each of these APIs, so that the APIs are monitored and the call information is captured while the call is in progress. Preferably this is done with hooking, which is common in the art.
To intercept or steal SMS, a Trojan must call both the associated-operation APIs and the sensitive-operation API. By monitoring these APIs and acquiring the call information, whether an associated or a sensitive API was called is determined from the API name in the call information. When an associated-operation API is called, the application that called it is identified from the call information and the API name is appended to that application's historical API call sequence, which builds up the sequence over time; when a sensitive-operation API is called, the detection can be run immediately.
A method embodiment that adds step S301 to the second method embodiment is also within the scope of protection of the invention.
Fig. 4 is a flowchart of the SMS interception Trojan detection method according to the fourth method embodiment of the invention. As shown in Fig. 4, in this embodiment, on the basis of the first method embodiment, the method further comprises:
S405: if the application is an SMS interception Trojan, block the SMS-sensitive operation API.
In this embodiment a decision is added to the implementation of the associated-operation and sensitive-operation APIs in the framework layer of the mobile terminal operating system: during the call it is first judged whether the calling application is an SMS interception Trojan, and if so the call is aborted. The API is thereby blocked, the sensitive operation cannot complete, and the Trojan cannot intercept or steal the message. Preferably the blocking is implemented with hooking, which is common in the art.
A method embodiment that adds step S405 to the second or third method embodiment is also within the scope of protection of the invention.
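The four method embodiments above form one procedure: derive the rule table from sample traces (S201), record monitored API calls per application (S301), match the caller's history against the associated-operation sequences when a sensitive API is hit (S102/S104, including the "read SMS" example), and block on a match (S405). The following Python block is an added example that is not the patent's own code. The patent instruments the APIs in the OS framework layer; here the hook is simulated by replaying a constructed call log of (application name, API name) pairs, which is exactly the "API call information" the patent describes. The API names (hideIcon, getSmsPdus, registerDeviceAdmin, monitorSmsDatabase, readSms, sendSms, readContacts), the package names, the sample traces and the call log are all constructed for illustration and are not taken from the patent.

```python
"""Behavioural detection of SMS interception Trojans following the patent's steps.
Added example, not the patent's code: API names, sample traces, package names and
the call log below are constructed for illustration."""
from collections import defaultdict

# S201: constructed behaviour traces of historical samples. Each trace is the ordered
# list of monitored operations one sample performed, ending in its SMS-sensitive operation.
SAMPLE_TRACES = [
    ["hideIcon", "getSmsPdus", "readSms"],
    ["hideIcon", "registerDeviceAdmin", "monitorSmsDatabase", "readSms"],
    ["hideIcon", "getSmsPdus", "readSms"],            # repeated pattern, collapsed below
    ["hideIcon", "registerDeviceAdmin", "sendSms"],
]


def derive_rules(traces):
    """S201-1/S201-2: build {sensitive API: [associated-operation API sequence, ...]}.
    Each distinct ordered prefix of a trace becomes one associated-operation API sequence."""
    rules = defaultdict(list)
    for trace in traces:
        *associated, sensitive = trace
        seq = tuple(associated)
        if seq not in rules[sensitive]:
            rules[sensitive].append(seq)
    return dict(rules)


RULES = derive_rules(SAMPLE_TRACES)


def contains_in_order(history, pattern):
    """S104 test: every API of `pattern` occurs in `history`, in the same relative order.
    This is a subsequence match, so unrelated calls may be interleaved between them."""
    pos = 0
    for api in pattern:
        while pos < len(history) and history[pos] != api:
            pos += 1
        if pos == len(history):
            return False
        pos += 1
    return True


class Detector:
    """Simulates the framework-layer hook: S301 records associated-operation calls per
    application, S102/S104 run the match when a sensitive API is hit, S405 blocks it."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.sensitive = set(rules)
        self.associated = {a for seqs in rules.values() for s in seqs for a in s}
        self.history = defaultdict(list)   # app name -> historical API call sequence
        self.verdicts = []                 # (app, sensitive API, matched sequence)

    def on_api_call(self, app, api):
        """Hook entry point; `app` and `api` are the patent's 'API call information'.
        Returns True if the call may proceed, False if it is blocked (S405)."""
        if api in self.associated:
            self.history[app].append(api)                 # S301: extend the history
            return True
        if api in self.sensitive:
            matched = self.match(app, api)                # S102 + S104
            if matched is not None:
                self.verdicts.append((app, api, matched))
                return False                              # S405: abort the call
        return True                                       # not a monitored API

    def match(self, app, sensitive_api):
        """Return the first associated-operation sequence for `sensitive_api` that the
        caller's history contains in order, or None (caller treated as benign)."""
        hist = self.history.get(app, [])
        for seq in self.rules.get(sensitive_api, []):
            if contains_in_order(hist, seq):
                return seq
        return None


# Constructed call log as the hook would deliver it: (calling application, API name).
CALL_LOG = [
    ("com.example.bankhelper", "hideIcon"),
    ("com.example.cleaner", "readSms"),              # legitimate cleaner: no associated ops
    ("com.example.bankhelper", "registerDeviceAdmin"),
    ("com.example.bankhelper", "readContacts"),      # unmonitored call, ignored
    ("com.example.bankhelper", "monitorSmsDatabase"),
    ("com.example.bankhelper", "readSms"),           # second rule matched in order: blocked
    ("com.example.notes", "getSmsPdus"),
    ("com.example.notes", "hideIcon"),
    ("com.example.notes", "readSms"),                # same APIs, wrong order: allowed
]


def run(log=CALL_LOG):
    """Replay the log through a fresh detector; returns (detector, [(app, api, allowed)])."""
    det = Detector()
    decisions = [(app, api, det.on_api_call(app, api)) for app, api in log]
    return det, decisions


if __name__ == "__main__":
    det, decisions = run()
    for app, api, allowed in decisions:
        print(f"{app:24s} {api:22s} {'allowed' if allowed else 'BLOCKED'}")
```

Running the block prints one allow/block decision per call. Two points a practitioner should note: the match is a subsequence match, so benign calls interleaved between the associated operations do not defeat it, but the history here is keyed only by application name and never expires. In a deployment the history should be keyed by a stable caller identity (such as the calling UID) and bounded, for example reset on reinstall, since a legitimate application that once hid its icon would otherwise be flagged the first time it later reads SMS.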
Fig. 5 is a schematic diagram of the SMS interception Trojan detection apparatus according to the first apparatus embodiment of the invention. As shown in Fig. 5, in this embodiment the apparatus comprises:
an acquisition module 102, which, if an SMS-sensitive operation API is called, acquires the sequence of APIs historically called by the application that called it; and
a determination module 104, which determines that the application is an SMS interception Trojan if the application's historical API sequence contains every API of any SMS-associated operation API sequence corresponding to the sensitive API, and the order in which those APIs appear in the historical sequence matches the order in that associated sequence.
The detection apparatus of this embodiment builds on the observation that historical SMS interception Trojans perform an SMS-sensitive operation after a series of SMS-associated operations in order to intercept or steal messages: when an application triggers a sensitive operation, it is checked whether the application previously triggered any group of associated operations corresponding to it, and this decides whether the application is a Trojan. Because no static features need to be extracted, detection works whether or not the Trojan has been hardened.
Fig. 6 is a schematic diagram of the SMS interception Trojan detection apparatus according to the second apparatus embodiment of the invention. As shown in Fig. 6, in this embodiment, on the basis of the first apparatus embodiment, the apparatus further comprises:
a first determination module 201-1, which analyses a large number of historical SMS interception Trojans and determines the SMS-sensitive operations and, for each, the corresponding groups of SMS-associated operations; the sensitive operation is the SMS operation a historical Trojan performed, and the associated operations are the identity-hiding, privilege-acquiring or data-monitoring operations it performed before the sensitive operation; and
a second determination module 201-2, which determines the SMS-sensitive operation API from each sensitive operation and determines an SMS-associated operation API sequence from each group of associated operations corresponding to that sensitive operation.
In the detection apparatus of this embodiment, each SMS-sensitive operation API and its corresponding SMS-associated operation API sequences are determined by analysing the interception or theft behaviour of a large number of historical Trojans, which provides the detection data for the detector.
Fig. 7 is a schematic diagram of a short message interception horse detection device according to a third apparatus embodiment of the present invention. As shown in Fig. 7, in this embodiment the apparatus further includes, on the basis of the first apparatus embodiment:
the monitoring module 301, configured to monitor the short message associated operation APIs and the short message sensitive operation APIs and obtain API call information; the API call information includes the name of the called API and the name of the application program calling it.
The short message interception horse detection device of the third embodiment obtains API call information through the monitoring module, and can judge from the API name contained in that information whether the called API is a short message associated operation API or a short message sensitive operation API. Furthermore, when a short message associated operation API is called, the API sequence historically called by the application program is updated from the API call information: the application program calling the associated operation API is identified from the call information, and the API name contained in the call information is appended to that application program's historical API call sequence. When a short message sensitive operation API is called, short message interception horse detection can then be carried out immediately.
In addition, an apparatus embodiment formed by adding the monitoring module 301 to the second apparatus embodiment also falls within the protection scope of the present invention.
Fig. 8 is a schematic diagram of a short message interception horse detection device according to a fourth apparatus embodiment of the present invention. As shown in Fig. 8, in this embodiment the apparatus further includes:
the blocking module 405, configured to block the short message sensitive operation API if the application program is a short message interception horse.
The short message interception horse detection device of the fourth embodiment can immediately block the short message sensitive operation API through the blocking module, so that the short message sensitive operation cannot complete. This prevents the interception or stealing of short messages and so protects the property and privacy of mobile terminal users.
In addition, an apparatus embodiment formed by adding the blocking module 405 to the second or third apparatus embodiment also falls within the scope of the present invention.
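As an added worked example (not code from the patent or from its applicant), the following Python models the modules described above working together: a constructed knowledge base standing in for the output of the first and second determining modules, a monitoring hook that records each application's historical sequence of associated-operation API calls, an ordered-subsequence check implementing the condition "includes every API of some associated sequence, in a consistent calling order", and a block verdict when a sensitive operation API is called by an application that satisfies it. The API names (hide_launcher_icon, request_sms_permission, register_sms_receiver, read_sms, abort_sms_broadcast and so on), the application names and the sample call log are all constructed labels for illustration, not real Android method names or data taken from the patent.

```python
"""Added example: SMS-interception trojan detection by ordered API-sequence matching."""
from collections import defaultdict
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed knowledge base standing in for the output of the first and second
# determining modules. The API names are illustrative labels, not real Android
# method names. Key: sensitive-operation API; value: the groups of
# associated-operation API sequences that historically preceded it.
ASSOCIATED_SEQUENCES: Dict[str, List[List[str]]] = {
    "read_sms": [
        ["hide_launcher_icon", "request_sms_permission", "register_sms_receiver"],
        ["request_sms_permission", "register_sms_receiver", "start_background_service"],
    ],
    "abort_sms_broadcast": [
        ["hide_launcher_icon", "register_sms_receiver"],
    ],
}

# Constructed monitoring log: "<application name> <API name>" per line, i.e. the
# two fields the monitoring module reports as API call information.
SAMPLE_CALL_LOG = """\
com.example.fakebank hide_launcher_icon
com.example.messenger request_sms_permission
com.example.fakebank request_sms_permission
com.example.messenger register_sms_receiver
com.example.fakebank register_sms_receiver
com.example.messenger read_sms
com.example.fakebank read_sms
com.example.fakebank abort_sms_broadcast
com.example.outoforder register_sms_receiver
com.example.outoforder request_sms_permission
com.example.outoforder hide_launcher_icon
com.example.outoforder read_sms
"""


def is_ordered_subsequence(pattern: Sequence[str], history: Sequence[str]) -> bool:
    """True if every API in `pattern` occurs in `history` in the same relative order.

    A single iterator over `history` is consumed, so each match must come after
    the previous one; unrelated APIs may appear in between. This is the
    "included APIs, consistent calling order" condition of the detection rule.
    """
    remaining = iter(history)
    return all(api in remaining for api in pattern)


class InterceptionDetector:
    """Monitoring, acquisition, determining and blocking modules in one object."""

    def __init__(self, knowledge: Dict[str, List[List[str]]]) -> None:
        self.knowledge = knowledge
        self.sensitive_apis = set(knowledge)
        self.associated_apis = {
            api for groups in knowledge.values() for seq in groups for api in seq
        }
        # Acquisition-module state: per-application history of associated-operation calls.
        self.history: Dict[str, List[str]] = defaultdict(list)

    def matched_sequence(self, app: str, sensitive_api: str) -> Optional[List[str]]:
        """Determining module: the first associated sequence the app has completed, else None."""
        called = self.history[app]
        for seq in self.knowledge[sensitive_api]:
            if is_ordered_subsequence(seq, called):
                return seq
        return None

    def on_api_call(self, app: str, api: str) -> str:
        """Monitoring hook for one API call record; returns 'record', 'block' or 'allow'."""
        verdict = "allow"
        if api in self.associated_apis:
            # Append the API name to this application's historical call sequence.
            self.history[app].append(api)
            verdict = "record"
        if api in self.sensitive_apis:
            # Blocking module: refuse the sensitive operation if a sequence matched.
            verdict = "block" if self.matched_sequence(app, api) is not None else "allow"
        return verdict


def replay_log(log_text: str, detector: Optional[InterceptionDetector] = None) -> List[Tuple[str, str, str]]:
    """Feed '<app> <api>' lines through the detector; return (app, api, verdict) per line."""
    det = detector or InterceptionDetector(ASSOCIATED_SEQUENCES)
    results: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        app, api = line.split()
        results.append((app, api, det.on_api_call(app, api)))
    return results


if __name__ == "__main__":
    for app, api, verdict in replay_log(SAMPLE_CALL_LOG):
        if verdict != "record":
            print(f"{verdict:5} {app} -> {api}")
```

In the constructed log, com.example.fakebank completes the first read_sms sequence and is blocked on both read_sms and abort_sms_broadcast, while com.example.messenger requests permission and registers a receiver but never hides its icon or starts a background service, so its read_sms call is allowed. com.example.outoforder calls all three associated APIs of the first sequence but in a different order, so under the rule as claimed it is not flagged; a defender deploying this kind of detection therefore needs the knowledge base to contain every ordering actually observed in historical samples, and should treat a "contains all APIs, order differs" case as worth at least logging for review.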
An embodiment of the present invention provides a computer device comprising a processor and a memory for storing a computer program, wherein the processor executes the computer program stored in the memory to implement the short message interception horse detection method of the first to fourth method embodiments.
An embodiment of the present invention provides a computer storage medium storing a computer program which, when executed by a processor, implements the short message interception horse detection method of the first to fourth method embodiments.
The apparatus embodiments described above are merely illustrative. The units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. One of ordinary skill in the art can understand and implement this without inventive effort.
From the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware. With this understanding, the technical solutions described above may be embodied as a software product stored in a computer-readable storage medium (such as ROM/RAM, a magnetic disk or an optical disk) that includes instructions causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods of the various embodiments or parts of them.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features equivalently replaced, and that such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (7)

1. A short message interception horse detection method, characterized by comprising the following steps:
if a short message sensitive operation API is called, acquiring the API sequence historically called by the application program calling the short message sensitive operation API;
and if the API sequence historically called by the application program includes each API in any short message associated operation API sequence corresponding to the short message sensitive operation API, and the calling order of those included APIs in the API sequence historically called by the application program is consistent with the calling order in that short message associated operation API sequence, determining that the application program is a short message interception horse.
2. The method of claim 1, characterized in that, before acquiring the API sequence historically called by the application program calling the short message sensitive operation API if the short message sensitive operation API is called, the method further comprises:
analyzing a large number of historical short message interception horses, and determining the short message sensitive operations and each group of short message associated operations corresponding to them; a short message sensitive operation is a short message operation performed by a historical short message interception horse; a short message associated operation is an identity hiding operation, a permission acquisition operation or a data monitoring operation performed by a historical short message interception horse before the short message sensitive operation;
and determining the short message sensitive operation API from the short message sensitive operation, and determining each group's short message associated operation API sequence from the corresponding group of short message associated operations.
3. The method of claim 2, characterized in that, before acquiring the API sequence historically called by the application program calling the short message sensitive operation API if the short message sensitive operation API is called, the method further comprises:
monitoring the short message associated operation APIs and the short message sensitive operation APIs, and acquiring API call information; the API call information includes the name of the called API and the name of the application program calling it.
4. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
if the application program is a short message interception horse, blocking the short message sensitive operation API.
5. A short message interception horse detection device, characterized by comprising:
an acquisition module, used to acquire the API sequence historically called by the application program calling a short message sensitive operation API if the short message sensitive operation API is called;
and a determining module, used to determine that the application program is a short message interception horse if the API sequence historically called by the application program includes each API in any short message associated operation API sequence corresponding to the short message sensitive operation API, and the calling order of those included APIs in the API sequence historically called by the application program is consistent with the calling order in that short message associated operation API sequence.
6. A computer device, characterized by comprising:
a processor;
and a memory for storing a computer program, the processor being configured to execute the computer program stored in the memory to implement the method of claims 1 to 4.
7. A computer storage medium, characterized in that a computer program is stored in the computer storage medium which, when executed by a processor, carries out the method of claims 1 to 4.
CN201811108791.4A 2018-09-21 2018-09-21 Short message interception horse detection method and device Active CN110944332B (en)
Publications (2)

Publication Number Publication Date
CN110944332A true CN110944332A (en) 2020-03-31
CN110944332B CN110944332B (en) 2023-05-02

Family

ID=69904515

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant