KR20160133927A - Apparatus and method for detecting rooting from terminal based on android system - Google Patents

Apparatus and method for detecting rooting from terminal based on android system Download PDF

Info

Publication number
KR20160133927A
Authority
KR
South Korea
Prior art keywords
malicious
files
processes
file
unit
Prior art date
Application number
KR1020150067122A
Other languages
Korean (ko)
Inventor
신진섭
정용익
손종목
안재환
이동욱
백선엽
이준호
이한수
박용석
Original Assignee
한국전자통신연구원

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561Virus type analysis

Abstract

An apparatus and a method for detecting rooting are disclosed. The apparatus for detecting rooting according to an embodiment of the present invention includes a collection unit for collecting processes and files within an Android operating system; a detection unit for detecting malicious processes or malicious files based on the commands inside the processes and files; and a rooting determination unit for determining whether the Android operating system is rooted based on the detected malicious processes and malicious files. Accordingly, accurate rooting detection can be performed.

Description

APPARATUS AND METHOD FOR DETECTING ROOTING FROM TERMINAL BASED ON ANDROID SYSTEM

The present invention relates to a method for detecting rooting in a terminal based on the Android system, and more particularly to a technique for detecting a malicious process or a malicious file by collecting the processes and files executed on the Android system, in order to determine whether the terminal is rooted.

With the spread of smart devices, banking is performed on them, mobile office environments in which business is conducted have been established, and important processing is carried out on smart devices. As a result, malicious attacks that were once limited to PCs are spreading to smartphones, studies for detecting and defending against these behaviours are needed, and building an environment for this is becoming important. Accordingly, Android has made efforts to enhance security by applying SEAndroid, which is based on SELinux (Security-Enhanced Linux), to Android. Also, in order to collect personal information and perform various malicious actions, an attacker goes through the rooting process to obtain superuser privilege on the Android system, and research is being conducted on how to detect this.

Conventional rooting detection methods are divided into two types: rooting detection inserted at the kernel level through changes to the Android system, and rooting detection at the Android application level with general user privilege.

In the case of rooting detection inserted at the Android kernel level, system call hooking and network packet monitoring are possible, and a high level of rooting detection can be derived using these.

In the case of rooting detection performed by an application with general user privilege, access to system resources is restricted, which makes it difficult to find a high-level rooting detection method such as the kernel-level detection mentioned above.

Also, when detection uses a conventional process list, all root processes other than the basic Android process list provided by Google are detected; since each Android smartphone manufacturer has its own root processes, there is a possibility of false alarms.

Further, the method of monitoring events occurring in an application by polling and storing logs is a hindrance to commercialization, because it may greatly affect battery consumption given the characteristics of a portable device.

The easiest way to detect rooting is to search for the 'su' file that is installed when a rooting app is installed, in system command directories such as '/system/bin/' and '/system/xbin/'.

There is also a method that searches for a specific string inside the 'su' file, but this too can be circumvented.

Also, when a vulnerability is exploited to obtain superuser privilege, this is difficult to detect from a normal user privilege.

Korean Laid-Open Patent Application No. 2013-0060188 discloses a technique that receives process information on an application started on a mobile terminal and compares rooting application information with the process information to detect a rooting application. Korean Patent No. 1388053 discloses a technique for detecting elevation of the administrator privilege of the Android operating system and detecting the presence or absence of malicious code.

However, Korean Laid-Open Patent Application No. 2013-0060188 and Korean Patent No. 1388053 also fail to perform rooting detection at the instruction level. In particular, only a technique for detecting privilege elevation is disclosed; a rooting detection technique that considers the relationship between a parent process and a child process in the Android system is not disclosed.

Therefore, considering the recent trend of increasing importance of security and the explosive spread of smartphones equipped with the latest Android-based systems, there is a need for a technique that more effectively detects rooting and provides a safe execution environment.

It is an object of the present invention to effectively defeat various methods of bypassing rooting detection by analyzing files or processes inside the Android system at the instruction level.

It is also an object of the present invention to use recently modified files, as well as processes, to detect rooting.

It is also an object of the present invention to detect rooting while taking into account the basic processes of the manufacturer or the carrier as well as the basic processes of the Android system.

According to an aspect of the present invention, there is provided a rooting detection apparatus comprising: a collection unit for collecting processes and files in an Android operating system; a detection unit for detecting malicious processes or malicious files based on the commands inside the processes and files; and a rooting determination unit for determining whether the Android operating system is rooted based on the detected malicious processes and malicious files.

In this case, the detection unit may include a search unit for searching for an executable file corresponding to each process; a comparison unit for locating the command part of the executable file and comparing that command part with the command parts of known malicious files; and a determination unit for determining that a file is a malicious file when the command part of a malicious file exists in its command part.

At this time, if no executable file corresponding to a process exists as a result of the search by the search unit, the rooting determination unit may determine that the Android system is rooted.

At this time, if the executable file corresponding to a process is a file having no read permission as a result of the search by the search unit, the rooting determination unit may determine that the Android system is rooted.

In this case, the detection unit may include a classification unit that classifies the processes into parent processes and child processes, and a determination unit that determines whether a process is a malicious process based on the UID of the parent process and the UID of the child process.

In this case, if the UID of the parent process is not 0 and the UID of the child process is 0, the determination unit may determine that the child process is a malicious process.

In this case, the determination unit may further include a database storing a process list specific to a manufacturer or a process list specific to a carrier.

At this time, if a process is included in the process list stored in the database, the determination unit may determine that the process is a normal process.

In this case, the collection unit may collect files whose last modification time is within a specific time.

In this case, the detection unit may include a search unit for searching for the command part of the files; a comparison unit for comparing the command part with the command parts of known malicious files; and a determination unit for determining that a file is a malicious file when the command part of a malicious file exists in its command part.

According to another aspect of the present invention, there is provided a rooting detection method comprising: collecting data on processes and files in an Android operating system; detecting malicious processes or malicious files based on the instructions within the processes and files; and determining whether the Android operating system is rooted based on the detected malicious processes and malicious files.

In this case, detecting the malicious process or malicious file may include searching for an executable file corresponding to each process; locating the command part of the executable file and comparing it with the command parts of known malicious files; and, if the command part of a malicious file exists in that command part, determining that the file is a malicious file.

In determining whether the system is rooted, it may be determined that the Android system is rooted when no executable file corresponding to a process is found in the step of searching for the executable file.

In determining whether the system is rooted, it may be determined that the Android system is rooted when the executable file corresponding to a process is a file having no read permission.

At this time, detecting the malicious process or malicious file includes classifying the processes into parent processes and child processes, and determining whether a process is a malicious process based on the UID (User Identifier) of the parent process and the UID of the child process.

In this case, when the UID of the parent process is not 0 and the UID of the child process is found to be 0, it may be determined that the child process is a malicious process.

In this case, if a process is included in a manufacturer-specific process list or a carrier-specific process list stored in a database, the step of determining whether the process is malicious may determine that the process is a normal process.

At this time, the collecting of the data may collect files whose last modification time is within a specific time.

In this case, detecting the malicious process or malicious file may include searching for the command part of the files; comparing the command part with the command parts of known malicious files; and detecting a malicious file if the command part of a malicious file exists in that command part.

The present invention analyzes files or processes in the Android system at the command level and effectively defeats various methods of bypassing rooting detection, thereby enabling accurate rooting detection.

In addition, the present invention can analyze not only processes but also recently modified files, enabling accurate rooting detection.

In addition, the present invention takes into account not only the basic processes of the Android system but also the basic processes of a manufacturer or carrier, thereby drastically reducing rooting detection errors.

FIG. 1 is a block diagram illustrating a rooting detection apparatus according to an embodiment of the present invention.
FIG. 2 is a block diagram showing an embodiment of the detection unit shown in FIG. 1.
FIG. 3 is a diagram illustrating the principle of detecting a malicious process in a rooting detection apparatus according to an exemplary embodiment of the present invention.
FIG. 4 is a diagram illustrating a rooting detection apparatus according to an exemplary embodiment of the present invention used in a mobile banking application.
FIG. 5 is a diagram showing a rooting detection apparatus according to an embodiment of the present invention collecting files according to their last modification time.
FIG. 6 is a flowchart illustrating a rooting detection method according to an exemplary embodiment of the present invention.
FIG. 7 is an operation flowchart showing the malicious file or malicious process detection of FIG. 6 in more detail.

The present invention will now be described in detail with reference to the accompanying drawings. Hereinafter, a repeated description, a known function that may obscure the gist of the present invention, and a detailed description of the configuration will be omitted. Embodiments of the present invention are provided to more fully describe the present invention to those skilled in the art. Accordingly, the shapes and sizes of the elements in the drawings and the like can be exaggerated for clarity.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a block diagram illustrating a rooting detection apparatus according to an embodiment of the present invention.

Referring to FIG. 1, a rooting detection apparatus according to an embodiment of the present invention includes a collection unit 110, a detection unit 120, and a rooting determination unit 130.

The collection unit 110 collects data on processes or files in the Android file system.

At this time, the collection unit 110 may collect, among the processes executed in the Android file system, the processes having a UID (User Identifier) of 0, that is, the root processes.

At this time, when collecting processes, the collection unit 110 can collect all the processes from the proc directory, which holds information on each process.

At this time, when collecting files, the collection unit 110 may collect files based on their last modification time. For example, the collection unit 110 may collect files based on the time at which rooting detection is performed. This is described with reference to FIG. 5.

The detection unit 120 detects malicious processes or malicious files based on the data on the processes or files.

At this time, the detection unit 120 can search for commands in the files collected by the collection unit 110.

In this case, the conventional method detects a malicious process by a string or a file name. However, in order to cope with various methods of evading rooting detection, the present invention searches for the commands inside the file.

At this time, the detection unit 120 can compare the command part in the file with the command parts of known malicious files.

At this time, the command parts of malicious files can be retrieved from a previously learned database for comparison.

At this time, the number of malicious-file command parts stored in the database may be increased when the rooting detection device of the present invention is updated.

At this time, the detection unit 120 can detect that a file is a malicious file when the command part of a malicious file exists in the commands in the file.

At this time, the detection unit 120 may search for the executable file corresponding to a process collected by the collection unit 110, locate the command part of the executable file, compare it with the command parts of malicious files, and thereby determine whether the collected process is a malicious process. This is described with reference to FIG. 2.

At this time, the detection unit 120 may classify the processes into parent processes and child processes, and may detect that a process is a malicious process based on the UID (User Identifier) of the parent process and the UID of the child process. This is described with reference to FIG. 3.

The rooting determination unit 130 determines whether the Android system is rooted based on the detected malicious processes or malicious files.

At this time, rooting means that root authority is obtained on the Android operating system running on the mobile device, thereby lifting the restrictions imposed by the manufacturer or the seller of the device.

At this time, when rooting is performed on a mobile device, the security of the mobile device is weakened, and hackers can perform illegal actions on the rooted mobile device.

At this time, when the detection unit 120 detects a malicious file or a malicious process, it can be determined that the Android system installed on the mobile device is rooted.

At this time, if the detection unit 120 finds no executable file corresponding to a process, it can be determined that the Android system installed on the mobile device is rooted. This is because a malicious process can delete the executable file corresponding to the running process.

At this time, if the executable file corresponding to a process found by the detection unit 120 is a file having no read permission, it can be determined that the Android system is rooted. Newly added executable files in the /system/bin or /system/xbin folder of the Android system that cannot be read properly are likely to be executable files corresponding to malicious processes.

FIG. 2 is a block diagram showing an embodiment of the detection unit shown in FIG. 1.

Referring to FIG. 2, the detection unit 120 includes a search unit 210, a comparison unit 220, and a determination unit 230.

The search unit 210 searches for an executable file corresponding to the processes.

The comparison unit 220 locates the command part of the executable file, compares it with the command parts of known malicious files, and checks whether there is a matching sequence.

At this time, the malicious file may be a su (superuser) file existing on a rooted Android system.

At this time, the command part of the malicious file may be the same as the command part of the su file existing on a rooted Android system.

At this time, the comparison unit 220 searches the command part of the executable file and can check whether there is a part coinciding with the command part of the su file. When such a part is found in the command part of the executable file, the executable file can be recognized as a su file.

The determination unit 230 determines that the process is a malicious process when there is a part in the command part of the executable file that matches the command part of a malicious file.

FIG. 3 is a diagram illustrating the principle of detecting a malicious process in a rooting detection apparatus according to an exemplary embodiment of the present invention.

Referring to FIG. 3, the figure comprises normal processes 310, 320, 350 and 360, malicious processes 330, 340 and 370, and a process 380 specific to the manufacturer or carrier.

Referring again to FIG. 3, the processes are classified into parent processes and child processes, which can be performed in the detection unit 120.

In this case, a child process refers to a process newly created by a system call or the like, and a parent process refers to the process that created the child process.

Malicious processes 330 and 340 are processes that run when an unknown root daemon is present in the process list.

At this time, the malicious processes 330 and 340 may be executed when a specific rooting application is installed, and may be root processes other than the general basic Android processes.

At this time, the detection unit 120 may detect the malicious processes 330 and 340 and may transmit the detected malicious processes 330 and 340 to the rooting determination unit 130.

The malicious process 340 may be a child process of the normal process 350 that has a UID of 0.

At this time, if the UID of the parent process is not 0 and the UID of the child process is 0, this is not a normal relationship in an Android-based system. The execution of the parent process may contain a vulnerability, and the child process may be the result of elevating privilege through malicious behaviour exploiting that vulnerability. For example, the malicious process 340 is a child process of the normal process 350 with a UID of 0.

The manufacturer- or carrier-specific process 370 may be a process other than the basic processes of the Android-based system.

At this time, since the manufacturer- or carrier-specific process 370 is not a malicious process, it is determined that the process 370 is included in the process list stored in a separate database, and it is therefore determined not to be a malicious process.
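The parent/child UID rule and the manufacturer/carrier process list described for FIG. 3, worked through as an added example in Python; this is not the patent's own code, which is not published on this page. The process table is constructed inline in the text format of /proc/<pid>/status; on a device the same text would be read from the proc directory, which the example assumes rather than does. The process names, PIDs and the two allowlists are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    uid: int
    name: str


def parse_status(text):
    """Build a Proc from the text of /proc/<pid>/status. Only the Name, Pid,
    PPid and Uid fields are used; the first value on the Uid line is the real UID."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.split()
    return Proc(
        pid=int(fields["Pid"][0]),
        ppid=int(fields["PPid"][0]),
        uid=int(fields["Uid"][0]),
        name=" ".join(fields["Name"]),
    )


# Constructed snapshot of the proc directory: one status text per process.
SAMPLE_STATUS = [
    "Name:\tinit\nPid:\t1\nPPid:\t0\nUid:\t0\t0\t0\t0\n",
    "Name:\tzygote\nPid:\t100\nPPid:\t1\nUid:\t0\t0\t0\t0\n",
    "Name:\tcom.example.app\nPid:\t200\nPPid:\t100\nUid:\t10050\t10050\t10050\t10050\n",
    "Name:\tsh\nPid:\t201\nPPid:\t200\nUid:\t0\t0\t0\t0\n",            # UID-0 child of a non-root parent
    "Name:\tunknown_daemon\nPid:\t300\nPPid:\t1\nUid:\t0\t0\t0\t0\n",  # root daemon in no list
    "Name:\tvendor_logd\nPid:\t400\nPPid:\t1\nUid:\t0\t0\t0\t0\n",     # manufacturer-specific root process
]

# Constructed allowlists standing in for the basic Android process list and
# the manufacturer/carrier-specific process database of the patent.
ANDROID_BASIC = {"init", "zygote"}
MANUFACTURER_DB = {"vendor_logd"}


def collect_root_processes(procs):
    """Collection step: keep the processes whose UID is 0 (S610)."""
    return [p for p in procs if p.uid == 0]


def classify_parents(procs):
    """Map each PID to its parent Proc, or None when the parent is not in the snapshot."""
    by_pid = {p.pid: p for p in procs}
    return {p.pid: by_pid.get(p.ppid) for p in procs}


def detect_malicious_processes(procs, basic=ANDROID_BASIC, vendor_db=MANUFACTURER_DB):
    """Return {pid: reason} for the root processes judged malicious.
    Rule 1 (FIG. 3): a UID-0 child of a parent whose UID is not 0 is malicious.
    Rule 2: a UID-0 process in neither the basic list nor the vendor database is
    an unknown root daemon.
    Design choice: the UID relationship is checked before the allowlists, so an
    allowlisted name cannot hide an abnormal privilege transition."""
    parents = classify_parents(procs)
    findings = {}
    for p in collect_root_processes(procs):
        parent = parents[p.pid]
        if parent is not None and parent.uid != 0:
            findings[p.pid] = "uid-0 child of non-root parent"
        elif p.name not in basic and p.name not in vendor_db:
            findings[p.pid] = "unknown root daemon"
    return findings


def is_rooted(status_texts):
    """Whole pipeline: parse the snapshot, detect, decide (S610 to S630)."""
    procs = [parse_status(t) for t in status_texts]
    return bool(detect_malicious_processes(procs))


if __name__ == "__main__":
    procs = [parse_status(t) for t in SAMPLE_STATUS]
    for pid, reason in detect_malicious_processes(procs).items():
        print(pid, reason)
    print("rooted:", is_rooted(SAMPLE_STATUS))
```

Run stand-alone, the sample flags PID 201 (a root shell under an app UID) and PID 300 (a root daemon in no list), while the vendor daemon 400 is accepted through the manufacturer database, which is the false-alarm case the text is concerned with.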

FIG. 4 is a diagram illustrating a rooting detection apparatus according to an exemplary embodiment of the present invention used in a mobile banking application.

Referring to FIG. 4, the screen displayed when a mobile banking application is executed on a rooted mobile device is shown.

At this time, the rooting detection device can determine that the mobile device has been rooted.

At this time, the rooting detection device may send information to the mobile banking application that the mobile device has been rooted.

At this time, the mobile banking application can display on the screen of the mobile device that the application cannot be used because the mobile device is rooted.

FIG. 5 is a diagram showing a rooting detection apparatus according to an embodiment of the present invention collecting files according to their last modification time.

Referring to FIG. 5, a list of files 510 through 590 is shown.

The collection unit 110 may collect all of the files 510 to 590 in the Android file system.

At this time, the collection unit 110 may collect, from the files 510 to 590 in the Android file system, a list of the files modified within a predetermined time.

At this time, when collecting files, the collection unit 110 may collect files based on their last modification time. For example, the collection unit 110 may collect files modified within a certain time, measured from the time at which rooting detection is performed.

Referring to FIG. 5, for example, if rooting detection is performed on June 28, 2014, the files modified since May 28, 2014, one month before June 28, 2014 (files 510, 520, 560, 570, 580, and 590), may be collected by the collection unit 110.

At this time, the files 530, 540, and 550, modified before May 28, 2014, may not be collected by the collection unit 110.

At this time, the specific time is not limited. The rooting detection device can determine the specific time based on the performance of the device on which it is installed. For example, if the performance of the device is high, the specific time may be set to one year and rooting detection may be performed so as to enable more accurate detection. Also, for example, if the performance of the device is rather low, the specific time may be set to two weeks, performing less accurate but faster rooting detection.
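The last-modification-time window of FIG. 5, as an added example in Python (not the patent's own code). It builds a small constructed directory tree in a temporary location, stamps each file with a modification time using os.utime, and collects only the files modified within the window before the detection time. The one-year and two-week windows follow the text; the "normal" tier of one month, taken as 31 days so that June 28 maps to May 28 as in FIG. 5, and the file names are assumptions.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Window per device performance tier. "high" and "low" follow the description
# (one year, two weeks); "normal" = one month is an assumed middle tier, and a
# month is taken as 31 days here.
WINDOW_BY_PERFORMANCE = {
    "high": timedelta(days=365),
    "normal": timedelta(days=31),
    "low": timedelta(days=14),
}


def collect_recent_files(root, detection_time, performance="normal"):
    """Collection step of FIG. 5: walk `root` and return the relative paths of
    files whose last modification time lies within the window ending at
    `detection_time`. Files older than the cutoff are not collected."""
    cutoff = (detection_time - WINDOW_BY_PERFORMANCE[performance]).timestamp()
    collected = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mtime >= cutoff:
                collected.append(os.path.relpath(path, root))
    return sorted(collected)


# Constructed sample tree mirroring FIG. 5: relative path -> modification time.
# Detection is performed on June 28, 2014, so with the one-month window the
# files modified on or after May 28, 2014 are collected.
DETECTION_TIME = datetime(2014, 6, 28, 12, 0, 0)
SAMPLE_TREE = {
    "system/bin/f510": datetime(2014, 6, 27),
    "system/bin/f520": datetime(2014, 6, 1),
    "system/xbin/f530": datetime(2014, 1, 15),  # older than the window
    "system/xbin/f540": datetime(2014, 4, 30),  # older than the window
    "data/f550": datetime(2013, 12, 1),         # older than the window
    "data/f560": datetime(2014, 6, 28, 9),
}


def build_tree(root, tree):
    """Create the constructed files under `root` and stamp their mtimes."""
    for rel, mtime in tree.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"\x7fELF constructed placeholder\n")
        ts = mtime.timestamp()
        os.utime(path, (ts, ts))


def run_demo(performance="normal"):
    """Build the sample tree in a temporary directory and return what would be collected."""
    with tempfile.TemporaryDirectory() as root:
        build_tree(root, SAMPLE_TREE)
        return collect_recent_files(root, DETECTION_TIME, performance)


if __name__ == "__main__":
    for tier in ("low", "normal", "high"):
        print(tier, run_demo(tier))
```

Changing the tier shows the trade-off the text describes: the two-week window drops f520, the one-year window pulls in every file including those from late 2013, and the cost of the later command comparison grows with the number of files collected.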

FIG. 6 is a flowchart illustrating a rooting detection method according to an exemplary embodiment of the present invention.

Referring to FIG. 6, processes or files inside the Android system are collected (S610).

At this time, among the processes executed in the Android file system, the processes having a UID (User Identifier) of 0, that is, the root processes, may be collected.

At this time, all the processes may be collected from the proc directory, which holds information on each process.

At this time, files may be collected based on their last modification time. For example, the collection unit 110 may collect files based on the time at which rooting detection is performed. This is described with reference to FIG. 5.

Next, malicious processes and malicious files are detected (S620).

At this time, the commands in the files collected by the collection unit 110 may be searched for.

In this case, the conventional method detects a malicious process by a string or a file name. However, in order to cope with various methods of evading rooting detection, the present invention searches for the commands inside the file.

At this time, the commands inside the file may be compared with the command parts of known malicious files.

At this time, the command parts of malicious files can be retrieved from a previously learned database for comparison.

At this time, the number of malicious-file command parts stored in the database may be increased when the rooting detection device of the present invention is updated.

At this time, when the command part of a malicious file exists in the commands in the file, it can be detected that the file is a malicious file.

At this time, the executable file corresponding to a process collected by the collection unit 110 may be searched for, and the command part of the executable file may be located and compared with the command parts of malicious files to detect whether the collected process is a malicious process. This is described with reference to FIG. 2.

At this time, the processes may be classified into parent processes and child processes, and a process may be detected as a malicious process based on the UID (User Identifier) of the parent process and the UID of the child process. This was described with reference to FIG. 3.

Next, it is determined whether the Android system has been rooted (S630).

At this time, rooting means that root authority is obtained on the Android operating system running on the mobile device, thereby lifting the restrictions imposed by the manufacturer or the seller of the device.

At this time, when rooting is performed on a mobile device, the security of the mobile device is weakened, and hackers can perform illegal actions on the rooted mobile device.

At this time, when a malicious file or a malicious process is detected, it can be determined that the Android system installed on the mobile device has been rooted.

At this time, if no executable file corresponding to a process exists, it can be determined that the Android system installed on the mobile device is rooted. This is because a malicious process can delete the executable file corresponding to the running process.

At this time, if the executable file corresponding to a process is a file without read permission, it can be determined that the Android system has been rooted. Newly added executable files in the /system/bin or /system/xbin folder of the Android system that cannot be read properly are likely to be executable files corresponding to malicious processes.

FIG. 7 is an operation flowchart showing the malicious file or malicious process detection of FIG. 6 in more detail.

Referring to FIG. 7, it is first determined whether the collected data corresponds to a process (S710).

If the collected data corresponds to a process, the path of the file from which the process is executed is searched for and the executable file is collected (S720).

Next, the file to which the collected data corresponds, or the executable file collected in S720, is opened (S730).

At this time, it is determined whether the file has been opened successfully (S740). If the file is opened successfully, the commands in the file are compared with the commands in the malicious files (S750).

At this time, the malicious file may be a su (superuser) file existing on a rooted Android system.

At this time, the command part of the malicious file may be the same as the command part of the su file existing on a rooted Android system.

If a command of a malicious file exists among the commands in the file, the file is determined to be a malicious file (S760, S790).

At this time, the comparison unit 220 searches the command part of the executable file and can check whether there is a part coinciding with the command part of the su file. When such a part is found in the command part of the executable file, the executable file can be recognized as a su file.

If the file cannot be opened, it is first determined whether the file exists (S770).

At this time, if the file does not exist, the process or file is determined to be a malicious process or a malicious file (S790).

At this time, if no executable file corresponding to a process exists, it can be determined that the Android system installed on the mobile device is rooted. This is because a malicious process can delete the executable file corresponding to the running process.

At this time, if the file exists, it is determined whether the file has read permission (S780). If the file does not have read permission, the file is determined to be a malicious file (S790).

At this time, if the executable file corresponding to a process is a file without read permission, it can be determined that the Android system has been rooted. Newly added executable files in the /system/bin or /system/xbin folder of the Android system that cannot be read properly are likely to be executable files corresponding to malicious processes.
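The FIG. 7 decision flow (S710 to S790), and the search/compare/determine units of FIG. 2 that it exercises, worked through as an added example in Python; it is not the patent's own code. The file system and the PID-to-executable mapping are constructed in-memory snapshots so that the example runs offline; on a device the executable path would come from the /proc/<pid>/exe link and the open and read-permission checks from the real file system, which is assumed rather than done here. The su "command parts" are placeholder byte strings, not real instruction sequences, and the whole file content is treated as its command part, which is a simplification.

```python
from dataclasses import dataclass


@dataclass
class FileEntry:
    exists: bool
    readable: bool
    data: bytes = b""


# Verdict strings, each tagged with the FIG. 7 step that produces it.
NORMAL = "normal"
MISSING = "malicious: executable file does not exist (S770/S790)"
UNREADABLE = "malicious: no read permission (S780/S790)"
SU_MATCH = "malicious: su command part found (S760/S790)"

# Placeholder command parts standing in for the learned database of su
# instruction sequences (constructed, not real signatures).
MALICIOUS_COMMAND_PARTS = [b"PLACEHOLDER_SU_CMD_A", b"PLACEHOLDER_SU_CMD_B"]

# Constructed file-system snapshot: path -> entry.
SAMPLE_FS = {
    "/system/bin/sh": FileEntry(True, True, b"\x7fELF ordinary shell code"),
    "/system/xbin/tool": FileEntry(True, True, b"\x7fELF pad PLACEHOLDER_SU_CMD_B pad"),
    "/system/xbin/hidden": FileEntry(True, False),       # exists, cannot be read
    "/data/local/tmp/gone": FileEntry(False, False),     # deleted after the process started
    "/data/local/tmp/recent.bin": FileEntry(True, True, b"PLACEHOLDER_SU_CMD_A"),
}

# Constructed stand-in for resolving /proc/<pid>/exe (S720).
SAMPLE_PROC_EXE = {
    100: "/system/bin/sh",
    101: "/system/xbin/tool",
    102: "/system/xbin/hidden",
    103: "/data/local/tmp/gone",
}


def command_part(data):
    """Simplification: the whole file is treated as its command part. A fuller
    implementation would isolate the executable code section of the ELF file."""
    return data


def open_file(fs, path):
    """S730: return the file data, or None when the open fails (missing or unreadable)."""
    entry = fs.get(path)
    if entry is None or not entry.exists or not entry.readable:
        return None
    return entry.data


def check_file(fs, path, signatures=MALICIOUS_COMMAND_PARTS):
    """S730 to S790 for one file path."""
    data = open_file(fs, path)
    if data is None:
        # S770: does the file exist at all?
        entry = fs.get(path)
        if entry is None or not entry.exists:
            return MISSING
        # S780: it exists, so the open failed for lack of read permission.
        return UNREADABLE
    # S750/S760: does any malicious command part occur in the file's command part?
    cmd = command_part(data)
    if any(sig in cmd for sig in signatures):
        return SU_MATCH
    return NORMAL


def check_collected(fs, proc_exe, item):
    """S710: an item is either ('process', pid) or ('file', path)."""
    kind, value = item
    if kind == "process":
        path = proc_exe.get(value)  # S720: executable path of the process
        if path is None:
            return MISSING
        return check_file(fs, path)
    return check_file(fs, value)


def is_rooted(fs, proc_exe, items):
    """Rooting decision (S630): any malicious verdict means the system is rooted."""
    return any(check_collected(fs, proc_exe, it) != NORMAL for it in items)


if __name__ == "__main__":
    items = [("process", pid) for pid in SAMPLE_PROC_EXE] + [("file", "/data/local/tmp/recent.bin")]
    for it in items:
        print(it, "->", check_collected(SAMPLE_FS, SAMPLE_PROC_EXE, it))
    print("rooted:", is_rooted(SAMPLE_FS, SAMPLE_PROC_EXE, items))
```

The three failure branches are kept distinct on purpose: a missing executable, an unreadable one and a command-part match each lead to S790, but recording which branch fired is what lets an operator tell a deleted binary from a permission problem when reviewing a detection.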

Embodiments of the present invention may be implemented in a computer system, for example on a computer-readable recording medium. Referring to FIG. 8, the computer system 820-1 includes one or more processors 821, a memory 823, a user input device 826, a user output device 827, and storage 828. In addition, the computer system 820-1 may further include a network interface 829 coupled to a network 830. The processor 821 may be a central processing unit or a semiconductor device that executes the processing instructions stored in the memory 823 or the storage 828. The memory 823 and the storage 828 may be various types of volatile or non-volatile storage media. For example, the memory may include ROM 824 or RAM 825.

Thus, embodiments of the invention may be embodied in a computer-implemented method or in a non-volatile computer-readable medium having recorded thereon instructions executable by a computer. When the computer-readable instructions are executed by a processor, they can perform the method according to at least one aspect of the present invention.

As described above, the apparatus and method for detecting rooting on the Android-based system according to the present invention are not limited to the configuration and method of the embodiments described above; all or some of the embodiments may be selectively combined.

310, 320, 350, 360: normal process
330, 340, 370: malicious process
380: Process unique to manufacturer or carrier
510, 520, 530, 540, 550, 560, 570, 580, 590:

Claims (19)

1. An apparatus for detecting rooting, comprising:
a collection unit for collecting processes and files within the Android operating system;
a detection unit for detecting malicious processes or malicious files based on commands inside the processes or files; and
a rooting determination unit for determining whether the Android operating system has been rooted based on the detected malicious processes or malicious files.
2. The apparatus of claim 1, wherein the detection unit comprises:
a search unit for searching for an executable file corresponding to the processes;
a comparison unit for searching for a command part of the executable file and comparing the command part with the command part of malicious files; and
a judging unit for judging that the files are malicious files when the command part of the malicious files exists in the command part.
3. The apparatus of claim 2, wherein the rooting determination unit determines that the Android system has been rooted if, as a result of the search by the search unit, no executable file corresponding to the processes exists.
4. The apparatus of claim 2, wherein the rooting determination unit determines that the Android system has been rooted if, as a result of the search by the search unit, the executable file corresponding to the processes is a file without read permission.
5. The apparatus of claim 1, wherein the detection unit comprises:
a classifying unit for classifying the processes into parent processes and child processes; and
a determination unit for determining whether the processes are malicious processes based on a UID (User Identifier) of the parent processes and a UID of the child processes.
6. The apparatus of claim 5, wherein the determination unit determines that a child process is a malicious process if the UID of its parent process is not 0 and the UID of the child process is 0.
7. The apparatus of claim 5, wherein the determination unit comprises a database that stores a manufacturer-specific process list or a carrier-specific process list.
8. The apparatus of claim 7, wherein the determination unit determines that a process is a normal process when the process is included in a process list stored in the database.
9. The apparatus of claim 1, wherein the collection unit collects files whose last modification time is within a specific time.
10. The apparatus of claim 9, wherein the detection unit comprises:
a search unit for searching for a command part of the files;
a comparison unit for comparing the command part with the command part of the malicious files; and
a judging unit for judging that the files are malicious files when the command part of the malicious files exists in the command part.
11. A method for detecting rooting, comprising:
collecting data of processes and files within the Android operating system;
detecting malicious processes or malicious files based on instructions within the processes or files; and
determining whether the Android operating system has been rooted based on the detected malicious processes or malicious files.
12. The method of claim 11, wherein detecting the malicious processes or malicious files comprises:
searching for an executable file corresponding to the processes;
searching for a command portion of the executable file, and comparing the command portion with the command portion of the malicious files; and
if the command portion of the malicious files exists in the command portion, determining that the files are malicious files.
13. The method of claim 12, wherein determining whether the Android operating system has been rooted comprises determining that the Android system has been rooted if, in searching for the executable file, no executable file corresponding to the processes exists.
14. The method of claim 12, wherein determining whether the Android operating system has been rooted comprises determining that the Android system has been rooted if, in searching for the executable file, the executable file corresponding to the processes is a file without read permission.
15. The method of claim 11, wherein detecting the malicious processes or malicious files comprises:
classifying the processes into a parent process and a child process; and
determining whether the process is a malicious process based on a UID (User Identifier) of the parent process and a UID of the child process.
16. The method of claim 15, wherein determining whether the process is a malicious process comprises determining that the child process is a malicious process if the UID of the parent process is not 0 and the UID of the child process is found to be 0.
17. The method of claim 15, wherein determining whether the process is a malicious process comprises judging the process to be a normal process when the process is included in a manufacturer-specific process list or a carrier-specific process list stored in a database.
18. The method of claim 11, wherein collecting the data comprises collecting files whose last modification time is not within a specific time.
19. The method of claim 18, wherein detecting the malicious processes or malicious files comprises:
searching for a command portion of the files;
comparing the command portion with the command portion of the malicious files; and
if the command portion of the malicious files exists in the command portion, determining that the files are malicious files.
Application KR1020150067122A, priority date 2015-05-14, filing date 2015-05-14: Apparatus and method for detecting rooting from terminal based on android system.

Publication KR20160133927A (en), published 2016-11-23.

Family ID: 57541693

Country status: KR (1) KR20160133927A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180082217A (en) * 2017-01-10 2018-07-18 삼성전자주식회사 Device and Computer Readable Medium for Detecting Privilege Escalation of Process
WO2018131831A1 (en) * 2017-01-10 2018-07-19 삼성전자 주식회사 Electronic device detecting privilege escalation of process, and storage medium
US11392674B2 (en) 2017-01-10 2022-07-19 Samsung Electronics Co., Ltd. Electronic device detecting privilege escalation of process, and storage medium
KR20210066460A (en) * 2019-11-28 2021-06-07 네이버클라우드 주식회사 Method and system for detecting web shell using process information
US11388182B2 (en) 2019-11-28 2022-07-12 Naver Cloud Corp. Method and system for detecting webshell using process information
CN113407940A (en) * 2021-06-21 2021-09-17 成都欧珀通信科技有限公司 Script detection method and device, storage medium and computer equipment
KR20230051949A (en) * 2021-10-12 2023-04-19 한전케이디엔주식회사 Method for managing rooting information using blockchain

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application