CN113918944A - An Android counterfeit application detection method based on interface layout - Google Patents

An Android counterfeit application detection method based on interface layout Download PDF

Info

Publication number
CN113918944A
CN113918944A CN202111158960.7A CN202111158960A CN113918944A CN 113918944 A CN113918944 A CN 113918944A CN 202111158960 A CN202111158960 A CN 202111158960A CN 113918944 A CN113918944 A CN 113918944A
Authority
CN
China
Prior art keywords
activity
interface
feature
android
layer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111158960.7A
Other languages
Chinese (zh)
Other versions
CN113918944B (en
Inventor
付雄
聂晓晗
邓松
王俊昌
程春玲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing University of Posts and Telecommunications filed Critical Nanjing University of Posts and Telecommunications
Priority to CN202111158960.7A priority Critical patent/CN113918944B/en
Publication of CN113918944A publication Critical patent/CN113918944A/en
Application granted granted Critical
Publication of CN113918944B publication Critical patent/CN113918944B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to an Android counterfeit application detection method based on interface layout, which is characterized in that interface structure characteristic vectors of the interface layout and type characteristic vectors corresponding to preset characteristics of various types are extracted based on various Activity running interfaces in a genuine Android application and an Android application to be detected; screening out each Activity group to be analyzed according to the interface structure feature vector and the screenshot of the interface, and calculating the corresponding similarity of each Activity group to be analyzed through the type feature vector corresponding to each preset type feature; finally, judging whether the Android application to be detected is counterfeit application or not based on the similarity between the genuine Android application and the Android application to be detected; compared with the existing mainstream counterfeit APP detection algorithm, the method has the main advantages that the method is strong in confusion resistance, high in execution efficiency and capable of effectively detecting different types of application counterfeit, not only can the traditional application counterfeit behaviors be detected, but also more complex and more targeted application interface counterfeit can be effectively detected.

Description

Android counterfeit application detection method based on interface layout
Technical Field
The invention relates to an Android counterfeit application detection method based on interface layout, and belongs to the technical field of mobile terminal safety and counterfeit identification.
Background
With the recent rise of the mobile market, the Android system is also developing as a mainstream mobile terminal operating system. Data analysis organization StatCounter data shows that the Android market share is steadily increasing year by year from the date of release, and as far as 2020, the Android system already occupies 74.3% of the global mobile terminal market share. Meanwhile, the number of Android applications is also in line with the explosive growth of the Android market, and nearly one million application programs available for downloading are newly put on the shelf in 2017 by the Google Play which is an Android official application store. Although the number of applications on Google Play has fallen back in 2018 for various reasons, there are nearly three million applications available in the application market and the Android application market is still full of vitality.
With the rapid development of the Android mobile application industry, mobile black and gray products (namely, the mobile end black industry and the gray industry, the same below) are also gradually activated. Black gray is an industry that makes profit by means of infringing on the interests of users, original application authors or other third parties, or by other suspicious means. On the one hand, as the threshold for developing mobile applications has decreased, the cost of developing a mobile application has generally been lower than the cost required to develop a similar desktop-level application; on the other hand, the mobile application function is flexible in implementation, the complexity of the mobile application is increased, and various new challenges are faced for the analysis and interception of black and gray products. The two aspects are combined to provide a good foundation for the development of the black and gray application in the mobile terminal.
Counterfeit applications are a widely existing class of mobile gray black products. The counterfeit application means that the counterfeiter applies the same application original data or application metadata as the original application to induce the user to download, for example, similar logo, similar name, similar UI interface and content, thereby achieving the emulational audio-visual emulational software. Most counterfeit application developers seek benefits by counterfeiting relatively popular applications with large downloads in application stores. Once a user downloads such a mock application, its built-in malicious behavior may manifest itself, such as: spreading illegal violation information such as violence terror, obscene pornography and the like; stealing user privacy information, unauthorized use of payment service, malicious advertisement pushing and the like directly damages the substantial benefits of users and threatens the safety of user privacy information.
Most of the existing application counterfeit fraud detection researches concern the problem of application repackaging, and fraud detection is realized by extracting and comparing application static characteristics. Some student studies have enabled detection of counterfeit fraud based on similarity of interface content. However, in recent years, as fraud detection countermeasures have been upgraded, some experienced malicious developers have deliberately modified interface content and functional code to circumvent detection. Particularly, there are the following questions: the counterfeit application needs to keep the similarity of the interface and the original application to deceive the user, and on the premise of little influence on the program dynamic display interface, the content characteristics of the interface are very easy to be modified by a malicious developer, and the structural characteristics of the interface are relatively kept stable.
Therefore, with the formation and improvement of the mobile application ecosystem, the traditional fraud behaviors are migrated to the mobile internet, and a novel fraud means is adopted, so that the infinite novel fraud behaviors not only cause huge damage to the ecosystem, but also bring a serious challenge to the application market and the supervision department. Fraud detection countermeasures are continuously upgraded, experienced malicious developers evade existing detection methods by upgrading fraud technologies, and existing technologies and means cannot effectively detect novel fraud behaviors with higher pertinence.
Disclosure of Invention
The technical problem to be solved by the invention is to provide an Android counterfeit application detection method based on interface layout, and the accuracy and efficiency of counterfeit application detection can be effectively improved by adopting a brand-new detection comparison design.
The invention adopts the following technical scheme for solving the technical problems: the invention designs an Android counterfeit application detection method based on interface layout, which is used for detecting an Android application to be detected corresponding to the original Android application based on the original Android application, and comprises the following steps:
step A, acquiring screenshots of all Activity running interfaces in the Android application and layout information of all Activity running interfaces aiming at a legal Android application and an Android application to be tested respectively, and then entering step B;
step B, respectively aiming at each Activity operation interface in the legal Android application and the Android application to be tested, obtaining an interface structure feature vector corresponding to the Activity operation interface and a type feature vector of each type of preset feature corresponding to the Activity operation interface according to the layout information of the Activity operation interface, and then entering the step C;
step C, establishing pairwise combinations of each Activity running interface in the legal Android application and each Activity running interface in the to-be-analyzed Android application as each Activity group, screening each Activity group according to an interface structure feature vector corresponding to each Activity running interface and a screenshot of each Activity running interface, taking each obtained Activity group as each Activity group to be analyzed, and then entering step D;
step D, according to type feature vectors of each type of feature respectively corresponding to each Activity running interface in the legal Android application and the Android application to be analyzed, respectively aiming at each Activity group to be analyzed, obtaining feature similarity of each preset type of feature respectively corresponding to each Activity group to be analyzed, further obtaining feature similarity of each preset type of feature respectively corresponding to each Activity group to be analyzed, and then entering step E;
step E, respectively aiming at each Activity group to be analyzed, regarding each judgment condition that the feature similarity of each preset type of feature of the Activity group to be analyzed is not smaller than the similarity threshold of each corresponding type of feature, if at least one judgment condition is satisfied, defining the similarity corresponding to the Activity group to be analyzed as 1; if all the judgment conditions are not satisfied, defining the similarity corresponding to the Activity group to be analyzed as 0; then obtaining the similarity corresponding to each Activity group to be analyzed, and then entering step F;
step F, obtaining the sum G of the similarity corresponding to each Activity group to be analyzed, and then according to the following formula:
Figure BDA0003289364540000031
obtaining the similarity SIMAPP between the legal Android application and the Android application to be tested, and judging whether the similarity SIMAPP is greater than a preset application similarity threshold value or not, if so, judging the Android application to be tested as a counterfeit application, otherwise, judging the Android application to be tested as a non-counterfeit application; u, V respectively represents the number of Activity running interfaces in the genuine Android application and the number of Activity running interfaces in the to-be-tested Android application.
As a preferred technical scheme of the invention: in the step A, the following steps A1 to A3 are executed respectively for the genuine Android application and the Android application to be tested, screenshot of each Activity running interface in the Android application and layout information of each Activity running interface are obtained, and then the step B is started;
a1, carrying out decompression decompiling by using ApkTool aiming at an APK (Android Package) of the Android application to obtain a compiling result corresponding to the Android application, and entering the step A2;
a2, filtering out the third-party library activities registered in android manifest.xml in the compiling result, adding an intent-filter node, an action sub-node and a category sub-node for each remaining Activity in the compiling result, packaging the compiling result to form an APK to be processed, and entering the step A3;
and step A3, installing the APK to be processed based on the android simulator, starting each Activity in the APK to be processed by the Apdium, calling a getScreenshop () function provided by the Apium to obtain screenshots of each Activity running interface on the android simulator, and calling a getPageSource () function provided by the Apium to obtain layout information of each Activity running interface on the android simulator.
As a preferred technical scheme of the invention: in the step B, the following steps B1 to B4 are executed respectively for each Activity running interface in the legal Android application and the Android application to be tested, interface structure characteristic vectors corresponding to the Activity running interfaces and preset characteristic vectors of various types are obtained, and then the step C is carried out;
b1, traversing each control in the layout information in sequence according to the layout information of the Activity operation interface, constructing each layer and each control contained in each layer by extracting the upper and lower boundaries of a vertical coordinate from the bounds attributes of the controls, further forming a layer set corresponding to the Activity operation interface by combining the layers, and then entering the step B2;
step B2, aiming at the layer set corresponding to the Activity operation interface, obtaining each independent layer in a mode of combining adjacent layers containing the same control type and the same control number to form the independent layer, setting the attribute of the overlapped layer of each independent layer as true, directly taking the rest layers as each independent layer, setting the attribute of the overlapped layer of each independent layer as false, further forming the independent layer set corresponding to the Activity operation interface by combining the independent layers, and then entering the step B3;
step B3, combining the number of the layer concentration layers corresponding to the Activity operation interface, the number of the independent layers corresponding to the independent layer concentration layers and the number of the independent layers with the attribute of the overlapped layer of the independent layer concentration being true to form an interface structure characteristic vector corresponding to the Activity operation interface, and then entering the step B4;
step B4. traverses each independent layer in the independent layer set corresponding to the Activity running interface to obtain type feature vectors of each preset type feature corresponding to the Activity running interface.
As a preferred technical scheme of the invention: the step B1 comprises the following steps B1-1 to B1-4;
step B1-1. initialize l ═ 1, k ═ 1, and proceed to step B1-2;
b1-2, traversing the first control in the layout information according to the layout information of the Activity operation interface, extracting the upper and lower bounds of the vertical coordinate from the bounds attributes of the controls as the upper and lower bounds corresponding to the first control, and entering the step B1-3;
step B1-3, if l is 1, taking the upper and lower boundaries corresponding to the l-th control as the upper and lower boundaries of the kth layer, adding the l-th control into the kth layer, and then entering step B1-4;
if l is greater than 1, judging whether the upper and lower boundaries corresponding to the l control are included in the upper and lower boundaries of the kth layer, if so, adding the l control into the kth layer, and performing the step B1-4; otherwise, taking the upper and lower boundaries corresponding to the l-th control as the upper and lower boundaries of the (k + 1) th layer, adding the l-th control into the (k + 1) th layer, then updating by adding 1 according to the value of k, and then entering the step B1-4;
step B1-4, judging whether L is equal to the number L of the controls in the layout information of the Activity operation interface, if so, forming a layer set corresponding to the Activity operation interface by each layer and each control contained in each layer; otherwise, updating by adding 1 for the value of l, and returning to the step B1-2.
As a preferred technical scheme of the invention: the step C comprises the following steps C1 to C3;
c1, constructing pairwise combinations of each Activity running interface in the legal Android application and each Activity running interface in the to-be-tested Android application to serve as each Activity group, and entering the step C2;
step C2., obtaining, for each Activity group, an absolute value a of a difference between the numbers of the layers in the Activity group corresponding to the two Activity running interfaces, respectively, and an absolute value b of a difference between the numbers of the independent layers in the independent layer set corresponding to the two Activity running interfaces, respectively, with the attribute true, then judging whether a is greater than a preset first threshold or b is greater than a preset second threshold, if so, deleting the Activity group, otherwise, defining the Activity group as a primary Activity group; then proceed to step C3;
step C3. is to apply LMgist algorithm to obtain the space envelope feature vectors of the screenshots of the two Activity running interfaces of the initially selected Activity group, and to calculate the cosine similarity distance between the two space envelope feature vectors, and to judge whether the cosine similarity distance is larger than the preset third threshold, if yes, the initially selected Activity group is defined as the Activity group to be analyzed, otherwise, the initially selected Activity group is deleted.
As a preferred technical scheme of the invention: in the step D, according to type feature vectors of each type of feature, which are respectively preset correspondingly to each Activity running interface in the legal Android application and the Android application to be analyzed, the following operation is executed respectively for each Activity group to be analyzed, feature similarities of each preset type of feature, which correspond to each Activity group to be analyzed, are obtained, and then the step E is carried out;
the operation is as follows: aiming at each preset type feature, respectively, according to type feature vectors f of the type features respectively corresponding to two Activity operation interfaces in the Activity group to be analyzedA、fBAccording to the following formula:
Figure BDA0003289364540000051
obtaining the feature similarity SIM (f) of the Activity group to be analyzed corresponding to the type featureA,fB) Wherein I represents a type feature vector f of one Activity operation interface corresponding to the type feature in the Activity group to be analyzedAJ represents a type feature vector f of another Activity operation interface corresponding to the type feature in the Activity group to be analyzedBNumber of characteristic elements in (C)A,iA type feature vector f representing that one of the Activity running interfaces in the Activity group to be analyzed corresponds to the type featureAThe ith characteristic element of (1), CB,jA type feature vector f representing that another Activity operation interface in the Activity group to be analyzed corresponds to the type featureBThe jth feature element in (1), and SIM (C)A,i,CB,j) Obtained as follows:
Figure BDA0003289364540000052
and further obtaining the feature similarity of the Activity group to be analyzed corresponding to each preset type of feature.
As a preferred technical scheme of the invention: in step B4, traversing each independent layer in the independent layer set corresponding to the Activity running interface, storing the text or content-desc text of each control contained in the independent layer in the text characteristic set corresponding to the independent layer, further obtaining text characteristic sets corresponding to each independent layer, and combining the text characteristic sets to form the text characteristic vector corresponding to the Activity running interface.
As a preferred technical scheme of the invention: in step B4, traversing each independent layer in the independent layer set corresponding to the Activity running interface, storing the text of the class attribute of each control contained in the independent layer in the control type characteristic set corresponding to the independent layer, further obtaining the control type characteristic sets corresponding to each independent layer, and combining the control type characteristic sets to form the control type characteristic vector corresponding to the Activity running interface.
As a preferred technical scheme of the invention: in step B4, traversing each independent layer in the independent layer set corresponding to the Activity running interface, storing the text of resource-ID attribute of each control contained in the independent layer in the control ID characteristic set corresponding to the independent layer, further obtaining control ID characteristic sets corresponding to each independent layer, and combining the control ID characteristic sets to form the control ID characteristic vector corresponding to the Activity running interface.
Compared with the prior art, the Android counterfeit application detection method based on the interface layout has the following technical effects:
the invention designs an Android counterfeit application detection method based on interface layout, which comprises the steps of firstly obtaining screenshots of all Activity running interfaces in a legal Android application and an Android application to be detected and layout information of all Activity running interfaces; then preprocessing the layout information of each Activity operation interface, and extracting an interface structure feature vector, a text feature vector, a control type feature vector and a control ID feature vector of the interface layout; screening out each Activity group to be analyzed similar between the legal application and the application to be analyzed through the interface structure feature vector and the screenshot of the interface, and calculating the similarity corresponding to each Activity group to be analyzed through the text feature vector, the control type feature vector and the control ID feature vector; finally, calculating the similarity SIMAPP between the genuine Android application and the Android application to be detected based on the similarity between the Activity operation interfaces, and judging whether the Android application to be detected is a counterfeit application or not according to the calculation result; compared with the existing mainstream counterfeit APP detection algorithm, the method has the main advantages that the method is strong in confusion resistance, high in execution efficiency and capable of effectively detecting different types of application counterfeit, not only can the traditional application counterfeit behaviors be detected, but also more complex and more targeted application interface counterfeit can be effectively detected.
Drawings
FIG. 1 is a schematic flow chart of the Android counterfeit application detection method based on the interface layout.
Detailed Description
The following description will explain embodiments of the present invention in further detail with reference to the accompanying drawings.
The invention designs an Android counterfeit application detection method based on interface layout, which is used for detecting an Android application to be detected corresponding to the original Android application based on the original Android application, and specifically executes the following steps A to A in practical application as shown in figure 1.
And step A, acquiring screenshots of all Activity running interfaces in the Android application and layout information of all Activity running interfaces aiming at the legal Android application and the Android application to be tested respectively, and then entering step B.
In practical application, in the step a, the following steps a1 to a step A3 are executed respectively for the genuine Android application and the to-be-tested Android application, so as to obtain screenshots of each Activity running interface in the Android application and layout information of each Activity running interface, and then the step B is performed.
And A1, carrying out decompression decompiling by using ApkTool aiming at the APK of the Android application to obtain a compiling result corresponding to the Android application, and entering the step A2.
And A2, filtering out the third-party library activities registered in the android manifest.xml in the compiling result, adding an intent-filter node, an action sub-node and a category sub-node for each remaining Activity in the compiling result, packaging the compiling result to form an APK to be processed, and entering the step A3.
And step A3, installing the APK to be processed based on the android simulator, starting each Activity in the APK to be processed by the Apdium, calling a getScreenshop () function provided by the Apium to obtain screenshots of each Activity running interface on the android simulator, and calling a getPageSource () function provided by the Apium to obtain layout information of each Activity running interface on the android simulator.
In application, the existing automatic testing tool is low in efficiency and not suitable for large-scale counterfeit fraud detection application scenes, and the average time for completely traversing all interfaces in one application is several hours. Since the Activity component needs to be declared in the android manifest. Therefore, after the Activity registered in android manifest xml is analyzed by decompiling the APK and the android. Therefore, analysis time such as interface entry point searching when the traditional automation tool traverses the application is saved. The complexity and time required for this approach is much less, a balance being achieved between UI coverage and automated test performance.
In specific implementation, because the Activity component of each application needs to have an "android. intent. launcher" tag, the original application program needs to be preprocessed, and the application program is decompiled by using a reverse tool Apktool to modify an android manifest. xml file in the application. And in consideration of the influence of the third-party library on the detection result, filtering out relevant Activity components according to a public white list of the third-party library. For each declared Activity, the intent-filter node and its action and category child nodes are added, then repackaged with Apktool and re-signed with Signapk to generate a new application that can run.
And B, respectively aiming at each Activity running interface in the legal Android application and the Android application to be tested, obtaining an interface structure feature vector corresponding to the Activity running interface and a type feature vector of each type of preset feature corresponding to the Activity running interface according to the layout information of the Activity running interface, and then entering the step C.
In practical application, in the step B, the following steps B1 to B4 are executed for each Activity running interface in the genuine Android application and the Android application to be tested, so as to obtain the interface structure feature vector corresponding to the Activity running interface and preset feature vectors of various types, and then the step C is performed.
And B1, traversing each control in the layout information in sequence according to the layout information of the Activity operation interface, constructing each layer and each control contained in each layer by extracting the upper and lower boundaries of a vertical coordinate from the bounds attributes of the controls, forming a layer set corresponding to the Activity operation interface by combining the layers, and entering the step B2.
The step B1 includes the following steps B1-1 to B1-4.
Step B1-1. initialize l ═ 1, k ═ 1, and proceed to step B1-2.
And B1-2, traversing the ith control in the layout information according to the layout information of the Activity operation interface, extracting the upper and lower bounds of the vertical coordinate from the bounds attributes of the controls as the upper and lower bounds corresponding to the ith control, and entering the step B1-3.
And step B1-3, if l is 1, taking the upper and lower boundaries corresponding to the l-th control as the upper and lower boundaries of the k-th layer, adding the l-th control into the k-th layer, and then entering the step B1-4.
If l is greater than 1, judging whether the upper and lower boundaries corresponding to the l control are included in the upper and lower boundaries of the kth layer, if so, adding the l control into the kth layer, and performing the step B1-4; otherwise, taking the upper and lower bounds corresponding to the l-th control as the upper and lower bounds of the (k + 1) -th layer, adding the l-th control into the (k + 1) -th layer, then updating by adding 1 according to the value of k, and then entering the step B1-4.
Step B1-4, judging whether L is equal to the number L of the controls in the layout information of the Activity operation interface, if so, forming a layer set corresponding to the Activity operation interface by each layer and each control contained in each layer; otherwise, updating by adding 1 for the value of l, and returning to the step B1-2.
And B2, aiming at the layer set corresponding to the Activity operation interface, acquiring each independent layer in a mode of combining adjacent layers containing the same control type and the same control number to form the independent layer, setting the attribute of the overlapped layer of each independent layer as true, directly taking the rest layers as each independent layer, setting the attribute of the overlapped layer of each independent layer as false, further forming the independent layer set corresponding to the Activity operation interface by combining the independent layers, and then entering the step B3.
And B3, combining the number of the layer concentration layers corresponding to the Activity operation interface, the number of the independent layers corresponding to the independent layer concentration layers and the number of the independent layers with the attribute of the overlapped layer of the independent layer concentration being true to form an interface structure characteristic vector corresponding to the Activity operation interface, and then entering the step B4.
Step B4. traverses each independent layer in the independent layer set corresponding to the Activity running interface to obtain type feature vectors of each preset type feature corresponding to the Activity running interface.
Pairwise comparisons of Activity runtime interfaces are very time consuming, since most applications contain no less than 10 activities, and the number of levels in an Activity is no less than 5, which results in feature comparisons of Activity runtime interfaces between applications more than 2500 times. In addition, the visual effects of the Activity running interfaces of many applications are extremely different, and the comparison of the Activity running interfaces is meaningless. Through observation, two Activity operation interfaces with larger visual effect difference mainly present two aspects on the hierarchical structure characteristics: (1) the number of layers differs greatly; (2) the number of overlapping layers differs greatly. Therefore, by using the method based on the hierarchical structure feature priority comparison, if the hierarchical structure features of the two Activity operation interfaces are greatly different, the two Activity operation interfaces are determined to be dissimilar, and the following step C is continuously executed without further comparison of other features.
And C, constructing pairwise combinations of each Activity running interface in the legal Android application and each Activity running interface in the to-be-analyzed Android application to serve as each Activity group, screening each Activity group according to the interface structure feature vector corresponding to each Activity running interface and the screenshot of each Activity running interface, taking each obtained Activity group as each Activity group to be analyzed, and entering the step D.
In practical applications, the step C is performed as the following steps C1 to C3.
And C1, constructing pairwise combinations of each Activity running interface in the legal Android application and each Activity running interface in the to-be-tested Android application to serve as each Activity group, and entering the step C2.
Step C2., obtaining, for each Activity group, an absolute value a of a difference between the numbers of the layers in the Activity group corresponding to the two Activity running interfaces, respectively, and an absolute value b of a difference between the numbers of the independent layers in the independent layer set corresponding to the two Activity running interfaces, respectively, with the attribute true, then judging whether a is greater than a preset first threshold or b is greater than a preset second threshold, if so, deleting the Activity group, otherwise, defining the Activity group as a primary Activity group; then proceed to step C3.
Step C3. is to apply LMgist algorithm to obtain the space envelope feature vectors of the screenshots of the two Activity running interfaces of the initially selected Activity group, and to calculate the cosine similarity distance between the two space envelope feature vectors, and to judge whether the cosine similarity distance is larger than the preset third threshold, if yes, the initially selected Activity group is defined as the Activity group to be analyzed, otherwise, the initially selected Activity group is deleted.
And D, respectively presetting type feature vectors of various types of features according to the Activity running interfaces in the legal Android application and the to-be-analyzed Android application, respectively aiming at each Activity group to be analyzed, obtaining feature similarity of the to-be-analyzed Activity group corresponding to the preset various types of features respectively, further obtaining the feature similarity of each to-be-analyzed Activity group corresponding to the preset various types of features respectively, and then entering the step E.
In practical application, in the step D, according to type feature vectors of each type of feature, which are respectively preset in correspondence to each Activity running interface in the genuine Android application and the to-be-analyzed Android application, the following operation is executed for each Activity group to be analyzed, so as to obtain feature similarities of each preset type of feature corresponding to each Activity group to be analyzed, further obtain feature similarities of each preset type of feature corresponding to each Activity group to be analyzed, and then the step E is performed.
The operation is as follows: aiming at each preset type feature, respectively, according to type feature vectors f of the type features respectively corresponding to two Activity operation interfaces in the Activity group to be analyzedA、fBAccording to the following formula:
Figure BDA0003289364540000091
obtaining the feature similarity SIM (f) of the Activity group to be analyzed corresponding to the type featureA,fB) Wherein I represents a type feature vector f of one Activity operation interface corresponding to the type feature in the Activity group to be analyzedAJ represents a type feature vector f of another Activity operation interface corresponding to the type feature in the Activity group to be analyzedBNumber of characteristic elements in (C)A,iA type feature vector f representing that one of the Activity running interfaces in the Activity group to be analyzed corresponds to the type featureAThe ith characteristic element of (1), CB,jA type feature vector f representing that another Activity operation interface in the Activity group to be analyzed corresponds to the type featureBThe jth characteristic element of (1), and
Figure BDA0003289364540000101
obtained as follows:
Figure BDA0003289364540000102
and further obtaining the feature similarity of the Activity group to be analyzed corresponding to each preset type of feature.
Specifically, in the step D, it is preset that each type of feature vector includes a text feature vector, a control type feature vector, and a control ID feature vector, where for the text feature vector, in the step B4, traversing each independent layer in the independent layer set corresponding to the Activity running interface, storing texts of text or content-desc of each control included in the independent layer in the text feature set corresponding to the independent layer, further obtaining text feature sets respectively corresponding to each independent layer, and combining the text feature sets to form the text feature vector corresponding to the Activity running interface.
For the control type feature vector, in the step B4, traversing each independent layer in the independent layer set corresponding to the Activity running interface, storing the text of the class attribute of each control included in the independent layer in the control type feature set corresponding to the independent layer, further obtaining the control type feature sets corresponding to each independent layer, and combining the control type feature sets to form the control type feature vector corresponding to the Activity running interface.
For the control ID feature vector, in the step B4, traversing each independent layer in the independent layer set corresponding to the Activity running interface, storing the text of resource-ID attribute of each control included in the independent layer in the control ID feature set corresponding to the independent layer, further obtaining the control ID feature sets corresponding to each independent layer, and combining the control ID feature sets to form the control ID feature vector corresponding to the Activity running interface.
Step E, respectively aiming at each Activity group to be analyzed, regarding each judgment condition that the feature similarity of each preset type of feature of the Activity group to be analyzed is not smaller than the similarity threshold of each corresponding type of feature, if at least one judgment condition is satisfied, defining the similarity corresponding to the Activity group to be analyzed as 1; if all the judgment conditions are not satisfied, defining the similarity corresponding to the Activity group to be analyzed as 0; and then obtaining the similarity corresponding to each Activity group to be analyzed, and then entering the step F.
Step F, obtaining the sum G of the similarity corresponding to each Activity group to be analyzed, and then according to the following formula:
Figure BDA0003289364540000103
obtaining the similarity SIMAPP between the legal Android application and the Android application to be tested, and judging whether the similarity SIMAPP is greater than a preset application similarity threshold value or not, if so, judging the Android application to be tested as a counterfeit application, otherwise, judging the Android application to be tested as a non-counterfeit application; u, V respectively represents the number of Activity running interfaces in the genuine Android application and the number of Activity running interfaces in the to-be-tested Android application.
The Android counterfeit application detection method based on the interface layout is designed in the technical scheme, and includes the steps that firstly, screenshots of all Activity running interfaces in a legal Android application and an Android application to be detected and layout information of all Activity running interfaces are obtained; then preprocessing the layout information of each Activity operation interface, and extracting an interface structure feature vector, a text feature vector, a control type feature vector and a control ID feature vector of the interface layout; screening out each Activity group to be analyzed similar between the legal application and the application to be analyzed through the interface structure feature vector and the screenshot of the interface, and calculating the similarity corresponding to each Activity group to be analyzed through the text feature vector, the control type feature vector and the control ID feature vector; finally, calculating the similarity SIMAPP between the genuine Android application and the Android application to be detected based on the similarity between the Activity operation interfaces, and judging whether the Android application to be detected is a counterfeit application or not according to the calculation result; compared with the existing mainstream counterfeit APP detection algorithm, the method has the main advantages that the method is strong in confusion resistance, high in execution efficiency and capable of effectively detecting application counterfeit of different types, not only can the traditional application counterfeit behavior be detected in application, but also more complex and more targeted application interface counterfeit can be effectively detected.
The embodiments of the present invention will be described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.

Claims (9)

1.一种基于界面布局的Android仿冒应用检测方法,基于正版Android应用,针对与之对应的待测Android应用进行检测,其特征在于,包括如下步骤:1. an Android counterfeit application detection method based on interface layout, based on genuine Android application, is detected for the Android application to be tested corresponding to it, it is characterized in that, comprises the steps: 步骤A.分别针对正版Android应用与待测Android应用,获得Android应用中各个Activity运行界面的截图、以及各Activity运行界面的布局信息,然后进入步骤B;Step A. For the genuine Android application and the Android application to be tested, respectively, obtain screenshots of each Activity running interface in the Android application and the layout information of each Activity running interface, and then proceed to Step B; 步骤B.分别针对正版Android应用与待测Android应用中的各个Activity运行界面,根据Activity运行界面的布局信息,获得Activity运行界面所对应的界面结构特征向量、以及该Activity运行界面分别对应预设各类型特征的类型特征向量,然后进入步骤C;Step B. For each Activity running interface in the genuine Android application and the Android application to be tested, according to the layout information of the Activity running interface, obtain the interface structure feature vector corresponding to the Activity running interface, and the Activity running interface corresponds to each preset each. Type feature vector of type feature, and then enter step C; 步骤C.构建正版Android应用中各个Activity运行界面分别与待测Android应用中各个Activity运行界面之间的两两组合,作为各个Activity组,并根据各Activity运行界面所对应的界面结构特征向量、以及各Activity运行界面的截图,针对各Activity组进行筛选,所获各个Activity组作为各个待分析Activity组,然后进入步骤D;Step C. Build a pairwise combination between each Activity running interface in the genuine Android application and each Activity running interface in the Android application to be tested, as each Activity group, and according to the interface structure feature vector corresponding to each Activity running interface, and Screenshots of the running interface of each Activity are screened for each Activity group, and each Activity group obtained is used as each Activity group to be analyzed, and then goes to Step D; 步骤D.根据正版Android应用与待测Android应用中各Activity运行界面分别对应预设各类型特征的类型特征向量,分别针对各个待分析Activity组,获得待分析Activity组分别对应预设各类型特征的特征相似度,进而获得各个待分析Activity组分别对应预设各类型特征的特征相似度,然后进入步骤E;Step D. According to each Activity running interface in the genuine Android application and the Android application to be tested, the type feature vectors of each type of feature are correspondingly preset, respectively, and for each Activity group to be analyzed, respectively, obtain the Activity group to be analyzed corresponding to the preset types of features respectively. feature similarity, and then obtain the feature similarity of each Activity group to be analyzed corresponding to the preset features of each type, and then enter step E; 步骤E.分别针对各个待分析Activity组,关于待分析Activity组对应预设各类型特征的特征相似度分别不小于对应类型特征相似阈值的各个判断条件,若存在至少一个判断条件成立,则定义该待分析Activity组所对应的相似度为1;若各个判断条件均不成立,则定义该待分析Activity组所对应的相似度为0;进而获得各待分析Activity组分别所对应的相似度,然后进入步骤F;Step E. For each Activity group to be analyzed, the feature similarity of the corresponding preset features of each Activity group to be analyzed is not less than each judgment condition of the corresponding type feature similarity threshold, if there is at least one judgment condition, then define the The similarity corresponding to the Activity group to be analyzed is 1; if each judgment condition is not established, define the similarity corresponding to the Activity group to be analyzed as 0; then obtain the similarity corresponding to each Activity group to be analyzed, and then enter step F; 步骤F.获得各待分析Activity组分别所对应相似度之和G,然后按如下公式:Step F. Obtain the sum G of similarity corresponding to each Activity group to be analyzed, and then press the following formula:
Figure FDA0003289364530000011
Figure FDA0003289364530000011
 获得正版Android应用与待测Android应用之间的相似度SIMAPP,并判断相似度SIMAPP是否大于预设应用相似度阈值,是则判定该待测Android应用为仿冒应用,否则判定该待测Android应用为非仿冒应用;其中,U、V分别表示正版Android应用中Activity运行界面的数量、待测Android应用中Activity运行界面的数量。Obtain the similarity SIMAPP between the genuine Android application and the Android application to be tested, and determine whether the similarity SIMAPP is greater than the preset application similarity threshold. If so, determine that the Android application to be tested is a counterfeit application; Non-counterfeit applications; among them, U and V respectively represent the number of Activity running interfaces in the genuine Android application and the number of Activity running interfaces in the Android application to be tested. 2.根据权利要求1所述一种基于界面布局的Android仿冒应用检测方法,其特征在于:所述步骤A中,分别针对正版Android应用与待测Android应用,执行如下步骤A1至步骤A3,获得Android应用中的各个Activity运行界面截图、以及各Activity运行界面的布局信息,然后进入步骤B;2. a kind of Android counterfeit application detection method based on interface layout according to claim 1, is characterized in that: in described step A, respectively for genuine Android application and Android application to be tested, execute following steps A1 to step A3, obtain Screenshots of each Activity running interface in the Android application and the layout information of each Activity running interface, and then enter step B; 步骤A1.应用ApkTool针对Android应用的APK执行解压反编译,获得Android应用所对应的编译结果,并进入步骤A2;Step A1. Apply ApkTool to decompress and decompile the APK of the Android application, obtain the compilation result corresponding to the Android application, and enter step A2; 步骤A2.过滤掉编译结果中AndroidManifest.xml中所注册的第三方库Activity,并为编译结果中剩余的各个Activity添加intent-filter节点、以及action子节点、category子节点,然后针对编译结果打包构成待处理APK,再进入步骤A3;Step A2. Filter out the third-party library Activity registered in AndroidManifest.xml in the compilation result, and add intent-filter nodes, action sub-nodes, and category sub-nodes to the remaining activities in the compilation results, and then package the compilation results to form To process the APK, then go to step A3; 步骤A3.基于安卓模拟器安装待处理APK,由Appium启动待处理APK中的各个Activity,并调用Appium所提供的getScreenshotAs()函数,获取安卓模拟器上各个Activity运行界面的截图,以及调用Appium所提供的getPageSource()函数,获取安卓模拟器上各Activity运行界面的布局信息。Step A3. Install the pending APK based on the Android emulator, start each Activity in the pending APK by Appium, and call the getScreenshotAs() function provided by Appium to obtain screenshots of the running interface of each Activity on the Android emulator, and call Appium The provided getPageSource() function obtains the layout information of each Activity running interface on the Android emulator. 3.根据权利要求1所述一种基于界面布局的Android仿冒应用检测方法,其特征在于:所述步骤B中,分别针对正版Android应用与待测Android应用中的各个Activity运行界面,执行如下步骤B1至步骤B4,获得Activity运行界面所对应的界面结构特征向量、以及预设各类型特征向量,然后进入步骤C;3. a kind of Android counterfeit application detection method based on interface layout according to claim 1, is characterized in that: in described step B, respectively for each Activity running interface in genuine Android application and Android application to be tested, execute the following steps From B1 to step B4, obtain the interface structure feature vector corresponding to the Activity running interface and preset feature vectors of various types, and then enter step C; 步骤B1.根据Activity运行界面的布局信息,依次遍历布局信息中的各控件,通过从控件的bounds属性中提取纵坐标的上下界,构建各个层、以及各层分别所包含的各个控件,进而由各个层组合构成该Activity运行界面所对应的层集,然后进入步骤B2;Step B1. According to the layout information of the Activity running interface, traverse each control in the layout information in turn, and construct each layer and each control contained in each layer by extracting the upper and lower bounds of the ordinate from the bounds property of the control, and then by Each layer combination constitutes a layer set corresponding to the Activity running interface, and then enters step B2; 步骤B2.针对该Activity运行界面所对应的层集,以包含相同控件类型、相同控件数量的各相邻层进行合并构成独立层的方式,获得各个独立层,并设定该各独立层的重叠层属性为true,其余各层直接作为各个独立层,并设定该各独立层的重叠层属性为false,进而由各个独立层组合构成该Activity运行界面所对应的独立层集,然后进入步骤B3;Step B2. For the layer set corresponding to the Activity running interface, each adjacent layer containing the same control type and the same number of controls is merged to form an independent layer to obtain each independent layer, and set the overlap of each independent layer The layer attribute is true, the other layers are directly used as independent layers, and the overlapping layer attribute of each independent layer is set to false, and then the independent layer set corresponding to the Activity running interface is formed by the combination of each independent layer, and then goes to step B3 ; 步骤B3.以该Activity运行界面所对应层集中层的数量、所对应独立层集中独立层的数量、所对应独立层集中重叠层属性为true的独立层的数量,组合构成该Activity运行界面所对应的界面结构特征向量,然后进入步骤B4;Step B3. Combining the number of centralized layers corresponding to the Activity running interface, the number of independent layers in the corresponding independent layer set, and the number of independent layers whose overlapping layer attribute is true in the corresponding independent layer set, the combination constitutes the corresponding Activity running interface. The interface structure feature vector of , and then enter step B4; 步骤B4.遍历该Activity运行界面所对应独立层集中的各独立层,获得该Activity运行界面分别对应预设各类型特征的类型特征向量。Step B4. Traverse each independent layer in the set of independent layers corresponding to the Activity running interface, and obtain type feature vectors corresponding to preset types of features in the Activity running interface respectively. 4.根据权利要求3所述一种基于界面布局的Android仿冒应用检测方法,其特征在于:所述步骤B1包括如下步骤B1-1至步骤B1-4;4. A kind of Android counterfeit application detection method based on interface layout according to claim 3, is characterized in that: described step B1 comprises following steps B1-1 to step B1-4; 步骤B1-1.初始化l=1、k=1,并进入步骤B1-2;Step B1-1. Initialize l=1, k=1, and enter step B1-2; 步骤B1-2.根据Activity运行界面的布局信息,遍历布局信息中的第l个控件,从控件的bounds属性中提取纵坐标的上下界,作为第l个控件所对应的上下界,并进入步骤B1-3;Step B1-2. According to the layout information of the Activity running interface, traverse the lth control in the layout information, extract the upper and lower bounds of the ordinate from the bounds property of the control, as the upper and lower bounds corresponding to the lth control, and enter the step B1-3; 步骤B1-3.若l=1,则以第l个控件所对应的上下界作为第k层的上下界,并将第l个控件加入第k层中,然后进入步骤B1-4;Step B1-3. If l=1, then take the upper and lower bounds corresponding to the lth control as the upper and lower bounds of the kth layer, and add the lth control to the kth layer, and then enter step B1-4; 若l>1,则判断第l个控件所对应的上下界是否包含在第k层的上下界,是则将第l个控件加入第k层中,并进入步骤B1-4;否则以第l个控件所对应的上下界作为第k+1层的上下界,并将第l个控件加入第k+1层中,然后针对k的值进行加1更新,再进入步骤B1-4;If l>1, then judge whether the upper and lower bounds corresponding to the lth control are included in the upper and lower bounds of the kth layer, if so, add the lth control to the kth layer, and enter step B1-4; otherwise, use the lth control The upper and lower bounds corresponding to each control are used as the upper and lower bounds of the k+1th layer, and the lth control is added to the k+1th layer, and then the value of k is updated by adding 1, and then goes to step B1-4; 步骤B1-4.判断l是否等于该Activity运行界面布局信息中控件的数量L,是则由各个层、以及各层分别所包含的各个控件,构成该Activity运行界面所对应的层集;否则针对l的值进行加1更新,并返回步骤B1-2。Step B1-4. Judging whether l is equal to the number L of controls in the layout information of the Activity running interface, if yes, each layer and each control contained in each layer respectively constitute the layer set corresponding to the Activity running interface; otherwise, for The value of l is updated by adding 1, and returns to step B1-2. 5.根据权利要求3或4所述一种基于界面布局的Android仿冒应用检测方法,其特征在于:所述步骤C包括如下步骤C1至步骤C3;5. a kind of Android counterfeit application detection method based on interface layout according to claim 3 or 4, is characterized in that: described step C comprises following steps C1 to step C3; 步骤C1.构建正版Android应用中各个Activity运行界面分别与待测Android应用中各个Activity运行界面之间的两两组合,作为各个Activity组,并进入步骤C2;Step C1. Build a pairwise combination of each Activity running interface in the genuine Android application and each Activity running interface in the Android application to be tested, as each Activity group, and enter Step C2; 步骤C2.分别针对各个Activity组,获得Activity组中两个Activity运行界面分别所对应层集中层数量的差值的绝对值a,以及获得该Activity组中两个Activity运行界面分别所对应独立层集中重叠层属性为true的独立层数量的差值的绝对值b,然后判断a大于预设第一阈值或者b大于预设第二阈值是否成立,是则删除该Activity组,否则将该Activity组定义为初选Activity组;然后进入步骤C3;Step C2. For each Activity group, obtain the absolute value a of the difference between the number of layers in the layer concentration layer corresponding to the two Activity running interfaces in the Activity group, and obtain the independent layer concentration corresponding to the two Activity running interfaces in the Activity group. The absolute value b of the difference between the number of independent layers whose overlapping layer attribute is true, and then judge whether a is greater than the preset first threshold or whether b is greater than the preset second threshold. If yes, delete the Activity group, otherwise define the Activity group Select the Activity group for the primary; then go to step C3; 步骤C3.分别针对各个初选Activity组,应用LMgist算法获得初选Activity组两个Activity运行界面的截图的空间包络特征向量,并计算获得该两个空间包络特征向量之间的余弦相似距离,判断该余弦相似距离是否大于预设第三阈值,是则将该初选Activity组定义为待分析Activity组,否则删除该初选Activity组。Step C3. For each primary selection Activity group, apply the LMgist algorithm to obtain the spatial envelope feature vectors of the screenshots of the two Activity running interfaces of the primary selection Activity group, and calculate and obtain the cosine similarity distance between the two spatial envelope feature vectors. , judging whether the cosine similarity distance is greater than the preset third threshold, and if so, define the primary selection activity group as the to-be-analyzed activity group, otherwise delete the primary selection activity group. 6.根据权利要求1所述一种基于界面布局的Android仿冒应用检测方法,其特征在于:所述步骤D中,根据正版Android应用与待测Android应用中各Activity运行界面分别对应预设各类型特征的类型特征向量,分别针对各个待分析Activity组,执行如下操作,获得待分析Activity组分别对应预设各类型特征的特征相似度,进而获得各个待分析Activity组分别对应预设各类型特征的特征相似度,然后进入步骤E;6. A kind of Android counterfeit application detection method based on interface layout according to claim 1, it is characterized in that: in described step D, according to each Activity running interface in genuine Android application and Android application to be tested corresponds to preset each type respectively The type feature vector of the feature, respectively, for each Activity group to be analyzed, perform the following operations to obtain the feature similarity of the Activity group to be analyzed corresponding to the preset features of each type, and then obtain the Activity group to be analyzed corresponding to the preset features of each type. feature similarity, and then enter step E; 操作:分别针对预设各个类型特征,根据待分析Activity组中两个Activity运行界面分别对应类型特征的类型特征向量fA、fB,按如下公式:Operation: For each preset type feature respectively, according to the type feature vectors f A and f B of the type features corresponding to the two Activity running interfaces in the Activity group to be analyzed, according to the following formula:
Figure FDA0003289364530000041
Figure FDA0003289364530000041
 获得该待分析Activity组对应该类型特征的特征相似度SIM(fA,fB),其中,I表示该待分析Activity组中其中一个Activity运行界面对应该类型特征的类型特征向量fA中的特征元素个数,J表示该待分析Activity组中另一个Activity运行界面对应该类型特征的类型特征向量fB中的特征元素个数,CA,i表示该待分析Activity组中其中一个Activity运行界面对应该类型特征的类型特征向量fA中的第i个特征元素,CB,j表示该待分析Activity组中另一个Activity运行界面对应该类型特征的类型特征向量fB中的第j个特征元素,且SIM(CA,i,CB,j)按如下计算获得:Obtain the feature similarity SIM(f A , f B ) of the type of feature corresponding to the Activity group to be analyzed, wherein I represents the type feature vector f A of the type feature vector f A of the Activity running interface corresponding to the type of feature in the Activity group to be analyzed. The number of feature elements, J represents the number of feature elements in the type feature vector f B corresponding to the type of feature of another Activity running interface in the Activity group to be analyzed, C A, i represents the running of one of the Activity in the Activity group to be analyzed The interface corresponds to the ith feature element in the type feature vector f A of the type feature, C B, j represents the jth element in the type feature vector f B corresponding to the type feature vector f B of another Activity running interface in the Activity group to be analyzed feature elements, and SIM(C A, i , C B, j ) is calculated as follows:
Figure FDA0003289364530000042
Figure FDA0003289364530000042
 进而获得该待分析Activity组分别对应预设各类型特征的特征相似度。Then, the feature similarity corresponding to the preset features of each type of the activity group to be analyzed is obtained. 7.根据权利要求1或3或6所述一种基于界面布局的Android仿冒应用检测方法,其特征在于:所述预设各类型特征向量包括文本特征向量,所述步骤B4中,遍历该Activity运行界面所对应独立层集中的各个独立层,将独立层中所包含各控件的text或content-desc的文本保存于该独立层所对应的文本特征集中,进而获得各个独立层分别所对应的文本特征集,由各个文本特征集组合构成该Activity运行界面所对应的文本特征向量。7. The method for detecting counterfeit Android applications based on interface layout according to claim 1, 3 or 6, wherein the preset feature vectors of various types include text feature vectors, and in step B4, traverse the Activity Run each independent layer in the independent layer set corresponding to the interface, save the text or content-desc text of each control contained in the independent layer in the text feature set corresponding to the independent layer, and then obtain the text corresponding to each independent layer. Feature set, the text feature vector corresponding to the Activity running interface is composed of the combination of each text feature set. 8.根据权利要求1或3或6所述一种基于界面布局的Android仿冒应用检测方法,其特征在于:所述预设各类型特征向量包括控件类型特征向量,所述步骤B4中,遍历该Activity运行界面所对应独立层集中的各个独立层,将独立层中所包含各控件的class属性的文本保存于该独立层所对应的控件类型特征集中,进而获得各个独立层分别所对应的控件类型特征集,由各个控件类型特征集组合构成该Activity运行界面所对应的控件类型特征向量。8. A kind of Android counterfeit application detection method based on interface layout according to claim 1 or 3 or 6, is characterized in that: described preset each type characteristic vector comprises control type characteristic vector, in described step B4, traverse this For each independent layer in the independent layer set corresponding to the Activity running interface, save the text of the class attribute of each control contained in the independent layer in the control type feature set corresponding to the independent layer, and then obtain the control type corresponding to each independent layer. The feature set is composed of the feature sets of each control type to form the feature vector of the control type corresponding to the running interface of the Activity. 9.根据权利要求1或3或6所述一种基于界面布局的Android仿冒应用检测方法,其特征在于:所述预设各类型特征向量包括控件ID特征向量,所述步骤B4中,遍历该Activity运行界面所对应独立层集中的各个独立层,将独立层中所包含各控件的resource-id属性的文本保存于该独立层所对应的控件ID特征集中,进而获得各个独立层分别所对应的控件ID特征集,由各个控件ID特征集组合构成该Activity运行界面所对应的控件ID特征向量。9. A kind of Android counterfeit application detection method based on interface layout according to claim 1 or 3 or 6, is characterized in that: described preset each type characteristic vector comprises control ID characteristic vector, in described step B4, traverse this For each independent layer in the independent layer set corresponding to the Activity running interface, save the text of the resource-id attribute of each control contained in the independent layer in the control ID feature set corresponding to the independent layer, and then obtain the corresponding data of each independent layer. The control ID feature set is composed of each control ID feature set to form the control ID feature vector corresponding to the Activity running interface.
CN202111158960.7A 2021-09-30 2021-09-30 A method for detecting counterfeit Android applications based on interface layout Active CN113918944B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111158960.7A CN113918944B (en) 2021-09-30 2021-09-30 A method for detecting counterfeit Android applications based on interface layout

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111158960.7A CN113918944B (en) 2021-09-30 2021-09-30 A method for detecting counterfeit Android applications based on interface layout

Publications (2)

Publication Number Publication Date
CN113918944A true CN113918944A (en) 2022-01-11
CN113918944B CN113918944B (en) 2025-01-10

Family

ID=79237430

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111158960.7A Active CN113918944B (en) 2021-09-30 2021-09-30 A method for detecting counterfeit Android applications based on interface layout

Country Status (1)

Country Link
CN (1) CN113918944B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115225930A (en) * 2022-07-25 2022-10-21 广州博冠信息科技有限公司 Processing method and device for live interactive application, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107273546A (en) * 2017-07-14 2017-10-20 北京邮电大学 Counterfeit application detection method and system
US20180144132A1 (en) * 2016-11-18 2018-05-24 Sichuan University Kind of android malicious code detection method on the base of community structure analysis
CN108898013A (en) * 2018-06-14 2018-11-27 南京大学 A kind of Android application interface similarity-rough set method dividing feature vector based on layout

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180144132A1 (en) * 2016-11-18 2018-05-24 Sichuan University Kind of android malicious code detection method on the base of community structure analysis
CN107273546A (en) * 2017-07-14 2017-10-20 北京邮电大学 Counterfeit application detection method and system
CN108898013A (en) * 2018-06-14 2018-11-27 南京大学 A kind of Android application interface similarity-rough set method dividing feature vector based on layout

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
付雄 等: "《基于界面相似度的Android仿冒应用检测研究》", 《计算机科学》, 15 June 2023 (2023-06-15), pages 1 - 7 *
刘永明;杨婧;: "基于图像相似性的Android钓鱼恶意应用检测方法", 计算机系统应用, no. 12, 15 December 2014 (2014-12-15) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115225930A (en) * 2022-07-25 2022-10-21 广州博冠信息科技有限公司 Processing method and device for live interactive application, electronic equipment and storage medium
CN115225930B (en) * 2022-07-25 2024-01-09 广州博冠信息科技有限公司 Live interaction application processing method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN113918944B (en) 2025-01-10

Similar Documents

Publication Publication Date Title
CN108304720B (en) Android malicious program detection method based on machine learning
He et al. Learning to fuzz from symbolic execution with application to smart contracts
Moonsamy et al. Mining permission patterns for contrasting clean and malicious android applications
CN105184160B (en) A kind of method of the Android phone platform application program malicious act detection based on API object reference relational graphs
US10387627B2 (en) Systems and methods for analyzing software
CN111639337B (en) Unknown malicious code detection method and system for massive Windows software
Ullah et al. Clone detection in 5G-enabled social IoT system using graph semantics and deep learning model
Cimitile et al. Formal methods meet mobile code obfuscation identification of code reordering technique
CN106055479B (en) A kind of Android application software testing method based on compulsory execution
Arslan AndroAnalyzer: android malicious software detection based on deep learning
CN104680065A (en) Virus detection method, virus detection device and virus detection equipment
CN116932381A (en) Automatic evaluation method for security risk of applet and related equipment
Li et al. Large-scale third-party library detection in android markets
Pirch et al. Tagvet: Vetting malware tags using explainable machine learning
CN112527674A (en) Safety evaluation method, device, equipment and storage medium of AI (Artificial Intelligence) framework
CN113158251A (en) Application privacy disclosure detection method, system, terminal and medium
Lee et al. Understanding {iOS-based} crowdturfing through hidden {UI} analysis
Chew et al. ESCAPADE: Encryption-type-ransomware: System call based pattern detection
Hu et al. Robust app clone detection based on similarity of ui structure
CN113918944A (en) An Android counterfeit application detection method based on interface layout
CN113901463B (en) Concept drift-oriented interpretable Android malicious software detection method
CN117009972A (en) Vulnerability detection method, vulnerability detection device, computer equipment and storage medium
CN114462040A (en) Malicious software detection model training method, malicious software detection method and malicious software detection device
Lomborg et al. Monitoring infrastructural power: Methodological challenges in studying mobile infrastructures for datafication
CN118643492A (en) Data generation method, device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant