KR20150044490A - A detecting device for android malignant application and a detecting method therefor - Google Patents


Publication number
KR20150044490A
Authority
KR
South Korea
Prior art keywords
application
malicious
detection
file
detection data
Prior art date
Application number
KR20130123361A
Other languages
Korean (ko)
Inventor
김준섭
황명국
김동원
Original Assignee
(주)이스트소프트
주식회사 이스트시큐리티
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by (주)이스트소프트, 주식회사 이스트시큐리티 filed Critical (주)이스트소프트
Priority to KR20130123361A priority Critical patent/KR20150044490A/en
Priority to PCT/KR2014/008560 priority patent/WO2015056885A1/en
Publication of KR20150044490A publication Critical patent/KR20150044490A/en

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis

Abstract

The present invention relates to a device capable of detecting malicious Android applications and a detection method thereof. More specifically, the device can extract a part of the components of Manifest and Dex files in an application package file to calculate the degree of similarity with a malicious application pattern to detect a malicious application. The present invention can detect the malicious application through analyzing the data structure related to the execution of the application even when a part of the data in the application package file is modified or a malicious code is repackaged with a proper application package.

Description

The present invention relates to an apparatus and method for detecting malicious Android applications, and more particularly, to an apparatus and method that detect a malicious application by extracting a part of the components of the AndroidManifest file and the class file in an application package file and calculating the degree of similarity with a malicious application pattern.

The operating systems that control the operation of smartphones include Apple's iOS, Google's Android, Nokia's Symbian, RIM's BlackBerry and Microsoft's Windows Mobile. Unlike iOS, which distributes applications in a closed fashion only through the Apple-owned app store, smartphones using the Android OS can download applications through multiple paths.

Android applications that are distributed through the various application markets include ones containing malicious code, which can lead to unintended information leakage while the user is using the application.

FIG. 1 is a block diagram illustrating a structure of a smartphone malicious application detection system based on signature information according to the related art, and FIG. 2 is a flowchart illustrating a process of detecting and removing a malicious application using the detection system of FIG. 1.

Referring to FIG. 1, the malicious application detection system of the related art includes an analysis server 100 and a test smartphone 200, is connected to the user smartphone 400 and the application market 500 through the communication network 300, and exchanges information and data with them.

The malicious application detection system obtains application information, including signature information about an application newly installed in the user smartphone 400, from a malicious application detection program installed in the user smartphone 400. Based on the application information transmitted from the user smartphone 400, the system obtains the installation file for the application from the application market 500 or the like, performs static analysis and dynamic analysis, and sends the result back to the user smartphone 400.

Here, the malicious application detection program provides a result of analyzing the maliciousness of the newly installed application to the user, and when the delete command for the file is input, the malicious application deletion process is performed.

The test smartphone 200 and the user smartphone 400 can install and use an application desired by the user. The test smartphone 200 is a smartphone that the administrator of the malicious application detection system connects to the analysis server 100 in order to detect malicious applications. The user smartphone 400 is a smartphone in which the malicious application detection program is installed in the form of an application; it informs the user of the detection result for an application and performs a treatment such as deleting the application according to the user's selection.

The communication network 300 includes the Internet, mobile communication networks such as 3G and 4G, Wi-Fi, and WIBRO.

The analysis server 100 includes a static analysis module 110 for detecting a malicious application, a database 120 for storing various information for supporting malicious application detection, and an application collection module 130 for collecting applications to be analyzed.

The application collection module 130 acquires the application installation file from the application market 500 using the application package name transmitted from the malicious application detection program or acquires the application installation file from the application installation file .

The database 120 stores signature information (MD5 hash value, SHA1, application package name, etc.) for applications already registered as malicious. The database 120 also predefines and stores information on the APIs that can be used for malicious actions among the application program interfaces (APIs) used in the smartphone operating system.

Referring to FIG. 2, the user smartphone 400 receives the malicious application detection program from a download server operated by an application market or by the malicious application detection system (S210).

If an attempt is made to install a new application in the user smartphone 400 in step S215, the malicious application detection program extracts signature information on the application from the application installation file and transmits the extracted signature information to the analysis server 100 in step S220.

Then, the analysis server 100 compares the application signature information transmitted from the user smartphone 400 with the signature information of the malicious application registered in the database 120 to determine whether the application is a malicious application (S230). If it is determined in the previous step S230 that the malicious application is detected (S230-Y), the malicious application detection result may be immediately provided to the user smartphone 400 (S270).

If the application is not determined to be malicious (S230-N), the analysis server 100 collects the installation file of the analysis target application from the application market 600 through the application collection module 130 (S240).

Next, the analysis server 100 performs a static analysis operation on the application installation file through the static analysis module 110 (S250).

The static analysis module 110 decompresses the application installation file (e.g., the APK file in the case of Android) and extracts an executable file (e.g., the DEX file in the case of Android) from it. It then generates a static analysis result covering the APIs that can be used for malicious actions. For example, a static analysis result is generated that includes the extracted APIs related to leaking personal information, inducing abnormal charges, or making the smartphone operate abnormally.

If it is determined that the application is malicious, the analysis server 100 requests the user smartphone 400 to remove the malicious application, thereby detecting and removing the malicious application.

However, existing Android malicious application detection methods such as the related art described above take data such as the package name in the AndroidManifest.xml file, the CRC value in the classes.dex file, the SHA-1 value, class names, strings, and the MD5 value of the APK file, and use a hash value of one of these, or of several of the enumerated values combined, as the detection pattern. That is, they use a signature-based detection method that relies on specific unique values.

Existing signature-based detection techniques fail to detect a malicious application when some of the data in its file changes or when malicious code is repackaged into a normal application. That is, a variant of a malicious application goes undetected even if the malicious code itself has not changed.

KR 10-2013-0078279 A KR 10-2011-0084693 A KR 10-1246623 B1

In order to solve the above problems, an object of the present invention is to provide a detection device and a detection method for malicious Android applications that extract the component and permission information from the AndroidManifest.xml file included in an Android-based application package file, extract the string data and the class data from the classes.dex file, compare them with the patterns of malicious applications, and classify the application as malicious or normal according to the degree of similarity found by the comparison.

Another object of the present invention is to provide a detection device and a detection method for malicious Android applications that divide the patterns of data included in malicious applications into parts, store them in a database in advance, and assign a degree of similarity to the extracted data according to how much of a malicious application's patterns it contains.

According to an aspect of the present invention, there is provided a system for detecting a malicious application by analyzing an Android application package (APK), the system comprising: a detection data extracting unit 111 for extracting detection data necessary for detecting malicious code from the AndroidManifest.xml file (hereinafter referred to as the 'Manifest file') and the Classes.dex file (hereinafter referred to as the 'Dex file') in the Android application package; a detection data DB 112 for storing the detection data extracted from the Manifest file and the Dex file by the detection data extracting unit 111; a detection engine 113 for classifying an application package to be diagnosed as a malicious application when a pattern matching the pattern of a malicious application package is included in the detection data; and a malicious pattern DB 114 for storing patterns included in applications determined to be malicious, wherein the detection data includes the component and permission information included in the Manifest file, and the string data and class data included in the Dex file.

The component includes activity information, which is code serving as a basic unit of the user interface (UI) of the application and provides an interface for interaction with a user; service information, which is code for a task executed in the background of the application; and receiver information, which is code called by the operating system (OS) as a broadcast receiver and receives and processes messages generated by an Intent.

According to another embodiment of the present invention, there is provided a method of detecting a malicious application by analyzing an Android application package, the method comprising: a first step in which the detection data extracting unit 111 extracts detection data necessary for detecting malicious code from the Manifest file and the Dex file in the Android application package; and a second step in which the detection engine 113 classifies the application package to be diagnosed as a malicious application when a pattern matching the pattern of a malicious application package stored in the malicious pattern DB 114 is included in the detection data, wherein the detection data includes the component and permission information included in the Manifest file, and the string data and class data included in the Dex file.

The component includes activity information, which is code serving as a basic unit of the UI of the application and provides an interface for interaction with a user; service information, which is code for a task executed in the background of the application; and receiver information, which is code called by the OS as a broadcast receiver and receives and processes messages generated by an Intent.

According to the present invention, even when a part of data in an application package file is changed or a malicious code is repackaged in a normal application package, the malicious application can be detected by analyzing the structure of data related to execution of the application.

In addition, the patterns of malicious codes stored in the database can be used for analysis of a large number of application package files, thereby detecting a large number of malicious application packages that have been modified.

FIG. 1 is a block diagram illustrating a structure of a smartphone malicious application detection system based on signature information according to the related art.
FIG. 2 is a flowchart illustrating a process of detecting and removing a malicious application using the detection system of FIG. 1;
FIG. 3 is a block diagram illustrating a connection state of a detection device according to an embodiment of the present invention.
FIG. 4 is a block diagram showing the internal structure of the detection device.
FIG. 5 is a block diagram showing the structure of a Manifest file.
FIG. 6 is a view showing an actual creation example of the Manifest file of FIG. 5.
FIG. 7 is a block diagram showing a structure of a Dex file.
FIG. 8 is a view showing an actual creation example of the Dex file of FIG. 7.
FIG. 9 is a flowchart showing an operation procedure of the detection method of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 3 is a block diagram illustrating a connection state of a detection apparatus according to an embodiment of the present invention. FIG. 5 is a block diagram showing the structure of the AndroidManifest file, FIG. 6 is a diagram showing an actual creation example of the AndroidManifest file shown in FIG. 5, FIG. 7 is a block diagram showing the structure of the Classes file, and FIG. 8 is a diagram showing an actual creation example of the Classes file of FIG. 7.

The malicious Android application detection device (hereinafter referred to as the "detection device") of the present invention is installed in any one of the user terminal 100, the application providing system 300, and the detection server 400.

The user terminal 100 of the present invention means a smart phone or a tablet PC having an Android-based OS installed therein. The detection device 110 installed in the user terminal 100 monitors whether or not a malicious code is included in the Android application installed or used by the user and stops or discontinues the execution of the application containing the malicious code. When the detection device 110 is installed in the user terminal 100, the detection device 110 operates upon installation or execution of the application to detect a malicious code.

The application providing system 300 is a system for providing application programs to the user terminal 100 online, and includes systems such as the 'Play Store' operated by Google and 'Samsung Apps'. The detection device 110 installed in the application providing system 300 checks whether malicious code is included in an application before the system distributes it, to prevent malicious code from being distributed.

The detection server 400 is a surveillance system that exists separately from the user terminal 100 and the application providing system 300, and is generally a system of a company that provides an antivirus program. The detection server 400 collects new applications in real time or periodically to check whether malicious code is included.

The detection device 110 of the present invention is implemented in software, and it is most preferable that the detection device 110 operates in the user terminal 100 in which the application is installed and executed.

The user terminal 100 is connected to the application providing system 300 or the detection server 400 through a communication network 200 such as a 3G or 4G mobile communication network or a wired or wireless Internet.

The detection device 110 extracts the data used for malicious code detection from the application, analyzes the execution pattern of the program included in the extracted data, and determines whether it operates in the same manner as malicious code. As a result of the analysis, an application that performs the same operation as a malicious code pattern is classified as a malicious application, and otherwise the application is classified as a normal application.

The detection apparatus 110 includes a detection data extraction unit 111, a detection data DB 112, a detection engine 113, and a malicious pattern DB 114.

The detection data extracting unit 111 extracts, from the AndroidManifest.xml file (hereinafter referred to as the 'Manifest file') and the Classes.dex file (hereinafter referred to as the 'Dex file') inside the Android application package (APK), the detection data that is helpful for detecting malicious code. The detection data is a part that does not change even when the application package is modified or repackaged, and the details will be described later.

The detection data DB 112 stores the detection data extracted from the Manifest file and the Dex file by the detection data extraction unit 111 and transmits the detection data to the detection engine 113 for analysis of the malicious code.

The detection engine 113 determines whether malicious code is included using the extracted detection data, and calls the pattern of the malicious APK stored in the malicious pattern DB 114 to calculate the match degree. If they are found to have the same pattern as a malicious APK above a certain level, they are classified as malicious applications. For analysis of the detection engine 113, the malicious pattern DB 114 stores data on execution patterns of malicious codes already classified as malicious application packages by another detection system.

Detection data required for analysis of the detection device 110 is extracted from the manifest file and the Dex file.

In order to extract the detection data, the application package to be analyzed is first loaded, and the application package is decompressed (decompiled) to extract the manifest file and the Dex file. The extraction of the manifest file and the Dex file may be performed by the detection apparatus 110 or may be executed by a separate system. The extracted Manifest file and Dex file are transmitted to the detection apparatus 110 to analyze the application.

A manifest file is a file that contains information about what kind of activity an application performs and what permissions it needs, such as the version and name of the project, and application information such as execution rights. As shown in FIG. 5, the manifest file includes package name, component, and permission information.

The package name is a part of the unique name of the application package. In the Android app market, there can be only one application having a specific package name (① in FIG. 6).

The component includes activity information, service information, and receiver information.

The activity information is code serving as a basic unit of the user interface (UI) of an application, and provides an interface for interaction with a user (② in FIG. 6).

The service information is code for a task to be executed in the background of the application, and is a part that is not exposed to the user (③ in FIG. 6).

The receiver information is code called by the OS as a broadcast receiver, and is code for receiving and processing a message generated by an Intent. The receiver information responds to a specific event such as SMS reception (④ in FIG. 6).

The permission information defines the authority for an action to be performed when an application is executed (⑤ in FIG. 6). In order to perform an action such as SMS reception while an application is running, the corresponding permission must be recorded in the Manifest file.

Among these, the detection data extraction unit 111 extracts the component and permission information, and transmits them to the detection engine 113. For the component, the action fields and the attribute values defined in each field are extracted.

The Dex file, on the other hand, is an executable file created from compiled Java classes: the Java class files are converted into bytecode that the Dalvik virtual machine of the Android terminal can recognize. The Dalvik virtual machine loads a specific Java class from the Dex file to execute the desired behavior of the application. As shown in FIG. 7, the Dex file includes a header, string data, and class data.

The string data is the strings used by the application, and exists in the Dex file (③ in FIG. 8).

The class data is the list of classes used by the application, and includes a method list for each class (④ in FIG. 8).
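The string data and class data described above can be read straight from the tables that the Dex header points to. The following Python code is an added example, not part of the patent: the function names are hypothetical, the sample Dex image is constructed for the example, and the per-class method list is taken from the method-reference table, which approximates the list of methods a class defines.

```python
import struct

def _uleb128(buf, off):
    """Decode one unsigned LEB128 value; return (value, next_offset)."""
    value = shift = 0
    while True:
        byte = buf[off]
        off += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, off
        shift += 7
        if shift > 28:
            raise ValueError("uleb128 longer than 5 bytes")

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def _parse(buf):
    # Header fields: sizes and offsets of the string, type, method and class tables.
    str_n, str_off, type_n, type_off = struct.unpack_from("<4I", buf, 0x38)
    meth_n, meth_off, class_n, class_off = struct.unpack_from("<4I", buf, 0x58)
    strings = []
    for i in range(str_n):
        _, start = _uleb128(buf, _u32(buf, str_off + 4 * i))  # skip UTF-16 length
        end = buf.index(b"\x00", start)                       # data is NUL-terminated
        # MUTF-8 is decoded as UTF-8 here, which is exact for ASCII names.
        strings.append(buf[start:end].decode("utf-8", "replace"))
    types = [strings[_u32(buf, type_off + 4 * i)] for i in range(type_n)]
    # class_def_item is 32 bytes; its first field indexes the type table.
    classes = {types[_u32(buf, class_off + 32 * i)]: [] for i in range(class_n)}
    # method_id_item: class_idx (u16), proto_idx (u16), name_idx (u32).
    for i in range(meth_n):
        cls, _proto, name = struct.unpack_from("<HHI", buf, meth_off + 8 * i)
        if types[cls] in classes:      # skip references to framework classes
            classes[types[cls]].append(strings[name])
    return {"strings": strings, "classes": classes}

def parse_dex(buf):
    """Return the string data and class data (class -> method names) of a Dex image."""
    if len(buf) < 0x70 or buf[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    try:
        return _parse(buf)
    except (struct.error, IndexError, ValueError) as exc:
        # Offsets come from an untrusted file: report, never crash the scanner.
        raise ValueError("malformed DEX: %s" % exc) from None

def build_sample_dex(strings, types, methods, classes):
    """Constructed, minimal Dex image (no checksum, map or code) used as sample input."""
    str_off = 0x70
    type_off = str_off + 4 * len(strings)
    meth_off = type_off + 4 * len(types)
    class_off = meth_off + 8 * len(methods)
    data_off = class_off + 32 * len(classes)
    ids, data = b"", b""
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode() + b"\x00"  # 1-byte uleb128 length, text, NUL
    body = ids + b"".join(struct.pack("<I", t) for t in types)
    body += b"".join(struct.pack("<HHI", c, 0, n) for c, n in methods)
    body += b"".join(struct.pack("<8I", c, 1, 0, 0, 0, 0, 0, 0) for c in classes)
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<4I", header, 0x38, len(strings), str_off, len(types), type_off)
    struct.pack_into("<4I", header, 0x58, len(methods), meth_off, len(classes), class_off)
    return bytes(header) + body + data

# Constructed sample: two application classes plus one framework method reference.
SAMPLE_DEX = build_sample_dex(
    strings=["Landroid/util/Log;", "Lcom/example/SmsReceiver;",
             "Lcom/example/UploadService;", "d",
             "http://collector.example.invalid/upload", "onReceive", "onStartCommand"],
    types=[0, 1, 2],                    # indexes into the string table
    methods=[(0, 3), (1, 5), (2, 6)],   # (type index, name string index)
    classes=[1, 2])                     # type indexes of classes defined in this file

if __name__ == "__main__":
    print(parse_dex(SAMPLE_DEX))
```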

The Manifest file is decompiled into a text document by the decompiler, and the Dex file is decompiled into a jar file (*.jar) or a Java file (*.java).

The detection data extracting unit 111 extracts the data to be used for detection of a malicious application (hereinafter referred to as 'detection data') from the decompiled Manifest file and Dex file. From the Manifest file it extracts the component and permission information, and from the Dex file it extracts the string data and the class data.

The extracted detection data (component, permission information, string data, class data) is stored in the detection data DB 112 and provided to the detection engine 113. If the extraction and analysis are performed in real time, the detection data may be directly transmitted from the detection data extraction unit 111 to the detection engine 113.

The detection engine 113 analyzes the transmitted detection data to determine whether a malicious application pattern exists. The malicious application pattern to be compared by the detection engine 113 is stored in the malicious pattern DB 114.

[Reference Figure 1]

Figure pat00001

[Reference FIG. 1] is an example of a pattern stored in the malicious pattern DB 114, and is composed of components that are compared with the components included in the manifest file and the Dex file. Although one of the representative patterns is illustrated in the present invention, various values exist in an actual application package.

[Reference Figure 2]

Figure pat00002

[Reference Figure 2] is a diagram illustrating a package in which unique values are used for each component of an application. The detection apparatus 110 classifies the application package as a malicious application when the same data or character string is included in the detection data extracted from the application package to be checked. If the degree of identity is below a certain level, or if there is no matching data at all, it is classified as a normal application.

FIG. 9 is a flowchart illustrating an operation of the detection method of the present invention.

Referring to FIG. 9, a specific operation process of the detection device 110 of the present invention will be described in order.

First, the application package to be checked for malicious code is located (S202). The search target may change according to where the detection device 110 is installed; the detection device 110 installed in the user terminal 100 diagnoses application packages installed or to be installed in the user terminal 100.

Next, the application package is decompressed (S204). The application package is a compressed file in the ZIP format, and includes a Manifest file, a Dex file, metadata, images, and other files. Of these, the Manifest file and the Dex file are the targets of detection.

The detection data extraction unit 111 extracts the detection data from the decompressed Manifest file and Dex file (S206). It extracts the component and permission information from the Manifest file, and the string data and the class data from the Dex file.

The extracted detection data is stored in a file or memory, and information on the stored location is transmitted to the detection engine 113 (S208).

The detection engine 113 analyzes the patterns included in the extracted detection data to check whether a malicious application pattern exists (S210). The malicious application pattern to be compared is called from the malicious pattern DB 114.

The detection engine 113 classifies the application as a malicious application when the patterns included in the detection data include a malicious application pattern. The detection data includes component data, permission information, string data, and class data, and each of these may include a plurality of patterns. The detection engine 113 can classify an application as malicious not only when the whole method list matches but also when the same pattern is found by partial matching of the method list.

In some cases, an application may be classified as a malicious application if it is found to be completely identical to a malicious application pattern, and classified as a suspicious application if it is not completely identical but partially identical strings are found. If nothing matching the malicious pattern is found at all, it can be classified as a normal application.
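The two steps above (extract the detection data, then match it against stored patterns) and the three verdicts can be shown side by side with the hash signature of the related art. This Python code is an added example, not part of the patent: it assumes the Manifest has already been decoded to text XML, and the pattern format, the 0.5 threshold, the simple-class-name normalization and all sample data are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def manifest_features(manifest_xml):
    """Components, intent actions and permissions from decoded Manifest text.

    The package name is deliberately ignored: repackaging changes it.
    """
    root = ET.fromstring(manifest_xml)
    feats = {("permission", p.get(ANDROID + "name")) for p in root.iter("uses-permission")}
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            # Assumption: keep only the simple class name, so a different
            # package prefix in the host application does not break the match.
            feats.add((tag, comp.get(ANDROID + "name", "").rsplit(".", 1)[-1]))
            feats.update(("action", a.get(ANDROID + "name")) for a in comp.iter("action"))
    return feats

def classify(features, patterns, suspicious_at=0.5):
    """Score each stored pattern by the share of its items present in the sample."""
    best_name, best = None, 0.0
    for name, pattern in patterns.items():
        score = len(pattern & features) / len(pattern) if pattern else 0.0
        if score > best:
            best_name, best = name, score
    if best == 1.0:
        return "malicious", best_name, best
    if best >= suspicious_at:           # hypothetical threshold
        return "suspicious", best_name, best
    return "normal", None, best

def file_hash(manifest_xml, dex_items):
    """Stand-in for a whole-file hash signature (the related-art approach)."""
    return hashlib.sha1((manifest_xml + repr(sorted(dex_items))).encode()).hexdigest()

def scan(manifest_xml, dex_items, known_hashes, patterns):
    verdict, name, score = classify(manifest_features(manifest_xml) | dex_items, patterns)
    return {"hash_hit": file_hash(manifest_xml, dex_items) in known_hashes,
            "verdict": verdict, "pattern": name, "score": round(score, 2)}

# ---- Constructed sample data (not taken from any real application) ----
SMS = "android.provider.Telephony.SMS_RECEIVED"
URL = "http://collector.example.invalid/upload"
PAYLOAD_XML = ('<service android:name="com.example.smsapp.UploadService"/>'
               '<receiver android:name="com.example.smsapp.SmsReceiver"><intent-filter>'
               '<action android:name="%s"/></intent-filter></receiver>' % SMS)
PAYLOAD_DEX = {("string", URL), ("method", "SmsReceiver.onReceive"),
               ("method", "UploadService.onStartCommand")}

def make_manifest(package, permissions, app_body):
    perms = "".join('<uses-permission android:name="android.permission.%s"/>' % p
                    for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application>%s</application></manifest>'
            % (package, perms, app_body))

PATTERNS = {"sms-forwarder (constructed)": {
    ("permission", "android.permission.RECEIVE_SMS"), ("receiver", "SmsReceiver"),
    ("service", "UploadService"), ("action", SMS),
    ("string", URL), ("method", "SmsReceiver.onReceive")}}

SAMPLES = {
    "original": (make_manifest("com.example.smsapp", ["RECEIVE_SMS", "INTERNET"],
                               '<activity android:name=".MainActivity"/>' + PAYLOAD_XML),
                 PAYLOAD_DEX | {("method", "MainActivity.onCreate")}),
    # Same code carried inside a different host application.
    "repackaged": (make_manifest("com.example.flashlight",
                                 ["CAMERA", "RECEIVE_SMS", "INTERNET"],
                                 '<activity android:name=".TorchActivity"/>' + PAYLOAD_XML),
                   PAYLOAD_DEX | {("method", "TorchActivity.onCreate"), ("string", "torch_on")}),
    # Legitimate SMS handling overlaps the pattern only in part.
    "lookalike": (make_manifest("com.example.messenger", ["RECEIVE_SMS"],
                                '<receiver android:name=".SmsReceiver"><intent-filter>'
                                '<action android:name="%s"/></intent-filter></receiver>' % SMS),
                  {("method", "SmsReceiver.onReceive")}),
    "benign": (make_manifest("com.example.flashlight", ["CAMERA"],
                             '<activity android:name=".TorchActivity"/>'),
               {("method", "TorchActivity.onCreate"), ("string", "torch_on")}),
}
KNOWN_HASHES = {file_hash(*SAMPLES["original"])}   # signature DB knows only the original

def run_samples():
    return {name: scan(m, d, KNOWN_HASHES, PATTERNS) for name, (m, d) in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

The repackaged sample misses the hash lookup but still matches the stored pattern in full, while the lookalike shows how a partial match lands in the suspicious tier.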

While the present invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, as will be understood by those skilled in the art. Therefore, the above-described embodiments are to be considered in all respects as illustrative and not restrictive; the scope of the invention is indicated by the appended claims rather than by the foregoing description, and all changes and modifications derived from the equivalent concept are intended to be included within the scope of the present invention.

100: User terminal 110: Detecting device
111: detection data extraction unit 112: detection data DB
113: detection engine 114: malicious pattern DB
200: communication network 300: application providing system
400: detection server

Claims (4)

1. A system for detecting malicious applications by analyzing an Android application package (APK), comprising:
a detection data extraction unit (111) for extracting detection data necessary for detecting malicious code from the AndroidManifest.xml file (hereinafter referred to as 'Manifest file') and the Classes.dex file (hereinafter referred to as 'Dex file') in the Android application package;
a detection data DB (112) for storing the detection data extracted from the Manifest file and the Dex file by the detection data extraction unit (111);
a detection engine (113) for classifying an application package to be diagnosed as a malicious application when a pattern matching the pattern of a malicious application package is included in the detection data; and
a malicious pattern DB (114) for storing patterns included in applications determined to be malicious,
wherein the detection data is composed of component and permission information included in the Manifest file, and string data and class data included in the Dex file.

2. The system according to claim 1, wherein the component comprises:
activity information, which is code serving as a basic unit of a user interface (UI) of the application and provides an interface for interaction with a user;
service information, which is code for a task executed in the background of the application; and
receiver information, which is code called by an operating system (OS) as a broadcast receiver and receives and processes messages generated by an Intent.

3. A method for analyzing an Android application package to detect malicious applications, comprising:
a first step in which a detection data extracting unit (111) extracts detection data necessary for detection of malicious code from a Manifest file and a Dex file in the Android application package; and
a second step in which a detection engine (113) classifies the application package to be diagnosed as a malicious application when a pattern matching the pattern of a malicious application package stored in a malicious pattern DB (114) is included in the detection data,
wherein the detection data comprises component and permission information included in the Manifest file, and string data and class data included in the Dex file.

4. The method of claim 3, wherein the component comprises:
activity information, which is code serving as a basic unit of the UI of the application and provides an interface for interaction with a user;
service information, which is code for a task executed in the background of the application; and
receiver information, which is code called by the OS as a broadcast receiver and receives and processes messages generated by an Intent.
KR20130123361A 2013-10-16 2013-10-16 A detecting device for android malignant application and a detecting method therefor KR20150044490A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
KR20130123361A KR20150044490A (en) 2013-10-16 2013-10-16 A detecting device for android malignant application and a detecting method therefor
PCT/KR2014/008560 WO2015056885A1 (en) 2013-10-16 2014-09-15 Detection device and detection method for malicious android application

Publications (1)

Publication Number Publication Date
KR20150044490A true KR20150044490A (en) 2015-04-27

Family

ID=52828289

Family Applications (1)

Application Number Title Priority Date Filing Date
KR20130123361A KR20150044490A (en) 2013-10-16 2013-10-16 A detecting device for android malignant application and a detecting method therefor

Country Status (2)

Country Link
KR (1) KR20150044490A (en)
WO (1) WO2015056885A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101733633B1 (en) 2016-01-12 2017-05-08 계명대학교 산학협력단 Detecting and tracing method for leaked phone number data in mobile phone through application
CN107392020A (en) * 2017-06-30 2017-11-24 北京奇虎科技有限公司 Database manipulation analysis method, device, computing device and computer-readable storage medium
CN108491327B (en) * 2018-03-26 2020-08-25 中南大学 Android application dynamic Receiver component local denial of service vulnerability detection method
CN111552518B (en) * 2019-01-24 2023-04-07 阿里巴巴集团控股有限公司 Method and device for loading control for starting application
CN109670310B (en) * 2019-01-28 2023-04-18 杭州师范大学 Android malicious software detection method based on semi-supervised K-Means clustering algorithm
CN110851834B (en) * 2019-11-18 2024-02-27 北京工业大学 Android malicious application detection method integrating multi-feature classification
CN111339531B (en) * 2020-02-24 2023-12-19 南开大学 Malicious code detection method and device, storage medium and electronic equipment
CN112565274A (en) * 2020-12-11 2021-03-26 国家计算机网络与信息安全管理中心江苏分中心 Method and system for intelligently identifying malicious APP

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101161493B1 (en) * 2010-01-18 2012-06-29 (주)쉬프트웍스 Method of Examining Malicious Codes and Dangerous Files in Android Terminal Platform
KR20130078278A (en) * 2011-12-30 2013-07-10 (주)이지서티 Smartphone malicious application detect system and method
KR101246623B1 (en) * 2012-09-03 2013-03-25 주식회사 안랩 Apparatus and method for detecting malicious applications
KR101256468B1 (en) * 2012-09-11 2013-04-19 주식회사 안랩 Apparatus and method for detecting malicious file

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101666176B1 (en) * 2015-06-25 2016-10-14 한국전자통신연구원 Apparatus and method for of monitoring application based on android platform
US10963563B2 (en) 2017-04-20 2021-03-30 Line Corporation Method and system for evaluating security of application
JP2020531936A (en) * 2017-06-29 2020-11-05 Line株式会社 How and systems to detect application vulnerabilities
WO2019004503A1 (en) * 2017-06-29 2019-01-03 라인 가부시키가이샤 Application vulnerability detection method and system
WO2019004502A1 (en) * 2017-06-29 2019-01-03 라인 가부시키가이샤 Application security assessment method and system
WO2019103368A1 (en) * 2017-11-27 2019-05-31 주식회사 엔에스에이치씨 Malicious code detection method using big data
KR101880628B1 (en) 2017-11-27 2018-08-16 한국인터넷진흥원 Method for labeling machine-learning dataset and apparatus thereof
KR20190080445A (en) 2017-12-28 2019-07-08 숭실대학교산학협력단 Whitelist construction method for analyzing malicious code, computer readable medium and device for performing the method
KR20190102456A (en) * 2018-02-26 2019-09-04 한국인터넷진흥원 Method for clustering application and apparatus thereof
KR20200071822A (en) 2018-11-30 2020-06-22 단국대학교 산학협력단 System and method for detecting and classifying malware using machine learning and dynamic feature of applications
KR20200095122A (en) * 2019-01-31 2020-08-10 단국대학교 산학협력단 Apparatus and method for feature information extraction and similarity comparison of android app considering obfuscation
KR102226218B1 (en) * 2019-10-29 2021-03-10 단국대학교 산학협력단 Apparatus and method for extracting feature information to identify an application created by cross-platform development framework
US11886584B2 (en) 2021-05-28 2024-01-30 AO Kaspersky Lab System and method for detecting potentially malicious changes in applications

Also Published As

Publication number Publication date
WO2015056885A1 (en) 2015-04-23

Similar Documents

Publication Publication Date Title
KR20150044490A (en) A detecting device for android malignant application and a detecting method therefor
KR101402057B1 (en) Analyzing system of repackage application through calculation of risk and method thereof
US9832211B2 (en) Computing device to detect malware
US9596257B2 (en) Detection and prevention of installation of malicious mobile applications
CN109154966B (en) Vulnerable application detection
US10181033B2 (en) Method and apparatus for malware detection
US8726387B2 (en) Detecting a trojan horse
US9525706B2 (en) Apparatus and method for diagnosing malicious applications
US20130122861A1 (en) System and method for verifying apps for smart phone
WO2017012241A1 (en) File inspection method, device, apparatus and non-volatile computer storage medium
CN112084497A (en) Method and device for detecting malicious program of embedded Linux system
CN104809397A (en) Android malicious software detection method and system based on dynamic monitoring
JP6000465B2 (en) Process inspection apparatus, process inspection program, and process inspection method
CN108647517B (en) Vulnerability detection system and method for Android mixed application code injection
KR101256468B1 (en) Apparatus and method for detecting malicious file
KR101284013B1 (en) Smartphone Malicious Application Detect System and Method based on Client Program
KR101605783B1 (en) Malicious application detecting method and computer program executing the method
CN109145589B (en) Application program acquisition method and device
KR101657667B1 (en) Malicious app categorization apparatus and malicious app categorization method
KR101270497B1 (en) System for collecting and analyzing mobile malware automatically
CN115552401A (en) Fast application detection method, device, equipment and storage medium
Khanmohammadi et al. Understanding the service life cycle of Android apps: An exploratory study
KR20180054390A (en) System and method for detecting malicious of application, recording medium for performing the method
KR101509034B1 (en) System and method for preventing malicious files syncronization in cloud service
KR20150117336A (en) System and Method for Validating and Installing Application in Android Environment

Legal Events

Date Code Title Description
AMND Amendment
E601 Decision to refuse application
AMND Amendment