KR101284013B1 - Smartphone Malicious Application Detect System and Method based on Client Program - Google Patents


Publication number
KR101284013B1
Authority
KR
South Korea
Application number
KR20110147127A
Other languages
Korean (ko)
Other versions
KR20130078279A (en
Inventor
심기창
Original Assignee
(주)이지서티
Application filed by (주)이지서티
Priority to KR20110147127A
Publication of KR20130078279A
Application granted
Publication of KR101284013B1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The present invention relates to a method and system for detecting malicious smartphone applications. The method according to the invention comprises: receiving signature information of an analysis target application from a user smartphone; collecting the installation file of the analysis target application based on the signature information; installing, on a test smartphone, an image file of a smartphone operating system modified to output a dynamic analysis target log; and installing the analysis target application on the test smartphone using the collected application installation file and performing a dynamic analysis. According to the present invention, newly emerged or modified malicious applications can be detected early because both static and dynamic analysis are performed. In particular, the possibility of malicious behavior by an application can be detected effectively by means of malicious behavior available APIs and API call patterns.

Description

Smartphone Malicious Application Detect System and Method based on Client Program

The present invention relates to a system and method for detecting malicious applications, and more particularly, to a system and method for detecting malicious applications in a smartphone by performing both static and dynamic analysis based on a client program.

Recently, with the spread of smart phones, the problem of malicious applications targeting smart phones is getting serious. Various categories of applications, such as game apps, media play apps, and wallpaper selection apps, have been shown to be malicious.

These malicious applications are installed without the smartphone user noticing. Most of their malicious behavior consists of collecting personal information: names and phone numbers from the personal address book, the user's location in real time from the smartphone's GPS information, credit card information stored on the smartphone or entered when using applications that require payment, and photo and video content stored on the smartphone. They also perform malicious activities such as denial of service and delay.

Malicious applications can be detected by static analysis, which analyzes known information, and by dynamic analysis, which detects malicious behavior by monitoring actual application execution. However, most of the technologies currently developed for malware detection rely on static analysis in the form of a signature DB that uses the characteristics of already known malicious code, as existing PC-based vaccine programs do, and this approach has limitations in detecting mobile malicious code. In particular, analysis of the malicious behavior of applications distributed with the recent growth in smartphone use is not yet technically well organized, because smartphone operating systems and development methods differ from those of existing PC operating systems (Windows, Mac OS, etc.).

Accordingly, an object of the present invention is to provide a system and method for detecting malicious applications in a smartphone by performing both static and dynamic analysis based on a client program.

A malicious application detection method according to an embodiment of the present invention for solving the above technical problem includes: receiving signature information of an analysis target application from a user smartphone; collecting an installation file of the analysis target application based on the signature information; installing, on a test smartphone, an image file of a smartphone operating system modified to output a dynamic analysis target log; and installing the analysis target application on the test smartphone using the collected application installation file and performing a dynamic analysis.

The signature information of the analysis target application may include at least one of an MD5 hash value, SHA1, an application package name, and download location information for the application installation file of the analysis target application.

The method may further include extracting malicious behavior available APIs from the collected application installation files and performing a static analysis.

The performing of the static analysis may include decompressing the application installation file and extracting an executable file, disassembling and decompiling the extracted executable file, and extracting the malicious behavior available APIs from the code obtained through the disassembly and decompilation.

The method may further include generating an analysis result including contents of malicious behavior related to the extracted malicious behavior available API.

The method may further include generating an analysis result including contents of malicious behavior related to the extracted malicious behavior available API combination information.

The performing of the dynamic analysis may include installing the image file of the modified smartphone operating system on the test smartphone, installing the analysis target application using the collected application installation file, executing the installed analysis target application on the test smartphone, and collecting a log analysis result including the function information and function coverage executed during the application execution.

The method may further include generating an analysis result including contents of malicious behavior by the API call pattern determined based on the log analysis result.

The method may further include transmitting a malicious application detection result to the user smartphone based on the analysis result.

The modified smartphone operating system image file may include a Dalvik VM into which a function for outputting a dynamic analysis target log including an API call log is inserted.

A computer-readable medium according to another embodiment of the present invention records a program for causing a computer to execute any one of the above methods.

A smartphone malicious application detection system according to another embodiment of the present invention for solving the above technical problem includes an analysis server that collects the installation file of an analysis target application based on signature information of the analysis target application provided from a user smartphone, installs on a test smartphone an image file of a smartphone operating system modified to output a dynamic analysis target log, and installs the analysis target application on the test smartphone using the collected application installation file and performs a dynamic analysis.

The analysis server may perform a static analysis by extracting malicious behavior available APIs from the collected application installation file, and may include a static analysis module that decompresses the application installation file, extracts the executable file, disassembles and decompiles the extracted executable file, and extracts the malicious behavior available APIs from the code obtained through the disassembly and decompilation.

The static analysis module may generate an analysis result including the malicious behavior contents related to the extracted malicious behavior available API, and may also generate an analysis result including the malicious behavior contents related to the extracted malicious behavior available API combination information.

The analysis server installs the image file of the modified smartphone operating system on the test smartphone and installs the analysis target application using the collected application installation file. A dynamic analysis module, which collects a log analysis result including the function information and function coverage executed while the installed analysis target application runs on the test smartphone, may be installed on the test smartphone.

The dynamic analysis module may generate an analysis result including malicious activity content based on the API call pattern identified based on the log analysis result.

The analysis server may transmit a malicious application detection result to the user smartphone based on the analysis result.

According to the present invention, there is an advantage in that it is possible to detect newly emerged or modified malicious applications early by performing both static and dynamic analysis. In particular, malicious behavior available APIs and API call patterns can effectively detect the possibility of malicious behavior of the application.

FIG. 1 is a block diagram provided to explain a malicious application detection system according to an embodiment of the present invention.
FIG. 2 is a flowchart provided to explain a malicious application detection method according to an embodiment of the present invention.
FIG. 3 is a flowchart provided to explain a static analysis method for detecting a malicious application according to an embodiment of the present invention.
FIG. 4 is a flowchart provided to explain a dynamic analysis method for detecting a malicious application according to an embodiment of the present invention.

Prior to the description of the present invention, the term 'application' used in the present specification means an application used on a smartphone, and a 'malicious application' means an application that is installed without the user's knowledge and performs leakage of personal information, deletion, modification, and change of information, and denial of service and delay.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention.

Referring to FIG. 1, the malicious application detection system according to the present invention includes an analysis server 100 and a test smartphone 200, and can connect to a user smartphone 400 and an app market 500 through a communication network 300 to exchange various information and data.

The malicious application detection system obtains application information, including signature information about an application newly installed on the user smartphone 400, from the malicious application detection program installed on the user smartphone 400. In addition, the malicious application detection system obtains an installation file for the corresponding application from the application market 500 or the like based on the application information transmitted from the user smartphone 400, performs static analysis and dynamic analysis, and may provide the result back to the user smartphone 400.

Here, the malicious application detection program may provide a user with a result of analyzing the malicious status of the newly installed application, and may delete and repair the file when a delete command for the file is input. According to an embodiment, the static analysis may be implemented to be performed in a malicious application detection program installed in the user smartphone 400.

The test smartphone 200 and the user smartphone 400 are intelligent terminals that add computer support functions such as Internet communication and information retrieval to a mobile phone, and on which the user can install and use desired applications. In particular, the test smartphone 200 according to the present invention is a smartphone used by the administrator of the malicious application detection system, in connection with the analysis server 100, to detect malicious applications. The user smartphone 400 may have the malicious application detection program installed; the program notifies the user of the malicious application detection result and can perform a treatment action, such as deleting the application, according to the user's selection.

The communication network 300 may include various data communication networks, such as a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), the Internet, 3G and 4G mobile communication networks, Wi-Fi, WIBRO, and cable networks. It may be wired or wireless, and any communication method may be used.

The malicious application detection system may include an analysis server 100 and a test smartphone 200, and may also include a verifier terminal (not shown) according to an embodiment.

The analysis server 100 may include a static analysis module 110 for detecting malicious applications, a database 120 for storing various information supporting malicious application detection, and an application collection module 130 for collecting analysis target applications.

The app collection module 130 may obtain an app installation file from the app market 500 using the app package name transmitted from the malicious application detection program, or may obtain the app installation file based on the app download location information included in the transmitted app information.

The database 120 may store signature information (MD5 hash value, SHA1, application package name, etc.) for applications already registered as malicious. In addition, the database 120 may predefine and store information about those APIs, among the APIs used in the smartphone operating system, that can be used for malicious behavior (hereinafter, malicious behavior available APIs). The malicious behavior available APIs can be selected, and changed, by the operator of the malicious application detection system.

APIs such as those shown in Table 1 below used in Android can be used to leak personal information.

| API | Explanation |
|---|---|
| getDeviceId | Get the device unique number (IMEI) value |
| getSubscriberId | Get the subscriber identification number (IMSI) value |
| openFileOutput | Open and write a file |
| openFileInput | Function to open and read a file |
| isWifiEnabled | Check whether the device is currently connected to Wi-Fi |
| getLatitude, getLongitude | Function to get GPS information |
| getContentResolver | Functions related to content provider access |
| openConnection | Internet connection request function |
| setRequestMethod | Function to set the method to use when connecting to the Internet |
| sendTextMessage | Function to perform SMS transmission |
| getMessageBody | Function to read saved SMS |
| setLatestEventInfo | Notification write function |
| getInstalledApplications | Check the applications currently installed on the smartphone |

Meanwhile, the database 120 may include information on combinations of malicious behavior available APIs (hereinafter, malicious behavior available API combination information). In practice, malicious behavior is often carried out not by a single malicious behavior available API but by a combination of them. Therefore, the system can be implemented to identify the possibility of malicious behavior by an application by comparing the malicious behavior available API combination information with the APIs extracted from the actual application. Of course, to increase accuracy, it is desirable to make the final judgment through verification by a verifier.

The static analysis module 110 can determine whether an application is malicious by comparing the application signature information (MD5 hash value, SHA1, application package name, etc.) transmitted by the malicious application detection program of the user smartphone 400 with the signature information of malicious applications stored in the database 120. Of course, according to an embodiment, the signature information may instead be obtained from the app installation file acquired by the app collection module 130 and compared with the signature information of malicious applications stored in the database 120 to determine whether the corresponding application is malicious.

The static analysis module 110 may disassemble and decompile the executable file extracted from the application installation file, parse the resulting code, and provide it in a form that a verifier can recognize. In more detail, the static analysis module 110 parses the disassembled and decompiled code to detect the predefined malicious behavior available APIs, and can generate a static analysis result containing the name of each detected API function, a brief description of the function, and the line of the disassembled and decompiled code on which the function is executed (where the function ran).

In particular, when parsing the disassembled and decompiled code detects, among the extracted APIs, a malicious behavior available API registered in the database 120, the static analysis module 110 according to the present invention can send this to the malicious application detection program on the user smartphone 400 so that the user can check the possibility that the application is malicious. At this time, it can also inform the user what malicious behavior the detected API can be used for, for example, leakage of personal information.

Meanwhile, according to an embodiment, the static analysis module 110 may compare the detected malicious behavior available APIs with the malicious behavior available API combination information stored in the database 120, preliminarily determine whether malicious behavior by the corresponding application is possible, and pass this to the malicious application detection program of the user smartphone 400 so that the user can confirm it. This can lower the false positive rate compared with judging by a single malicious behavior available API. Accordingly, the user can change the operation mode setting of the malicious application detection program to choose between being notified when a single malicious behavior available API is detected and being notified when a combination of malicious behavior available APIs is detected.

The analysis server 100 installs, on the test smartphone 200, an image file of the smartphone operating system modified to output a dynamic analysis target log, and then runs the dynamic analysis module 210 on the test smartphone 200 so that dynamic analysis results can be provided. The image file of the modified smartphone operating system may include a Dalvik VM into which a function for outputting a dynamic analysis target log, including an API call log, is inserted. In addition, the modified smartphone operating system image file is preferably installed on the test smartphone 200 each time a new application is dynamically analyzed. This allows dynamic analysis to be performed in a clean environment.

The test smartphone 200 is a smartphone used by the administrator of the malicious application detection system for malicious application detection. The dynamic analysis module 210 and the dynamic analysis target application are installed on the test smartphone 200 after the image file of the smartphone operating system modified to output a dynamic analysis target log has been installed. Thereafter, the dynamic analysis module 210 installed on the test smartphone 200 may perform dynamic analysis on the malicious behavior detection target application and provide the result to the analysis server 100. According to an embodiment, instead of using the test smartphone 200, the image file of the smartphone operating system may be installed on a smartphone emulator, such as an Android emulator or an iPhone emulator, on the server 100 or a PC (not shown), and the dynamic analysis performed afterwards.

The dynamic analysis module 210 collects and reports a log analysis result including the function information and function coverage executed while the dynamic analysis target application runs with the image file of the smartphone operating system installed. The dynamic analysis module 210 may use the Dalvik Debug Monitoring Service (DDMS), through which it can see the memory usage statistics of a process, detailed memory information, memory leak points, the thread list and state of the connected process, memory allocation information at a desired time, whether a specific function is executed, the function coverage history, and the Android log. In other words, the dynamic analysis target application can be executed while the changing environment (file system, registry, network, etc.) is monitored. The dynamic analysis module 210 may be implemented as an application executable on the test smartphone 200, for example as an Android application on an Android smartphone. The analysis result may be stored as a text file and reported to the analysis server 100.

The application market 500 may include not only official sites providing an application software download service, such as the Android Market and the App Store, but also illegal sites called black markets. The malicious application detection system can collect, through the application market 500, the applications whose malicious behavior is to be detected. Of course, it is also possible to collect applications stored on users' computers through P2P, or to collect malicious behavior detection target applications by other methods.

A malicious application detection program provided by the malicious application detection system may be installed and executed on the user smartphone 400. Preferably, the malicious application detection program operates in the background and, whenever a new application is installed on the user smartphone 400, extracts the signature information of the corresponding application and provides it to the analysis server 100. In addition, it may delete the corresponding application according to the malicious application detection result provided from the analysis server 100.

The malicious application detection method according to an embodiment of the present invention will now be described in detail with reference to FIGS. 2 to 4.

FIG. 2 is a flowchart provided to explain a malicious application detection method according to an embodiment of the present invention, FIG. 3 is a flowchart provided to explain a static analysis method for malicious application detection according to an embodiment of the present invention, and FIG. 4 is a flowchart provided to explain a dynamic analysis method for detecting a malicious application according to an embodiment of the present invention.

Referring to FIG. 2, first, the user smartphone 400 may receive and install a malicious application detection program from a download server (not shown) operated by an application market or a malicious application detection system (S210).

If there is an attempt to install a new application on the user smartphone 400 (S215-Y), the malicious application detection program extracts the signature information (MD5 hash value, SHA1, application package name, etc.) for the application from the application installation file and transmits it to the analysis server 100 (S220). According to an embodiment, in step S220, the malicious application detection program may provide the analysis server 100 with download location information for the application installation file.

Then, the analysis server 100 determines whether the application is malicious by comparing the application signature information transmitted from the user smartphone 400 with the signature information of malicious applications registered in the database 120 (S230). If the application is determined to be malicious in step S230 (S230-Y), the analysis server 100 can provide a malicious application detection result to the user smartphone 400 (S270).

On the other hand, if the application is not determined to be malicious in step S230 (S230-N), the analysis server 100 collects the installation file of the analysis target application from the app market 600 or the like through the app collection module 130 (S240).

Next, the analysis server 100 performs a static analysis operation for the application installation file through the static analysis module 110 (S250).

Referring to FIG. 3, the static analysis step S250 is described in detail. The static analysis module 110 decompresses the application installation file (e.g., an APK file in the case of Android) (S251). The static analysis module 110 then extracts an executable file (for example, a DEX file in the case of Android) from the decompressed application installation file (S252).

Next, the static analysis module 110 disassembles and decompiles the executable file to obtain disassembled and decompiled code (S253). The static analysis module 110 then parses the disassembled and decompiled code to extract the predefined malicious behavior available APIs (S254). In addition, the static analysis module 110 may generate a static analysis result including the malicious behavior content related to the extracted malicious behavior available APIs (S255). For example, the static analysis result may include information on whether an extracted API leaks personal information, induces abnormal charging, or causes the smartphone to operate abnormally. Meanwhile, according to an embodiment, the static analysis module 110 may compare the set of malicious behavior available APIs extracted in step S254 with the malicious behavior available API combination information stored in the database 120 and include the outcome in the static analysis result. That is, a static analysis result including malicious behavior content related to the malicious behavior available API combination may be generated.

In addition, the static analysis module 110 may write the analysis result, including the function name of each API extracted in step S254, a brief description of the function, and the line of the disassembled and decompiled code where the function was executed, in a form that the user can easily understand. The analysis result thus prepared may be reported to the analysis server 100 and transmitted to the verifier to be used as data for determining whether the application is malicious. Meanwhile, according to an exemplary embodiment, the static analysis module 110 may also perform step S230 of determining whether the application is malicious by comparison with the signature information.
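Steps S254 and S255 sketched as an added example (not code from the patent or its applicant): it scans smali-style disassembly for APIs from Table 1, records the function name, description and line, and applies combination rules under the two notification modes described earlier. The combination rules, the sample disassembly and all function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# API name -> brief description: a subset of Table 1 on this page.
MALICIOUS_AVAILABLE_APIS = {
    "getDeviceId": "Get the device unique number (IMEI) value",
    "getSubscriberId": "Get the subscriber identification number (IMSI) value",
    "getLatitude": "Get GPS information",
    "getLongitude": "Get GPS information",
    "openConnection": "Internet connection request",
    "sendTextMessage": "Perform SMS transmission",
    "getMessageBody": "Read saved SMS",
    "getInstalledApplications": "Check the applications currently installed",
}

# Hypothetical combination rules (the page lists none): a rule matches when
# every API in its set was extracted from the application.
API_COMBINATIONS = [
    (frozenset({"getDeviceId", "openConnection"}),
     "possible leak of the device identifier over the network"),
    (frozenset({"getLatitude", "getLongitude", "openConnection"}),
     "possible leak of location information over the network"),
    (frozenset({"getMessageBody", "sendTextMessage"}),
     "possible SMS forwarding or abnormal charging"),
]

# smali call site: invoke-<kind> {registers}, Lowner/Class;->method(args)ret
INVOKE_RE = re.compile(
    r"^\s*invoke-[\w/-]+\s+\{[^}]*\},\s*(L[^;]+;)->([\w$<>]+)\(")


@dataclass(frozen=True)
class ApiHit:
    api: str          # function name
    description: str  # brief description of the function
    owner: str        # class the call is made on, for the verifier
    line: int         # 1-based line in the disassembled code


def extract_api_hits(disassembly):
    """S254: return one ApiHit per call site of a listed API."""
    hits = []
    for lineno, text in enumerate(disassembly.splitlines(), start=1):
        m = INVOKE_RE.match(text)
        if m and m.group(2) in MALICIOUS_AVAILABLE_APIS:
            name = m.group(2)
            hits.append(ApiHit(name, MALICIOUS_AVAILABLE_APIS[name],
                               m.group(1), lineno))
    return hits


def match_combinations(hits):
    """Return the malicious behavior content of every matching rule."""
    present = {h.api for h in hits}
    return [content for apis, content in API_COMBINATIONS if apis <= present]


def static_analysis_result(disassembly, mode="combination"):
    """S255: build the result; 'mode' is the user's notification setting."""
    hits = extract_api_hits(disassembly)
    combos = match_combinations(hits)
    if mode == "single":
        notify = bool(hits)      # notify on any single listed API
    elif mode == "combination":
        notify = bool(combos)    # notify only on a registered combination
    else:
        raise ValueError("mode must be 'single' or 'combination'")
    return {"hits": hits, "combinations": combos, "notify": notify}


# Constructed sample input, not taken from a real application.
SAMPLE_DISASSEMBLY = "\n".join([
    ".method public onCreate(Landroid/os/Bundle;)V",
    "    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    "    move-result-object v1",
    '    const-string v2, "getLatitude"',  # string literal, not a call
    "    invoke-virtual {v3}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;",
    "    invoke-virtual {v4}, Landroid/content/Context;->getPackageName()Ljava/lang/String;",
    ".end method",
])

if __name__ == "__main__":
    result = static_analysis_result(SAMPLE_DISASSEMBLY)
    for hit in result["hits"]:
        print(f"line {hit.line}: {hit.api} ({hit.description}) on {hit.owner}")
    print("combinations:", result["combinations"], "notify:", result["notify"])
```

Matching is by method name only, as in Table 1, so an application's own method with the same name is also reported; the recorded owner class lets the verifier tell the two apart.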

The analysis server 100 may provide a malicious application detection result including the static analysis result generated in step S255 to the user smartphone 400 (S270). After the static analysis is performed (S250), the malicious application detection system may perform a dynamic analysis of the malicious behavior detection target application (S260). According to an embodiment, the static analysis performing step S250 and the dynamic analysis performing step S260 may be performed simultaneously or in a reversed order.

Referring to FIG. 4, the dynamic analysis step (S260) will be described in detail. First, the analysis server 100 installs, on the test smartphone 200, an image file of the smartphone operating system modified to output a dynamic analysis target log (S261). The modified smartphone operating system image file is preferably installed on the test smartphone 200 each time a new application is dynamically analyzed. This allows dynamic analysis to be performed in a clean environment.

Next, the analysis server 100 installs the dynamic analysis module 210 to the test smartphone 200 (S263). The dynamic analysis module 210 may be implemented and installed as an application executable in the test smartphone 200. Next, the analysis server 100 installs the analysis target application on the test smartphone 200 (S265). The analysis target app installed in step S265 is an app collected in step S240 through the app collection module 130.

Afterwards, the dynamic analysis module 210 executes the analysis target application installed on the test smartphone 200 (S266). In addition, the dynamic analysis module 210 collects a log analysis result including the function information and function coverage executed while the malicious behavior detection target application runs (S267). Based on the log analysis result collected in step S267, the identified API call pattern is compared with the API call patterns of applications that perform malicious behavior, registered in the database 120 in advance, to determine whether malicious behavior is possible, and a dynamic analysis result including the malicious behavior content indicated by the API call pattern may be generated (S268).
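Steps S267 and S268 sketched as an added example (not code from the patent or its applicant): it parses an API call log for the target process, computes function coverage, and checks the ordered call sequence against registered call patterns. The log tag "ApiTrace", the API/FUNC record layout, the patterns, the sample log and all function names are assumptions; the page does not specify the log format produced by the modified Dalvik VM.

```python
import re

# Assumed log line layout (logcat "brief" style with a hypothetical tag):
#   D/ApiTrace( 1234): API  <api name>        framework API call
#   D/ApiTrace( 1234): FUNC <function name>   application function executed
LOG_RE = re.compile(r"^[VDIWEF]/ApiTrace\(\s*(\d+)\):\s+(API|FUNC)\s+(\S+)$")

# Hypothetical registered call patterns: the APIs must occur in this order,
# with any number of other calls in between.
CALL_PATTERNS = [
    (("getDeviceId", "openConnection"),
     "device identifier read, then network connection opened"),
    (("getMessageBody", "sendTextMessage"),
     "stored SMS read, then SMS sent"),
]


def parse_trace(log_text, pid):
    """Return (ordered API calls, executed functions) for one process."""
    api_calls, functions = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or int(m.group(1)) != pid:
            continue  # other tags and other processes are ignored
        if m.group(2) == "API":
            api_calls.append(m.group(3))
        else:
            functions.append(m.group(3))
    return api_calls, functions


def contains_in_order(sequence, pattern):
    """True when 'pattern' is an ordered subsequence of 'sequence'."""
    remaining = iter(sequence)
    # 'step in remaining' consumes the iterator up to the first match,
    # so each step must be found after the previous one.
    return all(step in remaining for step in pattern)


def function_coverage(executed, declared):
    """Fraction of the application's declared functions that were executed."""
    declared = set(declared)
    if not declared:
        return 0.0
    return len(declared & set(executed)) / len(declared)


def dynamic_analysis_result(log_text, pid, declared_functions):
    """S267/S268: log analysis result plus matched call patterns."""
    api_calls, functions = parse_trace(log_text, pid)
    matched = [content for pattern, content in CALL_PATTERNS
               if contains_in_order(api_calls, pattern)]
    return {
        "api_calls": api_calls,
        "coverage": function_coverage(functions, declared_functions),
        "matched_patterns": matched,
    }


# Constructed sample log: pid 1234 is the analysis target, pid 987 is not.
SAMPLE_LOG = "\n".join([
    "D/ApiTrace( 1234): FUNC com.example.app.Main.onCreate",
    "D/ApiTrace( 1234): API openConnection",
    "D/ApiTrace(  987): API getMessageBody",
    "D/ApiTrace( 1234): API getDeviceId",
    "I/ActivityManager(  100): Displayed com.example.app/.Main",
    "D/ApiTrace( 1234): FUNC com.example.app.Uploader.send",
    "D/ApiTrace( 1234): API openConnection",
    "D/ApiTrace(  987): API sendTextMessage",
])

# Constructed list of functions declared by the sample application.
SAMPLE_DECLARED = [
    "com.example.app.Main.onCreate",
    "com.example.app.Main.onDestroy",
    "com.example.app.Uploader.send",
    "com.example.app.Settings.load",
]

if __name__ == "__main__":
    print(dynamic_analysis_result(SAMPLE_LOG, 1234, SAMPLE_DECLARED))
```

Low function coverage means the run exercised little of the application, so an empty pattern list from such a run says less than one from a run with high coverage.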

Referring back to FIG. 2, the analysis server 100 aggregates the static analysis result and the dynamic analysis result and provides the malicious application detection result to the user smartphone 400 (S270). The malicious application detection result may preferably include the malicious behavior content, or it may simply include information indicating that the analysis target application may be malicious.

Then, the malicious application detection program of the user's smartphone 400 may present a malicious application detection result delivered from the analysis server 100 and receive a command on whether to delete the malicious application from the user (S280).

Finally, the malicious application detection program deletes the corresponding application when a delete command is input by the user (S290). Meanwhile, according to an exemplary embodiment, the malicious application may be deleted automatically regardless of the user's selection. However, it is preferable to implement the program so that the user's confirmation is obtained.

In the above-described embodiment, the malicious application detection program was described as providing the signature information of an application newly installed on the user smartphone 400 to the analysis server 100, receiving the result of the analysis server 100's determination of whether the application is malicious, displaying it to the user, and deleting the corresponding application. However, the present invention is not limited thereto, and the malicious application detection program can also be implemented to include the function of the static analysis module 110 that operates in the analysis server 100. In this case, the malicious application signature information, malicious behavior available API information, API combination information, and the like necessary for the static analysis operation may be provided to the user smartphone 400 in advance.

Embodiments of the present invention include a computer-readable medium having program instructions for performing various computer-implemented operations. This medium records a program for executing the malicious application detection method described above. The medium may include program instructions, data files, data structures, etc., alone or in combination. Examples of such media include magnetic media such as hard disks, floppy disks and magnetic tape, optical recording media such as CDs and DVDs, magneto-optical media such as floptical disks, and hardware devices such as ROM and RAM that are configured to store and execute program instructions. Alternatively, such a medium may be a transmission medium, such as optical or metal lines or waveguides, including a carrier wave that transmits a signal specifying program instructions, data structures, or the like. Examples of program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like.

Although the preferred embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements made by those skilled in the art using the basic concepts of the present invention defined in the following claims also belong to the scope of rights of the present invention.

Claims (21)

A smartphone malicious application detection method comprising:
receiving, from a user smartphone, signature information of an analysis target application whose installation is attempted on the user smartphone;
collecting an installation file of the analysis target application based on the signature information;
installing, on a test smartphone, an image file of a smartphone operating system modified to output a log to be analyzed;
installing the analysis target application on the test smartphone using the collected application installation file and performing dynamic analysis; and
extracting malicious behavior available APIs from the collected application installation file to perform static analysis,
wherein the signature information of the analysis target application includes
at least one of an MD5 hash value, SHA1, an application package name, and application installation file download location information of the analysis target application, and
wherein performing the dynamic analysis comprises:
installing the image file of the modified smartphone operating system on the test smartphone;
installing the analysis target application using the collected application installation file;
executing the installed analysis target application on the test smartphone;
collecting log analysis results including function information and function coverage executed in the application execution process; and
generating an analysis result including the malicious behavior content indicated by the API call pattern identified on the basis of the log analysis results.
(deleted)
(deleted)
The method of claim 1,
wherein performing the static analysis comprises:
unpacking the application installation file and extracting an executable file;
disassembling and decompiling the extracted executable file; and
extracting the malicious behavior available APIs from the code obtained through the disassembly and decompilation.
The method of claim 1,
further comprising generating an analysis result including the malicious behavior content associated with the extracted malicious behavior available APIs.
The method of claim 1,
further comprising generating an analysis result including the malicious behavior content associated with combination information of the extracted malicious behavior available APIs.
(deleted)
(deleted)
The method of any one of claims 1, 4, 5 and 6,
further comprising delivering a malicious application detection result based on the analysis result to the user smartphone.
The method of claim 1,
wherein the modified smartphone operating system image file includes a Dalvik VM into which a function for outputting the dynamic analysis target log, including an API call log, has been inserted.
A smartphone malicious application detection system comprising an analysis server that collects an installation file of an analysis target application based on signature information, provided from a user smartphone, of the analysis target application whose installation is attempted on the user smartphone; installs, on a test smartphone, an image file of a smartphone operating system modified to output a dynamic analysis target log; installs the analysis target application on the test smartphone using the collected application installation file and performs dynamic analysis; and performs static analysis by extracting malicious behavior available APIs (Application Program Interfaces) from the collected application installation file,
wherein the analysis server
installs, on the test smartphone, a dynamic analysis module that collects log analysis results including function information and function coverage executed in the course of installing the image file of the modified smartphone operating system on the test smartphone, installing the analysis target application using the collected application installation file, and executing the installed analysis target application on the test smartphone,
wherein the dynamic analysis module
generates an analysis result including the malicious behavior content indicated by the API call pattern identified based on the log analysis results, and
wherein the signature information of the analysis target application
includes at least one of an MD5 hash value, SHA1, an application package name, and application installation file download location information of the analysis target application.
(deleted)
(deleted)
The system of claim 11,
wherein the analysis server
comprises a static analysis module that unpacks the application installation file, extracts an executable file, disassembles and decompiles the extracted executable file, and extracts the malicious behavior available APIs from the code obtained through the disassembly and decompilation.
The system of claim 14,
wherein the static analysis module
generates an analysis result including the malicious behavior content associated with the extracted malicious behavior available APIs.
The system of claim 14,
wherein the static analysis module
generates an analysis result including the malicious behavior content associated with combination information of the extracted malicious behavior available APIs.
(deleted)
(deleted)
The system of any one of claims 11, 14, 15 and 16,
wherein the analysis server
transmits a malicious application detection result based on the analysis result to the user smartphone.
The system of claim 11,
wherein the modified smartphone operating system image file includes a Dalvik VM into which a function for outputting the dynamic analysis target log, including an API call log, has been inserted.
A computer readable medium having recorded thereon a program for executing the method of any one of claims 1, 4, 5, 6, and 10 on a computer.
KR20110147127A 2011-12-30 2011-12-30 Smartphone Malicious Application Detect System and Method based on Client Program KR101284013B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR20110147127A KR101284013B1 (en) 2011-12-30 2011-12-30 Smartphone Malicious Application Detect System and Method based on Client Program

Publications (2)

Publication Number Publication Date
KR20130078279A KR20130078279A (en) 2013-07-10
KR101284013B1 true KR101284013B1 (en) 2013-07-26

Family

ID=48991284

Country Status (1)

Country Link
KR (1) KR101284013B1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101628837B1 (en) * 2014-12-10 2016-06-10 고려대학교 산학협력단 Malicious application or website detecting method and system
KR20180054390A (en) 2016-11-14 2018-05-24 숭실대학교산학협력단 System and method for detecting malicious of application, recording medium for performing the method

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022025650A1 (en) * 2020-07-29 2022-02-03 시큐차트 비.브이. Application verification system and verification method
KR102180105B1 (en) * 2020-08-13 2020-11-17 최원천 Method and apparatus for determining malicious software for software installed on device
CN112131110A (en) * 2020-09-21 2020-12-25 安徽捷兴信源信息技术有限公司 Multisource heterogeneous data probe method and device of smart phone system
KR20240037647A (en) * 2022-09-15 2024-03-22 시큐차트글로벌 주식회사 System and method for application verification

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Thomas B. et al., 'An Android Application Sandbox System for Suspicious Software Detection', IEEE 2010 International Conference on Malicious and Unwanted Software, pages 55-62, 19-20 October, 2010 *
Tim Vidas et al., 'Sweetening Android Lemon Markets: Measuring and Curbing Malware in Application Marketplaces', Technical Report, Carnegie Mellon University, 16 November 2011 *

Similar Documents

Publication Publication Date Title
KR101295644B1 (en) System and method for verifying smart phone application
Gamba et al. An analysis of pre-installed android software
US20220174494A1 (en) Determining a security state based on communication with an authenticity server
US11019114B2 (en) Method and system for application security evaluation
KR101284013B1 (en) Smartphone Malicious Application Detect System and Method based on Client Program
JP6188956B2 (en) Malware detection inspection method and apparatus
KR101161493B1 (en) Method of Examining Malicious Codes and Dangerous Files in Android Terminal Platform
CN103279706B (en) Intercept the method and apparatus installing Android application program in the terminal
KR20150044490A (en) A detecting device for android malignant application and a detecting method therefor
EP2680182B1 (en) Mobile device and method to monitor a baseband processor in relation to the actions on an application processor
KR20120096983A (en) Malware detection method and mobile terminal therefor
CN104376266B (en) The determination method and device of application software level of security
CN102082802A (en) Behavior-based mobile terminal security protection system and method
KR20080026172A (en) Apparatus and methods for detection and management of unauthorized executable instructions on a wireless device
CN101959193A (en) Information safety detection method and a mobile terminal
CN104809397A (en) Android malicious software detection method and system based on dynamic monitoring
KR20110128632A (en) Method and device for detecting malicious action of application program for smartphone
Seo et al. Analysis on maliciousness for mobile applications
CN103268448A (en) Method and system for dynamically detecting safety of mobile applications
KR101657667B1 (en) Malicious app categorization apparatus and malicious app categorization method
KR101324691B1 (en) System and method for detecting malicious mobile applications
KR101115250B1 (en) Apparatus and method for checking safety of qr code
CN104992116A (en) Monitoring method and system based on intent sniffer
KR20130078278A (en) Smartphone malicious application detect system and method
KR101270497B1 (en) System for collecting and analyzing mobile malware automatically

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20160425

Year of fee payment: 8