KR101284013B1 - Smartphone Malicious Application Detect System and Method based on Client Program - Google Patents
- Publication number
- KR101284013B1
- Authority
- KR
- South Korea
- Prior art keywords
- application
- smartphone
- malicious
- analysis
- analysis target
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Abstract
The present invention relates to a smartphone malicious application detection method and system. The method according to the invention comprises receiving signature information of an analysis target application from a user smartphone, collecting the installation file of the analysis target application based on the signature information, installing on a test smartphone an image file of the smartphone operating system that has been modified to output the dynamic analysis target log, and installing the analysis target application on the test smartphone using the collected installation file and performing a dynamic analysis. According to the present invention, newly emerged or modified malicious applications can be detected early because both static and dynamic analysis are performed. In particular, the malicious-behavior-available APIs and the API call patterns make it possible to effectively detect the possibility of malicious behavior by the application.
Description
The present invention relates to a system and method for detecting malicious applications, and more particularly, to a system and method for detecting malicious applications in a smartphone by performing both static and dynamic analysis based on a client program.
Recently, with the spread of smartphones, the problem of malicious applications targeting smartphones has become serious. Applications in various categories, such as game apps, media player apps, and wallpaper selection apps, have turned out to be malicious.
These malicious applications are installed without the smartphone user noticing. Most of their malicious behavior falls into two groups. The first is collection of personal information: the names and phone numbers stored in the personal address book, the user's location collected in real time from the smartphone's GPS, credit card information stored on the smartphone or entered when using applications that require payment, and photo and video content stored on the smartphone. The second is malicious activity such as denial of service and delays.
To detect malicious applications there are two approaches: static analysis, which works from known information, and dynamic analysis, which detects malicious behavior by monitoring the actual execution of the application. However, most of the technologies developed so far for malware detection rely on static analysis through a signature database that uses the characteristics of already-known malicious code, as existing PC-based antivirus programs do, and this has limitations in detecting mobile malicious code. In particular, analysis of the malicious behavior of applications distributed as smartphones have spread is not yet technically well organized, because smartphone operating systems and development methods differ from existing PC operating systems (Windows, Mac OS, etc.).
Accordingly, an object of the present invention is to provide a system and method for detecting malicious applications in a smartphone by performing both static and dynamic analysis based on a client program.
A malicious application detection method according to an embodiment of the present invention for solving this technical problem includes receiving signature information of an analysis target application from the user smartphone, collecting the installation file of the analysis target application based on the signature information, installing on the test smartphone an image file of the smartphone operating system modified to output the dynamic analysis target log, and installing the analysis target application on the test smartphone using the collected application installation file and performing a dynamic analysis.
The signature information of the analysis target application may include at least one of the MD5 hash value, the SHA1 hash value, the application package name, and the download location information of the application installation file of the analysis target application.
The method may further include extracting malicious behavior available APIs from the collected application installation files and performing a static analysis.
Performing the static analysis may include decompressing the application installation file and extracting an executable file, disassembling and decompiling the extracted executable file, and extracting the malicious-behavior-available APIs from the code obtained through the disassembly and decompilation.
The method may further include generating an analysis result including contents of malicious behavior related to the extracted malicious behavior available API.
The method may further include generating an analysis result that includes the malicious behavior content related to the combination information of the extracted malicious-behavior-available APIs.
Performing the dynamic analysis may include installing the image file of the modified smartphone operating system on the test smartphone, installing the analysis target application using the collected application installation file, executing the installed analysis target application on the test smartphone, and collecting a log analysis result that includes the function information and function coverage of the functions executed while the application runs.
The method may further include generating an analysis result including the malicious behavior content indicated by the API call pattern identified from the log analysis result.
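The static analysis stage described above (decompress the installation file, read the executable, list the malicious-behavior-available APIs and their combinations), together with the MD5/SHA1 signature information, as an added Python example that is not the patent's own code. The API table, the combination rules and the installation file are assumptions constructed for the example; instead of disassembling, the parser reads the DEX string_ids, type_ids and method_ids tables directly, and the synthetic DEX carries only those tables.

```python
import hashlib
import io
import struct
import zipfile

# Assumed table of malicious-behaviour-available APIs: (class descriptor, method) -> behaviour tag.
SENSITIVE_APIS = {
    ("Landroid/telephony/TelephonyManager;", "getLine1Number"): "phone_number",
    ("Landroid/location/LocationManager;", "getLastKnownLocation"): "location",
    ("Landroid/telephony/SmsManager;", "sendTextMessage"): "sms_send",
    ("Ljava/net/HttpURLConnection;", "connect"): "network",
}
# Assumed combination rules: when every tag in the set is present, report this behaviour content.
COMBINATION_RULES = [
    ({"phone_number", "network"}, "personal information leak: phone number sent to a server"),
    ({"location", "network"}, "personal information leak: GPS location sent to a server"),
]

def _read_uleb128(buf, off):
    value, shift = 0, 0
    while buf[off] & 0x80:
        value |= (buf[off] & 0x7F) << shift
        shift += 7
        off += 1
    return value | (buf[off] << shift), off + 1

def dex_methods(dex):
    """(class descriptor, method name) pairs from the DEX method_ids table. Strings are
    decoded as UTF-8, which equals MUTF-8 for the ASCII identifiers used here."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    n_str, str_off = struct.unpack_from("<II", dex, 0x38)    # string_ids_size / _off
    n_typ, typ_off = struct.unpack_from("<II", dex, 0x40)    # type_ids_size / _off
    n_meth, meth_off = struct.unpack_from("<II", dex, 0x58)  # method_ids_size / _off
    strings = []
    for i in range(n_str):
        (data_off,) = struct.unpack_from("<I", dex, str_off + 4 * i)
        _, p = _read_uleb128(dex, data_off)  # skip utf16_size; data is NUL-terminated
        strings.append(dex[p:dex.index(b"\x00", p)].decode("utf-8"))
    types = [strings[struct.unpack_from("<I", dex, typ_off + 4 * i)[0]] for i in range(n_typ)]
    ids = (struct.unpack_from("<HHI", dex, meth_off + 8 * i) for i in range(n_meth))
    return [(types[class_idx], strings[name_idx]) for class_idx, _proto, name_idx in ids]

def static_analysis(apk_bytes):
    """Signature info plus the sensitive APIs and matched API combinations in classes.dex."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        dex = zf.read("classes.dex")
    found = {m: SENSITIVE_APIS[m] for m in dex_methods(dex) if m in SENSITIVE_APIS}
    tags = set(found.values())
    return {"md5": hashlib.md5(apk_bytes).hexdigest(),
            "sha1": hashlib.sha1(apk_bytes).hexdigest(),
            "apis": sorted(f"{c}->{m}" for c, m in found),
            "behaviours": [text for need, text in COMBINATION_RULES if need <= tags]}

def build_synthetic_apk(methods):
    """Constructed input: a minimal DEX (header, string_ids, type_ids, method_ids, string
    data) zipped as classes.dex. Only the tables dex_methods() reads are filled; not a real app."""
    strings = sorted({s for pair in methods for s in pair})
    classes = sorted({c for c, _ in methods})
    sidx, tidx = {s: i for i, s in enumerate(strings)}, {c: i for i, c in enumerate(classes)}
    str_off, typ_off = 0x70, 0x70 + 4 * len(strings)
    meth_off, data_off = typ_off + 4 * len(classes), typ_off + 4 * len(classes) + 8 * len(methods)
    data, offs = bytearray(), []
    for s in strings:  # string_data_item: uleb128 utf16_size (one byte here), bytes, NUL
        offs.append(data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"
    hdr = bytearray(0x70)
    hdr[:8] = b"dex\n035\x00"
    struct.pack_into("<II", hdr, 0x38, len(strings), str_off)
    struct.pack_into("<II", hdr, 0x40, len(classes), typ_off)
    struct.pack_into("<II", hdr, 0x58, len(methods), meth_off)
    body = b"".join(struct.pack("<I", o) for o in offs)
    body += b"".join(struct.pack("<I", sidx[c]) for c in classes)
    body += b"".join(struct.pack("<HHI", tidx[c], 0, sidx[m]) for c, m in methods)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", bytes(hdr) + body + bytes(data))
    return buf.getvalue()

SAMPLE_APK = build_synthetic_apk([  # constructed sample: reads the phone number, then connects to a server
    ("Landroid/telephony/TelephonyManager;", "getLine1Number"),
    ("Ljava/net/HttpURLConnection;", "connect"),
    ("Landroid/widget/Toast;", "makeText"),  # benign, must not be reported
])
```

On a real APK the same `static_analysis()` call works once `dex_methods()` is fed the app's actual classes.dex, since the offsets read are those of the DEX header.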
The method may further include transmitting a malicious application detection result to the user smartphone based on the analysis result.
The modified smartphone operating system image file may include a Dalvik VM into which a function that outputs the dynamic analysis target log, including the API call log, has been inserted.
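The dynamic analysis stage described above, as an added Python example that is not the patent's own code: it consumes the API call log that the instrumented Dalvik VM writes, produces the function information and function coverage of the log analysis result, and reports malicious behavior content from API call patterns. The log line format, the call patterns, the sample log and the function set from the static stage are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed line format written by the instrumented Dalvik VM: "<ms> <pid> <tid> API <class>-><method>".
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<pid>\d+) (?P<tid>\d+) API (?P<cls>L[^;]+;)->(?P<method>[\w<>$]+)$")

# Assumed API call patterns: (ordered API sequence, time window in ms, behaviour content reported).
CALL_PATTERNS = [
    ((("Landroid/telephony/TelephonyManager;", "getLine1Number"),
      ("Ljava/net/HttpURLConnection;", "getOutputStream")), 5000,
     "personal information leak: phone number read, then network output stream opened"),
    ((("Landroid/location/LocationManager;", "getLastKnownLocation"),
      ("Landroid/telephony/SmsManager;", "sendTextMessage")), 5000,
     "personal information leak: GPS location read, then SMS sent"),
]

def parse_api_log(lines, pid):
    """API calls of the analysed app's process, in log order; malformed lines are skipped."""
    calls = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and int(m["pid"]) == pid:
            calls.append((int(m["ts"]), m["cls"], m["method"]))
    return calls

def function_coverage(calls, declared):
    """Executed functions against the function set the static analysis stage found in the installer."""
    hit = {(c, m) for _, c, m in calls} & set(declared)
    return {"executed": sorted(f"{c}->{m}" for c, m in hit),
            "coverage": round(len(hit) / len(declared), 3) if declared else 0.0}

def match_pattern(calls, sequence, window_ms):
    """True if the APIs occur in this order with every call within window_ms of the first."""
    for start, (ts0, cls, method) in enumerate(calls):
        if (cls, method) != sequence[0]:
            continue
        want = 1
        for ts, cls2, method2 in calls[start + 1:]:
            if ts - ts0 > window_ms:
                break
            if (cls2, method2) == sequence[want]:
                want += 1
                if want == len(sequence):
                    return True
    return False

def dynamic_analysis(log_lines, pid, declared_functions):
    """Log analysis result: function information, function coverage and matched call patterns."""
    calls = parse_api_log(log_lines, pid)
    result = function_coverage(calls, declared_functions)
    result["call_counts"] = dict(Counter(f"{c}->{m}" for _, c, m in calls))
    result["behaviours"] = [text for seq, window, text in CALL_PATTERNS
                            if match_pattern(calls, seq, window)]
    return result

# Constructed log excerpt: pid 4321 is the analysed app; pid 9999 is another process.
SAMPLE_LOG = """\
1000 4321 1 API Landroid/app/Activity;->onCreate
1020 4321 1 API Landroid/telephony/TelephonyManager;->getLine1Number
1035 4321 7 API Ljava/net/HttpURLConnection;->getOutputStream
1500 4321 1 API Landroid/widget/Toast;->makeText
1600 9999 1 API Landroid/telephony/SmsManager;->sendTextMessage
9000 4321 1 API Landroid/location/LocationManager;->getLastKnownLocation
garbage line from another log source
""".splitlines()

# Constructed: the functions the static analysis stage found in the installation file.
DECLARED = [
    ("Landroid/telephony/TelephonyManager;", "getLine1Number"),
    ("Ljava/net/HttpURLConnection;", "getOutputStream"),
    ("Landroid/widget/Toast;", "makeText"),
    ("Landroid/telephony/SmsManager;", "sendTextMessage"),
    ("Landroid/location/LocationManager;", "getLastKnownLocation"),
]
```

Calls from other processes and framework functions outside the declared set are kept out of the coverage figure, so the sample yields 4 of 5 declared functions executed and one matched call pattern.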
A computer-readable medium according to another embodiment of the present invention records a program for causing a computer to execute any one of the above methods.
A smartphone malicious application detection system according to another embodiment of the present invention for solving the above technical problem includes an analysis server that collects the installation file of the analysis target application based on signature information of the analysis target application provided from the user smartphone, installs on the test smartphone an image file of the smartphone operating system modified to output the analysis target log, and installs the analysis target application on the test smartphone using the collected application installation file and performs a dynamic analysis.
The analysis server may include a static analysis module that performs a static analysis by extracting the malicious-behavior-available APIs from the collected application installation file: it decompresses the application installation file and extracts the executable file, disassembles and decompiles the extracted executable file, and extracts the malicious-behavior-available APIs from the code obtained through the disassembly and decompilation.
The static analysis module may generate an analysis result including the malicious behavior content related to the extracted malicious-behavior-available APIs, and an analysis result including the malicious behavior content related to the combination information of the extracted malicious-behavior-available APIs.
The analysis server may install on the test smartphone a dynamic analysis module that installs the image file of the modified smartphone operating system on the test smartphone, installs the analysis target application using the collected application installation file, and collects a log analysis result including the function information and function coverage of the functions executed while the installed analysis target application runs on the test smartphone.
The dynamic analysis module may generate an analysis result including the malicious behavior content indicated by the API call pattern identified from the log analysis result.
The analysis server may transmit a malicious application detection result to the user smartphone based on the analysis result.
According to the present invention, newly emerged or modified malicious applications can be detected early because both static and dynamic analysis are performed. In particular, the malicious-behavior-available APIs and the API call patterns make it possible to effectively detect the possibility of malicious behavior by the application.
FIG. 1 is a block diagram provided to explain a malicious application detection system according to an embodiment of the present invention.
FIG. 2 is a flowchart provided to explain a malicious application detection method according to an embodiment of the present invention.
FIG. 3 is a flowchart provided to explain a static analysis method for detecting a malicious application according to an embodiment of the present invention.
FIG. 4 is a flowchart provided to explain a dynamic analysis method for detecting a malicious application according to an embodiment of the present invention.
Before the description of the present invention, the term 'application' used in this specification means an application used in a smartphone, and a 'malicious application' means an application that is installed without the user's knowledge and that leaks personal information, deletes, modifies or changes information, or performs denial of service and delay.
DETAILED DESCRIPTION
Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention.
FIG. 1 is a block diagram provided to explain a malicious application detection system according to an embodiment of the present invention.
Referring to FIG. 1, the malicious application detection system according to the present invention includes an
The malicious application detection system obtains application information including signature information about an application newly installed in the user smartphone 400 from the malicious application detection program installed in the user smartphone 400. In addition, the malicious application detection system obtains an installation file for the corresponding application from the
Here, the malicious application detection program may provide a user with a result of analyzing the malicious status of the newly installed application, and may delete and repair the file when a delete command for the file is input. According to an embodiment, the static analysis may be implemented to be performed in a malicious application detection program installed in the user smartphone 400.
The
The
The malicious application detection system may include an
The
The
The
APIs such as those shown in Table 1 below, which are used in Android, can be used to leak personal information.
Meanwhile, the
The
The
In particular, the
Meanwhile, according to an embodiment, the
The
The
The
The
A malicious application detection program provided by the malicious application detection system may be installed and executed on the user smartphone 400. Preferably, the malicious application detection program operates in the background and, whenever a new application is installed on the user's smartphone 400, extracts the signature information of that application and provides it to the
The malicious application detection method according to an embodiment of the present invention will now be described in detail with reference to FIGS. 2 to 4.
FIG. 2 is a flowchart provided to explain a malicious application detection method according to an embodiment of the present invention, FIG. 3 is a flowchart provided to explain a static analysis method for malicious application detection according to an embodiment of the present invention, and FIG. 4 is a flowchart provided to explain a dynamic analysis method for detecting a malicious application according to an embodiment of the present invention.
Referring to FIG. 2, first, the user smartphone 400 may receive and install a malicious application detection program from a download server (not shown) operated by an application market or by the malicious application detection system (S210).
Then, if there is an attempt to install a new application on the user smartphone 400 (S215-Y), the malicious application detection program extracts the signature information (MD5 hash value, SHA1, application package name, etc.) for the application from the application installation file and transmits it to the analysis server 100 (S220). According to an embodiment, in step S220 the malicious application detection program may provide the
Then, the
On the other hand, if it is determined that the malicious application in step (S230) (S230-N), the
Next, the
Referring to FIG. 3, the static analysis step S250 is described in detail. The
Next, the
In addition, the
The
Referring to FIG. 4, the dynamic analysis step (S260) will be described in detail. First, the
Next, the
Afterwards, the
Referring back to FIG. 2, the
Then, the malicious application detection program of the user's smartphone 400 may present a malicious application detection result delivered from the
Finally, the malicious application detection program deletes the corresponding application when a delete command is input by the user (S290). According to an exemplary embodiment, the malicious application may instead be deleted automatically regardless of the user's selection; however, it is preferable to implement the program so that it first receives confirmation from the user.
In the above-described embodiment, the malicious application detection program provides the signature information of the newly installed application on the user's smart phone 400 to the
Embodiments of the present invention include a computer-readable medium carrying program instructions for performing various computer-implemented operations. The medium records a program for executing the malicious application detection method described above. The medium may contain program instructions, data files, data structures, etc., alone or in combination. Examples of such media include magnetic media such as hard disks, floppy disks and magnetic tape; optical recording media such as CDs and DVDs; magneto-optical media such as floptical disks; and hardware devices configured to store and execute program instructions, such as ROM and RAM. The medium may also be a transmission medium, such as optical or metal lines or waveguides, including a carrier wave that carries a signal specifying program instructions, data structures, or the like. Examples of program instructions include not only machine code generated by a compiler but also high-level language code that a computer can execute using an interpreter or the like.
Although preferred embodiments of the present invention have been described in detail above, the scope of the present invention is not limited to them; various modifications and improvements made by those skilled in the art using the basic concepts of the present invention defined in the following claims also fall within the scope of the invention.
Claims (21)
Collecting an installation file of an analysis target application based on the signature information,
Installing the image file of the smartphone operating system modified to output the log to be analyzed on the test smartphone,
Installing the analysis target application using the collected application installation files on the test smartphone and performing dynamic analysis; and
And extracting malicious behavior available APIs from the collected application installation files to perform a static analysis,
The signature information of the analysis target application,
At least one of the MD5 hash value, the SHA1 value, the application package name, and the application installation file download location information of the analysis target application,
Performing the dynamic analysis,
Installing an image file of the modified smartphone operating system on the test smartphone,
Installing the analysis target application by using the collected application installation file;
Executing the installed analysis target application on the test smartphone;
Collecting log analysis results including function information and function coverage executed in the application execution process; and
Smart phone malicious application detection method comprising the step of generating an analysis result including the content of malicious behavior by the API call pattern identified on the basis of the log analysis results.
Performing the static analysis,
Extracting the application installation file and extracting an executable file;
Disassembling and decompiling the extracted executable file; and
Smart phone malicious application detection method comprising the step of extracting the malicious behavior available API from the code obtained through the disassembly and decompilation.
Smart phone malicious application detection method, characterized in that it further comprises the step of generating an analysis result containing the malicious behavior content associated with the extracted malicious behavior available API.
Smart phone malicious application detection method further comprises the step of generating an analysis result including the malicious behavior content associated with the extracted malicious behavior available API combination information.
The malicious application detection method of the smart phone, characterized in that further comprising the step of delivering a malicious application detection result based on the analysis result to the user smartphone.
The modified smartphone operating system image file is a smartphone malicious application detection method, characterized in that it includes a Dalvik VM inserted a function for the output of the dynamic analysis target log including the API call log.
The analysis server,
Installing the modified image of the smartphone operating system on the test smartphone, installing the analysis target application using the collected application installation file, and executing the installed analysis target application on the test smartphone Install a dynamic analysis module on the test smartphone to collect log analysis results including function information and function coverage executed in
The dynamic analysis module,
Generate an analysis result including malicious activity contents by the API call pattern identified based on the log analysis result;
The signature information of the analysis target application,
Smartphone malicious application detection system comprising at least one of the MD5 hash value, SHA1 and the application package name and the application installation file download location information of the analysis target application.
The analysis server,
Extract the application installation file, extract the executable file, perform disassembly and decompilation of the extracted executable file, and extract the malicious activity available API from the code obtained through the disassembly and decompilation. Smartphone malicious application detection system comprising a static analysis module.
The static analysis module,
Smartphone malicious application detection system, characterized in that for generating an analysis result including the malicious behavior content associated with the extracted malicious behavior available API.
The static analysis module,
Smartphone malicious application detection system, characterized in that for generating an analysis result including the malicious behavior content associated with the combination information of the extracted malicious behavior available API.
The analysis server,
Smartphone malicious application detection system, characterized in that for transmitting the malicious application detection results based on the analysis result to the user smartphone.
The modified smartphone operating system image file is a smartphone malicious application detection system, characterized in that it includes a Dalvik VM inserted a function for the output of the dynamic analysis target log including the API call log.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR20110147127A KR101284013B1 (en) | 2011-12-30 | 2011-12-30 | Smartphone Malicious Application Detect System and Method based on Client Program |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20130078279A KR20130078279A (en) | 2013-07-10 |
KR101284013B1 true KR101284013B1 (en) | 2013-07-26 |
Family
ID=48991284
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101284013B1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101628837B1 (en) * | 2014-12-10 | 2016-06-10 | 고려대학교 산학협력단 | Malicious application or website detecting method and system |
KR20180054390A (en) | 2016-11-14 | 2018-05-24 | 숭실대학교산학협력단 | System and method for detecting malicious of application, recording medium for performing the method |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2022025650A1 (en) * | 2020-07-29 | 2022-02-03 | 시큐차트 비.브이. | Application verification system and verification method |
KR102180105B1 (en) * | 2020-08-13 | 2020-11-17 | 최원천 | Method and apparatus for determining malicious software for software installed on device |
CN112131110A (en) * | 2020-09-21 | 2020-12-25 | 安徽捷兴信源信息技术有限公司 | Multisource heterogeneous data probe method and device of smart phone system |
KR20240037647A (en) * | 2022-09-15 | 2024-03-22 | 시큐차트글로벌 주식회사 | System and method for application verification |
Events
- 2011-12-30 KR KR20110147127A patent/KR101284013B1/en active IP Right Grant
Non-Patent Citations (4)
Title |
---|
Thomas B. et al., 'An Android Application Sandbox System for Suspicious Software Detection', IEEE 2010 International Conference on Malicious and Unwanted Software, pages 55-62, 19-20 October 2010 * |
Tim Vidas et al., 'Sweetening Android Lemon Markets: Measuring and Curbing Malware in Application Marketplaces', Technical Report, Carnegie Mellon University, 16 November 2011 * |
Also Published As
Publication number | Publication date |
---|---|
KR20130078279A (en) | 2013-07-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant | ||
FPAY | Annual fee payment |
Payment date: 20160425 Year of fee payment: 8 |