CN112528286A - Terminal device security detection method, associated device and computer program product - Google Patents

Info

Publication number
CN112528286A
Authority
CN
China
Prior art keywords
detection
detection result
client
detected
feature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011572678.9A
Other languages
Chinese (zh)
Other versions
CN112528286B (en)
Inventor
李�杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by WeBank Co Ltd
Priority to CN202011572678.9A
Publication of CN112528286A
Application granted
Publication of CN112528286B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Virology (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a method, a device, equipment and a storage medium for terminal device security detection, relating to the technical field of artificial intelligence. The terminal device security detection method comprises the following steps: when it is detected that a client of the terminal device is started, scanning the installation package files of the terminal device environment corresponding to the client to determine key features to be detected based on the installation package files; performing security detection on the key features to be detected to obtain a detection result; and if the detection result is a risk detection result, prompting that the client has a security risk. The application avoids potential financial security hazards and improves the security of the user's financial operations.

Description

Terminal device security detection method, associated device and computer program product
Technical Field
The present application relates to the field of artificial intelligence technology for financial technology (Fintech), and in particular, to a method for detecting security of a terminal device, an associated device, and a computer program product.
Background
With the continuous development of financial technologies, especially internet technology and finance, more and more technologies (such as distributed, Blockchain, artificial intelligence and the like) are applied to the financial field, but the financial industry also puts higher requirements on the technologies, such as higher requirements on security in the financial industry.
With the development of the mobile internet, more and more users perform financial operations on their terminals, for example making payments through internet banking, WeChat and the like. As a result, more and more hackers attempt to attack financial payment software through plug-ins, trojan viruses and the like in order to maliciously steal users' account numbers, passwords and private personal financial information. At present, users' economic losses are avoided only by relying on improvements in the users' own security awareness; that is, the terminal application operating environment is presumed to be a trusted environment, so the user terminal carries potential financial security hazards.
Disclosure of Invention
The application mainly aims to provide a method, a device, equipment and a storage medium for detecting the safety of terminal equipment, and aims to solve the technical problem that the existing terminal equipment has financial potential safety hazards.
In order to achieve the above object, the present application provides a method for detecting security of a terminal device, where the method for detecting security of a terminal device includes:
when detecting that a client of the terminal equipment is started, scanning an installation package file of a corresponding terminal equipment environment of the client to determine key features to be detected based on the installation package file;
carrying out safety detection on the key features to be detected to obtain a detection result;
and if the detection result is a risk detection result, prompting the client to have a safety risk.
Optionally, when it is detected that the client of the terminal device is started, the step of scanning the installation package file of the environment corresponding to the terminal device of the client to determine the key feature to be detected based on the installation package file includes:
when detecting that a client of a terminal device is started, scanning an installation package file of a corresponding terminal device environment of the client, and determining a component structure of the installation package file;
determining key characteristics of each component structure of the installation package file by presetting specified setting information;
and determining the key features to be detected based on the key features of each component structure.
Optionally, the step of performing security detection on the key feature to be detected to obtain a detection result includes:
and performing first safety detection on the key features to be detected locally at the client, and/or performing second safety detection on the key features to be detected at the server corresponding to the client to obtain a detection result.
Optionally, the step of performing, locally at the client, a first security detection on the key feature to be detected to obtain a detection result includes:
locally at the client, performing first sub-safety detection on the key features to be detected through a local safety detection module to obtain a detection result;
and/or locally at the client, performing second safety sub-detection on the key features to be detected through a first malicious recorded information base which is pulled from the server and then stored locally, and obtaining a detection result.
Optionally, the step of performing, at the client corresponding to the server, a second security detection on the key feature to be detected to obtain a detection result includes:
uploading the installation package file to a server side, so that the server side searches a feature record matched with the key feature to be detected based on a preset second malicious record information base, and obtains a static detection result based on the feature record matched with the key feature to be detected;
and obtaining a detection result based on the static detection result.
Optionally, the step of uploading the installation package file to a server side, so that the server side searches a feature record matched with the key feature to be detected based on a preset second malicious record information base, and obtains a static detection result based on the feature record matched with the key feature to be detected, includes:
if the static detection result is a result without malicious records, dynamically detecting the key features to be detected by simulating the operation of the installation package file at the server side to obtain a dynamic detection result;
and obtaining a detection result based on the static detection result and the dynamic detection result.
Optionally, before the step of uploading the installation package file to a server side for the server side to search a feature record matched with the key feature to be detected based on a preset second malicious record information base, the method includes:
reporting the login identity state information and sending the login identity state information to a server side, so that the server side determines whether the interactive authentication information is converted correspondingly or not according to the reported login identity state information and feeds the interactive authentication information back to the user;
and if receiving the interactive authentication information fed back by the server, uploading the installation package file to the server so that the server searches the feature record matched with the key feature to be detected based on a preset second malicious record information base.
Optionally, the step of performing a first security check on the key feature to be detected locally at the client, and performing a second security check on the key feature to be detected at the server corresponding to the client, to obtain a detection result includes:
performing first safety detection on the key features to be detected locally at the client to determine whether suspicious features exist;
and if the suspicious features exist, performing second safety detection on the suspicious features at the corresponding server side of the client to obtain a detection result.
Optionally, if the detection result is a risk detection result, the step of prompting the client that a security risk exists includes:
if the detection result is a risk detection result, determining the grade of the risk detection result according to the times of hitting the characteristic record and/or the malicious record by the key characteristic to be detected;
determining a target prompt level based on the level of the risk detection result;
and prompting the client to have a safety risk based on a prompting mode corresponding to the target prompting level.
Optionally, the key features to be detected include at least one of a package name feature, a version number feature, a digital signature feature, a component receiving association feature, a component sending association feature, a component activity association feature, an instruction feature of an executable file, a character string feature of the executable file, and an MD5 value feature of each file in an installation package directory.
The application also provides a terminal device security detection apparatus, which comprises:
the scanning module is used for scanning an installation package file of a terminal equipment environment corresponding to a client when the client of the terminal equipment is detected to be started so as to determine key features to be detected based on the installation package file;
the safety detection module is used for carrying out safety detection on the key features to be detected to obtain a detection result;
and the prompting module is used for prompting that the client has a safety risk if the detection result is a risk detection result.
Optionally, the scanning module comprises:
the system comprises a first detection unit, a second detection unit and a third detection unit, wherein the first detection unit is used for scanning an installation package file of a terminal equipment environment corresponding to a client when the client of the terminal equipment is detected to be started, and determining a component structure of the installation package file;
the first determining unit is used for determining key characteristics of each component structure of the installation package file by presetting specified setting information;
and the second determining unit is used for determining the key features to be detected based on the key features of each component structure.
Optionally, the security detection module includes:
and the second detection unit is used for locally performing first safety detection on the key features to be detected at the client and/or performing second safety detection on the key features to be detected at the server corresponding to the client to obtain a detection result.
Optionally, the second detection unit includes:
the first detection subunit is used for carrying out first sub-safety detection on the key features to be detected locally at the client through a local safety detection module to obtain a detection result;
and/or locally at the client, performing second safety sub-detection on the key features to be detected through a first malicious recorded information base which is pulled from the server and then stored locally, and obtaining a detection result.
Optionally, the second detection unit includes:
the second detection subunit is used for uploading the installation package file to a server side, so that the server side searches a feature record matched with the key feature to be detected based on a preset second malicious record information base, and obtains a static detection result after the feature record is matched with the key feature to be detected based on the feature record;
and the first acquisition subunit is used for obtaining a detection result based on the static detection result.
Optionally, the second detecting unit further includes:
the third detection subunit is configured to, if the static detection result is a result that no malicious record exists, perform dynamic detection on the key feature to be detected by simulating operation of the installation package file at the server side to obtain a dynamic detection result;
and the second obtaining subunit is used for obtaining a detection result based on the static detection result and the dynamic detection result.
Optionally, the terminal device security detection apparatus further includes:
the first determining module is used for reporting the login identity state information and sending the login identity state information to the server side, so that the server side can determine whether the interactive authentication information is converted correspondingly or not according to the reported login identity state information and feed back the interactive authentication information to the user;
and the receiving module is used for uploading the installation package file to the server side so that the server side can search the feature record matched with the key feature to be detected based on a preset second malicious record information base if the interactive authentication information fed back by the server side is received.
Optionally, the second detecting unit further includes:
the determining subunit is configured to perform, locally at the client, first security detection on the key feature to be detected to determine whether a suspicious feature exists;
and the second safety detection subunit is used for performing second safety detection on the suspicious features at the corresponding server side of the client side if the suspicious features exist, so as to obtain a detection result.
Optionally, the prompting module includes:
a third determining unit, configured to determine, if the detection result is a risk detection result, a level of the risk detection result according to the number of times that the key feature to be detected hits the feature record and/or the malicious record;
a fourth determining unit, configured to determine a target prompt level based on the level of the risk detection result;
and the prompting unit is used for prompting that the client has a safety risk based on a prompting mode corresponding to the target prompting level.
Optionally, the key features to be detected include at least one of a package name feature, a version number feature, a digital signature feature, a component receiving association feature, a component sending association feature, a component activity association feature, an instruction feature of an executable file, a character string feature of the executable file, and an MD5 value feature of each file in an installation package directory.
The application also provides a terminal device security detection device, which is a physical device comprising a memory, a processor and a program of the terminal device security detection method, wherein the program, when executed by the processor, implements the steps of the terminal device security detection method.
The application also provides a storage medium, wherein the storage medium stores a program for implementing the terminal device safety detection method, and the program for implementing the terminal device safety detection method realizes the steps of the terminal device safety detection method when being executed by a processor.
The present application also provides a computer program product, comprising a computer program, which when executed by a processor implements the steps of the above-mentioned terminal device security detection method.
The application provides a terminal device security detection method, associated devices and a computer program product. In contrast to the current practice of presuming the terminal application operating environment to be a trusted environment, which leaves potential financial security hazards, the method scans the installation package files of the terminal device environment corresponding to the client when it is detected that the client of the terminal device is started, so as to determine key features to be detected based on the installation package files; performs security detection on the key features to be detected to obtain a detection result; and, if the detection result is a risk detection result, prompts that the client has a security risk. In this application, when a client of a terminal device is started, the user environment is presumed to be a zero-trust environment: any installation package file of the terminal device environment corresponding to the client is scanned, key features to be detected are determined from the installation package files, and security detection is performed on them, so that insecure features present on the user's side can be found and reported in time. That is, if the detection result is a risk detection result, the client is prompted that a security risk exists, which avoids potential financial security hazards and improves the security of the user's financial operations.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art to obtain other drawings without inventive exercise.
Fig. 1 is a schematic flowchart of a first embodiment of a security detection method for a terminal device according to the present application;
Fig. 2 is a detailed flowchart of the step S10 in the first embodiment of the terminal device security detection method according to the present application;
Fig. 3 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present application.
The objectives, features, and advantages of the present application will be further described with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
In a first embodiment of the terminal device security detection method of the present application, referring to fig. 1, the terminal device security detection method includes:
step S10, when detecting that a client of the terminal device is started, scanning an installation package file of a corresponding terminal device environment of the client to determine key features to be detected based on the installation package file;
step S20, carrying out safety detection on the key features to be detected to obtain a detection result;
and step S30, if the detection result is a risk detection result, prompting the client that a security risk exists.
The method comprises the following specific steps:
step S10, when detecting that a client of the terminal device is started, scanning an installation package file of a corresponding terminal device environment of the client to determine key features to be detected based on the installation package file;
In this embodiment, the terminal device security detection method is applied to a terminal device security detection apparatus, which belongs to a terminal device security detection device; that device may be the terminal device itself, a server, or a detection system formed by combining a terminal device and a server.
In this embodiment, the terminal device security detection method is applicable to the Android platform or Android system. When it is detected that a client of the terminal device is started, the installation package files of the terminal device environment corresponding to the client are scanned to determine the key features to be detected. Specifically, the scan is performed when it is detected that the client of the terminal device is started in order to log in, or when it is detected that the terminal device is started and has completed logging in. An Android installation package (APK package) can be downloaded and installed on a mobile terminal through an Android application market, or installed from a PC through a USB data cable or wireless data transmission; viruses, trojans and other malicious software that are to enter the mobile terminal must likewise be packaged as an APK file package. Scanning the installation package files of the terminal device environment can therefore accomplish the security detection. In this embodiment, the main purpose of the scan is to examine the key features to be detected in the terminal device environment, rather than all features or all files, so that detection efficiency is improved while security detection is still ensured. The key features to be detected can be determined in the following ways:
Way one: determining the key features to be detected from preset configuration information;
Way two: determining the key features to be detected from information carried in the start instruction when the client application is started.
Referring to fig. 2, when it is detected that the client of the terminal device is started, the step of scanning the installation package file of the environment corresponding to the terminal device of the client to determine the key feature to be detected based on the installation package file includes:
step S11, when detecting that the client of the terminal device is started, scanning the installation package file of the environment corresponding to the terminal device of the client, and determining the component structure of the installation package file;
in this embodiment, after scanning an installation package file of a client corresponding to a terminal device environment, a component structure of the installation package file is determined first, that is, a structure of an Android installation package is determined, and specifically, the component structure of the installation package file is determined in a manner of reading a directory.
The Android installation package can comprise the following component structure or directory structure:
assets directory: stores static files to be packaged into the APK;
lib directory: stores the native library files on which the application depends;
res directory: res is an abbreviation of resource; stores resource files;
META-INF directory: stores the signature information of the application, which can be used to verify the integrity of the APK file package;
AndroidManifest.xml: the configuration file of the Android application, describing the overall information of the Android application;
classes.dex: the Dalvik virtual machine executable file, which contains all code-layer execution logic;
resources.arsc: records the mapping between resource files and resource IDs.
Step S12, determining key characteristics of each component structure of the installation package file through presetting designated setting information;
The key features of each component structure of the installation package file are determined from preset specified setting information; that is, the preset specified setting information already indicates which features of each component structure are key features (the preset key features being those most representative for security detection), so that the key features can be extracted from the APK file package. The key features can be package names, version numbers, digital signatures, entry information of modules listed in android manifest.
Specifically, the key feature to be detected may include at least one of a package name feature, a version number feature, a digital signature feature, a component receiving association feature, a component sending association feature, a component activity association feature, an instruction feature of an executable file, a character string feature of an executable file, an MD5 value of each file in an installation package directory, and the like of the installation package file.
And step S13, determining key features to be detected based on the key features of each component structure.
And after the key features of each component structure are obtained, fusing or merging the key features to obtain the key features to be detected.
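Steps S11 to S13 as an added Python sketch (not code from the patent): it reads the archive directory to find the component structure, derives MD5 and string features for the components a preset table selects, and merges them. The settings table, the size cap, the function names and the in-memory sample archive are all assumptions of this example; package name and version features would need a binary-XML parser for AndroidManifest.xml and are left out.

```python
import hashlib
import io
import re
import zipfile

# Top-level APK components listed in the description above.
COMPONENT_DIRS = ("assets", "lib", "res", "META-INF")
COMPONENT_FILES = ("AndroidManifest.xml", "classes.dex", "resources.arsc")

# Hypothetical "preset specified setting information": which features to
# derive from each component (table contents are assumptions).
PRESET_SETTINGS = {
    "META-INF": ("md5",),
    "AndroidManifest.xml": ("md5",),
    "classes.dex": ("md5", "strings"),
    "lib": ("md5",),
}
MAX_ENTRY_BYTES = 32 * 1024 * 1024          # refuse to inflate oversized entries
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # ASCII runs of 6+ characters


def component_of(entry_name):
    """Map a ZIP entry name to the APK component it belongs to."""
    top = entry_name.split("/", 1)[0]
    if "/" in entry_name and top in COMPONENT_DIRS:
        return top
    if entry_name in COMPONENT_FILES:
        return entry_name
    return "other"


def component_structure(apk_bytes):
    """Step S11: read the archive directory and group entries by component."""
    structure = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not info.is_dir():
                structure.setdefault(component_of(info.filename), []).append(info.filename)
    return structure


def extract_key_features(apk_bytes, settings=PRESET_SETTINGS):
    """Steps S12-S13: derive the configured features and merge them."""
    features = {"md5": {}, "strings": set()}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            wanted = settings.get(component_of(info.filename), ())
            if info.is_dir() or not wanted:
                continue
            with apk.open(info) as fh:
                data = fh.read(MAX_ENTRY_BYTES + 1)
            if len(data) > MAX_ENTRY_BYTES:
                raise ValueError(f"{info.filename}: entry exceeds size cap")
            if "md5" in wanted:
                # MD5 is the digest the description names; it is not
                # collision-resistant, so record bases usually pair it
                # with a stronger digest.
                features["md5"][info.filename] = hashlib.md5(data).hexdigest()
            if "strings" in wanted:
                features["strings"].update(
                    m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data))
    return features


def build_sample_apk():
    """Constructed stand-in for an APK: same layout, placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00constructed-manifest")
        z.writestr("classes.dex", b"dex\n035\x00\x01\x02Lcom/example/pay/Main;\x00\x07")
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00constructed")
        z.writestr("META-INF/CERT.RSA", b"constructed-signature-block")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELFconstructed")
        z.writestr("res/layout/main.xml", b"<constructed/>")
        z.writestr("assets/readme.txt", b"constructed asset")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk()
    print(component_structure(sample))
    print(extract_key_features(sample))
```

Components absent from the settings table (here assets, res and resources.arsc) are listed in the structure but contribute no features, which mirrors the description's point that only key features are scanned.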
Step S20, carrying out safety detection on the key features to be detected to obtain a detection result;
In this embodiment, security detection is performed on each key feature to be detected to obtain a detection result. The following description takes detection of the key features to be detected of the Dex file and the AndroidManifest.xml file as an example:
Description of the Dex file: in the architecture design of the Android system, Android applications are usually developed in the Java language. Specifically, the files developed in Java are compiled by an Android development tool into binary bytecode, and the binary bytecode is packed into class.
The following specific description takes the detection of the key features to be detected of the android manifest.
In order to call the functions of the Android system, the Android system provides a runtime environment (the Android framework), and an Android application calls each system function by calling the libraries of the Android framework. Specifically, the four major components in Android development are: the Activity component, which provides a screen for interaction; the Service component, which runs a service in the background and presents no interface; the broadcast receiver (BroadcastReceiver) component, which receives broadcasts; and the content provider (Content Provider) component, which supports storing and reading data across multiple applications and is equivalent to a database. Security detection is performed on the key features to be detected of the four major components to obtain a detection result.
The step of carrying out safety detection on the key features to be detected to obtain a detection result comprises the following steps:
and step S21, performing first safety detection on the key features to be detected locally at the client, and/or performing second safety detection on the key features to be detected at the server corresponding to the client, so as to obtain a detection result.
The actual safety detection comprises the detection of various safety scenes, wherein the detection of various safety scenes comprises single detection and combined detection;
specifically, the performing a first security detection on the key feature to be detected locally at the client, and/or performing a second security detection on the key feature to be detected at the server corresponding to the client, and obtaining a detection result includes:
Way one: performing first security detection on the key features to be detected locally at the client to obtain a detection result;
In this embodiment, the detection result may be obtained by performing only the first security detection locally at the client. Specifically, after the key features to be detected are examined locally at the client, a detection result can be obtained if each key feature is determined either to be non-malicious or to be malicious; that is, as long as the local client reaches a definite determination for every key feature to be detected, rather than merely a suspicion.
In this embodiment, it should be noted that a key feature to be detected is examined as follows: whether it is malicious is determined by whether it hits a feature record and/or a malicious record; if it hits a feature record and/or a malicious record, it is determined to be malicious.
Obtaining the detection result by performing only the first security detection locally at the client avoids wasting resources and improves detection efficiency.
Mode 2: performing the second security detection on the key features to be detected at the server corresponding to the client to obtain a detection result.
In this embodiment, the first security detection is not performed locally at the client; instead, the second security detection is performed on the key features to be detected at the server corresponding to the client to obtain the detection result. Specifically, the client reports detection request information to the server, the server authenticates the client, and if the authentication passes, the second security detection is performed on the key features to be detected to obtain the detection result.
In this embodiment, since the second security detection is performed on the key feature to be detected at the server side to obtain the detection result, the detection accuracy can be improved.
Mode 3: performing the first security detection on the key features to be detected locally at the client, and performing the second security detection on the key features to be detected at the server corresponding to the client, to obtain a detection result.
This step comprises:
performing the first security detection on the key features to be detected locally at the client to determine whether suspicious features exist;
and, if suspicious features exist, performing the second security detection on the suspicious features at the server corresponding to the client to obtain a detection result.
In this embodiment, after the first security detection is performed locally at the client, if the client cannot determine locally whether a key feature to be detected is malicious, that is, the key feature is a suspected malicious feature or a suspicious feature, the APK package file is sent to the server, so that the second security detection is performed on the key features to be detected at the server corresponding to the client and a detection result is obtained. Because the second detection, namely the combined detection, is carried out at the server side, the accuracy of the detection result is ensured while the result is still obtained efficiently.
The step of performing the first security detection on the key features to be detected locally at the client to obtain a detection result includes:
Step S211: locally at the client, performing a first security sub-detection on the key features to be detected through a local security detection module to obtain a detection result;
and/or Step S212: locally at the client, performing a second security sub-detection on the key features to be detected using a first malicious record information base that has been pulled from the server and stored locally, to obtain a detection result.
In this embodiment, the first security detection may be performed locally at the client in different modes. Specifically, the step of performing the first security detection on the key features to be detected locally at the client to obtain the detection result includes the following modes.
Mode 1: locally at the client, performing the first security sub-detection on the key features to be detected through the local security detection module to obtain a detection result.
Mode 2: locally at the client, performing the second security sub-detection on the key features to be detected using the first malicious record information base that has been pulled from the server and stored locally.
Specifically, the risk detection fingerprint library (the first malicious record information base) is pulled from the remote server to the terminal, and single or combined queries are run against several key features extracted from the Android installation package, such as the package name, the version number, features of the Android receiver components, features of the Android service components, and features of the Android activity components. When a matching feature record is found, the security information corresponding to that feature record is returned; the security information may include a description of the security level and a prompt level or prompt information corresponding to the security level. If one feature, or a combination of several features, is identified as a hit, the file can be judged to be a malicious file and the user is prompted that a malicious file exists. If one feature, or a combination of several features, hits a suspicious-risk record, the application can be judged to be a "suspicious risk APP". The user reminding module then prompts the user with the name of the malicious APP, interacts with the user, and guides the user through further security handling. If none of the feature records known to the local first malicious record information base matches after all of them have been checked, the features of the application are reported to the server side for archiving.
In this embodiment, the detection result is obtained either by performing only the first security sub-detection through the local security detection module at the client, or by performing only the second security sub-detection at the client using the first malicious record information base pulled from the server and stored locally, so that local resources are not wasted.
Mode 3: locally at the client, performing the first security sub-detection on the key features to be detected through the local security detection module, and performing the second security sub-detection on the key features to be detected using the first malicious record information base that has been pulled from the server and stored locally, to obtain a detection result.
In this embodiment, the first security sub-detection and the second security sub-detection are performed locally and concurrently, which improves detection efficiency when higher efficiency is required.
In this embodiment, it should be noted that the key features to be detected may be statically detected by the local security detection module of the client, and may be dynamically detected using the local first malicious record information base. Static detection refers to feature matching: if the application has a security risk because it may itself be malware, static detection can be used. Dynamic detection refers to simulating the running behaviour of the application and then performing detection. For example, the application may be normal software that nevertheless threatens the user's privacy and data security because of a security vulnerability or a tendency toward malicious or non-compliant behaviour (such as reading sensitive data related to the user and the APP, or capturing the screen while the user is using the APP); in that case dynamic detection is required.
Step S30: if the detection result is a risk detection result, prompting that the client has a security risk.
In this embodiment, if the detection result is a risk detection result, that is, when a malicious feature exists, a prompt is given that the client has a security risk. Interaction between the client and the user at this point helps prevent loss of the user's funds in advance.
The step of prompting that the client has a security risk if the detection result is a risk detection result comprises:
Step S31: if the detection result is a risk detection result, determining the level of the risk detection result according to the number of times the key features to be detected hit feature records and/or malicious records;
Step S32: determining a target prompt level based on the level of the risk detection result.
In this embodiment, if the detection result is a risk detection result, the level of the risk detection result is determined according to the number of times the key features to be detected hit feature records and/or malicious records, and the target prompt level is determined based on that level.
The level of the risk detection result may be:
Safe: the application is a normal application without any behaviour that threatens the user's security;
Suspicious: the application carries a security risk; it may be malware, or it may be normal software that nevertheless threatens the user's privacy and data security because of a security vulnerability or a tendency toward malicious or non-compliant behaviour;
Malicious: the application is a virus, a Trojan horse, or other malware.
The above definitions of the three levels (safe, suspicious and malicious) are only examples; other security level classifications and definitions may be used according to the practical application.
The target prompt level is determined based on the level of the risk detection result. Specifically, if the level of the risk detection result is safe, the target prompt level may be a first prompt level; if the level is suspicious, the target prompt level may be a second prompt level; and if the level is malicious, the target prompt level may be a third prompt level.
Step S33: prompting that the client has a security risk, using the prompting mode corresponding to the target prompt level.
In particular, the first prompt level may be no prompt, the second prompt level may be a non-prominent prompt, such as a reduced-size display box, and the third prompt level may be a prominent prompt, such as a red, bold display box.
In this embodiment, prompts are graded so that the user is alerted to applications that pose a serious security risk, avoiding economic loss to the user.
The application provides a terminal device security detection method, an associated device and a computer program product. In contrast to current practice, which presumes that the terminal application's running environment is trusted and therefore leaves financial security risks, the method scans the installation package files of the terminal device environment corresponding to the client when it detects that the client of the terminal device is started, so as to determine the key features to be detected based on the installation package files; performs security detection on the key features to be detected to obtain a detection result; and, if the detection result is a risk detection result, prompts that the client has a security risk. In the application, when the client of a terminal device is started, the user environment is presumed to be a zero-trust environment: every installation package file of the terminal device environment corresponding to the client is scanned, the key features to be detected are determined from those files, and security detection is performed on them so that unsafe features are found in time. If the detection result is a risk detection result, a prompt is given that the client has a security risk, which avoids financial security risks and improves the security of the user's financial operations.
In another embodiment of the terminal device security detection method, the step of performing the second security detection on the key features to be detected at the server corresponding to the client to obtain a detection result includes:
Step S213: uploading the installation package file to the server side, so that the server side searches a preset second malicious record information base for a feature record matching the key features to be detected, and obtains a static detection result based on the matching feature record.
This embodiment describes how static detection is performed at the server side to obtain a detection result.
In this embodiment, the client reports information (the APP installation list and APP-related information) to the server. After the server successfully authenticates the client, the installation package file is uploaded to the server, so that the server searches the preset second malicious record information base for a feature record matching the key features to be detected and obtains a static detection result based on the matching feature record. Specifically, the client uploads the specified feature information to the server, and the server searches its preset security identification library for a feature record matching the specified single piece of feature information or a combination of such information. The security identification library preset at the server (the second malicious record information base) contains feature records and the security level corresponding to each feature record, and each feature record contains a single piece of feature information or a combination of feature information. The client receives the security detection result for the Android installation package returned by the server, namely the static detection result, and displays it on the client's user interface; the result includes the security level corresponding to the feature record found by the server. For example: local malicious file: "Trojan APP name"; suspicious file: "suspicious APP name"; further security handling is required.
In this embodiment, it should be noted that a plurality of feature records are preset in the server's security identification library (the second malicious record information base); a single piece of feature information may constitute a feature record, and a combination of several pieces of feature information may also constitute a feature record. For example, dozens of feature records are preset in the security identification library: a first feature record lists the Android installation package name of a certain virus; a second feature record lists the Android installation package version number of a certain normal application and the MD5 value of its digital signature; a third feature record lists the Android installation package name of a certain normal application and its receiver feature; and a fourth feature record lists the Android installation package name of a certain Trojan, its version number, a specific character string in its DEX file, and the like. That is, the security identification library preset at the server collects feature information for identifying various malware such as viruses and Trojans, and also collects feature information for identifying normal applications, which distinguishes it from the many databases used only to identify malware. This ensures that the key features to be detected are accurately identified.
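The single and combined feature-record matching described above, together with the safe / suspicious / malicious grading and the three prompt modes, can be sketched as follows. This is an added example, not code from the patent; the record contents, package names, hash values and the rule that the most severe matched record decides the level are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    SAFE = 0
    SUSPICIOUS = 1
    MALICIOUS = 2


# Prompt modes from the description: none, non-prominent, prominent.
PROMPT = {
    Level.SAFE: "no prompt",
    Level.SUSPICIOUS: "reduced display box",
    Level.MALICIOUS: "red bold display box",
}


@dataclass
class FeatureRecord:
    record_id: str
    conditions: dict  # feature name -> value that must be present
    level: Level


@dataclass
class Verdict:
    level: object  # a Level, or None when no record matched
    prompt: str
    hits: list
    next_step: str


def feature_hit(actual, wanted):
    """Scalar features must be equal; multi-valued ones must contain the value."""
    if isinstance(actual, (set, frozenset, list, tuple)):
        return wanted in actual
    return actual == wanted


def record_matches(record, features):
    """A combined record hits only if every one of its conditions hits."""
    if not record.conditions:  # an empty record must never match everything
        return False
    return all(
        name in features and feature_hit(features[name], wanted)
        for name, wanted in record.conditions.items()
    )


def classify(features, library):
    hits = [r for r in library if record_matches(r, features)]
    if not hits:
        # Unknown application: archive its features at the server.
        return Verdict(None, PROMPT[Level.SAFE], [], "report features for archiving")
    # Assumption: the most severe matched record decides the level.
    level = max(r.level for r in hits)
    step = "second detection at server" if level == Level.SUSPICIOUS else "done"
    return Verdict(level, PROMPT[level], [r.record_id for r in hits], step)


# Constructed library with the four record shapes named in the description.
# MD5 is the hash the description names; the value below is constructed.
GENUINE_SIG = "0123456789abcdef0123456789abcdef"
LIBRARY = [
    FeatureRecord("R1-virus-name", {"package_name": "com.example.virus"}, Level.MALICIOUS),
    FeatureRecord("R2-normal-app",
                  {"version": "3.2.1", "signature_md5": GENUINE_SIG}, Level.SAFE),
    FeatureRecord("R3-name-plus-receiver",
                  {"package_name": "com.example.bank",
                   "receivers": "android.provider.Telephony.SMS_RECEIVED"},
                  Level.SUSPICIOUS),
    FeatureRecord("R4-trojan",
                  {"package_name": "com.example.trojan", "version": "1.0",
                   "dex_strings": "constructed-marker-string"},
                  Level.MALICIOUS),
]

# Constructed feature sets, as a scanner might extract them from APK files.
GENUINE = {"package_name": "com.example.bank", "version": "3.2.1",
           "signature_md5": GENUINE_SIG,
           "receivers": {"android.intent.action.BOOT_COMPLETED"}}
REPACKAGED = dict(GENUINE, signature_md5="f" * 32,
                  receivers={"android.provider.Telephony.SMS_RECEIVED"})
TROJAN = {"package_name": "com.example.trojan", "version": "1.0",
          "dex_strings": {"constructed-marker-string", "hello"}}
UNKNOWN = {"package_name": "com.example.notes", "version": "0.9"}

if __name__ == "__main__":
    for name, sample in [("genuine", GENUINE), ("repackaged", REPACKAGED),
                         ("trojan", TROJAN), ("unknown", UNKNOWN)]:
        print(name, classify(sample, LIBRARY))
```

The repackaged sample shows why combined records matter: it keeps the genuine package name and version, but the signature mismatch stops it from hitting the normal-application record, so only the suspicious record matches and the file is escalated.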
Step S214: obtaining a detection result based on the static detection result.
In this embodiment, once the static detection result is obtained, it is taken as the detection result and output.
The step of uploading the installation package file to a server side so that the server side searches a feature record matched with the key feature to be detected based on a preset second malicious record information base, and obtains a static detection result based on the feature record matched with the key feature to be detected, includes:
step A1, if the static detection result is a result that no malicious record exists, dynamically detecting the key features to be detected by simulating the operation of the installation package file at the server side to obtain a dynamic detection result;
step A2, obtaining a detection result based on the static detection result and the dynamic detection result.
In this embodiment, after static matching, if a suspicious file or a file with suspicious features is found, the APK file package is run in a simulated Android environment so that behaviour analysis can be performed on the APK; if malicious behaviour is found, the APK is determined to be a malicious APK and is added to the malicious information base (the second malicious record information base). That is, in this embodiment, dynamic detection refers to simulating the running behaviour of the application at the server side and then performing detection. For example, the application may be normal software that nevertheless threatens the user's privacy and data security because of a security vulnerability or a tendency toward malicious or non-compliant behaviour (such as reading sensitive data related to the user and the APP, or capturing the screen while the user is using the APP); in that case dynamic detection or manual detection needs to be performed at the server side.
In this embodiment, the installation package file is uploaded to a server side, so that the server side searches a feature record matched with the key feature to be detected based on a preset second malicious record information base, and obtains a static detection result based on the feature record matched with the key feature to be detected; and obtaining a detection result based on the static detection result. In the embodiment, the detection result can be accurately obtained at the server side.
In another embodiment of the terminal device security detection method, before the step of uploading the installation package file to the server side so that the server side searches a preset second malicious record information base for a feature record matching the key features to be detected, the method includes:
Step B1: reporting login identity state information to the server side, so that the server side determines, according to the reported login identity state information, whether to convert it into corresponding interactive authentication information and feed that information back to the user;
Step B2: if the interactive authentication information fed back by the server is received, executing the step of uploading the installation package file to the server so that the server searches the preset second malicious record information base for a feature record matching the key features to be detected.
This embodiment describes how the client is authenticated, to ensure that the client and the server interact only securely, that is, to protect the server side from unauthorized malicious use.
Specifically, after the user starts the client application, if the user has not logged in, the authentication KEY submitted to the server is empty, and for requests with an empty KEY the server limits the request frequency and the number of requests per day for the corresponding client. If the client is in a logged-in state or has a previous login on record, the client takes the login identity state from the user's normal login and uses it to call the cloud query authentication logic at the server side. The authentication logic decides whether authentication passes according to the reported login identity state (the first token). If the user's login identity state passes authentication, the server converts the first token into a second token, token2, and feeds it back to the user. The key value used in the user's subsequent interaction logic is token2, and all security requests and interactive requests can be completed with token2.
In this embodiment, it should be noted that the authority of the second token is smaller than that of the first token, so as to ensure that the client and the server only perform secure interaction.
In this embodiment, it should be noted that, for a client in the logged-in state, the server allows a higher request frequency and a larger number of requests per single IP than in the not-logged-in state. It should also be noted that token2, used as the KEY, is valid for 7 days (the actual value can be adjusted according to risk-control and user-experience considerations; it is not fixed), and after it expires the user must again convert the first token into a new token2 to use as the KEY.
In the embodiment, the login status information is reported and sent to the server side, so that the server side determines whether the interactive authentication information is converted correspondingly or not according to the reported login status information and feeds back the converted interactive authentication information to the user; and if receiving the interactive authentication information fed back by the server, uploading the installation package file to the server so that the server searches the feature record matched with the key feature to be detected based on a preset second malicious record information base. In this embodiment, the client is authenticated first, so as to avoid unauthorized malicious use of the server.
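The token exchange and tiered request limiting described in this embodiment can be sketched as follows. This is an added example, not code from the patent; the HMAC-signed token format, the scope name, the secret and the limit values are assumptions, and only the 7-day validity comes from the description.

```python
import base64
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-demo-secret"  # constructed value for the demo
TOKEN2_TTL = 7 * 24 * 3600                   # 7 days, adjustable per the description
TOKEN2_SCOPE = "security-scan"               # hypothetical narrow scope name
DAY = 24 * 3600
# Constructed limits: (requests per day, minimum seconds between requests).
LIMITS = {"anonymous": (3, 10), "token2": (200, 1)}


def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload):
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()


def issue_token2(first_token, sessions, now):
    """Exchange a valid login token for a short-lived, scan-only token2."""
    user = sessions.get(first_token)
    if user is None:
        return None  # the reported login identity state failed authentication
    claims = {"sub": user, "scope": TOKEN2_SCOPE, "exp": now + TOKEN2_TTL}
    payload = json.dumps(claims, sort_keys=True).encode()
    return b64e(payload) + "." + b64e(sign(payload))


def verify_token2(token, now):
    """Return the claims if token2 is authentic, in scope and unexpired."""
    try:
        payload_part, sig_part = token.split(".")
        payload, sig = b64d(payload_part), b64d(sig_part)
    except ValueError:  # wrong shape or invalid base64
        return None
    if not hmac.compare_digest(sig, sign(payload)):
        return None
    claims = json.loads(payload)
    if claims.get("scope") != TOKEN2_SCOPE or claims.get("exp", 0) <= now:
        return None
    return claims


class Gatekeeper:
    """Applies the stricter limits to empty-KEY requests, looser ones to token2."""

    def __init__(self):
        self.usage = {}  # (identity, day number) -> (count, last request time)

    def allow(self, client_ip, key, now):
        if key == "":
            tier, identity = "anonymous", "ip:" + client_ip
        else:
            claims = verify_token2(key, now)
            if claims is None:
                return "reauthenticate"  # expired or forged: exchange again
            tier, identity = "token2", "user:" + claims["sub"]
        per_day, min_gap = LIMITS[tier]
        bucket = (identity, now // DAY)
        count, last = self.usage.get(bucket, (0, None))
        if count >= per_day or (last is not None and now - last < min_gap):
            return "throttled"
        self.usage[bucket] = (count + 1, now)
        return "ok"


if __name__ == "__main__":
    sessions = {"constructed-first-token": "alice"}  # constructed login session
    t0 = 1_700_000_000
    token2 = issue_token2("constructed-first-token", sessions, t0)
    gate = Gatekeeper()
    print(gate.allow("203.0.113.7", "", t0))               # empty KEY, first call
    print(gate.allow("203.0.113.7", "", t0 + 1))           # too soon
    print(gate.allow("203.0.113.7", token2, t0 + 2))       # logged-in tier
    print(gate.allow("203.0.113.7", token2, t0 + 8 * DAY)) # after expiry
```

Because token2 carries only the scan scope and expires on its own, a leaked token2 exposes the detection interface for a bounded time rather than the user's login session.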
Referring to fig. 3, fig. 3 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present application.
As shown in fig. 3, the terminal device security detection device may include: a processor 1001, such as a CPU, a memory 1005, and a communication bus 1002. The communication bus 1002 is used for realizing connection communication between the processor 1001 and the memory 1005. The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a memory device separate from the processor 1001 described above.
Optionally, the terminal device security detection device may further include a rectangular user interface, a network interface, a camera, an RF (Radio Frequency) circuit, a sensor, an audio circuit, a WiFi module, and the like. The rectangular user interface may comprise a Display screen (Display), an input sub-module such as a Keyboard (Keyboard), and the optional rectangular user interface may also comprise a standard wired interface, a wireless interface. The network interface may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface).
Those skilled in the art will appreciate that the terminal device security detection device configuration shown in fig. 3 does not constitute a limitation of the terminal device security detection device and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 3, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, and a terminal device security detection program. The operating system is a program for managing and controlling hardware and software resources of the terminal device security detection device, and supports the operation of the terminal device security detection program and other software and/or programs. The network communication module is used for realizing communication among the components in the memory 1005 and with other hardware and software in the terminal device security detection system.
In the terminal device security detection device shown in fig. 3, the processor 1001 is configured to execute a terminal device security detection program stored in the memory 1005, and implement the steps of the terminal device security detection method described in any one of the above.
The specific implementation of the terminal device security detection device of the present application is substantially the same as the embodiments of the terminal device security detection method described above, and is not described herein again.
The application also provides a terminal device security detection apparatus, which comprises:
the scanning module is used for scanning an installation package file of a terminal equipment environment corresponding to a client when the client of the terminal equipment is detected to be started so as to determine key features to be detected based on the installation package file;
the safety detection module is used for carrying out safety detection on the key features to be detected to obtain a detection result;
and the prompting module is used for prompting that the client has a safety risk if the detection result is a risk detection result.
Optionally, the scanning module comprises:
the system comprises a first detection unit, a second detection unit and a third detection unit, wherein the first detection unit is used for scanning an installation package file of a terminal equipment environment corresponding to a client when the client of the terminal equipment is detected to be started, and determining a component structure of the installation package file;
the first determining unit is used for determining key characteristics of each component structure of the installation package file by presetting specified setting information;
and the second determining unit is used for determining the key features to be detected based on the key features of each component structure.
Optionally, the security detection module includes:
and the second detection unit is used for locally performing first safety detection on the key features to be detected at the client and/or performing second safety detection on the key features to be detected at the server corresponding to the client to obtain a detection result.
Optionally, the second detection unit includes:
the first detection subunit is used for carrying out first sub-safety detection on the key features to be detected locally at the client through a local safety detection module to obtain a detection result;
and/or locally at the client, performing second safety sub-detection on the key features to be detected through a first malicious recorded information base which is pulled from the server and then stored locally, and obtaining a detection result.
Optionally, the second detection unit includes:
the second detection subunit is used for uploading the installation package file to a server side, so that the server side searches a feature record matched with the key feature to be detected based on a preset second malicious record information base, and obtains a static detection result after the feature record is matched with the key feature to be detected based on the feature record;
and the first acquisition subunit is used for obtaining a detection result based on the static detection result.
Optionally, the second detecting unit further includes:
the third detection subunit is configured to, if the static detection result is a result that no malicious record exists, perform dynamic detection on the key feature to be detected by simulating operation of the installation package file at the server side to obtain a dynamic detection result;
and the second obtaining subunit is used for obtaining a detection result based on the static detection result and the dynamic detection result.
Optionally, the terminal device security detection apparatus further includes:
the first determining module is used for reporting the login identity state information and sending the login identity state information to the server side, so that the server side can determine whether the interactive authentication information is converted correspondingly or not according to the reported login identity state information and feed back the interactive authentication information to the user;
and the receiving module is used for uploading the installation package file to the server side so that the server side can search the feature record matched with the key feature to be detected based on a preset second malicious record information base if the interactive authentication information fed back by the server side is received.
Optionally, the second detecting unit further includes:
the determining subunit is configured to perform, locally at the client, first security detection on the key feature to be detected to determine whether a suspicious feature exists;
and the second safety detection subunit is used for performing second safety detection on the suspicious features at the corresponding server side of the client side if the suspicious features exist, so as to obtain a detection result.
Optionally, the prompting module includes:
a third determining unit, configured to determine, if the detection result is a risk detection result, a level of the risk detection result according to the number of times that the key feature to be detected hits the feature record and/or the malicious record;
a fourth determining unit, configured to determine a target prompt level based on the level of the risk detection result;
and the prompting unit is used for prompting that the client has a safety risk based on a prompting mode corresponding to the target prompting level.
Optionally, the key features to be detected include at least one of a package name feature, a version number feature, a digital signature feature, a component receiving association feature, a component sending association feature, a component activity association feature, an instruction feature of an executable file, a character string feature of the executable file, and an MD5 value feature of each file in an installation package directory.
The specific implementation of the terminal device security detection apparatus of the present application is substantially the same as that of each embodiment of the terminal device security detection method, and is not described herein again.
The embodiment of the present application provides a storage medium, and the storage medium stores one or more programs, and the one or more programs are further executable by one or more processors for implementing the steps of the terminal device security detection method described in any one of the above.
The specific implementation of the storage medium of the present application is substantially the same as the embodiments of the security detection method for the terminal device, and is not described herein again.
The present application also provides a computer program product, comprising a computer program, which when executed by a processor implements the steps of the above-mentioned terminal device security detection method.
The specific implementation of the computer program product of the present application is substantially the same as that of each embodiment of the terminal device security detection method, and is not described herein again.
The above description is only a preferred embodiment of the present application, and not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the specification and the drawings, or which are directly or indirectly applied to other related technical fields, are included in the scope of the present application.

Claims (14)

1. A terminal device security detection method, characterized by comprising the following steps:
when it is detected that a client of the terminal device is started, scanning an installation package file of the terminal device environment corresponding to the client, so as to determine key features to be detected based on the installation package file;
performing security detection on the key features to be detected to obtain a detection result;
and if the detection result is a risk detection result, prompting that the client has a security risk.
2. The method for detecting the security of the terminal device according to claim 1, wherein the step of scanning an installation package file of a terminal device environment corresponding to a client when the client of the terminal device is detected to be started so as to determine the key features to be detected based on the installation package file comprises:
when detecting that a client of a terminal device is started, scanning an installation package file of a corresponding terminal device environment of the client, and determining a component structure of the installation package file;
determining key characteristics of each component structure of the installation package file by presetting specified setting information;
and determining the key features to be detected based on the key features of each component structure.
3. The method for detecting the security of the terminal device according to claim 1, wherein the step of performing the security detection on the key feature to be detected to obtain the detection result comprises:
performing first security detection on the key features to be detected locally at the client, and/or performing second security detection on the key features to be detected at the server corresponding to the client, to obtain a detection result.
4. The method for detecting the security of the terminal device according to claim 3, wherein the step of performing the first security detection on the key feature to be detected locally at the client to obtain the detection result comprises:
locally at the client, performing first security sub-detection on the key features to be detected through a local security detection module to obtain a detection result;
and/or locally at the client, performing second security sub-detection on the key features to be detected through a first malicious record information base that is pulled from the server and then stored locally, to obtain a detection result.
5. The method for detecting the security of the terminal device according to claim 3, wherein the step of performing the second security detection on the key feature to be detected at the server corresponding to the client to obtain the detection result comprises:
uploading the installation package file to a server side, so that the server side searches a feature record matched with the key feature to be detected based on a preset second malicious record information base, and obtains a static detection result based on the feature record matched with the key feature to be detected;
and obtaining a detection result based on the static detection result.
6. The method for detecting the security of the terminal device according to claim 5, wherein the step of uploading the installation package file to a server side, so that the server side searches a feature record matched with the key feature to be detected based on a preset second malicious record information base, and obtains a static detection result based on the step of matching the feature record with the key feature to be detected, comprises:
if the static detection result is a result without malicious records, dynamically detecting the key features to be detected by simulating the operation of the installation package file at the server side to obtain a dynamic detection result;
and obtaining a detection result based on the static detection result and the dynamic detection result.
7. The method for detecting the security of the terminal device according to claim 5, wherein before the step of uploading the installation package file to the server side for the server side to search the feature record matched with the key feature to be detected based on a preset second malicious record information base, the method comprises:
reporting the login identity state information and sending the login identity state information to a server side, so that the server side determines whether the interactive authentication information is converted correspondingly or not according to the reported login identity state information and feeds the interactive authentication information back to the user;
and if receiving the interactive authentication information fed back by the server, uploading the installation package file to the server so that the server searches the feature record matched with the key feature to be detected based on a preset second malicious record information base.
8. The terminal device security detection method of claim 3, wherein the step of performing first security detection on the key features to be detected locally at the client and performing second security detection on the key features to be detected at the server corresponding to the client to obtain a detection result comprises:
performing first security detection on the key features to be detected locally at the client to determine whether suspicious features exist;
and if suspicious features exist, performing second security detection on the suspicious features at the server corresponding to the client to obtain a detection result.
9. The method for detecting the security of the terminal device according to any one of claims 1 to 8, wherein the step of prompting that the client has a security risk if the detection result is a risk detection result comprises:
if the detection result is a risk detection result, determining the level of the risk detection result according to the number of times the key features to be detected hit the feature record and/or the malicious record;
determining a target prompt level based on the level of the risk detection result;
and prompting that the client has a security risk in a prompting mode corresponding to the target prompt level.
10. The terminal device security detection method according to any one of claims 1 to 8,
the key features to be detected comprise at least one of a package name feature, a version number feature, a digital signature feature, a component receiving association feature, a component sending association feature, a component activity association feature, an executable file instruction feature, an executable file character string feature and an MD5 value feature of each file under an installation package directory.
11. A terminal device security detection apparatus, characterized by comprising:
a scanning module, configured to scan an installation package file of the terminal device environment corresponding to a client when it is detected that the client of the terminal device is started, so as to determine key features to be detected based on the installation package file;
a security detection module, configured to perform security detection on the key features to be detected to obtain a detection result;
and a prompting module, configured to prompt that the client has a security risk if the detection result is a risk detection result.
12. A terminal device security detection device, characterized in that the terminal device security detection device comprises: a memory, a processor, and a program stored on the memory for implementing the terminal device security detection method,
wherein the memory is used for storing the program for implementing the terminal device security detection method;
and the processor is configured to execute the program for implementing the terminal device security detection method, so as to implement the steps of the terminal device security detection method according to any one of claims 1 to 10.
13. A storage medium having stored thereon a program for implementing a method for security detection of a terminal device, the program being executed by a processor to implement the steps of the method for security detection of a terminal device according to any one of claims 1 to 10.
14. A computer program product comprising a computer program, characterized in that the computer program realizes the method of any of claims 1 to 10 when executed by a processor.
CN202011572678.9A 2020-12-25 2020-12-25 Terminal equipment safety detection method, associated equipment and computer program product Active CN112528286B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011572678.9A CN112528286B (en) 2020-12-25 2020-12-25 Terminal equipment safety detection method, associated equipment and computer program product


Publications (2)

Publication Number Publication Date
CN112528286A true CN112528286A (en) 2021-03-19
CN112528286B CN112528286B (en) 2024-05-10

Family

ID=74976747

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011572678.9A Active CN112528286B (en) 2020-12-25 2020-12-25 Terminal equipment safety detection method, associated equipment and computer program product

Country Status (1)

Country Link
CN (1) CN112528286B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113778877A (en) * 2021-09-10 2021-12-10 中金金融认证中心有限公司 Method for detecting application program installation package and related product

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103400076A (en) * 2013-07-30 2013-11-20 腾讯科技(深圳)有限公司 Method, device and system for detecting malicious software on mobile terminal
CN103793650A (en) * 2013-12-02 2014-05-14 北京邮电大学 Static analysis method and static analysis device for Android application program
CN104484598A (en) * 2014-12-31 2015-04-01 北京奇虎科技有限公司 Method and device for protecting safety of intelligent terminal
CN104573492A (en) * 2014-12-19 2015-04-29 阳珍秀 Method and device for safely downloading and installing application software
CN105577662A (en) * 2015-12-22 2016-05-11 深圳前海微众银行股份有限公司 Terminal environmental security control method and server
KR101642222B1 (en) * 2015-03-21 2016-07-22 홍동철 Method of Spy Application and System Scan Based on Android Operating System



Also Published As

Publication number Publication date
CN112528286B (en) 2024-05-10


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant