WO2014048194A1 - Android malicious application program detection method, system and device - Google Patents


Info

Publication number
WO2014048194A1
Authority
WO
WIPO (PCT)
Prior art keywords
function
module
server
malicious behavior
sensitive
Application number
PCT/CN2013/082152
Other languages
French (fr)
Chinese (zh)
Inventor
巫妍
程绍银
蒋凡
Original Assignee
中兴通讯股份有限公司
中国科学技术大学
Priority claimed from CN201210376003.6A (CN102938040B)
Application filed by 中兴通讯股份有限公司, 中国科学技术大学
Publication of WO2014048194A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12: Detection or prevention of fraud
    • H04W12/128: Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/145: Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Definitions

  • the invention relates to malicious application detection technology, and in particular to an Android malicious application detection method, system and device.
  • Background art
  • Android has attracted a large number of application developers. Since a large amount of user privacy information is stored on the smartphone, a large number of malicious applications are drawn to the application market to steal users' private information. In addition, the supervision and management systems and detection methods of the various application markets are still not perfect, so malicious applications are not effectively screened out; as a result, users' private information is leaked on a large scale and application users suffer great losses.
  • An Android malicious application is software that is installed and runs on a user's computer or other terminal without explicitly prompting the user or obtaining the user's permission, infringing the user's legitimate rights and interests.
  • the main malicious behaviors include: malicious deduction, privacy theft, remote control, malicious transmission, tariff consumption, system damage, deception fraud, rogue behavior, etc.
  • the dynamic detection method mainly performs real-time detection of the installed application by modifying the Android emulator kernel, or uses symbolic execution to make the application run along a specified path, thereby obtaining the malicious behavior of the application.
  • the static analysis method mainly analyzes related files in the Android installation package (AndroidPackage, APK), such as AndroidManifest.xml, Dalvik bytecode file, etc., and extracts some information as key features, and uses feature matching to complete the detection.
  • the dynamic detection method relies on specific trigger conditions and cannot detect all execution paths in a short time.
  • the feature matching based method relies on the signature database and the acquisition of signatures; this basically relies on manual analysis, and the workload is huge.
  • Summary of the invention
  • the main purpose of the embodiments of the present invention is to provide an Android malicious application detection method, system, and device, which can detect Android malicious applications without relying on the manual analysis of feature codes, thereby greatly reducing the workload of technical staff.
  • the embodiment of the present invention provides a method for detecting an Android malicious application, and the method includes:
  • the server simulates execution of the Android application, matches the sensitive feature information of the system functions called by the application with the sensitive feature information stored in the rule base, and marks the variables of successfully matched system functions as sensitive data;
  • the functions containing the sensitive data are matched with the malicious behavior characteristic information stored in the malicious behavior detection rule base, and the successfully matched function parameters are marked as malicious behavior.
  • the method further includes:
  • after the simulated execution of the Android application is completed, the server generates a detailed description of the dangerous behavior based on the result of matching with the malicious behavior detection rule base, outputs a detection report, and reports the detection result to the client.
  • the method further includes:
  • the client sends the APK file of the Android application to be tested to the server, and the server decompresses the APK file, and extracts the Dalvik bytecode file and the AndroidManifest.xml in the APK file.
  • the method further includes:
  • the server disassembles the Dalvik bytecode file, and constructs a program structure according to the Dalvik bytecode file information, including: an instruction structure, a basic block structure, a function structure, a class structure, a function call graph and a control flow graph;
  • the server parses the AndroidManifest.xml configuration file to obtain the entry function name, and finds the corresponding function structure from the constructed program structure as an entry function for the simulation execution.
  • the server emulating execution of the Android application comprises:
  • the server starts from the entry function, simulates the call sequence of the function and the execution order of the instructions in the function according to the constructed program structure, and simulates the execution of each instruction in order according to the execution order of the instructions.
  • the method further includes:
  • the server collects the program state information of the function variable, and uses the program state information of the collected variable to determine the actual calling object of the dynamic mechanism function, and finds the relevant response function according to the current object.
  • the embodiment of the present invention further provides a server, where the server includes: a communication module, a flow sensitivity analysis module, a sensitive data introduction rule base, and a malicious behavior detection rule base; wherein:
  • the communication module is configured to receive an APK file sent by the client, and send the APK file to the flow sensitive analysis module;
  • the flow sensitivity analysis module is configured to simulate execution of the Android application according to the received APK file, match the sensitive feature information of the system functions invoked by the Android application with the sensitive feature information stored in the rule base, and mark the variables of successfully matched system functions as sensitive data; it is also configured to match the function parameters containing the sensitive data with the malicious behavior detection rules stored in the malicious behavior detection rule base, and mark the successfully matched function parameters as malicious behavior;
  • the sensitive data introduction rule base is configured to store sensitive feature information;
  • the malicious behavior detection rule base is configured to store malicious behavior feature information.
  • the server further comprises: a dangerous behavior reporting module, configured to, after the flow sensitivity analysis module has simulated execution of the Android application, generate a detailed description of the dangerous behavior according to the result of matching with the malicious behavior detection rule base, output a detection report, and send the detection report to the client via the communication module.
  • the server further includes: a decompression module, a program structure construction module, and an entry function parsing module;
  • the decompression module is configured to decompress the APK file sent by the client, extract the Dalvik bytecode file and the AndroidManifest.xml configuration file from it, send the Dalvik bytecode file to the program structure building module, and send the AndroidManifest.xml configuration file to the entry function parsing module;
  • the program structure construction module is configured to disassemble the Dalvik bytecode file, and construct a program structure according to the information of the Dalvik bytecode file, and send the constructed program structure to the flow sensitivity analysis module;
  • the entry function parsing module is configured to parse the AndroidManifest.xml configuration file to obtain an entry function name, find the corresponding function structure in the constructed program structure as the entry function for starting the analysis, and send the obtained entry function to the flow sensitivity analysis module.
  • the flow sensitivity analysis module comprises: a matching module and a malicious behavior detecting module; wherein:
  • the matching module is configured to match the sensitive feature information of the system functions called by the Android application with the sensitive feature information in the sensitive data introduction rule base, mark the variables of successfully matched system functions as sensitive data, and send the matched data to the malicious behavior detecting module for malicious behavior detection;
  • the malicious behavior detecting module is configured to match the function parameters containing the sensitive data with the malicious behavior characteristic information stored in the malicious behavior detection rule base, mark the successfully matched function parameters as malicious behavior, and send the matching result to the dangerous behavior reporting module.
  • the flow sensitivity analysis module further includes an instruction simulation module, configured to simulate, according to the constructed program structure, the call sequence of the functions and the execution order of the instructions within each function, starting from the entry function obtained by the entry function parsing module, and to simulate the execution of each instruction in sequence.
  • the flow sensitivity analysis module further includes: a program state collection module and a dynamic mechanism connection module; wherein:
  • the program state collection module is configured to collect program state information of the function variable during the simulation execution of the instruction, and send the program state information of the collected function variable to the dynamic mechanism connection module;
  • the dynamic mechanism connection module is configured to determine the actual call object of a dynamic mechanism function according to the program state information of the function variables collected by the program state collection module, and to find the relevant response function according to that object.
  • the embodiment of the present invention further provides an Android malicious application detection system, where the system includes: a client and a server according to an embodiment of the present invention;
  • the client is configured to send the APK file of the Android application to be tested to the server; and is configured to receive the detection report sent by the server, and report the detection result to the user.
  • the technical solution provided by the embodiment of the present invention, by simulating execution of the application, matches the sensitive feature information of the system functions invoked by the application with the sensitive feature information stored in the rule base and marks the variables of successfully matched system functions as sensitive data; it then matches the functions containing sensitive data with the malicious behavior feature information stored in the malicious behavior detection rule base, and marks the successfully matched function parameters as malicious behavior.
  • the technical solution of the embodiment of the present invention does not depend on a signature database obtained by manual analysis, which greatly reduces the workload of the technician; and it does not depend on specific trigger conditions, and can cover all execution paths in a short time, so that malicious behavior of the application can be detected accurately and promptly.
  • FIG. 1 is a schematic flowchart of a method for detecting an Android malicious application according to Embodiment 1 of the present invention
  • FIG. 2 is a schematic diagram of a composition of an Android malicious application detection system according to Embodiment 1 of the present invention
  • FIG. 3 is a schematic flowchart of a method for detecting an Android malicious application according to Embodiment 2 of the present invention.
  • the server simulates execution of the Android application, matches the sensitive feature information of the system functions called by the application with the sensitive feature information stored in the rule base, and marks the variables of successfully matched system functions as sensitive data; it then matches the functions containing sensitive data with the malicious behavior feature information stored in the malicious behavior detection rule base, and marks the successfully matched function parameters as malicious behavior.
  • FIG. 1 is a schematic flowchart of a method for detecting an Android malicious application according to Embodiment 1 of the present invention. As shown in FIG. 1, the method includes the following steps:
  • Step 11 The server simulates the execution of the Android application based on the APK file of the Android application sent from the client.
  • the client sends the APK file of the Android application to be tested to the server.
  • the server can decompress the APK file with software such as WinRAR or APKTOOL.jar, and extract the Dalvik bytecode file and the AndroidManifest.xml configuration file inside it.
  • the server simulates the execution of the Android application according to the APK file of the Android application sent by the client, including:
  • the server disassembles the Dalvik bytecode file and constructs the program structure based on the Dalvik bytecode file information, including: instruction structure, basic block structure, function structure, class structure, function call graph, control flow graph, and so on.
  • the server parses the AndroidManifest.xml configuration file to get the entry function name, such as extracting the value of the "android:name" field in the activity, service, receiver, provider, etc. as the entry function name, and finds the corresponding function structure from the built program structure as an entry function for simulation execution.
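The entry-function step above (Step 11 here, repeated as Step 303 of the second embodiment) amounts to reading the android:name attribute of the four component kinds and looking each class up in the program structure. The following Python script is an added example, not code from the patent, that does this over a manifest constructed for the purpose; the package and component names and the descriptor helper are assumptions of the example, and a real APK's manifest must first be converted from binary XML to plain XML (the patent names AXMLPrinter2.jar and APKTOOL.jar for that).

```python
# Added example, not code from the patent: extract entry-point class names from
# AndroidManifest.xml by reading the android:name attribute of activity, service,
# receiver and provider elements, then turn each name into the Dalvik descriptor
# under which the corresponding function structure would be looked up.
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest: one component of each kind, both relative (".Name") and
# fully qualified class names, and an intent-filter whose own android:name
# attribute must not be mistaken for a component.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:name=".DemoApp">
    <activity android:name=".InitOnlineActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name="com.example.demo.SyncService"/>
    <receiver android:name=".BootReceiver"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.provider"/>
  </application>
</manifest>"""


def qualify(name: str, package: str) -> str:
    """Apply Android's rules for relative component class names."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def to_descriptor(class_name: str) -> str:
    """Java class name -> Dalvik type descriptor, e.g. Lcom/example/Foo;"""
    return "L" + class_name.replace(".", "/") + ";"


def entry_components(manifest_xml: str) -> Dict[str, List[str]]:
    """Return {component kind: [Dalvik class descriptors]} for every activity,
    service, receiver and provider declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found: Dict[str, List[str]] = {tag: [] for tag in COMPONENT_TAGS}
    for tag in COMPONENT_TAGS:
        for element in root.iter(tag):
            name = element.get(f"{{{ANDROID_NS}}}name")
            if name:
                found[tag].append(to_descriptor(qualify(name, package)))
    return found


if __name__ == "__main__":
    for kind, classes in entry_components(SAMPLE_MANIFEST).items():
        print(kind, classes)
```

Each descriptor is then the key under which the class (and its lifecycle callbacks) would be located in the program structure built from the Dalvik bytecode; the `<action>` element inside the intent-filter is ignored because only the four component tags are iterated.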
  • the server starts from the entry function, simulates the call sequence of the function and the execution order of the instructions within the function according to the constructed program structure, and simulates the execution of each instruction in turn according to the execution order of the instructions.
  • the execution order of the instructions in a function is generated according to the control flow graph, using a graph traversal algorithm that ensures each basic block is executed at least once: for a branch, every branch is executed; for a loop, the instructions of the loop body are executed at least once. For the inter-procedural analysis stage, the call sequence of the functions is generated according to the function call graph, and the function that should actually be called is calculated according to the parameter types at the function call point.
  • the call sequence of the functions may be analyzed specifically by using the semantic information of the function parameters. For each function call instruction, taking the functions in order of use frequency from high to low: first determine whether the function is a virtual function or an interface call; if so, the actually called function is looked up according to the type of the this parameter. If not, determine whether the function is implemented by the user; if so, step into the called function and calculate its instruction execution sequence. If not, determine whether the function is a dynamic mechanism function; if so, enter the corresponding function that is found and execute it in sequence; otherwise the analysis ends.
  • the server collects the program state information of the function variable, and uses the program state information of the collected variable to determine the actual calling object of the dynamic mechanism function, and finds the relevant response function according to the current object.
  • collecting the program state information of the function variables includes collecting the type information and value information of each variable; for some dynamic mechanism related functions, such as interface calls and virtual functions, the collected variable state is used to determine the actual call object, and the relevant response function is found according to that actual call object.
  • Step 12 During the simulated execution of the Android application, the server matches the sensitive feature information of the system functions called by the Android application with the sensitive feature information stored in the rule base, and marks the variables of successfully matched system functions as sensitive data.
  • the sensitive data introduction rule base mainly records matching rules for sensitive data, where sensitive data refers to data related to user privacy or system security, such as the user's address book, geographic location, mobile device number, etc.;
  • the sensitive data introduction rule base records information about the library functions that introduce sensitive data into the program, including the function name, the class name of the function, the number of parameters, the type of sensitive data introduced, whether the function is static, and the parameter list with the taint (pollution) status of each parameter.
  • the malicious behaviors in the application to be detected include: sending a short message of fixed content to a fixed number, ordering a service provider (SP) service without the user's knowledge and thereby consuming the user's fees; opening a fixed Uniform Resource Locator (URL) to consume the user's fees; and executing fixed system commands to modify or delete the user's files.
  • the fixed-content short message, the fixed number, the fixed URL and the fixed system command enter the parameters of dangerous functions in the form of fixed-string sensitive data in the code of the application to be detected.
  • such a function call is identified as sensitive data; further detection determines whether the function call is malicious.
  • Step 13 The server matches the function containing the sensitive data with the malicious behavior characteristic information stored in the malicious behavior detection rule base, and marks the successfully matched function parameter as a malicious behavior.
  • the malicious behavior detection rule base mainly records detection rules for malicious behaviors.
  • the triggering of malicious behavior is generally caused by system functions that communicate with external parties, such as connecting to the network, sending text messages, and so on. If the call points of these functions are found to contain sensitive data, malicious behavior has been found; the malicious behavior detection rule base mainly includes information such as malicious behavior names, malicious behavior types, sensitive data type lists, and dangerous function type lists.
  • in step 12, if the sensitive feature information of a system function called by the application to be detected matches the sensitive feature information stored in the sensitive data introduction rule base, the system function call is determined to meet the preliminary feature of malicious behavior, namely: sending a fixed-content SMS to a fixed number, opening a fixed URL, or executing a fixed system command, where the fixed-content SMS, fixed number, fixed URL and fixed system command enter the dangerous function's parameters in the form of sensitive data to implement the sensitive behavior.
  • the server matches the malicious feature information of the system function called in the sensitive behavior of the application to be detected with the malicious behavior feature information stored in the malicious behavior detection rule base to further determine whether the sensitive behavior is malicious behavior, that is: whether a fixed-content SMS is sent to a fixed number to order a service from the SP and consume the user's fees; whether a fixed URL or a fixed Internet Protocol (IP) address is opened, causing the user to consume traffic fees; whether a fixed system command is executed, causing loss to the user's files. If so, the function call is identified as a malicious act, and the application to be detected is determined to be a malicious application.
  • a malicious behavior detection report is generated, which details the triggering process of the current malicious behavior, the sensitive data operated on and the harm caused; it classifies the detected dangerous behaviors, calculates the degree of danger and the possible harm, outputs program information such as the calling path of the dangerous behavior, and sends the detection report to the client; the report can be represented graphically, in Extensible Markup Language (XML), or in other forms.
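Steps 11 to 13 above describe a flow-sensitive taint analysis: simulated execution along the control flow graph, a rule base of functions that introduce sensitive data (sources), a rule base of dangerous functions whose tainted parameters constitute malicious behavior (sinks), and a report listing the calling path. The following Python program is an added example, not the patent's code, that implements that pipeline over a small Dalvik-like intermediate representation; the IR format, both rule bases, the function names and the sample program are constructed for the example, and the virtual-call resolution from collected type information (the dynamic mechanism connection step) is not modelled, user functions being simply stepped into.

```python
# Added example, not code from the patent: a toy flow-sensitive taint analysis
# over a constructed Dalvik-like IR that walks Steps 11 to 13 above: CFG-guided
# simulated execution, a source rule base, a sink rule base and a report.
from typing import Dict, List, Set

# Rule base 1 (sources): system function -> kind of sensitive data it returns.
SOURCE_RULES = {"Landroid/telephony/TelephonyManager;->getDeviceId": "device_id",
                "Landroid/location/LocationManager;->getLastKnownLocation": "location"}
# Rule base 2 (sinks): dangerous function, the parameter positions checked, and
# the sensitive-data kinds at those positions that make the call malicious.
SINK_RULES = [
    {"behavior": "privacy theft over network", "func": "Ljava/net/URL;-><init>",
     "params": [0], "types": {"device_id", "location"}},
    {"behavior": "malicious deduction by SMS", "params": [0, 2],
     "func": "Landroid/telephony/SmsManager;->sendTextMessage",
     "types": {"fixed_string"}},
]
# Constructed IR: ("const-string", dst, text) makes dst a fixed string (treated as
# sensitive data); ("move", dst, src); ("return", src); ("invoke", callee, [args], dst|None).
# Function = {"params": [...], "entry": block, "blocks": {name: {"ins": [...], "succ": [...]}}}.


def analyze_function(prog: dict, fname: str, args: List[Set[str]],
                     findings: List[dict], path: List[str]) -> Set[str]:
    """Simulate one function; return the taint set of its return value."""
    fn = prog[fname]
    regs: Dict[str, Set[str]] = {p: set(t) for p, t in zip(fn["params"], args)}
    ret: Set[str] = set()
    visited: Set[str] = set()

    def run_block(name: str) -> None:
        if name in visited:   # back edge or join point: every block runs once
            return
        visited.add(name)
        for ins in fn["blocks"][name]["ins"]:
            op = ins[0]
            if op == "const-string":
                regs[ins[1]] = {"fixed_string"}
            elif op == "move":
                regs[ins[1]] = set(regs.get(ins[2], set()))
            elif op == "return":
                ret.update(regs.get(ins[1], set()))
            elif op == "invoke":
                _, callee, cargs, dst = ins
                arg_taint = [set(regs.get(a, set())) for a in cargs]
                here = path + [f"{fname}:{name}"]
                if callee in SOURCE_RULES:           # Step 12: source matched
                    result = {SOURCE_RULES[callee]}
                elif callee in prog:                 # user function: step into it
                    result = analyze_function(prog, callee, arg_taint, findings, here)
                else:                                # Step 13: is it a sink?
                    result = set()
                    for rule in (r for r in SINK_RULES if r["func"] == callee):
                        hits = [arg_taint[i] & rule["types"] if i < len(arg_taint)
                                else set() for i in rule["params"]]
                        if all(hits):                # every checked parameter tainted
                            findings.append({"behavior": rule["behavior"],
                                             "function": callee, "path": here,
                                             "sensitive": sorted(set().union(*hits))})
                if dst is not None:
                    regs[dst] = result
        for succ in fn["blocks"][name]["succ"]:
            run_block(succ)

    run_block(fn["entry"])
    return ret


# Constructed sample: onCreate reads the device id, passes it through a helper,
# then either hands it to a URL (B1) or, in a loop (B2), sends a fixed-content
# SMS to a fixed number.  B3 is the exit block.
SAMPLE = {
    "Lcom/example/InitOnlineActivity;->onCreate": {
        "params": ["this"], "entry": "B0", "blocks": {
            "B0": {"ins": [
                ("invoke", "Landroid/telephony/TelephonyManager;->getDeviceId", ["v0"], "v1"),
                ("invoke", "Lcom/example/Util;->wrap", ["v1"], "v2")],
                   "succ": ["B1", "B2"]},
            "B1": {"ins": [("invoke", "Ljava/net/URL;-><init>", ["v2"], None)],
                   "succ": ["B3"]},
            "B2": {"ins": [
                ("const-string", "v3", "SP_SHORTCODE_PLACEHOLDER"),
                ("const-string", "v4", "SUBSCRIBE"),
                ("invoke", "Landroid/telephony/SmsManager;->sendTextMessage",
                 ["v3", "v5", "v4", "v6", "v7"], None)],
                   "succ": ["B2", "B3"]},
            "B3": {"ins": [], "succ": []}}},
    "Lcom/example/Util;->wrap": {
        "params": ["p0"], "entry": "B0",
        "blocks": {"B0": {"ins": [("move", "v0", "p0"), ("return", "v0")], "succ": []}}},
}


def detect(prog: dict, entry: str) -> List[dict]:
    """Simulated execution from an entry function; the list is the report content."""
    findings: List[dict] = []
    analyze_function(prog, entry, [set()], findings, [])
    return findings
```

Calling `detect(SAMPLE, "Lcom/example/InitOnlineActivity;->onCreate")` returns two findings: the device id flowing into `URL.<init>` in block B1, and the fixed number and fixed text reaching `sendTextMessage` in the loop block B2. The loop body runs exactly once because its back edge leads to an already visited block, which is the traversal guarantee of Step 11; taint is merged across branches by union, so a rule base entry fires whenever every listed parameter carries one of the rule's sensitive-data kinds on some path.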
  • FIG. 2 is a schematic diagram of the composition of the Android malicious application detection system according to the first embodiment of the present invention.
  • the system includes: a client 11 and a server 12; wherein: the client 11 is configured to send the APK file of the Android application to be tested to the server 12;
  • the server 12 is configured to simulate execution of the Android application according to the APK file sent by the client 11, match the sensitive feature information of the system functions invoked by the Android application with the sensitive feature information stored in the rule base, and mark the variables of successfully matched system functions as sensitive data;
  • the function parameters containing the sensitive data are matched with the malicious behavior characteristic information stored in the malicious behavior detection rule base, and the successfully matched function parameters are marked as malicious behavior.
  • the server 12 is further configured to send a detection report to the client after the simulation is completed.
  • the client 11 is further configured to receive a detection report sent by the server 12 and report the detection result to the user.
  • the first embodiment of the present invention further provides a server.
  • the server 12 includes: a communication module 121, a flow sensitivity analysis module 123, a sensitive data introduction rule base 124, and a malicious behavior detection rule base 125; where:
  • the communication module 121 is configured to receive the APK file sent by the client 11 and send the APK file to the flow sensitivity analysis module 123;
  • the flow sensitivity analysis module 123 is configured to simulate execution of the Android application according to the received APK file, and match the sensitive feature information of the system functions invoked by the Android application with the sensitive feature information stored in the rule base 124; it is also configured to match the function parameters containing the sensitive data with the malicious behavior detection rules stored in the malicious behavior detection rule base 125, and mark the successfully matched function parameters as malicious behavior;
  • the sensitive data introduction rule base 124 is configured to store sensitive feature information;
  • the malicious behavior detection rule base 125 is configured to store malicious behavior feature information.
  • the server 12 further includes a dangerous behavior reporting module 122, configured to generate a detailed description of the dangerous behavior according to the result of matching with the malicious behavior detection rule base 125 after the flow sensitivity analysis module 123 has simulated execution of the Android application, output a detection report, and send the detection report to the client 11 via the communication module 121.
  • the server 12 further includes: a decompression module 128, a program structure building module 126, and an entry function parsing module 127; wherein:
  • the decompression module 128 is configured to decompress the APK file sent by the client, extract the Dalvik bytecode file and the AndroidManifest.xml configuration file from the APK file, send the Dalvik bytecode file to the program structure building module 126, and send the AndroidManifest.xml configuration file to the entry function parsing module 127;
  • the program structure construction module 126 is configured to disassemble the Dalvik bytecode file, construct a program structure according to the information of the Dalvik bytecode file, and send the constructed program structure to the flow sensitivity analysis module 123;
  • the entry function parsing module 127 is configured to parse the AndroidManifest.xml configuration file to obtain an entry function name, find the corresponding function structure in the constructed program structure as the entry function for starting the analysis, and send the obtained entry function to the flow sensitivity analysis module 123.
  • the flow sensitivity analysis module 123 includes: a matching module 1231 and a malicious behavior detecting module 1232; wherein:
  • the matching module 1231 is configured to match the sensitive feature information of the system functions invoked by the Android application with the sensitive feature information in the sensitive data introduction rule base 124, mark the variables of successfully matched system functions as sensitive data, and send the matched data to the malicious behavior detecting module 1232 for malicious behavior detection;
  • the malicious behavior detecting module 1232 is configured to match the function parameters containing the sensitive data with the malicious behavior characteristic information stored in the malicious behavior detection rule base 125, mark the successfully matched function parameters as malicious behavior, and send the matching result to the dangerous behavior reporting module 122.
  • the flow sensitivity analysis module 123 further includes an instruction simulation module 1235, configured to simulate, according to the program structure constructed by the program structure construction module 126, the call sequence of the functions and the execution order of the instructions within each function, starting from the entry function obtained by the entry function parsing module 127, and to simulate the execution of each instruction in order.
  • the flow sensitivity analysis module 123 further includes: a program state collection module 1234 and a dynamic mechanism connection module 1233; wherein:
  • the program state collection module 1234 is configured to collect program state information of the function variable during the simulation execution of the instruction, and send the program state information of the collected function variable to the dynamic mechanism connection module 1233;
  • the dynamic mechanism connection module 1233 is configured to determine the actual call object of the dynamic mechanism function according to the program state information of the variable collected by the program state collection module 1234, and search for the relevant function according to the current object.
  • in practical applications, the dangerous behavior reporting module 122, the decompression module 128, the program structure building module 126, the entry function parsing module 127, and the flow sensitivity analysis module 123 with its submodules (the matching module 1231, the malicious behavior detecting module 1232, the program state collection module 1234, the dynamic mechanism connection module 1233 and the instruction simulation module 1235) in the server 12 may be implemented by a central processing unit (CPU) or a digital signal processor (DSP) in the server.
  • the sensitive data introduction rule base 124 and the malicious behavior detection rule base 125 can be implemented by a memory or a storage database in practical applications.
  • FIG. 3 is a schematic flowchart of a method for detecting an Android malicious application according to Embodiment 2 of the present invention. As shown in FIG. 3, the method includes the following steps:
  • Step 301: The client sends the APK file of the Android application to be tested to the server, and the server decompresses the APK file and extracts the Dalvik bytecode file and the AndroidManifest.xml configuration file.
  • the server decompresses the APK file using decompression software such as WinRAR or the APKTOOL.jar tool;
  • the AndroidManifest.xml configuration file is an encrypted file and can be decrypted using AXMLPrinter2.jar, APKTOOL.jar, and the like.
  • Step 302: The server disassembles the Dalvik bytecode file and constructs a program structure according to the disassembled Dalvik bytecode file information.
  • the extracted Dalvik bytecode file may be disassembled using a disassembly tool such as smali, IDA Pro, etc.;
  • the program structure constructed from the disassembled Dalvik bytecode file information includes an instruction structure, a basic structure, a function structure, a class structure, a function call graph, a control flow graph, and so on.
  • Step 303: The server parses the AndroidManifest.xml configuration file to obtain the entry function name, and finds the corresponding function structure in the constructed program structure as the entry function of the simulated execution.
  • the AndroidManifest.xml configuration file records detailed information about how the application runs; parsing it extracts the value of the "android:name" field of the activity, service, receiver, provider and similar tags as the entry function name, and the corresponding function structure is then found in the constructed program structure as the entry function of the simulated execution. Taking InitOnlineActivity as an example, the corresponding entry function is:
  • Step 304: The server starts from the entry function and, according to the constructed program structure, simulates the calling sequence of functions and the execution order of the instructions within each function, and simulates the execution of each instruction in that order;
  • the execution order of the instructions in a function is generated from the control flow graph, using a graph traversal algorithm that guarantees each basic block is executed at least once; for branches, every branch is guaranteed to execute; for loops, the instructions of the loop body are guaranteed to execute at least once;
  • the calling sequence of functions is generated from the function call graph, and the function that should actually be called is computed from the parameter types at the call site;
  • the calling sequence of functions may be analyzed concretely using the semantic information of the function parameters. For example, for a function call instruction: first determine whether the function is a virtual function or an interface call; if so, find the actually called function according to the type of the this parameter; if not, continue to determine whether the function is a user-implemented function; if so, enter the called function and use the instruction simulation module to compute the instruction execution sequence of the called function; if not, continue to determine whether the function is a dynamic mechanism function; if so, enter the dynamic mechanism connection module to find the corresponding function and execute it in turn; otherwise the analysis ends.
  • Step 305: During the simulated execution of instructions, the server collects the program state information of function variables, uses the collected program state information to determine the actual call object of a dynamic mechanism function, and finds the relevant response function according to that actual call object.
  • collecting the program state information of function variables includes collecting the type information and value information of each variable; for functions related to dynamic mechanisms, such as interface calls and virtual functions, the collected program state information of the variables is used to determine the actual call object, and the relevant response function is looked up according to that actual call object.
  • Step 306: During the simulated execution of the Android application, the server matches the sensitive feature information of the system functions called by the Android application with the sensitive feature information stored in the sensitive data introduction rule base, and marks the variables of successfully matched system functions as sensitive data.
  • the obtained TelephonyManager system object is saved in the v0 variable; when execution reaches the fourth line of code, the getDeviceId() function reads the device number of the user's equipment. All library function information related to reading the user's privacy is recorded in the sensitive data introduction rule base, and the getDeviceId rule in that rule base is as follows:
  • the function name is getDeviceId and the function class name is TelephonyManager. Therefore, when the fourth line of code is executed, the current function is found to satisfy a rule in the sensitive data introduction rule base; according to that rule, the return value of the current function must be marked as sensitive data, so when execution reaches the fifth line, the variable v1 contains sensitive data and is marked as sensitive.
  • Step 307: The server matches the functions containing sensitive data with the malicious behavior feature information stored in the malicious behavior detection rule base, and marks successfully matched function parameters as malicious behavior.
  • the malicious behavior detection rule base stores the detection rules for malicious behavior; if one of the rules is satisfied, the detected function parameter is marked as malicious behavior.
  • the partial code segment that transmits user privacy data and matches the malicious behavior detection rule base is as follows:
  • a URL system object is generated and stored in the v9 variable, and this object can communicate with a network server; when the second line is executed, the v15 variable is found to contain sensitive data, and the information it contains (the device number in the above example) is stored in v9; when the third line is executed, the current function is detected to satisfy a rule in the malicious behavior detection rule base. The openConnection rule in the malicious behavior detection rule base is as follows:
  • the function name is openConnection
  • the function class name is URL.
  • Step 308: After the server finishes the simulated execution of the Android application, a detection report is output according to the matching results and sent to the client.
  • the malicious behavior detection report describes in detail the triggering process of each detected malicious behavior, the sensitive data operated on and the harm caused; it classifies the detected dangerous behaviors by category, calculates the degree of danger and the possible hazards, and outputs program information such as the call path of the dangerous behavior; after detection is complete, statistics such as the time spent detecting, the number of instructions detected, the number of functions detected, the instruction coverage and the function coverage are also output.
  • the above information is finally presented in various forms such as graphical or XML output.
  • the generated detection report is then sent by the server to the client.
  • the embodiment of the present invention simulates execution of the application, matches the sensitive feature information of the system functions called by the application with the sensitive feature information stored in the sensitive data introduction rule base, and marks the variables of successfully matched system functions as sensitive data;
  • the functions containing sensitive data are matched with the malicious behavior feature information stored in the malicious behavior detection rule base, and successfully matched function parameters are marked as malicious behavior.
  • the technical solution of the embodiment of the present invention does not depend on a signature database obtained by manual analysis, which greatly reduces the workload of technicians; it does not depend on specific trigger conditions, and can finish detecting all execution paths in a short time, so that malicious behavior of the application can be detected accurately and promptly.


Abstract

Disclosed in an embodiment of the present invention are an Android malicious application program detection method, system and device, the detection method comprising: a server simulates the execution of an Android application program, matches the sensitive characteristic information of a system function invoked by the Android application program with the sensitive characteristic information stored in a sensitive data introduction rule base, and marks the variable of the successfully matched system function as sensitive data; the server matches the function containing the sensitive data with the malicious behavior characteristic information stored in a malicious behavior detection rule base, and marks the successfully matched function parameter as a malicious behavior. The technical solution in the embodiment of the present invention can detect an Android malicious application program without relying on human analysis of characteristic code, thus reducing the workload of technical personnel.

Description

Android malicious application detection method, system and device

Technical Field

The present invention relates to malicious application detection technology, and in particular to an Android malicious application detection method, system and device.

Background

As an open-source smartphone operating system, Android has attracted a large number of application developers. Because smartphones store a large amount of private user information, they have also attracted a flood of malicious applications into the application markets that steal users' private information; in addition, the supervision systems and detection methods of the various application markets are still imperfect and cannot distinguish malicious applications, so large amounts of private user information are leaked and application users suffer great losses.

An Android malicious application is software that is installed and run on a user's computer or other terminal without clearly informing the user or without the user's permission, and that infringes the user's legitimate rights and interests. The main malicious behaviors include: malicious fee deduction, privacy theft, remote control, malicious propagation, tariff consumption, system damage, deception and fraud, and rogue behavior.

At present there are two main methods for detecting malicious applications: dynamic detection and static detection. Dynamic detection mainly modifies the Android emulator kernel to detect installed applications in real time, or uses symbolic execution to run the application along a specified path, thereby obtaining its malicious behavior. Static analysis mainly analyzes the relevant files in the Android package (APK), such as AndroidManifest.xml and the Dalvik bytecode file, extracts part of their information as key features, and completes the detection by feature matching.

The dynamic detection method relies on specific trigger conditions and cannot finish detecting all execution paths in a short time; the feature-matching method relies on a signature database, and signatures are basically obtained by manual analysis, which is an enormous amount of work.

Summary of the Invention
In view of this, the main purpose of the embodiments of the present invention is to provide an Android malicious application detection method, system and device that can detect Android malicious applications without relying on manual analysis of signatures, greatly reducing the workload of technical staff.

To achieve the above purpose, the technical solution of the embodiments of the present invention is implemented as follows. An embodiment of the present invention provides an Android malicious application detection method, the method including:

a server simulates execution of an Android application, matches the sensitive feature information of the system functions called by the application with the sensitive feature information stored in a sensitive data introduction rule base, and marks the variables of successfully matched system functions as sensitive data;

the functions containing sensitive data are matched with the malicious behavior feature information stored in a malicious behavior detection rule base, and successfully matched function parameters are marked as malicious behavior.

Preferably, the method further includes:

after the simulated execution of the Android application ends, the server generates a detailed description of the dangerous behavior according to the result of matching against the malicious behavior detection rule base, outputs a detection report, and reports the detection result to the client.

Preferably, before the server simulates execution of the Android application, the method further includes:

the client sends the APK file of the Android application to be tested to the server, and the server decompresses the APK file and extracts the Dalvik bytecode file and the AndroidManifest.xml configuration file from it.

Preferably, the method further includes:

the server disassembles the Dalvik bytecode file and constructs a program structure according to the Dalvik bytecode file information, including: an instruction structure, a basic structure, a function structure, a class structure, a function call graph and a control flow graph;

the server parses the AndroidManifest.xml configuration file to obtain the entry function name, and finds the corresponding function structure in the constructed program structure as the entry function of the simulated execution.

Preferably, the server simulating execution of the Android application includes:

starting from the entry function, the server simulates, according to the constructed program structure, the calling sequence of functions and the execution order of the instructions within each function, and simulates the execution of each instruction in that order.

Preferably, the method further includes:

during the simulated execution of instructions, the server collects the program state information of function variables, uses the collected program state information to determine the actual call object of a dynamic mechanism function, and looks up the relevant response function according to the current object.
An embodiment of the present invention further provides a server, the server including: a communication module, a flow sensitivity analysis module, a sensitive data introduction rule base and a malicious behavior detection rule base; wherein:

the communication module is configured to receive the APK file sent by the client and send it to the flow sensitivity analysis module;

the flow sensitivity analysis module is configured to simulate execution of the Android application according to the received APK file, match the sensitive feature information of the system functions called by the Android application with the sensitive feature information stored in the sensitive data introduction rule base, and mark the variables of successfully matched system functions as sensitive data; it is further configured to match function parameters containing sensitive data with the malicious behavior detection rules stored in the malicious behavior detection rule base, and mark successfully matched function parameters as malicious behavior;

the sensitive data introduction rule base is configured to store sensitive feature information;

the malicious behavior detection rule base is configured to store malicious behavior feature information.

Preferably, the server further includes a dangerous behavior reporting module configured to, after the simulated execution of the Android application ends, generate a detailed description of the dangerous behavior according to the result of matching against the malicious behavior detection rule base, output a detection report, and send the detection report to the client through the communication module.

Preferably, the server further includes: a decompression module, a program structure construction module and an entry function parsing module;

the decompression module is configured to decompress the APK file sent by the client, extract the Dalvik bytecode file and the AndroidManifest.xml configuration file from the APK file, send the Dalvik bytecode file to the program structure construction module, and send the AndroidManifest.xml configuration file to the entry function parsing module;

the program structure construction module is configured to disassemble the Dalvik bytecode file, construct a program structure according to the information of the Dalvik bytecode file, and send the constructed program structure to the flow sensitivity analysis module;

the entry function parsing module is configured to parse the AndroidManifest.xml configuration file to obtain the entry function name, find the corresponding function structure in the constructed program structure as the entry function at which analysis starts, and send the obtained entry function to the flow sensitivity analysis module.

Preferably, the flow sensitivity analysis module includes: a matching module and a malicious behavior detection module; wherein:

the matching module is configured to match the sensitive feature information of the system functions called by the Android application with the sensitive feature information in the sensitive data introduction rule base, mark the variables of successfully matched system functions as sensitive data, and send the matched data to the malicious behavior detection module for malicious behavior detection;

the malicious behavior detection module is configured to match function parameters containing sensitive data with the malicious behavior feature information stored in the malicious behavior detection rule base, mark successfully matched function parameters as malicious behavior, and send the matching result to the dangerous behavior reporting module.

Preferably, the flow sensitivity analysis module further includes an instruction simulation module configured to simulate, according to the program structure constructed by the program structure construction module, the calling sequence of functions and the execution order of the instructions within each function, starting from the entry function obtained by the entry function parsing module, and to simulate the execution of each instruction in order.

Preferably, the flow sensitivity analysis module further includes: a program state collection module and a dynamic mechanism connection module; wherein:

the program state collection module is configured to collect the program state information of function variables during the simulated execution of instructions, and send the collected program state information to the dynamic mechanism connection module;

the dynamic mechanism connection module is configured to determine the actual call object of a dynamic mechanism function according to the program state information of the function variables collected by the program state collection module, and look up the relevant response function according to the current object.

An embodiment of the present invention further provides an Android malicious application detection system, the system including: a client and the server according to the embodiment of the present invention;

the client is configured to send the APK file of the Android application to be tested to the server, and is further configured to receive the detection report sent by the server and report the detection result to the user.
本发明实施例提供的技术方案, 通过模拟执行应用程序, 将应用程序 调用的系统函数的敏感特征信息与敏感数据引入规则库中存储的敏感特征 信息进行匹配, 将匹配成功的系统函数的变量标记为敏感数据; 将含有敏 感数据的函数与恶意行为检测规则库中存储的恶意行为特征信息进行匹 配, 将匹配成功的函数参数标记为恶意行为。 本发明实施例的技术方案不 依赖于人工分析获得的特征码数据库, 大大减少了技术人员的工作量; 不 依赖于特定的触发条件, 在短时间内便可检测完成所有的执行路径, 可准 确及时的对应用程序进行恶意行为检测。 附图说明  The technical solution provided by the embodiment of the present invention matches the sensitive feature information of the system function invoked by the application with the sensitive feature information stored in the rule base by simulating the execution application, and tags the variable of the successfully matched system function. For sensitive data; match the function containing sensitive data with the malicious behavior feature information stored in the malicious behavior detection rule base, and mark the successfully matched function parameters as malicious behavior. The technical solution of the embodiment of the present invention does not depend on the signature database obtained by manual analysis, which greatly reduces the workload of the technician; and does not depend on a specific trigger condition, and can complete all execution paths in a short time, which can be accurate Promptly detect malicious behavior of the application. DRAWINGS
图 1为本发明实施例一的 Android恶意应用程序检测方法流程示意图; 图 2为本发明实施例一的 Android恶意应用程序检测系统组成示意图; 图 3为本发明实施例二的 Android恶意应用程序检测方法流程示意图。 具体实施方式 1 is a schematic flowchart of a method for detecting a malicious application of an Android according to a first embodiment of the present invention; FIG. 2 is a schematic diagram of a composition of an Android malicious application detection system according to Embodiment 1 of the present invention; FIG. 3 is a schematic flowchart of a method for detecting an Android malicious application according to Embodiment 2 of the present invention. detailed description
本发明实施例的基本思想是: 服务器模拟执行 Android应用程序,将应 用程序调用的系统函数的敏感特征信息与敏感数据引入规则库中存储的敏 感特征信息进行匹配, 将匹配成功的系统函数的变量标记为敏感数据; 将 含有敏感数据的函数与恶意行为检测规则库中存储的恶意行为特征信息进 行匹配, 将匹配成功的函数参数标 i己为恶意行为。  The basic idea of the embodiment of the present invention is: The server simulates executing the Android application, and matches the sensitive feature information of the system function called by the application with the sensitive feature information stored in the rule base, and the variable of the system function that matches the success is matched. Marked as sensitive data; Match the function containing sensitive data with the malicious behavior feature information stored in the malicious behavior detection rule base, and mark the function parameters that match successfully as malicious behavior.
下面结合附图及具体实施例对本发明作优选地详细说明。  The invention will now be described in greater detail with reference to the drawings and specific embodiments.
图 1为本发明实施例一的 Android恶意应用程序检测方法流程示意图, 如图 1所示, 所述方法包括以下步骤:  FIG. 1 is a schematic flowchart of a method for detecting a malicious application of an Android according to Embodiment 1 of the present invention. As shown in FIG. 1, the method includes the following steps:
步骤 11: 服务器根据客户端发来的 Android应用程序的 APK文件模拟 Android应用程序的执行。  Step 11: The server simulates the execution of the Android application based on the APK file of the Android application sent from the client.
这里, 客户端将待测的 Android应用程序的 APK文件发送给服务器, 服务器收到 APK文件后, 可以通过如 WinRAR、 APKTOOL. jar等软件解 压 APK文件,提取出文件内部的 Dalvik字节码文件和 AndroidManifest. xml 配置文件。  Here, the client sends the APK file of the Android application to be tested to the server. After receiving the APK file, the server can extract the APK file through software such as WinRAR, APKTOOL.jar, etc., and extract the Dalvik bytecode file inside the file and AndroidManifest.xml configuration file.
这里, 所述服务器根据客户端发来的 Android应用程序的 APK文件模 拟 Android应用程序的执行包括:  Here, the server simulates the execution of the Android application according to the APK file of the Android application sent by the client, including:
服务器反汇编 Dalvik字节码文件, 并根据 Dalvik字节码文件信息构建 程序结构, 包括: 指令结构、 基本结构、 函数结构、 类结构、 函数调用图、 控制流图等等。  The server disassembles the Dalvik bytecode file and constructs the program structure based on the Dalvik bytecode file information, including: instruction structure, basic structure, function structure, class structure, function call graph, control flow graph, and so on.
服务器解析 AndroidManifest. xml 配置文件获取入口函数名, 如提取 activity、 service、 receiver, provider等标签中的 "android: name" 字段的值 作为入口函数名, 并从构建的程序结构中找出对应的函数结构, 作为模拟 执行的入口函数。 服务器从入口函数开始, 根据构建出的程序结构, 模拟函数的调用序 列和函数内指令的执行顺序, 并按指令的执行顺序, 依次模拟每条指令的 执行。 The server parses the AndroidManifest.xml configuration file to get the entry function name, such as extracting the value of the "android: name" field in the activity, service, receiver, provider, etc. as the entry function name, and finding the corresponding function from the built program structure. Structure, as an entry function for simulation execution. The server starts from the entry function, simulates the call sequence of the function and the execution order of the instructions within the function according to the constructed program structure, and simulates the execution of each instruction in turn according to the execution order of the instructions.
其中, 对于过程内分析阶段, 所述函数内指令的执行顺序根据控制流 图生成, 釆用图的遍历算法, 保证每个基本块至少被执行一次; 对于分支, 保证每个分支都会执行; 对于循环, 保证循环体部分的指令至少执行一次; 对于过程间分析阶段, 所述函数的调用序列根据函数调用图生成, 并根据 函数调用点的参数类型, 计算实际应该被调用的函数。  Wherein, for the in-process analysis phase, the execution order of the instructions in the function is generated according to the control flow graph, and the traversal algorithm of the graph is used to ensure that each basic block is executed at least once; for the branch, each branch is guaranteed to be executed; The loop ensures that the instruction of the loop body part is executed at least once; for the inter-process analysis stage, the call sequence of the function is generated according to the function call graph, and the function that should actually be called is calculated according to the parameter type of the function call point.
其中, 所述函数的调用序列可利用函数参数的语义信息进行具体分析, 如根据函数调用指令, 依据函数的使用频率从高到低排列, 首先判断函数 是否为虚函数或接口调用函数, 当判断的结果为是时, 则根据 this参数的 类型查找实际调用的函数; 当判断的结果为否时, 则继续判断所述函数是 否为用户实现的函数; 当所述判断所述函数是否为用户实现的函数的判断 结果为是时, 则进入被调函数内部执行, 计算出被调函数的指令执行序列; 当所述判断所述函数是否为用户实现的函数的判断结果为否时, 则继续判 断所述函数是否为动态机制函数; 当所述判断所述函数是否为动态机制函 数的判断结果为是时, 则进入查找对应的函数, 并依次进入执行, 否则分 析结束。  The calling sequence of the function may be specifically analyzed by using the semantic information of the function parameter, such as according to the function calling instruction, according to the frequency of use of the function from high to low, first determining whether the function is a virtual function or an interface calling function, when judging If the result is YES, the function actually called is searched according to the type of the this parameter; when the result of the judgment is no, it is continued to judge whether the function is a function implemented by the user; when the function is determined to be a user implementation If the judgment result of the function is YES, it is executed internally by the called function, and the instruction execution sequence of the called function is calculated; when the judgment result of whether the function is a user-implemented function is negative, the judgment is continued. Whether the function is a dynamic mechanism function; when the judgment result of determining whether the function is a dynamic mechanism function is YES, then the function corresponding to the search is entered, and the execution is sequentially performed, otherwise the analysis ends.
During the simulated execution of instructions, the server collects program state information of the function variables, uses the collected program state information to determine the actual call object of a dynamic-mechanism function, and looks up the corresponding response function according to the current object.
Here, collecting the program state information of function variables includes collecting the type information and value information of each variable. For functions related to dynamic mechanisms, such as interface calls and virtual functions, the collected program state information of the variables is used to determine the actual call object, and the corresponding response function is looked up according to that actual call object.
Step 12: During the simulated execution of the Android application, the server matches the sensitive feature information of the system functions called by the Android application against the sensitive feature information stored in the sensitive-data introduction rule base, and marks the variables of successfully matched system functions as sensitive data.
Here, the sensitive-data introduction rule base mainly records the matching rules for sensitive data. Sensitive data means data involving user privacy or system security, such as the user's contacts, geographic location and mobile device identifier. The sensitive-data introduction rule base records the library functions that introduce sensitive data into a program, including the function name, the name of the class the function belongs to, the number of function parameters, the type of sensitive data introduced, whether the function is static, and the taint state of each parameter in the formal parameter list.
The malicious behaviors in the application under detection include: sending an SMS with fixed content to a fixed number, ordering a service provider (SP) service without the user's knowledge so as to consume the user's credit; opening a fixed Universal Resource Locator (URL) so as to consume the user's credit; and executing a fixed system command so as to modify or delete user files. The fixed-content SMS, fixed number, fixed URL and fixed system command are introduced into the parameters of a dangerous function in the code of the application under detection in the form of fixed-string sensitive data. Thus, during simulated execution of the application under detection, if the sensitive feature information of a function called by the application matches the sensitive feature information of some dangerous function stored in the sensitive-data introduction rule base, the function call is marked as sensitive data for further detection to determine whether the call is a malicious behavior.
Step 13: The server matches the functions containing sensitive data against the malicious-behavior feature information stored in the malicious-behavior detection rule base, and marks successfully matched function parameters as malicious behavior.
Here, the malicious-behavior detection rule base mainly records the detection rules for malicious behaviors. Malicious behavior is generally triggered by system functions that communicate with the outside, such as connecting to the network or sending SMS messages. If sensitive data is found in the parameters at the call site of one of these functions, a malicious behavior has been found. The malicious-behavior detection rule base mainly includes the malicious behavior name, the malicious behavior type, the list of sensitive data types and the list of dangerous function types.
In step 12, if the sensitive feature information of a system function called by the application under detection matches the sensitive feature information stored in the sensitive-data introduction rule base, the system function call is determined to meet the preliminary features of malicious behavior, namely: sending an SMS with fixed content to a fixed number, opening a fixed URL or executing a fixed system command, where the fixed-content SMS, fixed number, fixed URL and fixed system command are introduced into the dangerous function's parameters as sensitive data in order to carry out the sensitive behavior.
In this step, the server matches the malicious feature information of the system functions called in the sensitive behavior of the application under detection against the malicious-behavior feature information stored in the malicious-behavior detection rule base, to further determine whether the sensitive behavior is malicious, namely: whether it sends an SMS with fixed content to a fixed number or orders a service from an SP so as to consume the user's credit; whether it opens a fixed URL or a network Internet Protocol (IP) address so as to consume the user's credit; or whether it executes a fixed system command that damages the user's files. If so, the function call is marked as malicious behavior and the application under detection is determined to be a malicious application.
Here, after the server finishes simulating the execution of the Android application, it generates a malicious-behavior detection report that describes in detail the trigger flow of each malicious behavior, the sensitive data operated on and the resulting harm, classifies the detected dangerous behaviors by category, computes the degree of danger and the harm it may cause, outputs program information such as the call path of the dangerous behavior, and sends the detection report to the client. The report may be presented in various forms, such as graphically or in Extensible Markup Language (XML).
Based on the above method, FIG. 2 is a schematic diagram of the composition of the Android malicious application detection system according to the first embodiment of the present invention. As shown in FIG. 2, the system includes a client 11 and a server 12, wherein: the client 11 is configured to send the APK file of the Android application under test to the server 12; the server 12 is configured to simulate the execution of the Android application according to the APK file sent by the client 11, match the sensitive feature information of the system functions called by the Android application against the sensitive feature information stored in the sensitive-data introduction rule base, and mark the variables of successfully matched system functions as sensitive data; and at the same time to match the function parameters containing sensitive data against the malicious-behavior feature information stored in the malicious-behavior detection rule base, and mark successfully matched function parameters as malicious behavior.
The server 12 is further configured to send the detection report to the client 11 after the simulated execution ends;
The client 11 is further configured to receive the detection report sent by the server 12 and report the detection result to the user.
Based on the above system, the first embodiment of the present invention further provides a server. As shown in FIG. 2, the server 12 includes a communication module 121, a flow-sensitive analysis module 123, a sensitive-data introduction rule base 124 and a malicious-behavior detection rule base 125, wherein:
The communication module 121 is configured to receive the APK file sent by the client 11 and send the APK file to the flow-sensitive analysis module 123;
The flow-sensitive analysis module 123 is configured to simulate the execution of the Android application according to the received APK file and match the sensitive feature information of the system functions called by the Android application against the sensitive feature information stored in the sensitive-data introduction rule base 124; it is further configured to match the function parameters containing sensitive data against the malicious-behavior detection rules stored in the malicious-behavior detection rule base 125, and mark successfully matched function parameters as malicious behavior;
The sensitive-data introduction rule base 124 is configured to store sensitive feature information;
The malicious-behavior detection rule base 125 is configured to store malicious-behavior feature information.
Preferably, the server 12 further includes a dangerous-behavior reporting module 122 configured to generate, after the flow-sensitive analysis module 123 finishes simulating the execution of the Android application, a detailed description of the dangerous behaviors according to the results of matching against the malicious-behavior detection rule base 125, output the detection report, and send the detection report to the client 11 through the communication module 121.
Preferably, the server 12 further includes a decompression module 128, a program structure construction module 126 and an entry function parsing module 127, wherein:
The decompression module 128 is configured to decompress the APK file sent by the client, extract the Dalvik bytecode file and the AndroidManifest.xml configuration file from the APK file, send the Dalvik bytecode file to the program structure construction module 126, and send the AndroidManifest.xml configuration file to the entry function parsing module 127;
The program structure construction module 126 is configured to disassemble the Dalvik bytecode file, construct the program structure from the information in the Dalvik bytecode file, and send the constructed program structure to the flow-sensitive analysis module 123;
The entry function parsing module 127 is configured to parse the AndroidManifest.xml configuration file to obtain the entry function names, find the corresponding function structures in the constructed program structure as the entry functions at which analysis starts, and send the obtained entry functions to the flow-sensitive analysis module 123.
Preferably, the flow-sensitive analysis module 123 includes a matching module 1231 and a malicious-behavior detection module 1232, wherein:
The matching module 1231 is configured to match the sensitive feature information of the system functions called by the Android application against the sensitive feature information in the sensitive-data introduction rule base 124, mark the variables of successfully matched system functions as sensitive data, and pass the matched data to the malicious-behavior detection module 1232 for malicious behavior detection;
The malicious-behavior detection module 1232 is configured to match the function parameters containing sensitive data against the malicious-behavior feature information stored in the malicious-behavior detection rule base 125, mark successfully matched function parameters as malicious behavior, and send the matching result to the dangerous-behavior reporting module 122.
Preferably, the flow-sensitive analysis module 123 further includes an instruction simulation module 1235 configured to simulate, according to the program structure constructed by the program structure construction module 126, the call sequence of functions and the execution order of the instructions within each function, and to simulate the execution of each instruction in order, starting from the entry function obtained by the entry function parsing module 127.
Preferably, the flow-sensitive analysis module 123 further includes a program state collection module 1234 and a dynamic-mechanism linking module 1233, wherein:
The program state collection module 1234 is configured to collect the program state information of function variables during the simulated execution of instructions and send the collected program state information of the function variables to the dynamic-mechanism linking module 1233;
The dynamic-mechanism linking module 1233 is configured to determine the actual call object of a dynamic-mechanism function according to the program state information of the variables collected by the program state collection module 1234, and look up the corresponding function according to the current object.
In practical applications, the dangerous-behavior reporting module 122, decompression module 128, program structure construction module 126, entry function parsing module 127 and flow-sensitive analysis module 123 in the server 12, together with its sub-modules, namely the matching module 1231, malicious-behavior detection module 1232, program state collection module 1234, dynamic-mechanism linking module 1233 and instruction simulation module 1235, may all be implemented by a Central Processing Unit (CPU), a Digital Signal Processor (DSP) or a Field-Programmable Gate Array (FPGA) in the server; the communication module 121 in the server may be implemented by a transceiver or a transceiving antenna; and the sensitive-data introduction rule base 124 and the malicious-behavior detection rule base 125 in the server 12 may be implemented by a memory or a storage database.
The embodiment of the present invention is described in detail below, taking the com.aijiaoyou.android.sipphone application as an example.
FIG. 3 is a schematic flowchart of the Android malicious application detection method according to the second embodiment of the present invention. As shown in FIG. 3, the method includes the following steps:
Step 301: The client sends the APK file of the Android application under test to the server; the server decompresses the APK file and extracts the Dalvik bytecode file and the AndroidManifest.xml configuration file.
Here, the server may decompress the APK file using decompression software such as WinRAR or the APKTOOL.jar tool; the AndroidManifest.xml configuration file is an encrypted file and may be decrypted using tools such as AXMLPrinter2.jar or APKTOOL.jar.
Step 302: The server disassembles the Dalvik bytecode file and constructs the program structure from the disassembled Dalvik bytecode file information.
Here, the extracted Dalvik bytecode file may be disassembled with a disassembly tool such as smali or IDA Pro; the program structure constructed from the disassembled Dalvik bytecode file information includes the instruction structure, basic block structure, function structure, class structure, function call graph, control flow graph, and so on.
Step 303: The server parses the AndroidManifest.xml configuration file to obtain the entry function names, and finds the corresponding function structures in the constructed program structure as the entry functions for simulated execution.
Here, the AndroidManifest.xml configuration file records detailed information related to running the application. By parsing the AndroidManifest.xml configuration file, the values of the "android:name" attribute in the activity, service, receiver and provider tags are extracted as the entry function names, and the corresponding function structures are found in the constructed program structure as the entry functions for simulated execution. Taking InitOnlineActivity as an example, the corresponding entry functions are:
InitOnlineActivity.onCreate@VL;
InitOnlineActivity.onStart@V;
InitOnlineActivity.onKeyDown@ZIL, and so on.
Step 304: Starting from the entry function, the server simulates the call sequence of functions and the execution order of the instructions within each function according to the constructed program structure, and simulates the execution of each instruction in that order.
Here, for the intraprocedural analysis phase, the execution order of the instructions within a function is generated from the control flow graph using a graph traversal algorithm that guarantees every basic block is executed at least once: for a branch, every branch target is executed; for a loop, the instructions of the loop body are executed at least once. For the interprocedural analysis phase, the call sequence of functions is generated from the function call graph, and the function that should actually be called is computed from the parameter types at the call site.
The call sequence of functions may be analyzed in detail using the semantic information of the function parameters. For example, starting from the function call instruction, it is first determined whether the function is a virtual function or an interface call; if so, the actually called function is looked up according to the type of the this parameter. If not, it is then determined whether the function is a user-implemented function; if so, execution enters the called function and the instruction simulation module computes the instruction execution sequence of the called function. If not, it is then determined whether the function is a dynamic-mechanism function; if so, the dynamic-mechanism linking module is entered to look up the corresponding function, which is then entered for execution in turn; otherwise the analysis ends.
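The instruction-order and call-resolution procedure of step 304 (and of the corresponding passage of the first embodiment), as an added Python example that is not code from the patent; the control flow graph, class hierarchy and method names are constructed for illustration.

```python
"""Added example (not code from the patent): the instruction-order and
call-resolution procedure of step 304.  The CFG, class hierarchy and method
names are constructed for illustration."""

# Constructed CFG of one method: block -> (instructions, successor blocks).
# "body" has a back edge to "head"; the traversal follows it at most once.
CFG = {
    "entry": (["const/4 v0, 0"], ["head"]),
    "head":  (["if-ge v0, v1, :done"], ["body", "done"]),
    "body":  (["add-int/lit8 v0, v0, 1"], ["head"]),
    "done":  (["return-void"], []),
}


def block_order(cfg, entry="entry"):
    """Depth-first traversal of the CFG.  Every block is entered exactly once,
    so both targets of a branch are reached and a loop body is simulated a
    single time, which is the coverage guarantee the text describes."""
    order, seen, stack = [], set(), [entry]
    while stack:
        block = stack.pop()
        if block in seen:
            continue
        seen.add(block)
        order.append(block)
        for succ in reversed(cfg[block][1]):   # keep the first successor first
            if succ not in seen:
                stack.append(succ)
    return order


def instruction_order(cfg, entry="entry"):
    """Flatten the block order into the instruction sequence that is simulated."""
    return [ins for block in block_order(cfg, entry) for ins in cfg[block][0]]


# Interprocedural part: what does an invoke at a call site actually reach?
# Constructed program facts; a real analysis reads them from the class structures.
USER_METHODS = {("MyTask", "run"), ("MyTask", "upload"), ("MainActivity", "onCreate")}
SUPERCLASS = {"MyTask": "Thread"}
# Framework "dynamic mechanism" entry points and the callback they hand control to.
DYNAMIC = {("Thread", "start"): "run"}


def _dispatch(this_type, name, declared):
    """Virtual/interface dispatch: search from the receiver's runtime type up
    the hierarchy for a user implementation; fall back to the declared class."""
    cls = this_type
    while cls is not None:
        if (cls, name) in USER_METHODS:
            return cls
        cls = SUPERCLASS.get(cls)
    return declared


def resolve(kind, cls, name, this_type=None):
    """Decision chain from the text: virtual or interface call -> look up the
    target by the type of `this`; user-implemented -> enter it; dynamic
    mechanism function -> enter the callback it triggers; otherwise stop."""
    if kind in ("virtual", "interface") and this_type:
        cls = _dispatch(this_type, name, cls)
    if (cls, name) in USER_METHODS:
        return ("enter", cls, name)
    if (cls, name) in DYNAMIC and this_type:
        callback = DYNAMIC[(cls, name)]
        target = _dispatch(this_type, callback, cls)
        if (target, callback) in USER_METHODS:
            return ("enter", target, callback)
    return ("stop", cls, name)


if __name__ == "__main__":
    print(instruction_order(CFG))
    print(resolve("virtual", "Thread", "start", this_type="MyTask"))
```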
Step 305: During the simulated execution of instructions, the server collects the program state information of function variables, uses the collected program state information of the variables to determine the actual call object of a dynamic-mechanism function, and looks up the corresponding response function according to the actual call object.
Here, the server collecting program state information of function variables during the simulated execution of instructions includes collecting the type information and value information of each variable; for functions related to dynamic mechanisms, such as interface calls and virtual functions, the collected program state information of the variables is used to determine the actual call object, and the corresponding response function is looked up according to the actual call object.
Step 306: During the simulated execution of the Android application, the server matches the sensitive feature information of the system functions called by the Android application against the sensitive feature information stored in the sensitive-data introduction rule base, and marks the variables of successfully matched system functions as sensitive data. A portion of the code segment that matches the sensitive-data introduction rule base information is shown below:
1: invoke-virtual {this,v1},<ref InitOnlineActivity.getSystemService(ref)>
2: move-result-object v0
3: check-cast v0,<t: TelephonyManager>
4: invoke-virtual {v0},<ref TelephonyManager.getDeviceId()>
5: move-result-object v1
Here, during simulated execution, when the above code segment is reached, executing lines one to three yields a TelephonyManager system object, which is stored in the variable v0; when the fourth line is executed, the TelephonyManager.getDeviceId() function reads the device identifier of the user's device. The sensitive-data introduction rule base records all library functions related to reading user privacy; its getDeviceId rule is as follows:
<Function>
  <FunName>getDeviceId</FunName>
  <ClassName>TelephonyManager</ClassName>
  <ParamSize>0</ParamSize>
  <KeyParamList>
    <DefaultType>13</DefaultType>
  </KeyParamList>
  <EffectType>0</EffectType>
  <ReturnType>1</ReturnType>
  <ReturnTypeName>Default</ReturnTypeName>
</Function>
In the above getDeviceId rule of the sensitive-data introduction rule base, the function name is defined as getDeviceId and the function's class name as TelephonyManager. Therefore, when the fourth line of code is executed, the current function is found to satisfy a rule in the sensitive-data introduction rule base, and according to that rule the return value of the current function is to be marked as sensitive data. Consequently, when the fifth line of code is executed, the variable v1 contains sensitive data and is marked as sensitive data.
Step 307: The server matches the functions containing sensitive data against the malicious-behavior feature information stored in the malicious-behavior detection rule base, and marks successfully matched function parameters as malicious behavior.
Here, the malicious-behavior detection rule base stores detection rules for malicious behavior; if one of the rules is satisfied, the detected function parameter is marked as malicious behavior. A portion of the code segment that sends user privacy data and matches the malicious-behavior detection rule base is shown below:
1: new-instance v9,<t: URL>
2: invoke-direct {v9,v15},<void URL.<init>(ref)>
3: invoke-virtual {v9},<ref URL.openConnection()>
4: move-result-object v6
During the simulated execution of the application, when the above code segment is reached, executing the first line creates a URL system object, which is stored in the variable v9; this object can communicate over the network with a network server. When the second line is executed, the variable v15 is found to contain sensitive data, and the information contained in v15 is stored into v9; this information is the device identifier from the example above. When the third line is executed, the current function is detected to satisfy a rule in the malicious-behavior detection rule base. The openConnection rule in the malicious-behavior detection rule base is as follows:
<Function>
  <FunName>openConnection</FunName>
  <ClassName>URL</ClassName>
  <KeyParamList>
    <DefaultType>1</DefaultType>
    <KeyParam>
      <ParamPos>0</ParamPos>
      <ParamValue>.*(\.apk$)</ParamValue>
      <SinkType>9</SinkType>
    </KeyParam>
    <KeyParam>
      <ParamPos>0</ParamPos>
      <ParamValue>(http|https|ftp|file)://.*</ParamValue>
      <SinkType>1</SinkType>
    </KeyParam>
  </KeyParamList>
  <IsStatic>0</IsStatic>
  <ParamSize>0</ParamSize>
  <SinkPattern>0</SinkPattern>
</Function>
In the above code segment of the openConnection rule in the malicious-behavior detection rule base, the function name is defined as openConnection and the function's class name as URL. According to the description of this rule, if the first parameter of the current function contains sensitive data, this is a malicious behavior that steals user privacy. Since v9 contains sensitive data, a malicious behavior is triggered, namely sending the device identifier over the network to a remote server, and the return value of the current function is to be marked as malicious behavior. Consequently, when the fourth line of the above code segment that sends user privacy data is executed, the variable v6 contains a malicious behavior and is marked as malicious behavior.
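The source and sink matching of steps 306 and 307 carried through end to end, as an added Python example that is not the patent's code: the getDeviceId and openConnection rules are transcribed into Python dicts, and the instruction list is a constructed simplification of the two code segments quoted above (the URL string, the String.concat call and register v2 are assumed in order to join the two segments).

```python
"""Added example (not the patent's code): a minimal taint simulator over the
two code segments of steps 306 and 307.  The rule entries mirror the
getDeviceId and openConnection XML rules; the URL string, the String.concat
call and register v2 are constructed to connect the two segments."""
import re
from dataclasses import dataclass, field

# Source rule (sensitive-data introduction rule base): the return value of
# TelephonyManager.getDeviceId() is marked as sensitive.
SOURCE_RULES = [
    {"class": "TelephonyManager", "name": "getDeviceId", "param_size": 0,
     "label": "device id"},
]
# Sink rule (malicious-behavior detection rule base): parameter 0 of
# URL.openConnection(), i.e. the URL object itself, is checked against each
# ParamValue pattern; a tainted, matching parameter triggers the rule.
SINK_RULES = [
    {"class": "URL", "name": "openConnection", "is_static": False,
     "key_params": [
         {"pos": 0, "pattern": r".*(\.apk$)", "sink_type": 9},
         {"pos": 0, "pattern": r"(http|https|ftp|file)://.*", "sink_type": 1},
     ],
     "label": "sensitive data sent over the network"},
]


@dataclass
class Reg:
    """Abstract register state: the value when known plus taint labels."""
    val: object = None
    taint: set = field(default_factory=set)


def _rule_for(rules, cls, name):
    return next((r for r in rules if r["class"] == cls and r["name"] == name), None)


def simulate(program):
    """Simulate the instruction list once, propagating taint through registers.
    Returns (registers, findings); each finding is one matched sink rule."""
    regs, findings, result = {}, [], Reg()
    for ins in program:
        op = ins[0]
        if op == "const-string":
            regs[ins[1]] = Reg(ins[2])
        elif op == "new-instance":
            regs[ins[1]] = Reg()
        elif op == "check-cast":
            continue                          # type refinement only; taint unchanged
        elif op == "move-result":
            regs[ins[1]] = result
        elif op == "invoke":
            _, cls, name, arg_regs = ins
            args = [regs.get(r, Reg()) for r in arg_regs]
            taint = set().union(*(a.taint for a in args))   # conservative propagation
            # Simplified library model: string arguments concatenate, else unknown.
            val = "".join(a.val for a in args) if all(isinstance(a.val, str) for a in args) else None
            src = _rule_for(SOURCE_RULES, cls, name)
            if src:
                taint.add(src["label"])
                val = "<%s>" % src["label"]   # placeholder for the unknown sensitive value
            sink = _rule_for(SINK_RULES, cls, name)
            if sink:
                for kp in sink["key_params"]:
                    p = args[kp["pos"]]
                    if p.taint and isinstance(p.val, str) and re.fullmatch(kp["pattern"], p.val):
                        findings.append({"sink_type": kp["sink_type"], "rule": sink["label"],
                                         "function": cls + "." + name, "value": p.val,
                                         "taint": sorted(p.taint)})
                        taint.add("malicious:" + sink["label"])
            if name == "<init>":
                # Constructor: the new object absorbs its arguments' value and taint
                # (this is how v9 becomes sensitive in the second segment).
                regs[arg_regs[0]] = Reg(args[1].val if len(args) > 1 else None, taint)
                result = Reg()
            else:
                result = Reg(val, taint)
    return regs, findings


# Constructed instruction list joining the two quoted segments.
PROGRAM = [
    ("invoke", "InitOnlineActivity", "getSystemService", ["this", "v1"]),
    ("move-result", "v0"),
    ("check-cast", "v0", "TelephonyManager"),
    ("invoke", "TelephonyManager", "getDeviceId", ["v0"]),
    ("move-result", "v1"),                                       # v1: sensitive
    ("const-string", "v2", "http://collector.invalid/u?imei="),  # constructed
    ("invoke", "String", "concat", ["v2", "v1"]),
    ("move-result", "v15"),                                      # v15: sensitive
    ("new-instance", "v9", "URL"),
    ("invoke", "URL", "<init>", ["v9", "v15"]),
    ("invoke", "URL", "openConnection", ["v9"]),
    ("move-result", "v6"),                                       # v6: malicious
]
# Same sink, but the URL is a constant carrying no sensitive data: no finding.
CLEAN_PROGRAM = [
    ("const-string", "v15", "http://update.invalid/app.apk"),
    ("new-instance", "v9", "URL"),
    ("invoke", "URL", "<init>", ["v9", "v15"]),
    ("invoke", "URL", "openConnection", ["v9"]),
    ("move-result", "v6"),
]

if __name__ == "__main__":
    for finding in simulate(PROGRAM)[1]:
        print(finding)
```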
Step 308: After the server finishes simulating the execution of the Android application, it outputs a detection report according to the matching results and sends the detection report to the client.
Here, for the detected malicious behaviors, a malicious-behavior detection report is generated that describes in detail the trigger flow of each malicious behavior, the sensitive data operated on and the resulting harm, classifies the detected dangerous behaviors by category, computes the degree of danger and the harm it may cause, and outputs program information such as the call path of the dangerous behavior. After detection is complete, statistics such as the time taken by the detection, the number of instructions examined, the number of functions examined, instruction coverage and function coverage are also output. This information is finally presented in various forms such as graphical or XML, and the resulting detection report is sent by the server to the client.
The above description covers only preferred embodiments of the present invention and is not intended to limit its scope of protection. Any modification, equivalent substitution or improvement made within the spirit and scope of the present invention falls within its scope of protection.

Industrial applicability
The embodiments of the present invention simulate the execution of an application, match the sensitive feature information of the system functions the application calls against the sensitive feature information stored in the sensitive data introduction rule base, and mark the variables of successfully matched system functions as sensitive data; functions that contain sensitive data are then matched against the malicious behavior feature information stored in the malicious behavior detection rule base, and successfully matched function parameters are marked as malicious behavior. The technical solution of the embodiments does not depend on a signature database obtained by manual analysis, which greatly reduces the analysts' workload; nor does it depend on specific trigger conditions, so all execution paths can be examined in a short time and malicious behavior in an application can be detected accurately and promptly.

Claims

1. An Android malicious application detection method, the method comprising: a server simulating execution of an Android application, matching the sensitive feature information of the system functions called by the application against the sensitive feature information stored in a sensitive data introduction rule base, and marking the variables of successfully matched system functions as sensitive data;
matching functions that contain sensitive data against the malicious behavior feature information stored in a malicious behavior detection rule base, and marking successfully matched function parameters as malicious behavior.
2. The method according to claim 1, wherein the method further comprises:
after the simulated execution of the Android application ends, the server generating, according to the results of matching against the malicious behavior detection rule base, a detailed description of the dangerous behavior, outputting a detection report, and reporting the detection result to the client.
3. The method according to claim 1, wherein, before the server simulates execution of the Android application, the method further comprises:
the client sending the Android package (APK) file of the Android application under test to the server, and the server decompressing the APK file and extracting from it the Dalvik bytecode file and the AndroidManifest.xml configuration file.
4. The method according to claim 3, wherein the method further comprises:
the server disassembling the Dalvik bytecode file and constructing a program structure from the information in the Dalvik bytecode file, the program structure comprising: an instruction structure, a basic block structure, a function structure, a class structure, a function call graph and a control flow graph;
the server parsing the AndroidManifest.xml configuration file to obtain the entry function name, and locating the corresponding function structure in the constructed program structure as the entry function for simulated execution.
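One way to carry out the manifest step of claims 3 and 4, as an added example in Python that is not the patent's own code: the manifest below is constructed, the package and class names are invented, and the table mapping each component type to the framework callback treated as its entry function is an assumption (a fuller table would also include onStart, onResume, onBind and the like). Inside an APK the manifest is stored as binary XML; this code assumes it has already been decoded to text (for instance with aapt or androguard).

```python
# Added example (not the patent's own code): deriving simulation entry points
# from a decoded AndroidManifest.xml. The manifest text, package name, class
# names and the component -> lifecycle-method table are constructed assumptions.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Framework callbacks the analysis treats as entry functions per component type
# (assumption; a fuller table also covers onStart, onResume, onBind, ...).
ENTRY_METHODS = {
    "activity": ["onCreate"],
    "service": ["onCreate", "onStartCommand"],
    "receiver": ["onReceive"],
}

# Constructed manifest: a launcher activity plus a service and a boot receiver
# that are entry points of their own even though no user action reaches them.
MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.leaky">
  <application android:label="Leaky">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name="com.example.leaky.UploadService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def qualify(package, name):
    """Expand the shorthand class names a manifest allows (".Foo" or "Foo")
    into the Dalvik descriptor used in the disassembled bytecode."""
    if name.startswith("."):
        name = package + name
    elif "." not in name:
        name = package + "." + name
    return "L" + name.replace(".", "/") + ";"


def entry_functions(manifest_xml):
    """Return (class descriptor, method, is_launcher) for every component entry point."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    entries = []
    for component in root.find("application"):
        if component.tag not in ENTRY_METHODS:
            continue                      # meta-data, provider, ... not modelled here
        cls = qualify(package, component.get(ANDROID_NS + "name"))
        launcher = any(
            cat.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
            for cat in component.iter("category")
        )
        for method in ENTRY_METHODS[component.tag]:
            entries.append((cls, method, launcher))
    return entries


def main_entry(manifest_xml):
    """The function simulated execution starts from: the launcher activity's onCreate."""
    for cls, method, launcher in entry_functions(manifest_xml):
        if launcher:
            return f"{cls}->{method}"
    return None


if __name__ == "__main__":
    print("start at:", main_entry(MANIFEST))
    for entry in entry_functions(MANIFEST):
        print(entry)
```

main_entry returns the single entry the claim describes, but entry_functions deliberately lists every component as well: a service or a BOOT_COMPLETED receiver is reached by the system without any user interaction, and a simulation that starts only from the launcher activity never sees code placed there. A practitioner would seed the simulation with all of them.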
5. The method according to claim 1 or 4, wherein the server simulating execution of the Android application comprises:
the server, starting from the entry function and according to the constructed program structure, simulating the function call sequence and the execution order of the instructions within each function, and simulating the execution of each instruction one by one in that order.
6. The method according to claim 5, wherein the method further comprises:
during the simulated execution of instructions, the server collecting program state information of function variables, and using the collected program state information of the variables to determine the actual object on which a dynamic-mechanism function is invoked and to look up the corresponding response function according to the current object.
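The dynamic-mechanism step of claim 6 (and of the corresponding modules in claim 12), as an added example that is not the patent's own code: collected program state records the concrete class each register holds, and a virtual or interface call is resolved to the one response function that class actually runs; when the state does not know the receiver's type, the analysis falls back to every implementation under the declared class. The class hierarchy, register names and instruction sequence are constructed.

```python
# Added example (not the patent's own code): resolving the actual target of a
# dynamic-mechanism call (virtual/interface dispatch) from collected program
# state. The class hierarchy, register names and instructions are constructed.

# Constructed class hierarchy: descriptor -> (superclass, methods with a body).
HIERARCHY = {
    "Ljava/lang/Object;": (None, set()),
    "Landroid/view/View$OnClickListener;": (None, set()),          # interface, no bodies
    "Lcom/example/BaseListener;": ("Ljava/lang/Object;", {"onClick"}),
    "Lcom/example/LeakListener;": ("Lcom/example/BaseListener;", {"onClick"}),
    "Lcom/example/SafeListener;": ("Lcom/example/BaseListener;", set()),
}
# Interfaces each class implements directly.
IMPLEMENTS = {"Lcom/example/BaseListener;": {"Landroid/view/View$OnClickListener;"}}


def lookup(cls, method):
    """Virtual dispatch: walk up from the concrete class to the first class that
    defines the method; None if nothing on the chain defines it."""
    while cls is not None and cls in HIERARCHY:
        superclass, methods = HIERARCHY[cls]
        if method in methods:
            return f"{cls}->{method}"
        cls = superclass
    return None


def subclasses_of(cls):
    """Every class that (transitively) extends cls or implements it."""
    found = set()
    for candidate, (superclass, _methods) in HIERARCHY.items():
        if superclass == cls or cls in IMPLEMENTS.get(candidate, set()):
            found.add(candidate)
            found |= subclasses_of(candidate)
    return found


def collect_state(program):
    """Program state collection: the concrete class each register holds after
    the given instructions. Only new-instance and move are tracked; a
    move-result makes the register's type unknown in this toy model."""
    types = {}
    for ins in program:
        if ins[0] == "new-instance":
            types[ins[1]] = ins[2]
        elif ins[0] == "move":
            types[ins[1]] = types.get(ins[2])
        elif ins[0] == "move-result":
            types.pop(ins[1], None)
    return types


def resolve(program, pc):
    """Resolve the invoke at pc to its response function(s): exactly one when the
    receiver's concrete class is known from the collected state, otherwise every
    implementation reachable under the declared class (the conservative fallback)."""
    ins = program[pc]
    if ins[0] not in ("invoke-virtual", "invoke-interface"):
        raise ValueError(f"pc {pc} is not a dynamic call: {ins[0]!r}")
    _op, declared, method, args = ins
    concrete = collect_state(program[:pc]).get(args[0])
    if concrete is not None:
        target = lookup(concrete, method)
        return [target] if target else []
    candidates = {lookup(c, method) for c in subclasses_of(declared) | {declared}}
    return sorted(t for t in candidates if t)


# Constructed instruction sequence. v5 is never defined here (e.g. loaded from a
# field), so its concrete type is unknown at the last call.
PROGRAM = [
    ("new-instance", "v1", "Lcom/example/LeakListener;"),
    ("invoke-direct", "Lcom/example/LeakListener;", "<init>", ["v1"]),
    ("move", "v2", "v1"),
    ("invoke-interface", "Landroid/view/View$OnClickListener;", "onClick", ["v2", "v3"]),
    ("new-instance", "v4", "Lcom/example/SafeListener;"),
    ("invoke-virtual", "Lcom/example/BaseListener;", "onClick", ["v4", "v3"]),
    ("invoke-interface", "Landroid/view/View$OnClickListener;", "onClick", ["v5", "v3"]),
]

if __name__ == "__main__":
    for pc in (3, 5, 6):
        print(pc, resolve(PROGRAM, pc))
```

The call at pc 3 is declared against the OnClickListener interface, which on its own names no code at all; the collected state (v2 copied from a LeakListener instance) pins it to LeakListener.onClick, so the taint analysis follows one function instead of every listener in the program. The fallback at pc 6 shows the cost of missing state: both onClick bodies must be simulated, and in a real application that set can be large enough to make the analysis slow or imprecise, which is why the state collection module matters.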
7. A server, the server comprising: a communication module, a flow-sensitive analysis module, a sensitive data introduction rule base and a malicious behavior detection rule base;
the communication module being configured to receive an APK file sent by a client and to send the APK file to the flow-sensitive analysis module;
the flow-sensitive analysis module being configured to simulate execution of the Android application according to the received APK file, to match the sensitive feature information of the system functions called by the Android application against the sensitive feature information stored in the sensitive data introduction rule base, and to mark the variables of successfully matched system functions as sensitive data; and further configured to match function parameters that contain sensitive data against the malicious behavior detection rules stored in the malicious behavior detection rule base, and to mark successfully matched function parameters as malicious behavior;
the sensitive data introduction rule base being configured to store sensitive feature information;
the malicious behavior detection rule base being configured to store malicious behavior feature information.
8. The server according to claim 7, wherein the server further comprises: a dangerous behavior reporting module configured to, after the simulated execution of the Android application ends, generate a detailed description of the dangerous behavior according to the results of matching against the malicious behavior detection rule base, output a detection report, and send the detection report to the client via the communication module.
9. The server according to claim 7, wherein the server further comprises: a decompression module, a program structure construction module and an entry function parsing module;
the decompression module being configured to decompress the APK file sent by the client, extract the Dalvik bytecode file and the AndroidManifest.xml configuration file from the APK file, send the Dalvik bytecode file to the program structure construction module, and send the AndroidManifest.xml configuration file to the entry function parsing module;
the program structure construction module being configured to disassemble the Dalvik bytecode file, construct a program structure from the information in the Dalvik bytecode file, and send the constructed program structure to the flow-sensitive analysis module;
the entry function parsing module being configured to parse the AndroidManifest.xml configuration file to obtain the entry function name, locate the corresponding function structure in the constructed program structure as the entry function at which analysis starts, and send the obtained entry function to the flow-sensitive analysis module.
10. The server according to any one of claims 7 to 9, wherein the flow-sensitive analysis module comprises: a matching module and a malicious behavior detection module;
the matching module being configured to match the sensitive feature information of the system functions called by the Android application against the sensitive feature information in the sensitive data introduction rule base, mark the variables of successfully matched system functions as sensitive data, and pass the matched data to the malicious behavior detection module for malicious behavior detection;
the malicious behavior detection module being configured to match function parameters that contain sensitive data against the malicious behavior feature information stored in the malicious behavior detection rule base, mark successfully matched function parameters as malicious behavior, and send the matching results to the dangerous behavior reporting module.
11. The server according to claim 7, wherein the flow-sensitive analysis module further comprises an instruction simulation module configured to simulate, according to the program structure constructed by the program structure construction module, the function call sequence and the execution order of the instructions within each function, and, starting from the entry function obtained by the entry function parsing module, to simulate the execution of each instruction in order.
12. The server according to claim 7, wherein the flow-sensitive analysis module further comprises: a program state collection module and a dynamic mechanism connection module; wherein:
the program state collection module being configured to collect program state information of function variables during the simulated execution of instructions, and to send the collected program state information of the function variables to the dynamic mechanism connection module;
the dynamic mechanism connection module being configured to determine, according to the program state information of the function variables collected by the program state collection module, the actual object on which a dynamic-mechanism function is invoked, and to look up the corresponding response function according to the current object.
13. An Android malicious application detection system, the system comprising: a client and the server according to any one of claims 7 to 12;
the client being configured to send the APK file of the Android application under test to the server, and further configured to receive the detection report sent by the server and report the detection result to the user.
PCT/CN2013/082152 2012-09-29 2013-08-23 Android malicious application program detection method, system and device WO2014048194A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210376003.6 2012-09-29
CN201210376003.6A CN102938040B (en) 2012-09-29 Android malicious application detection method, system and equipment

Publications (1)

Publication Number Publication Date
WO2014048194A1 true WO2014048194A1 (en) 2014-04-03

Family

ID=47696936

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/082152 WO2014048194A1 (en) 2012-09-29 2013-08-23 Android malicious application program detection method, system and device

Country Status (1)

Country Link
WO (1) WO2014048194A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105550581A (en) * 2015-12-10 2016-05-04 北京奇虎科技有限公司 Malicious code detection method and device
CN106096405A (en) * 2016-04-26 2016-11-09 浙江工业大学 A kind of Android malicious code detecting method abstract based on Dalvik instruction
CN106372511A (en) * 2016-08-24 2017-02-01 北京奇虎测腾安全技术有限公司 Source code detection system and method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040205411A1 (en) * 2003-03-14 2004-10-14 Daewoo Educational Foundation Method of detecting malicious scripts using code insertion technique
CN102254113A (en) * 2011-06-27 2011-11-23 深圳市安之天信息技术有限公司 Method and system for detecting and intercepting malicious code of mobile terminal
CN102663281A (en) * 2012-03-16 2012-09-12 成都市华为赛门铁克科技有限公司 Method and device for detecting malicious software
CN102938040A (en) * 2012-09-29 2013-02-20 中兴通讯股份有限公司 Malicious Android application program detection method, system and device
CN102945347A (en) * 2012-09-29 2013-02-27 中兴通讯股份有限公司 Method, system and device for detecting Android malicious software

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105550581A (en) * 2015-12-10 2016-05-04 北京奇虎科技有限公司 Malicious code detection method and device
CN106096405A (en) * 2016-04-26 2016-11-09 浙江工业大学 A kind of Android malicious code detecting method abstract based on Dalvik instruction
CN106096405B (en) * 2016-04-26 2019-07-05 浙江工业大学 A kind of Android malicious code detecting method abstract based on Dalvik instruction
CN106372511A (en) * 2016-08-24 2017-02-01 北京奇虎测腾安全技术有限公司 Source code detection system and method

Also Published As

Publication number Publication date
CN102938040A (en) 2013-02-20

Similar Documents

Publication Publication Date Title
US11798028B2 (en) Systems and methods for monitoring malicious software engaging in online advertising fraud or other form of deceit
Spreitzenbarth et al. Mobile-Sandbox: combining static and dynamic analysis with machine-learning techniques
Zhang et al. Towards automatic generation of security-centric descriptions for android apps
Canfora et al. Leila: formal tool for identifying mobile malicious behaviour
US9081961B2 (en) System and method for analyzing malicious code using a static analyzer
Damshenas et al. M0droid: An android behavioral-based malware detection model
CN103186740B (en) A kind of automated detection method of Android malware
Canfora et al. Acquiring and analyzing app metrics for effective mobile malware detection
CN112685737A (en) APP detection method, device, equipment and storage medium
CN102945347A (en) Method, system and device for detecting Android malicious software
Fass et al. Doublex: Statically detecting vulnerable data flows in browser extensions at scale
CN102082802A (en) Behavior-based mobile terminal security protection system and method
WO2017071148A1 (en) Cloud computing platform-based intelligent defense system
CN104392177A (en) Android platform based virus forensics system and method
CN112084497A (en) Method and device for detecting malicious program of embedded Linux system
CN110765459A (en) Malicious script detection method and device and storage medium
Faruki et al. Droidanalyst: Synergic app framework for static and dynamic app analysis
CN112688966A (en) Webshell detection method, device, medium and equipment
Li et al. Large-scale third-party library detection in android markets
US20230252136A1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
Chen et al. Detection, traceability, and propagation of mobile malware threats
WO2014048194A1 (en) Android malicious application program detection method, system and device
KR101657667B1 (en) Malicious app categorization apparatus and malicious app categorization method
Cui et al. TraceDroid: A robust network traffic analysis framework for privacy leakage in Android apps
McBride et al. Security analysis of Contiki IoT operating system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13840530

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13840530

Country of ref document: EP

Kind code of ref document: A1