CN115859292A - Fraud-related APP detection system, judgment method and storage medium - Google Patents

Publication number: CN115859292A
Authority: CN (China)
Prior art keywords: fraud, app, feature, related app, matching
Legal status: Granted (active)
Application number: CN202310136195.1A
Other languages: Chinese (zh)
Other versions: CN115859292B (en)
Inventors: 于乐, 常嘉岳, 胡铁, 马禹昇, 熊瑛, 程冠, 康雅萍, 陈妍峰, 万子龙
Current Assignee: Aspire Technologies Shenzhen Ltd
Original Assignee: Aspire Technologies Shenzhen Ltd
Landscapes: Storage Device Security (AREA)

Abstract

A fraud-related APP detection system for detecting whether an application (APP) on a smart device is fraud-related comprises an anti-fraud monitoring test module, which includes: a mobile application rapid development platform development judgment module, a fraud-related APP code feature library, a feature analysis module and a fraud-related APP feature library. The smali code of a sample to be detected is analyzed to find APPs developed on a mobile application rapid development platform; if the matching degree between the static resources and the fraud-related APP feature library exceeds a feature matching degree set value, the APP is judged to be a fraud-related APP. The method first locks onto APPs developed on a mobile application rapid development platform through the APP code feature library, and then locks onto fraud-related APPs based on static resource features.

Description

Fraud-related APP detection system, judgment method and storage medium
Technical Field
The application belongs to the technical field of computer security, and particularly relates to a fraud-related APP detection system, a judgment method and a storage medium.
Background
Image matching means identifying homonymous (corresponding) points between two or more images by a matching algorithm. There are many image matching methods, and the algorithms can be classified into 3 types: grayscale-based matching algorithms, feature-based matching algorithms, and relationship-based matching algorithms.
(1) Grayscale-based template matching: template matching (block matching) takes a known template image and searches another image for a sub-image similar to it. Grayscale-based matching is also called correlation matching; it matches using a two-dimensional sliding template in the spatial domain, and the different algorithms differ mainly in the choice of correlation criterion.
(2) Feature-based matching: the features of the images are extracted first, feature descriptors are then generated, and finally the features of the two images are matched according to the similarity of the descriptors. Image features can be divided into points, lines (edges), regions (faces) and so on, or into local features and global features.
(3) Relationship-based matching: a semantic network is established; this is an application of artificial intelligence to image processing.
In recent years, fraud carried out through APPs has become one of the main criminal methods in telecommunication network fraud cases. Fraud APPs for online part-time order-brushing and fast loans are especially common, and APPs that imitate banks and financial platforms are particularly confusing and deceptive.
Such fraud-related APPs are usually built as "third-party mobile application rapid development platform framework code + integrated H5 website domain name", so the development cost is extremely low. Moreover, a fraud-related APP carries out the scam mainly through the integrated H5 website pages: it contains almost no malicious static code, requests no sensitive permissions, and shows no malicious behavior such as sending short messages or reading the address book, so common mobile malware detection techniques based on static code and dynamic behavior analysis cannot identify it effectively.
Developing APPs from third-party mobile application rapid development platform framework code plus an integrated H5 website domain name is fast and cheap and allows APPs to be produced in batches. How to detect such massive numbers of APPs quickly is a major challenge in the technical field of computer security.
Disclosure of Invention
Developing an APP from third-party mobile application rapid development platform framework code plus an integrated H5 website domain name is fast and cheap. The main cost lies in producing the static resources, and developers reuse static resources to cut that cost considerably, so fraud-related APPs that are mass-produced or simply copied can be detected through the features of their static resources. To solve the above problems, the present application first quickly locks onto this type of APP through the fraud-related APP code feature library and then quickly detects fraud-related APPs through static resource identification.
The technical solution provided by the present application is a fraud-related APP detection system for detecting whether an application (APP) on a smart device is fraud-related, comprising an anti-fraud monitoring test module, which includes: a mobile application rapid development platform development judgment module, a fraud-related APP code feature library, a feature analysis module and a fraud-related APP feature library. The mobile application rapid development platform development judgment module decompiles the installation package file of the APP to be checked to obtain smali code and static resource files; it matches the smali code against the fraud-related APP code feature library, analyzing the smali code of the sample to be detected to find APPs developed on a mobile application rapid development platform. The feature analysis module analyzes the feature information of the APP's static resource files, and if the matching degree between the features and the fraud-related APP feature library exceeds the feature matching degree set value, the APP is judged to be a fraud-related APP.
The initial values of the fraud-related APP feature library may be entered by manual judgment.
The feature matching degree may be the number of matched static resources as a percentage of the total number of static resources, with the set value of the feature matching degree greater than 50%.
The feature information analysis may be MD5 analysis of the static resource files, and the MD5 feature codes of all static resource files of an APP judged to be fraud-related are added to the fraud-related APP feature library.
The fraud-related APP feature library may weight the MD5 feature codes that are hit in matching to obtain weighted values, and the matching degree over all static resources is calculated using the weighted values.
The feature analysis module may further include a fraud-related APP feature library comparison module, which analyzes the static resource information of the static resource files of the APP on the smart device being checked.
The feature analysis module may further include a fraud-related APP network judgment control module, which sends the static resources or the static resource feature information to a fraud-related APP judgment server for judgment.
The fraud-related APP feature library may include MD5 feature codes of fraud-related static resources, and the feature analysis module performs the matching calculation on the MD5 feature codes.
The fraud-related APP feature library may include picture feature information of the picture resources among the fraud-related static resources. The feature analysis module performs the matching calculation on the picture feature information, collects the matching degrees of all pictures, and calculates an overall matching degree of the picture resources; if the overall matching degree is greater than the set value, the APP is judged to be a fraud-related APP. The picture resource matching algorithm comprises a grayscale-based matching algorithm, a feature-based matching algorithm and/or a relationship-based matching algorithm.
Alternatively, the picture resources of an APP judged to be fraud-related are saved in the fraud-related APP feature library, and for pictures whose matching degree is higher than the set value only 1 copy is kept.
A fraud-related APP judgment server comprises a fraud-related APP feature library and a fraud-related APP feature library comparison module. The comparison module compares all received static resource feature information of an APP with the fraud-related APP feature library, and if the matching degree between the static resources and the library exceeds the feature matching degree set value, the APP is judged to be a fraud-related APP.
The fraud-related APP feature library comprises picture feature information of the picture resources among the fraud-related static resources, and the fraud-related APP feature library comparison module performs the matching calculation on the picture resource feature information; the matching algorithm includes a grayscale-based matching algorithm, a feature-based matching algorithm, and/or a relationship-based matching algorithm.
The feature matching degree may be the number of matched static resources as a percentage of the total number of static resources, with the set value of the feature matching degree greater than 50%.
Alternatively, all picture resources of an APP judged to be fraud-related are added to the fraud-related APP feature library; for pictures whose matching degree is higher than the set value, only 1 copy is kept.
A fraud-related APP detection and judgment method, used to detect whether an APP running on a smart device is fraud-related, comprises the following steps:
Step 100: judging whether the sample is developed on a mobile application rapid development platform, and obtaining resource feature information;
Step 200: judging whether the sample is a fraud-related APP according to the matching degree between the resource feature information and the fraud-related APP feature library.
Further, step 100 may include:
Step 110: decompiling the APK sample to be checked to obtain smali code and resource files;
Step 120: analyzing the smali code of the sample to be detected against the smali code matching feature library, and judging whether the sample is developed on a mobile application rapid development platform.
Further, step 200 may include:
Step 210: extracting the static resource file list after decompiling, and calculating the MD5 value of each resource file;
Step 220: comparing the static resource features of the sample to be detected with the fraud-related APP feature library to calculate the matching degree, and determining whether the matching degree is greater than a threshold;
Step 230: judging the sample to be a fraud-related APP, and recording the MD5 values into the fraud-related APP feature library.
Further, step 200 may include:
Step 230: extracting the static resource file list after decompiling, and extracting the picture features of all pictures;
Step 231: comparing all the picture feature information with the fraud-related APP feature library;
Step 240: judging whether the picture feature comparison exceeds a threshold, and judging the sample to be a fraud-related APP if it does;
Step 250: if the sample is judged to be a fraud-related APP, adding all of its picture resources to the fraud-related APP feature library; for pictures whose matching degree is higher than the set value, only 1 copy is kept.
A readable storage medium stores a computer program which, when executed by a processor, implements the above fraud-related APP detection and judgment method.
The first technical effect of the technical solution: fraud-related APPs that are mass-produced or simply copied can be detected through the features of their static resources.
The second technical effect: the matching degree is calculated from the number of successfully matched static resources, so the calculation formula is simple and efficient.
The third technical effect: for an APP that is successfully matched, all of its static resources are added to the fraud-related APP feature library, which raises the probability of subsequent matches and lets the fraud-related APP feature library be maintained automatically.
The fourth technical effect: each time a match succeeds, the weight is increased once more, so the success rate of subsequent matching is higher.
The fifth technical effect: by using the APP judgment server, the static resource features of all fraud-related APPs can be collected into a unified library, which improves judgment accuracy and lets the features be expanded automatically.
The sixth technical effect: the MD5 value of the same static resource is always the same, so detection and screening can be done quickly based on the MD5 signature.
The seventh technical effect: static resources that have merely been enlarged, shrunk or color-modified can be found, and in the anti-fraud APP judgment server the static resource matching can use cloud computing capacity to handle massive matching calculations.
The eighth technical effect: partially modifying a picture resource makes its MD5 feature code inconsistent, but picture resources that have merely been enlarged, shrunk or color-modified can still be found by matching calculation on the picture resource feature information; in the anti-fraud APP judgment server the picture resource matching can use cloud computing capacity to handle massive matching calculations.
The ninth technical effect: for pictures whose matching degree is higher than the set value only 1 copy is kept, which prevents the number of pictures from surging after simple modifications and keeps the picture data stored in the fraud-related APP feature library from exploding.
Drawings
FIG. 1 is a schematic block diagram of a fraud-related APP detection system;
FIG. 2 is a schematic block diagram of internal block diagram scheme 1 of the anti-fraud monitoring test module;
FIG. 3 is a schematic block diagram of internal block diagram scheme 2 of the anti-fraud monitoring test module and the fraud-related APP judgment server;
FIG. 4 is a main flowchart of a method for detecting and determining a fraud-related APP;
FIG. 5 is a flow chart of a method for detecting and determining fraud-related APP;
FIG. 6 is a flow chart of a method for detecting and determining fraud-related APP;
FIG. 7 is a flowchart of a method for detecting and determining fraud-related APP;
FIG. 8 is a sub-diagram of a program flow of a detection and determination method for a fraud-related APP;
FIG. 9 shows the result of matching MD5 signatures for static resources of a fraud-related APP.
Detailed Description
The present disclosure is described in further detail below with reference to the attached drawings.
It should be noted that the following description is of the preferred embodiments of the present invention and should not be construed as limiting the invention in any way. The description of the preferred embodiments of the present invention is made merely for the purpose of illustrating the general principles of the invention. The embodiments described in this application are only a few embodiments, not all embodiments, of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present application, it is to be understood that the terms "central," "longitudinal," "lateral," "length," "width," "thickness," "up," "down," "front," "back," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," "clockwise," "counterclockwise," and the like are used in the indicated orientations and positional relationships based on the orientation or positional relationship shown in the drawings, and are used for convenience of description and simplicity of description only, and do not indicate or imply that the referenced apparatus or element must have a particular orientation, be constructed and operated in a particular orientation, and thus are not to be construed as limiting the present invention. Furthermore, the terms "first", "second", and technical features numbered with Arabic numerals 1, 2, 3, etc., and such numbers "A" and "B" are used for descriptive purposes only and are not intended to represent temporal or spatial order; and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, features that are defined as "first" and "second," and are numbered with numerals such as the arabic numerals 1, 2, 3, etc., may explicitly or implicitly include one or more of the features. In the description of the present invention, "a plurality" means two or more unless specifically limited otherwise.
Referring to FIG. 1 and FIG. 2, a system for detecting a fraud-related APP on a smart device comprises an anti-fraud monitoring test module, which includes: a mobile application rapid development platform development judgment module, a fraud-related APP code feature library, a feature analysis module and a fraud-related APP feature library. The mobile application rapid development platform development judgment module decompiles the installation package file of the APP to be checked to obtain smali code and static resource files; it matches the smali code against the fraud-related APP code feature library, analyzing the smali code of the sample to be detected to find APPs developed on a mobile application rapid development platform. The feature analysis module analyzes the static resource information of the APP's static resource files, and if the matching degree between the features and the fraud-related APP feature library exceeds the feature matching degree set value, the APP is judged to be a fraud-related APP.
Developing an APP from third-party mobile application rapid development platform framework code plus an integrated H5 website domain name is fast and cheap and allows APPs to be produced in batches. The main cost lies in producing the static resources, and developers reuse static resources to cut that cost considerably, so fraud-related APPs that are mass-produced or simply copied can be detected through the features of their static resources.
The feature matching degree is the number of matched static resources as a percentage of the total number of static resources, and the set value of the feature matching degree is greater than 50%.
Because the matching degree is calculated from the number of successfully matched static resources, the calculation formula is simple and efficient.
The feature information analysis is MD5 analysis of the static resource files, and the MD5 feature codes of all static resource files of an APP judged to be fraud-related are added to the fraud-related APP feature library.
A fraud-related APP may match on only half of its static resources while the other half are not yet in the feature library. By adding all static resources of a successfully matched APP to the fraud-related APP feature library, the probability of subsequent matches is improved and the fraud-related APP feature library is maintained automatically.
The MD5 feature codes hit in matching are weighted in the fraud-related APP feature library to obtain weighted values, and the matching degree over all static resources is calculated using the weighted values.
Weighting the hit static resources raises their matching weight. For example, a static resource that directly misuses a bank's icon appears in many APPs; its weight is increased once each time it is matched successfully, so the success rate of subsequent matching is higher.
To express the matching degree as a percentage, the initial value of each static resource may be preset to 1; the matching degree is then the sum of the weights of the matched static resources as a percentage of the sum of the weights of all static resources, so the calculated value is still a percentage.
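The weighted MD5 matching described above, as an added example that is not code from the patent. The class and function names, the sample byte strings, and the choice to update weights only on a positive verdict are assumptions made for illustration.

```python
import hashlib

THRESHOLD = 0.5  # the page requires a set value greater than 50%


def md5_hex(data: bytes) -> str:
    # MD5 serves only as a content fingerprint here, as on the page.
    return hashlib.md5(data).hexdigest()


class FraudFeatureLibrary:
    """Maps MD5 feature code -> weight (1 on entry, +1 on each later hit)."""

    def __init__(self):
        self.weights = {}

    def seed(self, resources):
        """Record every resource of a manually judged seed sample with weight 1."""
        for data in resources.values():
            self.weights.setdefault(md5_hex(data), 1)

    def matching_degree(self, resources, weighted=True):
        """Sum of weights of matched resources / sum of weights of all resources.

        An unmatched resource counts with the initial value 1. With
        weighted=False every resource counts 1 (plain count percentage).
        """
        hit = total = 0
        for data in resources.values():
            w = self.weights.get(md5_hex(data))
            if w is None:
                total += 1
            else:
                w = w if weighted else 1
                hit += w
                total += w
        return hit / total if total else 0.0

    def judge(self, resources, threshold=THRESHOLD):
        """Return (is_fraud, degree); a positive verdict updates the library.

        Assumption: weights change only for APPs judged fraud-related, so a
        benign APP that shares one resource does not feed the library.
        """
        degree = self.matching_degree(resources)
        is_fraud = degree > threshold
        if is_fraud:
            for data in resources.values():
                digest = md5_hex(data)
                # Hit again: weight added once more. New resource: weight 1.
                self.weights[digest] = self.weights.get(digest, 0) + 1
        return is_fraud, degree


# Constructed samples: file name -> file bytes (names differ, content repeats).
SEED = {"res/bank_logo.png": b"LOGO-BYTES", "assets/login_bg.jpg": b"BG-BYTES",
        "assets/style.css": b"CSS-BYTES"}
COPY_1 = {"res/icon.png": b"LOGO-BYTES", "assets/bg.jpg": b"BG-BYTES",
          "assets/extra.js": b"NEW-JS"}
COPY_2 = {"res/a.png": b"LOGO-BYTES", "assets/b.jpg": b"BG-BYTES",
          "assets/pay.js": b"PAY-JS"}
LOGO_ONLY = {"res/l.png": b"LOGO-BYTES", "assets/m.js": b"OTHER-1",
             "assets/n.js": b"OTHER-2"}
BENIGN = {"res/x.png": b"BENIGN-A", "assets/y.js": b"BENIGN-B"}

if __name__ == "__main__":
    lib = FraudFeatureLibrary()
    lib.seed(SEED)
    for name, sample in [("COPY_1", COPY_1), ("COPY_2", COPY_2),
                         ("LOGO_ONLY", LOGO_ONLY), ("BENIGN", BENIGN)]:
        plain = lib.matching_degree(sample, weighted=False)
        verdict, degree = lib.judge(sample)
        print(f"{name}: plain={plain:.2f} weighted={degree:.2f} fraud={verdict}")
```

In this run the third sample shares only the reused logo, so its plain count percentage stays below the set value while the weighted degree exceeds it. Resources that the development platform itself ships with every APP will hit for benign APPs too, so exclude them before seeding; otherwise the update in `judge` keeps raising their weight.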
Referring to FIG. 2, the feature analysis module includes a fraud-related APP feature library comparison module, which analyzes the static resource information of the static resource files of the APP on the smart device being checked.
As shown in FIG. 3, the feature analysis module may further include a fraud-related APP network judgment control module, which sends the static resources or the static resource feature information to the fraud-related APP judgment server for judgment.
By using the APP judgment server, the static resource features of all fraud-related APPs can be collected into a unified library, which improves judgment accuracy and lets the features be expanded automatically.
As shown in FIG. 9, the fraud-related APP feature library may include MD5 feature codes of fraud-related static resources, and the feature analysis module performs the matching calculation on the MD5 feature codes.
In different APPs the names of static resources may differ, but the MD5 value of the same static resource is the same, so detection and screening can be done quickly based on the MD5 signature.
The fraud-related APP feature library may include picture feature information of the picture resources among the fraud-related static resources. The feature analysis module performs the matching calculation on the picture feature information, collects the matching degrees of all pictures, and calculates an overall matching degree of the picture resources; if the overall matching degree is greater than the set value, the APP is judged to be a fraud-related APP. The picture resource matching algorithm comprises a grayscale-based matching algorithm, a feature-based matching algorithm and/or a relationship-based matching algorithm.
Alternatively, the picture resources of an APP judged to be fraud-related are saved in the fraud-related APP feature library, and for pictures whose matching degree is higher than the set value only 1 copy is kept.
A fraud-related APP may partially modify a picture resource to evade MD5 feature code detection, which makes the MD5 feature codes inconsistent. Picture resources that have merely been enlarged, shrunk or color-modified can still be found by matching calculation on the picture resource feature information, and in the anti-fraud APP judgment server the picture resource matching can use cloud computing capacity to handle massive matching calculations.
As shown in FIG. 3, a fraud-related APP judgment server includes a fraud-related APP feature library and a fraud-related APP feature library comparison module. The comparison module compares all received static resource feature information of an APP with the fraud-related APP feature library, and if the matching degree between the static resources and the library exceeds the feature matching degree set value, the APP is judged to be a fraud-related APP.
The fraud-related APP feature library comprises picture feature information of the picture resources among the fraud-related static resources, and the fraud-related APP feature library comparison module performs the matching calculation on the picture resource feature information; the matching algorithm includes a grayscale-based matching algorithm, a feature-based matching algorithm, and/or a relationship-based matching algorithm.
The feature matching degree may be the number of matched static resources as a percentage of the total number of static resources, with the set value of the feature matching degree greater than 50%.
For picture resource matching, the set value of the feature matching degree is set smaller. The matching degree of a single picture is output as a percentage; if a picture has been matched successfully 3 times, its matching degree for the current match is the matching degree × 3. Across all picture resources in one APP, a picture with no hit in the picture resource feature library takes the initial value 1, and a hit picture takes the value matching degree × number of hits; the sum of the hit values is compared with the sum over all picture resources, and the calculated result is again a percentage.
All picture resources of an APP judged to be fraud-related are added to the fraud-related APP feature library; for pictures whose matching degree is higher than the set value, only 1 copy is kept. Some image matching algorithms need the original image for the calculation, so the original images must be recorded.
To keep the number of pictures from surging after simple modifications, for a successfully matched fraud-related APP, if the feature library already holds a picture with a high matching degree to a new picture, the new picture need not be stored again; this prevents the picture database stored in the fraud-related APP feature library from exploding.
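An added example, not code from the patent, of why a rescaled and recolored picture defeats MD5 matching but not a grayscale comparison, and of the keep-one-copy rule for the library. The patent names no specific algorithm; the normalised cross-correlation over an 8x8 luma grid, the 0.9 set value, and every name and sample image below are assumptions.

```python
import hashlib
import math

GRID = 8                  # assumed size of the comparison grid
PICTURE_SET_VALUE = 0.9   # assumed per-picture matching set value


def md5_of(img) -> str:
    """MD5 over the raw RGB bytes of an image (list of rows of (r, g, b))."""
    raw = bytes(c for row in img for px in row for c in px)
    return hashlib.md5(raw).hexdigest()


def to_gray_grid(img, grid=GRID):
    """Nearest-neighbour resample to grid x grid and convert to luma."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(grid):
        row = img[y * h // grid]
        for x in range(grid):
            r, g, b = row[x * w // grid]
            out.append((299 * r + 587 * g + 114 * b) / 1000)
    return out


def ncc(a, b):
    """Zero-mean normalised cross-correlation of two gray vectors, in [-1, 1]."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    da = [v - ma for v in a]
    db = [v - mb for v in b]
    denom = math.sqrt(sum(v * v for v in da) * sum(v * v for v in db))
    if denom == 0:
        return 0.0  # a flat image has no structure to correlate
    return sum(p * q for p, q in zip(da, db)) / denom


class PictureLibrary:
    """Stores gray grids; near-duplicates of a stored picture are not re-added."""

    def __init__(self, set_value=PICTURE_SET_VALUE):
        self.set_value = set_value
        self.entries = []

    def best_match(self, img):
        grid = to_gray_grid(img)
        return max((ncc(grid, e) for e in self.entries), default=0.0)

    def add(self, img):
        """Keep only 1 copy: return False when a stored picture already matches."""
        if self.best_match(img) > self.set_value:
            return False
        self.entries.append(to_gray_grid(img))
        return True


# Constructed sample images.
def logo(size, bright=(200, 200, 200), dark=(20, 20, 20)):
    """Bright square centred on a dark background."""
    q = size // 4
    return [[bright if q <= x < 3 * q and q <= y < 3 * q else dark
             for x in range(size)] for y in range(size)]


def tint(img):
    """Color modification: scale the green and blue channels down."""
    return [[(r, g * 4 // 5, b * 3 // 5) for (r, g, b) in row] for row in img]


def checker(size, bright=(200, 200, 200), dark=(20, 20, 20)):
    """Unrelated picture: a checkerboard."""
    return [[bright if (x + y) % 2 == 0 else dark for x in range(size)]
            for y in range(size)]


if __name__ == "__main__":
    base, variant, other = logo(8), tint(logo(16)), checker(8)
    print("MD5 equal:", md5_of(base) == md5_of(variant))
    print("NCC variant:", round(ncc(to_gray_grid(base), to_gray_grid(variant)), 3))
    print("NCC other:", round(ncc(to_gray_grid(base), to_gray_grid(other)), 3))
    lib = PictureLibrary()
    print("stored:", [lib.add(p) for p in (base, variant, other)])
```

The enlarged, tinted logo has a different MD5 but correlates almost perfectly with the original, so the library refuses to store it a second time, while the unrelated checkerboard is stored as a new entry.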
As shown in FIG. 4 to FIG. 8, a method for detecting and determining a fraud-related APP, used to detect whether an APP running on a smart device is fraud-related, includes:
Step 100: judging whether the sample is developed on a mobile application rapid development platform, and obtaining resource feature information;
Step 200: judging whether the sample is a fraud-related APP according to the matching degree between the resource feature information and the fraud-related APP feature library.
In the above method for detecting and determining fraud-related APPs, step 100 includes:
Step 110: decompiling the APK sample to be checked to obtain smali code and resource files;
Step 120: analyzing the smali code of the sample to be detected against the smali code matching feature library, and judging whether the sample is developed on a mobile application rapid development platform.
In the above method for detecting and determining fraud-related APPs, step 200 includes:
Step 210: extracting the static resource file list after decompiling, and calculating the MD5 value of each resource file;
Step 220: comparing the static resource features of the sample to be detected with the fraud-related APP feature library to calculate the matching degree, and determining whether the matching degree is greater than a threshold;
Step 230: judging the sample to be a fraud-related APP, and recording the MD5 values into the fraud-related APP feature library.
Alternatively, step 200 includes:
Step 230: extracting the static resource file list after decompiling, and extracting the picture features of all pictures;
Step 231: comparing all the picture feature information with the fraud-related APP feature library;
Step 240: judging whether the picture feature comparison exceeds a threshold, and judging the sample to be a fraud-related APP if it does;
Step 250: if the sample is judged to be a fraud-related APP, recording the static resource features and/or the static resources into the fraud-related APP feature library.
A readable storage medium stores a computer program which, when executed by a processor, carries out any one of the above fraud-related APP detection and judgment methods.
As shown in FIG. 8, in the initial stage fraud-related APP samples can be found manually to serve as seed feature data. The steps include:
manually finding fraud-related APP samples;
decompiling a fraud-related APK sample to obtain smali code and/or static resource files;
extracting the static resource file list after decompiling, calculating the MD5 value of each static resource file, and obtaining the list of static resource file MD5 values;
recording the MD5 values and the features of the static resources into the fraud-related APP feature library, thereby forming the library.
For image recognition algorithms that can perform the matching calculation on feature values of the static resources, the feature values can be recorded; for algorithms that need the original static resources for the matching calculation, the whole static resources must be recorded into the fraud-related APP feature library.
While the invention has been illustrated and described in terms of a preferred embodiment and several alternatives, the invention is not limited by the specific description in this specification. Other additional alternative or equivalent components may also be used in the practice of the present invention.

Claims (18)

1. A fraud-related APP detection system for detecting whether an application (APP) on a smart device is fraud-related, characterized by comprising an anti-fraud monitoring test module, the anti-fraud monitoring test module comprising: a mobile application rapid development platform development judgment module, a fraud-related APP code feature library, a feature analysis module and a fraud-related APP feature library;
the mobile application rapid development platform development judgment module decompiles the installation package file of the APP to be checked to obtain smali code and static resource files, matches the smali code against the fraud-related APP code feature library, analyzes the smali code of the sample to be detected, and finds APPs developed on a mobile application rapid development platform;
the feature analysis module analyzes the feature information of the static resource files of the APP, and if the matching degree between the features and the fraud-related APP feature library exceeds the feature matching degree set value, the APP is judged to be a fraud-related APP.
2. The fraud-related APP detection system of claim 1, wherein the initial value of the fraud-related APP feature library is entered by manual judgment.
3. The fraud-related APP detection system of claim 1, wherein the feature matching degree set value is expressed as the number of matched items as a percentage of the total number, and the set value is greater than 50%.
4. The fraud-related APP detection system of claim 1, wherein the feature information analysis is MD5 code analysis of the static resource files, and the MD5 feature codes of all static resource files of APPs determined to be fraud-related are added to the fraud-related APP feature library.
5. The fraud-related APP detection system of claim 4, wherein the fraud-related APP feature library weights the MD5 feature codes that are matched to obtain weighted values, and the matching degree of the total static resources is calculated using the weighted values.
6. The fraud-related APP detection system of claim 1, wherein the feature analysis module comprises a fraud-related APP feature library comparison module; the fraud-related APP feature library comparison module performs the information analysis of the APP's static resource files on the smart device under detection.
7. The fraud-related APP detection system of claim 1, wherein the feature analysis module comprises a fraud-related APP network judgment control module; the fraud-related APP network judgment control module sends the static resources or the static resource feature information to a fraud-related APP judgment server for judgment.
8. The fraud-related APP detection system of claim 1, wherein the fraud-related APP feature library comprises picture feature information of the picture resources in fraud-related static resources; the feature analysis module performs matching calculation on the picture feature information, aggregates the matching degrees of all pictures, calculates an overall matching degree of the picture resources, and judges the APP to be a fraud-related APP if the overall matching degree is greater than a set value; the picture resource matching calculation algorithm comprises a grayscale-based matching algorithm, a feature-based matching algorithm and/or a relationship-based matching algorithm.
9. The fraud-related APP detection system of claim 8, wherein the picture resources of APPs determined to be fraud-related are stored in the fraud-related APP feature library, and for pictures with matching degrees higher than a predetermined value, only 1 copy is retained.
10. A fraud-related APP judgment server, comprising: a fraud-related APP feature library and a fraud-related APP feature library comparison module, wherein the fraud-related APP feature library comparison module compares the received static resource feature information of an APP with the fraud-related APP feature library, and if the matching degree between the static resources and the fraud-related APP feature library exceeds the feature matching degree set value, the APP is judged to be a fraud-related APP.
11. The fraud-related APP judgment server of claim 10, wherein the fraud-related APP feature library comprises picture feature information of the picture resources in fraud-related static resources, and the fraud-related APP feature library comparison module performs matching calculation according to the picture resource feature information; the matching calculation algorithm comprises a grayscale-based matching algorithm, a feature-based matching algorithm and/or a relationship-based matching algorithm.
12. The fraud-related APP judgment server of claim 10, wherein the feature matching degree set value is expressed as the number of matched static resources as a percentage of the total number of static resources, and the feature matching degree set value is greater than 50%.
13. The fraud-related APP judgment server of claim 11, wherein all picture resources of APPs determined to be fraud-related are added to the fraud-related APP feature library; for pictures with matching degrees higher than the set value, only 1 copy is retained.
14. A fraud-related APP detection and judgment method for detecting whether an application (APP) running on a smart device is fraud-related, characterized by comprising the following steps:
step 100: judging whether the sample is developed based on a mobile application rapid development platform, and obtaining resource feature information;
step 200: judging whether the sample is a fraud-related APP according to the matching degree between the resource feature information and the fraud-related APP feature library.
15. The fraud-related APP detection and judgment method of claim 14, wherein said step 100 comprises:
step 110: decompiling the APK sample to be checked to obtain smali code and resource files;
step 120: analyzing the smali code of the sample to be detected by matching it against the smali code feature library, and judging whether the sample is developed based on a mobile application rapid development platform.
16. The fraud-related APP detection and judgment method of claim 14, wherein said step 200 comprises:
step 210: extracting the list of static resource files after decompiling, and calculating the MD5 value of each resource file;
step 220: comparing the static resource features of the sample to be detected with the fraud-related APP feature library to calculate the matching degree, and judging whether the matching degree is greater than a threshold value;
step 230: if it is, judging the sample to be a fraud-related APP, and recording the MD5 values into the fraud-related APP feature library.
17. The fraud-related APP detection and judgment method of claim 14, wherein said step 200 comprises:
step 230: extracting the list of static resource files after decompiling, and extracting the picture features of all pictures;
step 231: comparing all the picture feature information with the picture feature library of fraud-related APPs;
step 240: judging whether the picture feature comparison result exceeds a threshold value, and judging the sample to be a fraud-related APP if it does;
step 250: if the sample is determined to be a fraud-related APP, adding all picture resources of the APP determined to be fraud-related into the fraud-related APP feature library; for pictures with matching degrees higher than the set value, only 1 copy is retained.
18. A readable storage medium having stored thereon a computer program, characterized in that,
the program, when executed by a processor, implements a fraud-related APP detection determination method as recited in any one of claims 14 to 17.
CN202310136195.1A 2023-02-20 2023-02-20 Fraud-related APP detection system, fraud-related APP judgment method and storage medium Active CN115859292B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310136195.1A CN115859292B (en) 2023-02-20 2023-02-20 Fraud-related APP detection system, fraud-related APP judgment method and storage medium

Publications (2)

Publication Number Publication Date
CN115859292A (en) 2023-03-28
CN115859292B (en) 2023-05-09

Family

ID=85658446

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310136195.1A Active CN115859292B (en) 2023-02-20 2023-02-20 Fraud-related APP detection system, fraud-related APP judgment method and storage medium

Country Status (1)

Country Link
CN (1) CN115859292B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant