WO2014048194A1 - Method, system and device for detecting malicious Android application programs - Google Patents

Method, system and device for detecting malicious Android application programs

Info

Publication number
WO2014048194A1
Authority
WO
WIPO (PCT)
Prior art keywords
function
module
server
malicious behavior
sensitive
Prior art date
Application number
PCT/CN2013/082152
Other languages
English (en)
Chinese (zh)
Inventor
巫妍
程绍银
蒋凡
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
中国科学技术大学 (University of Science and Technology of China)
Priority date
Filing date
Publication date
Priority claimed from CN201210376003.6A (CN102938040B)
Application filed by 中兴通讯股份有限公司 (ZTE Corporation) and 中国科学技术大学 (University of Science and Technology of China)
Publication of WO2014048194A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Definitions

  • The invention relates to malicious application detection technology, and in particular to an Android malicious application detection method, system and device.
Background technique
  • Android has attracted a large number of application developers. Because smartphones store a large amount of private user information, they also attract a large number of malicious applications into the application markets, built to steal that information. In addition, the supervision, management and detection mechanisms of the various application markets are still imperfect and do not screen applications for malicious behavior, so private user information is leaked on a large scale and application users suffer great losses.
  • An Android malicious application is software that is installed and run on a user's computer or other terminal without explicitly prompting the user or without the user's permission, infringing the user's legitimate rights and interests.
  • The main malicious behaviors include: malicious deduction (unauthorized charging), privacy theft, remote control, malicious propagation, tariff consumption, system damage, deception and fraud, and rogue behavior.
  • Existing dynamic detection methods mainly perform real-time detection of an installed application by modifying the kernel of the Android emulator, or use symbolic execution to drive the application along a specified path, and thereby obtain the application's malicious behavior.
  • Existing static analysis methods mainly analyze the relevant files in the Android installation package (APK), such as AndroidManifest.xml and the Dalvik bytecode file, extract some of their information as key features, and complete the detection by feature (signature) matching.
  • The dynamic detection method depends on specific trigger conditions and cannot cover all execution paths in a short time.
  • The feature-matching method depends on a signature database and on the acquisition of signatures, which relies largely on manual analysis and entails a huge workload.
Summary of the invention
  • The main purpose of the embodiments of the present invention is to provide an Android malicious application detection method, system and device that detect Android malicious applications without relying on manually analyzed signatures, thereby greatly reducing the workload of technical staff.
  • An embodiment of the present invention provides a method for detecting an Android malicious application, the method including:
  • the server simulates execution of the Android application, matches the sensitive feature information of each system function called by the application against the sensitive feature information stored in the sensitive data introduction rule base, and marks the variables of successfully matched system functions as sensitive data;
  • the functions containing the sensitive data are matched against the malicious behavior feature information stored in the malicious behavior detection rule base, and the successfully matched function parameters are marked as malicious behavior.
  • the method further includes:
  • after the simulated execution of the Android application is completed, the server generates a detailed description of the dangerous behavior based on the result of matching against the malicious behavior detection rule base, outputs a detection report, and reports the detection result to the client.
  • the method further includes:
  • the client sends the APK file of the Android application to be tested to the server, and the server decompresses the APK file and extracts the Dalvik bytecode file and AndroidManifest.xml from it.
  • the method further includes:
  • the server disassembles the Dalvik bytecode file and constructs a program structure from the Dalvik bytecode information, including: an instruction structure, a basic block structure, a function structure, a class structure, a function call graph and a control flow graph;
  • the server parses the AndroidManifest.xml configuration file to obtain the entry function names, and finds the corresponding function structures in the constructed program structure as the entry functions for the simulated execution.
  • the server simulating execution of the Android application comprises:
  • starting from the entry function, the server simulates the function call sequence and the execution order of the instructions within each function according to the constructed program structure, and simulates the execution of each instruction in that order.
  • the method further includes:
  • the server collects program state information of function variables, uses the collected state information to determine the actual calling object of a dynamic mechanism function, and finds the corresponding response function according to that object.
  • An embodiment of the present invention further provides a server, the server including: a communication module, a flow sensitivity analysis module, a sensitive data introduction rule base and a malicious behavior detection rule base; wherein:
  • the communication module is configured to receive the APK file sent by the client and to forward it to the flow sensitivity analysis module;
  • the flow sensitivity analysis module is configured to simulate execution of the Android application according to the received APK file, to match the sensitive feature information of each system function called by the Android application against the sensitive feature information stored in the sensitive data introduction rule base, and to mark the variables of successfully matched system functions as sensitive data; it is also configured to match the function parameters containing the sensitive data against the malicious behavior detection rules stored in the malicious behavior detection rule base, and to mark the successfully matched function parameters as malicious behavior;
  • the sensitive data introduction rule base is configured to store sensitive feature information;
  • the malicious behavior detection rule base is configured to store malicious behavior feature information.
  • the server further comprises a dangerous behavior reporting module, configured to generate, after the flow sensitivity analysis module has finished simulating execution of the Android application, a detailed description of the dangerous behavior based on the result of matching against the malicious behavior detection rule base, to output a detection report, and to send the detection report to the client through the communication module.
  • the server further includes: a decompression module, a program structure construction module, and an entry function parsing module;
  • the decompression module is configured to decompress the APK file sent by the client, extract the Dalvik bytecode file and the AndroidManifest.xml configuration file from it, send the Dalvik bytecode file to the program structure construction module, and send the AndroidManifest.xml configuration file to the entry function parsing module;
  • the program structure construction module is configured to disassemble the Dalvik bytecode file, and construct a program structure according to the information of the Dalvik bytecode file, and send the constructed program structure to the flow sensitivity analysis module;
  • the entry function parsing module is configured to parse the AndroidManifest.xml configuration file to obtain the entry function name, find the corresponding function structure in the constructed program structure as the entry function at which analysis starts, and send the obtained entry function to the flow sensitivity analysis module.
  • the flow sensitivity analysis module comprises: a matching module and a malicious behavior detecting module; wherein:
  • the matching module is configured to match the sensitive feature information of each system function called by the Android application against the sensitive feature information in the sensitive data introduction rule base, mark the variables of successfully matched system functions as sensitive data, and send the matched data to the malicious behavior detecting module for malicious behavior detection;
  • the malicious behavior detecting module is configured to match the function parameter containing the sensitive data with the malicious behavior characteristic information stored in the malicious behavior detection rule base, mark the successfully matched function parameter as a malicious behavior, and send the matching result to the Dangerous Behavior Reporting Module.
  • the flow sensitivity analysis module further includes an instruction simulation module, configured to simulate, according to the constructed program structure, the function call sequence and the execution order of the instructions within each function, starting from the entry function obtained by the entry function parsing module, and to simulate the execution of each instruction in that order.
  • the flow sensitivity analysis module further includes: a program state collection module and a dynamic mechanism connection module; wherein:
  • the program state collection module is configured to collect program state information of the function variable during the simulation execution of the instruction, and send the program state information of the collected function variable to the dynamic mechanism connection module;
  • the dynamic mechanism connection module is configured to determine the actual calling object of a dynamic mechanism function according to the program state information of the function variables collected by the program state collection module, and to find the corresponding response function according to that object.
  • the embodiment of the present invention further provides an Android malicious application detection system, where the system includes: a client and a server according to an embodiment of the present invention;
  • the client is configured to send the APK file of the Android application to be tested to the server; and is configured to receive the detection report sent by the server, and report the detection result to the user.
  • The technical solution provided by the embodiments of the present invention simulates execution of the application, matches the sensitive feature information of each system function called by the application against the sensitive feature information stored in the sensitive data introduction rule base, marks the variables of successfully matched system functions as sensitive data, matches the functions containing sensitive data against the malicious behavior feature information stored in the malicious behavior detection rule base, and marks the successfully matched function parameters as malicious behavior.
  • The technical solution of the embodiments of the present invention therefore does not depend on a signature database obtained by manual analysis, which greatly reduces the workload of technicians, and does not depend on specific trigger conditions: it can cover all execution paths in a short time and detect the application's malicious behavior accurately and promptly.
  • FIG. 1 is a schematic flowchart of a method for detecting an Android malicious application according to Embodiment 1 of the present invention;
  • FIG. 2 is a schematic diagram of a composition of an Android malicious application detection system according to Embodiment 1 of the present invention
  • FIG. 3 is a schematic flowchart of a method for detecting an Android malicious application according to Embodiment 2 of the present invention.
  • In the embodiments of the present invention, the server simulates execution of the Android application, matches the sensitive feature information of each system function called by the application against the sensitive feature information stored in the sensitive data introduction rule base, and marks the variables of successfully matched system functions as sensitive data; it then matches the functions containing sensitive data against the malicious behavior feature information stored in the malicious behavior detection rule base and marks the successfully matched function parameters as malicious behavior.
  • FIG. 1 is a schematic flowchart of a method for detecting an Android malicious application according to Embodiment 1 of the present invention. As shown in FIG. 1, the method includes the following steps:
  • Step 11: The server simulates execution of the Android application based on the APK file of the Android application sent by the client.
  • the client sends the APK file of the Android application to be tested to the server.
  • the server can unpack the APK file with software such as WinRAR or APKTOOL.jar and extract the Dalvik bytecode file (classes.dex) and the AndroidManifest.xml configuration file from it.
  • the server simulates the execution of the Android application according to the APK file of the Android application sent by the client, including:
  • the server disassembles the Dalvik bytecode file and constructs the program structure from the Dalvik bytecode information, including the instruction structure, basic block structure, function structure, class structure, function call graph and control flow graph.
  • the server parses the AndroidManifest.xml configuration file to obtain the entry function names, for example by extracting the value of the "android:name" attribute of each activity, service, receiver and provider element as an entry function name, and finds the corresponding function structure in the constructed program structure as an entry function for the simulated execution.
  • the server starts from the entry function, simulates the call sequence of the function and the execution order of the instructions within the function according to the constructed program structure, and simulates the execution of each instruction in turn according to the execution order of the instructions.
  • the execution order of the instructions within a function is generated from the control flow graph, using a graph traversal algorithm that ensures each basic block is executed at least once: for a branch, every branch is executed; for a loop, the instructions of the loop body are executed at least once. In the inter-procedural analysis stage, the function call sequence is generated from the function call graph, and the function actually called at each call site is computed from the parameter types at that call site.
  • the function call sequence can be analyzed using the semantic information of the function parameters. For each function call instruction, handled in order of the function's frequency of use from high to low, the server first determines whether the call is a virtual function or interface call; if so, the function actually called is looked up from the type of the this parameter. If not, it determines whether the function is implemented by the user (in the application code); if so, the called function is entered and its instruction execution sequence is calculated. If not, it determines whether the function is a dynamic mechanism function; if so, the corresponding response function is looked up and entered, and execution continues in sequence; otherwise the analysis of this call ends.
  • the server collects the program state information of the function variable, and uses the program state information of the collected variable to determine the actual calling object of the dynamic mechanism function, and finds the relevant response function according to the current object.
  • the program state information collected for function variables includes the type information and value information of each variable; for dynamic-mechanism-related functions such as interface calls and virtual functions, the collected variable state is used to determine the actual calling object, and the corresponding response function is found according to that object.
  • Step 12: During the simulated execution of the Android application, the server matches the sensitive feature information of each system function called by the Android application against the sensitive feature information stored in the sensitive data introduction rule base, and marks the variables of successfully matched system functions as sensitive data.
  • the sensitive data introduction rule base mainly records matching rules of sensitive data, where the sensitive data refers to some data related to user privacy or system security, such as a user's address book, geographic location, mobile device number, etc.;
  • the sensitive data introduction rule base records the library functions that introduce sensitive data into the program, including the function name, the class name of the function, the number of parameters, the type of sensitive data introduced, whether the function is static, and the taint status of each parameter in the parameter list.
  • the malicious behaviors in the application to be detected include: sending a short message with fixed content to a fixed number in order to subscribe to a service provider (SP) service and consume the user's fees without the user's knowledge; opening a fixed Uniform Resource Locator (URL) to consume the user's fees; and executing a fixed system command to modify or delete the user's files.
  • the fixed-content short message, the fixed number, the fixed URL and the fixed system command enter the parameters of the dangerous functions as sensitive data in the form of fixed strings in the code of the application to be detected.
  • such a function call is identified as carrying sensitive data; further detection then determines whether the function call is malicious.
  • Step 13: The server matches the functions containing the sensitive data against the malicious behavior feature information stored in the malicious behavior detection rule base, and marks the successfully matched function parameters as malicious behavior.
  • the malicious behavior detection rule base mainly records detection rules for malicious behaviors.
  • malicious behavior is generally triggered by system functions that communicate with the outside, such as connecting to the network or sending text messages; if the call site of such a function is found to contain sensitive data, malicious behavior has been found. The malicious behavior detection rule base mainly records the malicious behavior name, the malicious behavior type, the list of sensitive data types and the list of dangerous function types.
  • in step 12, if the sensitive feature information of a system function called by the application to be detected matches the sensitive feature information stored in the sensitive data introduction rule base, the system function call is determined to meet the preliminary features of malicious behavior, namely sending a fixed-content SMS to a fixed number, opening a fixed URL, or executing a fixed system command, where the fixed-content SMS, the fixed number, the fixed URL and the fixed system command enter the parameters of the dangerous function in the form of sensitive data to implement the sensitive behavior.
  • the server then matches the malicious feature information of the system function called in the sensitive behavior against the malicious behavior feature information stored in the malicious behavior detection rule base to determine whether the sensitive behavior is malicious behavior, namely: whether a fixed-content SMS is sent to a fixed number to subscribe to an SP service and consume the user's fees; whether a fixed URL or Internet Protocol (IP) address is opened, causing the user to consume tariff; and whether a fixed system command is executed, causing loss to the user's files. If so, the function call is identified as a malicious act and the application to be detected is determined to be a malicious application.
  • a malicious behavior detection report is then generated, which details the triggering process of each detected malicious behavior, the sensitive data it operates on and the harm it causes, classifies the detected dangerous behaviors, calculates the degree of danger and the possible harm, outputs program information such as the calling path of each dangerous behavior, and sends the detection report to the client; the report may be represented graphically, in Extensible Markup Language (XML), or in other forms.
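Steps 11 to 13 above, together with the call-sequence rules described under Step 11 (user-implemented callees stepped into, every branch of the control flow graph covered at least once, loop bodies executed at least once), can be carried through on a small disassembled listing. The Python below is an added example written for this page, not the patent's or the applicants' implementation. The two rule bases (SOURCE_RULES and SINK_RULES), the behavior names, the smali-like listing of a hypothetical Lcom/example/Pay class with an abbreviated sendTextMessage descriptor, and the decision to treat every string literal as fixed content are constructed assumptions; register state is tracked only for the instruction forms listed, with no StringBuilder, field or exception-edge propagation.

```python
import re

# Sources (constructed): a matched library call's result is sensitive data of the given type.
SOURCE_RULES = {("Landroid/telephony/TelephonyManager;", "getDeviceId"): "DEVICE_ID"}
# Sinks (constructed): dangerous function -> behaviours, each naming the taint
# types required at given argument positions (position 0 is the receiver).
SINK_RULES = {
    ("Landroid/telephony/SmsManager;", "sendTextMessage"): [
        ("MALICIOUS_DEDUCTION", {1: {"FIXED_STRING"}, 3: {"FIXED_STRING"}}),
        ("PRIVACY_THEFT", {1: {"FIXED_STRING"}, 3: {"DEVICE_ID"}}),
    ],
}
# Only these smali forms are interpreted; any other instruction is skipped.
INVOKE = re.compile(r"invoke-[\w/]+ \{([^}]*)\}, (L[^;]+;)->([\w<>]+)\(")
MOVE_RESULT = re.compile(r"move-result(?:-\w+)? (\w+)")
CONST = re.compile(r"const(?:-string|/\w+)? (\w+), (.+)")
IF = re.compile(r"if-\w+ [\w, ]+, (:\w+)")
GOTO = re.compile(r"goto(?:/\w+)? (:\w+)")
RETURN = re.compile(r"return(?:-\w+)?(?: (\w+))?")

def parse(body):
    """Split a smali-like method body into an instruction list and a label map."""
    insns, labels = [], {}
    for line in filter(None, map(str.strip, body.splitlines())):
        if line.startswith(":"):
            labels[line] = len(insns)        # a label names the next instruction
        else:
            insns.append(line)
    return insns, labels

def simulate(methods, name, args, findings, depth=0):
    """Simulate methods[name] with argument taint `args` (for p0, p1, ...) and
    return the taint of its return value; sink matches go into `findings`.
    Taint maps registers to sets of taint types. Both outcomes of each if are
    followed and an instruction is entered at most once per path, so a loop body
    runs at least once. Callees that are keys of `methods` are stepped into."""
    insns, labels = parse(methods[name])
    ret = set()
    def walk(pc, taint, visits, pending):
        while pc < len(insns):
            visits[pc] = visits.get(pc, 0) + 1
            if visits[pc] > 1:
                return
            ins = insns[pc]
            if m := INVOKE.match(ins):
                regs = [r.strip() for r in m.group(1).split(",") if r.strip()]
                key = (m.group(2), m.group(3))
                for behaviour, want in SINK_RULES.get(key, []):
                    if all(p < len(regs) and taint.get(regs[p], set()) & t
                           for p, t in want.items()):
                        findings.add((behaviour, name, pc))
                callee = f"{key[0]}->{key[1]}"
                if key in SOURCE_RULES:
                    pending = {SOURCE_RULES[key]}
                elif callee in methods and depth < 8:   # user-implemented: step in
                    pending = simulate(methods, callee, [taint.get(r, set()) for r in regs],
                                       findings, depth + 1)
                else:                            # other library call: clean result
                    pending = set()
            elif m := MOVE_RESULT.match(ins):
                taint[m.group(1)] = set(pending)
            elif m := CONST.match(ins):          # string literal = fixed content
                taint[m.group(1)] = {"FIXED_STRING"} if m.group(2).startswith('"') else set()
            elif m := IF.match(ins):             # taken branch first, then fall through
                walk(labels[m.group(1)], dict(taint), dict(visits), pending)
            elif m := GOTO.match(ins):
                pc = labels[m.group(1)]
                continue
            elif m := RETURN.match(ins):
                ret.update(taint.get(m.group(1), set()))
                return
            pc += 1
    walk(0, {f"p{i}": set(a) for i, a in enumerate(args)}, {}, set())
    return ret

def analyze(methods, entry):
    findings = set()
    simulate(methods, entry, [], findings)
    return sorted(findings)

# Constructed disassembly (descriptors abbreviated, receiver set-up elided) of a premium-SMS app.
SMS = "Landroid/telephony/SmsManager;->sendTextMessage(...)V"
METHODS = {
    "Lcom/example/Pay;->onCreate": f"""
        const-string v1, "10086"
        const-string v2, "ORDER VIP"
        const/4 v3, 0x0
        if-eqz v3, :skip
        invoke-virtual {{v0, v1, v3, v2, v3, v3}}, {SMS}
        :skip
        invoke-virtual {{p0}}, Lcom/example/Pay;->deviceId()Ljava/lang/String;
        move-result-object v5
        invoke-virtual {{v0, v1, v3, v5, v3, v3}}, {SMS}
        return-void""",
    "Lcom/example/Pay;->deviceId": """
        invoke-virtual {v4}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
        move-result-object v0
        return-object v0""",
}
```

analyze(METHODS, "Lcom/example/Pay;->onCreate") reports MALICIOUS_DEDUCTION at instruction 4 (the fixed number "10086" and the fixed text "ORDER VIP" both reach sendTextMessage) and PRIVACY_THEFT at instruction 7 (fixed number plus a value that flows back from getDeviceId through the stepped-into deviceId method). The first call lies on one side of the if-eqz, so it is reported only because both outcomes of the branch are simulated rather than the condition evaluated; this is the sense in which the patent's method does not depend on a trigger condition, and it is also why a production analysis needs a path budget or state merging once the control flow graph grows.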
  • FIG. 2 is a schematic diagram of the composition of the Android malicious application detection system according to the first embodiment of the present invention.
  • the system includes a client 11 and a server 12; wherein: the client 11 is configured to send the APK file of the Android application to be tested to the server 12;
  • the server 12 is configured to simulate execution of the Android application according to the APK file sent by the client 11, to match the sensitive feature information of each system function called by the Android application against the sensitive feature information stored in the sensitive data introduction rule base, and to mark the variables of successfully matched system functions as sensitive data; and to match the function parameters containing the sensitive data against the malicious behavior feature information stored in the malicious behavior detection rule base, and to mark the successfully matched function parameters as malicious behavior.
  • the server 12 is further configured to send a detection report to the client after the simulation is completed.
  • the client 11 is further configured to receive a detection report sent by the server 12 and report the detection result to the user.
  • the first embodiment of the present invention further provides a server.
  • the server 12 includes: a communication module 121, a flow sensitivity analysis module 123, a sensitive data introduction rule base 124 and a malicious behavior detection rule base 125; wherein:
  • the communication module 121 is configured to receive the APK file sent by the client 11 and to forward it to the flow sensitivity analysis module 123;
  • the flow sensitivity analysis module 123 is configured to simulate execution of the Android application according to the received APK file, to match the sensitive feature information of each system function called by the Android application against the sensitive feature information stored in the sensitive data introduction rule base 124, and to mark the variables of successfully matched system functions as sensitive data; it is also configured to match the function parameters containing the sensitive data against the malicious behavior detection rules stored in the malicious behavior detection rule base 125, and to mark the successfully matched function parameters as malicious behavior;
  • the sensitive data introduction rule base 124 is configured to store sensitive feature information;
  • the malicious behavior detection rule base 125 is configured to store malicious behavior feature information.
  • the server 12 further includes a dangerous behavior reporting module 122, configured to generate, after the flow sensitivity analysis module 123 has finished simulating execution of the Android application, a detailed description of the dangerous behavior according to the result of matching against the malicious behavior detection rule base 125, to output a detection report, and to send the detection report to the client 11 through the communication module 121.
  • the server 12 further includes: a decompression module 128, a program structure building module 126, and an entry function parsing module 127; wherein:
  • the decompression module 128 is configured to decompress the APK file sent by the client, extract the Dalvik bytecode file and the AndroidManifest.xml configuration file from it, send the Dalvik bytecode file to the program structure construction module 126, and send the AndroidManifest.xml configuration file to the entry function parsing module 127;
  • the program structure construction module 126 is configured to disassemble the Dalvik bytecode file, construct a program structure from the Dalvik bytecode information, and send the constructed program structure to the flow sensitivity analysis module 123;
  • the entry function parsing module 127 is configured to parse the AndroidManifest.xml configuration file to obtain the entry function name, find the corresponding function structure in the constructed program structure as the entry function at which analysis starts, and send the obtained entry function to the flow sensitivity analysis module 123.
  • the flow sensitivity analysis module 123 includes: a matching module 1231 and a malicious behavior detecting module 1232; wherein:
  • the matching module 1231 is configured to match the sensitive feature information of each system function called by the Android application against the sensitive feature information in the sensitive data introduction rule base 124, mark the variables of successfully matched system functions as sensitive data, and send the matched data to the malicious behavior detecting module 1232 for malicious behavior detection;
  • the malicious behavior detecting module 1232 is configured to match the function parameters containing the sensitive data against the malicious behavior feature information stored in the malicious behavior detection rule base 125, mark the successfully matched function parameters as malicious behavior, and send the matching result to the dangerous behavior reporting module 122.
  • the flow sensitivity analysis module 123 further includes an instruction simulation module 1235, configured to simulate, according to the program structure constructed by the program structure construction module 126, the function call sequence and the execution order of the instructions within each function, starting from the entry function obtained by the entry function parsing module 127, and to simulate the execution of each instruction in that order.
  • the flow sensitivity analysis module 123 further includes: a program state collection module 1234 and a dynamic mechanism connection module 1233; wherein:
  • the program state collection module 1234 is configured to collect program state information of the function variable during the simulation execution of the instruction, and send the program state information of the collected function variable to the dynamic mechanism connection module 1233;
  • the dynamic mechanism connection module 1233 is configured to determine the actual calling object of a dynamic mechanism function according to the program state information of the variables collected by the program state collection module 1234, and to find the corresponding response function according to that object.
  • in practical applications, the dangerous behavior reporting module 122, the decompression module 128, the program structure construction module 126, the entry function parsing module 127, the flow sensitivity analysis module 123 and its submodules (the matching module 1231, the malicious behavior detecting module 1232, the program state collection module 1234, the dynamic mechanism connection module 1233 and the instruction simulation module 1235) in the server 12 may be implemented by a central processing unit (CPU) or a digital signal processor (DSP) in the server;
  • the sensitive data introduction rule base 124 and the malicious behavior detection rule base 125 may be implemented by a memory or a storage database.
  • FIG. 3 is a schematic flowchart of a method for detecting an Android malicious application according to Embodiment 2 of the present invention. As shown in FIG. 3, the method includes the following steps:
  • Step 301: The client sends the APK file of the Android application under test to the server; the server unpacks the APK file and extracts the Dalvik bytecode file (classes.dex) and the AndroidManifest.xml configuration file.
  • The server may unpack the APK file (a ZIP archive) with decompression software such as WinRAR, or with the apktool.jar tool.
  • The AndroidManifest.xml inside an APK is stored in a compiled binary XML format rather than as plain text (it is encoded, not encrypted); it can be decoded back to readable XML with AXMLPrinter2.jar, apktool.jar and similar tools.
  • Step 302: The server disassembles the Dalvik bytecode file and constructs the program structure from the disassembled bytecode information.
  • The extracted Dalvik bytecode file may be disassembled with a tool such as baksmali (from the smali project) or IDA Pro.
  • The program structure constructed from the disassembled Dalvik bytecode includes instruction structures, basic block structures, function structures, class structures, the function call graph, control flow graphs, and so on.
  • Step 303: The server parses the AndroidManifest.xml configuration file to obtain the entry function names, and looks up the corresponding function structures in the constructed program structure to serve as the entry functions of the simulated execution.
  • The AndroidManifest.xml configuration file records the detailed information needed to run the application. Parsing it extracts the value of the "android:name" attribute of each activity, service, receiver and provider element as an entry class; the corresponding function structure is then looked up in the constructed program structure and used as an entry function of the simulated execution. Taking InitOnlineActivity as an example, the corresponding entry function is:
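The manifest parsing of Step 303, as an added example that is not the patent's own code: it takes an AndroidManifest.xml already decoded from binary AXML to plain XML (by apktool or AXMLPrinter2), reads the android:name of each activity, service, receiver and provider, expands the shorthand class names against the package, converts them to the Dalvik type descriptors under which the class structures are stored, and pairs each component with the framework callbacks a simulation would start from. The sample manifest, the package name and the callback table ENTRY_METHODS are constructed assumptions.

```python
"""Entry-function extraction from a decoded AndroidManifest.xml (added example).

Not the patent's code.  Assumes the manifest was already decoded from binary AXML
to plain XML and that the callbacks in ENTRY_METHODS are the simulation entries.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS          # ElementTree key for android:name

# Framework callbacks that reach each component kind first (assumed entry set).
ENTRY_METHODS = {
    "activity": ("onCreate", "onStart", "onResume"),
    "service": ("onCreate", "onStartCommand", "onBind"),
    "receiver": ("onReceive",),
    "provider": ("onCreate", "query", "insert", "update", "delete"),
}


def resolve_class(package: str, name: str) -> str:
    """Expand the android:name shorthand: '.Foo' and 'Foo' both mean '<package>.Foo'."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def to_descriptor(cls: str) -> str:
    """Java class name -> Dalvik type descriptor used to look up the class structure."""
    return "L" + cls.replace(".", "/") + ";"


def entry_functions(manifest_xml: str) -> list:
    """Return (component kind, class descriptor, method) triples to start simulation from."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    entries = []
    if app is None:
        return entries
    for comp in app:
        if comp.tag not in ENTRY_METHODS:
            continue                          # meta-data, uses-library, ... are not components
        name = comp.get(NAME_ATTR)
        if not name:
            continue
        cls = to_descriptor(resolve_class(package, name))
        for method in ENTRY_METHODS[comp.tag]:
            entries.append((comp.tag, cls, method))
    return entries


# Constructed sample manifest in decoded form; not taken from any real application.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:label="demo">
    <activity android:name=".InitOnlineActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name="SyncService"/>
    <receiver android:name="com.example.app.BootReceiver"/>
    <meta-data android:name="ignored" android:value="1"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for kind, cls, method in entry_functions(SAMPLE_MANIFEST):
        print(kind, cls, method)
```

Each returned descriptor is exactly the key under which a class structure built from the disassembled bytecode is found, so the entry functions can be resolved without any string massaging at the call site; components declared without android:name and non-component children of application are skipped rather than guessed.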
  • Step 304: Starting from the entry function and following the constructed program structure, the server simulates the calling sequence of functions and the execution order of the instructions within each function, and simulates the execution of each instruction in that order.
  • The execution order of the instructions within a function is generated from the control flow graph, using a graph traversal that guarantees every basic block is executed at least once: for a branch, every branch target is executed; for a loop, the instructions of the loop body are executed at least once.
  • The calling sequence of functions is generated from the function call graph, and the function that should actually be called is computed from the parameter types at the call site.
  • Concretely, the calling sequence may be resolved using the semantic information of the function parameters. For each function call instruction: first determine whether the call is a virtual function or interface call; if so, find the function actually called from the type of the this parameter. Otherwise, determine whether the function is user-implemented; if so, execute the called function internally and use the instruction simulation module to compute the instruction execution sequence of the called function. Otherwise, determine whether the function is a dynamic mechanism function; if so, enter the dynamic mechanism connection module to find the corresponding function and continue the simulated execution there; otherwise the analysis of that call ends.
  • Step 305: During the simulated execution of the instructions, the server collects program state information of the function variables, uses the collected state to determine the actual call object of each dynamic mechanism function, and finds the corresponding response function from that object.
  • Collecting the program state information of the function variables means recording the type information and value information of each variable. For functions related to dynamic mechanisms, such as interface calls and virtual function calls, the actual calling object is determined from the collected variable state, and the response function that is really invoked is looked up according to that object.
  • Step 306: During the simulated execution of the Android application, the server matches the sensitive feature information of each system function called by the application against the sensitive feature information stored in the rule base, and marks the variable receiving the result of a successfully matched system function as sensitive data.
  • In the code fragment under discussion, the TelephonyManager system object obtained from the system is saved in the variable v0; when execution reaches the fourth line of code,
  • the getDeviceId() function reads the device identifier of the user's equipment. All library functions that read the user's private data are recorded in the sensitive data introduction rule base, and the getDeviceId rule in that rule base is as follows:
  • the function name is getDeviceId and the function class name is TelephonyManager. Therefore, when the fourth line of code is executed, the current function is found to satisfy a rule in the sensitive data introduction rule base; according to the description of that rule, the return value of the current function must be marked as sensitive data, so when execution reaches the fifth line, the variable v1 contains sensitive data and is marked as sensitive.
  • Step 307: The server matches each function that consumes the sensitive data against the malicious behavior feature information stored in the malicious behavior detection rule base, and marks the parameter of a successfully matched function as a malicious behavior.
  • The malicious behavior detection rule base stores the detection rules for malicious behaviors; if a call satisfies one of these rules, the detected function parameter is marked as a malicious behavior.
  • The part of the code fragment that transmits the user's private data and matches the malicious behavior detection rule base is as follows:
  • a URL system object is created and stored in the variable v9; this object can communicate with a network server. When execution reaches the second line,
  • the variable v15 is found to contain sensitive data (the device identifier from the example above), and the information contained in v15 is stored into v9. When the third line is executed, the current function is detected to satisfy a rule in the malicious behavior detection rule base, namely the openConnection rule, which is as follows:
  • the function name is openConnection,
  • the function class name is URL.
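The core of Steps 304 to 307, as an added example that is not the patent's code: a small interpreter over a constructed smali-like instruction list. It walks each function's control flow graph so that every basic block runs at least once, executes user-implemented callees internally with the caller's register state mapped onto their parameters, marks the return value of any call that matches a sensitive data introduction rule, propagates the mark through moves and library calls, and records a malicious behavior together with its call path when marked data reaches a call that matches a malicious behavior detection rule. The instruction encoding, the two rule tables, the sample methods (modelled on the getDeviceId / openConnection fragment described above) and the conservative treatment of unknown library calls are all assumptions of this example; virtual-call resolution by receiver type (Steps 304 and 305) is not modelled, the call target is taken from the instruction.

```python
"""Simulated execution with sensitive-data marking over a smali-like IR (added example).

Not the patent's code.  Instruction tuples, the two rule tables, the sample methods
and the handling of unknown library calls are constructed assumptions.
"""
from dataclasses import dataclass, field

# Sensitive data introduction rules: (class descriptor, method) -> label for the return value.
SOURCE_RULES = {
    ("Landroid/telephony/TelephonyManager;", "getDeviceId"): "device id",
    ("Landroid/telephony/TelephonyManager;", "getLine1Number"): "phone number",
}
# Malicious behavior detection rules: calls flagged when a marked value reaches an argument.
SINK_RULES = {
    ("Ljava/net/URL;", "openConnection"): "sends private data to the network",
    ("Landroid/telephony/SmsManager;", "sendTextMessage"): "sends private data by SMS",
}


@dataclass
class Method:
    """Function structure: basic blocks by label, CFG successors, parameter registers."""
    name: str
    blocks: dict
    succ: dict
    params: tuple = ()
    entry: str = "B0"


@dataclass
class Finding:
    sink: tuple
    behavior: str
    data: frozenset
    path: tuple


@dataclass
class Simulator:
    user_methods: dict                      # (class, method) -> Method implemented by the app
    findings: list = field(default_factory=list)

    def run(self, entry: Method) -> list:
        self.simulate(entry, {}, (entry.name,))
        return self.findings

    def simulate(self, method: Method, regs: dict, path: tuple) -> set:
        """Traverse the CFG so each block executes at least once; return the return value's marks."""
        ret_marks, visited, stack = set(), set(), [(method.entry, regs)]
        while stack:
            label, state = stack.pop()
            if label in visited:
                continue
            visited.add(label)
            state = {r: set(m) for r, m in state.items()}       # program state is per path
            for ins in method.blocks[label]:
                self.step(ins, state, path)
                if ins[0] == "return":
                    ret_marks |= state.get(ins[1], set())
            stack.extend((nxt, state) for nxt in method.succ.get(label, ()))
        return ret_marks

    def step(self, ins: tuple, state: dict, path: tuple) -> None:
        op = ins[0]
        if op in ("const", "new-instance"):
            state[ins[1]] = set()                               # fresh value, not sensitive
        elif op == "move":
            state[ins[1]] = set(state.get(ins[2], set()))
        elif op == "move-result":
            state[ins[1]] = state.pop("__result", set())
        elif op == "invoke":
            _, cls, name, args = ins
            key, arg_marks = (cls, name), set().union(*(state.get(r, set()) for r in args))
            if key in self.user_methods:                        # user-implemented: execute internally
                callee = self.user_methods[key]
                callee_regs = {p: set(state.get(r, set())) for p, r in zip(callee.params, args)}
                result = self.simulate(callee, callee_regs, path + (callee.name,))
            elif key in SOURCE_RULES:                           # rule hit: mark the return value
                result = {SOURCE_RULES[key]}
            else:
                if key in SINK_RULES and arg_marks:             # marked data reaches a sink
                    self.findings.append(Finding(key, SINK_RULES[key], frozenset(arg_marks), path))
                if args:                                        # unknown library call: assume it may
                    state[args[0]] = state.get(args[0], set()) | arg_marks  # keep args in the receiver
                result = set(arg_marks)                         # and derive its result from them
            state["__result"] = result


# Constructed sample modelled on the fragment described above: the device id read in
# onCreate is passed to upload(), stored in a URL object, and openConnection() is called.
APP = "Lcom/example/InitOnlineActivity;"
ON_CREATE = Method("InitOnlineActivity.onCreate", params=("p0", "p1"), blocks={
    "B0": [("const", "v2"),
           ("invoke", "Landroid/content/Context;", "getSystemService", ("p0", "v2")),
           ("move-result", "v0"),                               # v0 = TelephonyManager
           ("invoke", "Landroid/telephony/TelephonyManager;", "getDeviceId", ("v0",)),
           ("move-result", "v1")],                              # v1 is marked "device id"
    "B1": [("invoke", APP, "upload", ("p0", "v1"))],            # one branch leaks it
    "B2": [("const", "v4"), ("invoke", APP, "upload", ("p0", "v4"))],   # the other does not
    "B3": [("return-void",)],
}, succ={"B0": ("B1", "B2"), "B1": ("B3",), "B2": ("B3",)})
UPLOAD = Method("InitOnlineActivity.upload", params=("p0", "p1"), blocks={"B0": [
    ("new-instance", "v9"),                                     # v9 = new URL(...)
    ("move", "v15", "p1"),
    ("invoke", "Ljava/net/URL;", "<init>", ("v9", "v15")),       # marked data stored in v9
    ("invoke", "Ljava/net/URL;", "openConnection", ("v9",)),    # matches the openConnection rule
    ("move-result", "v5"),
    ("return-void",)]}, succ={})


def detect() -> list:
    return Simulator({(APP, "upload"): UPLOAD}).run(ON_CREATE)


if __name__ == "__main__":
    for f in detect():
        print(f"{f.behavior}: {f.sink[1]} fed {sorted(f.data)} via {' -> '.join(f.path)}")
```

Running the block reports a single behavior, openConnection fed with the device id via onCreate -> upload; the second call of upload() with a clean argument produces nothing, which is the difference between marking the function and marking the parameter that the page describes. The rule tables are keyed by Dalvik type descriptor and method name, which is exactly what an invoke instruction carries, so the matching module needs no type inference for library calls. Because every block is visited once per traversal and each path carries its own copy of the register state, the walk terminates on loops while still executing each loop body at least once.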
  • Step 308: After the server finishes the simulated execution of the Android application, it produces a detection report from the matching results and sends the report to the client.
  • The malicious behavior detection report describes in detail the triggering process of each detected malicious behavior, the sensitive data it operates on and the harm it causes; it classifies the detected dangerous behaviors by category, computes their degree of danger and possible consequences, and outputs program information such as the call path of each dangerous behavior. After detection completes, statistics such as the time spent, the number of instructions and functions analysed, and the instruction and function coverage are also output.
  • The above information can finally be presented in various forms, such as graphical or XML.
  • The generated detection report is sent by the server to the client.
  • The embodiment of the present invention simulates the execution of the application program, matches the sensitive feature information of the system functions called by the application against the sensitive feature information stored in the rule base, and marks the variable of each successfully matched system function as sensitive data;
  • it then matches the functions operating on that sensitive data against the malicious behavior feature information stored in the malicious behavior detection rule base, and marks the successfully matched function parameters as malicious behavior.
  • The technical solution of the embodiment does not depend on a signature database obtained by manual analysis, which greatly reduces the workload of technicians; it also does not depend on a specific trigger condition, and can cover all execution paths in a short time, so that malicious behavior of the application can be detected accurately and promptly.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Telephonic Communication Services (AREA)

Abstract

According to one embodiment, the present invention relates to a method, system and device for detecting Android malicious application programs, the detection method comprising the following steps: a server simulates the execution of an Android application program, matches the sensitive feature information of a system function invoked by the Android application program against the sensitive feature information stored in a sensitive data introduction rule base, and marks the variable of the successfully matched system function as sensitive data; the server matches the function containing the sensitive data against the malicious behavior feature information stored in a malicious behavior detection rule base, and marks the parameter of the successfully matched function as a malicious behavior. The technical solution of the embodiment of the present invention makes it possible to detect a malicious application program without relying on human analysis of signature code, which reduces the workload of technical personnel.
PCT/CN2013/082152 2012-09-29 2013-08-23 Method, system and device for detecting Android malicious application programs WO2014048194A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210376003.6A CN102938040B (zh) 2012-09-29 Android malicious application detection method, system and device
CN201210376003.6 2012-09-29

Publications (1)

Publication Number Publication Date
WO2014048194A1 true WO2014048194A1 (fr) 2014-04-03

Family

ID=47696936

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/082152 WO2014048194A1 (fr) 2012-09-29 2013-08-23 Method, system and device for detecting Android malicious application programs

Country Status (1)

Country Link
WO (1) WO2014048194A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040205411A1 (en) * 2003-03-14 2004-10-14 Daewoo Educational Foundation Method of detecting malicious scripts using code insertion technique
CN102254113A (zh) * 2011-06-27 2011-11-23 深圳市安之天信息技术有限公司 Method and system for detecting and intercepting malicious code on mobile terminals
CN102663281A (zh) * 2012-03-16 2012-09-12 成都市华为赛门铁克科技有限公司 Method and apparatus for detecting malware
CN102938040A (zh) * 2012-09-29 2013-02-20 中兴通讯股份有限公司 Android malicious application detection method, system and device
CN102945347A (zh) * 2012-09-29 2013-02-27 中兴通讯股份有限公司 Method, system and device for detecting Android malware

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105550581A (zh) * 2015-12-10 2016-05-04 北京奇虎科技有限公司 Malicious code detection method and apparatus
CN106096405A (zh) * 2016-04-26 2016-11-09 浙江工业大学 Android malicious code detection method based on Dalvik instruction abstraction
CN106096405B (zh) * 2016-04-26 2019-07-05 浙江工业大学 Android malicious code detection method based on Dalvik instruction abstraction
CN106372511A (zh) * 2016-08-24 2017-02-01 北京奇虎测腾安全技术有限公司 Source code detection system and method

Also Published As

Publication number Publication date
CN102938040A (zh) 2013-02-20 Android malicious application detection method, system and device

Similar Documents

Publication Publication Date Title
US11295341B2 (en) Systems and methods for monitoring malicious software engaging in online advertising fraud or other form of deceit
CN105069355B (zh) Static detection method and apparatus for webshell variants
Spreitzenbarth et al. Mobile-Sandbox: combining static and dynamic analysis with machine-learning techniques
Damshenas et al. M0droid: An android behavioral-based malware detection model
US9081961B2 (en) System and method for analyzing malicious code using a static analyzer
CN103186740B (zh) Automated detection method for Android malware
Canfora et al. Acquiring and analyzing app metrics for effective mobile malware detection
CN112685737A (zh) App detection method, apparatus, device and storage medium
Fass et al. Doublex: Statically detecting vulnerable data flows in browser extensions at scale
WO2014048195A1 (fr) Method, system and device for detecting malicious behaviors of Android software
CN106295348B (zh) Vulnerability detection method and apparatus for application programs
CN102082802A (zh) Behavior-based security protection system and method for mobile terminals
CN112084497A (zh) Malicious program detection method and apparatus for embedded Linux systems
WO2017071148A1 (fr) Intelligent defense system based on a cloud computing platform
CN104392177A (zh) Virus forensics system and method based on the Android platform
CN110765459A (zh) Malicious script detection method, apparatus and storage medium
Faruki et al. Droidanalyst: Synergic app framework for static and dynamic app analysis
US20230252136A1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
CN112688966A (zh) Webshell detection method, apparatus, medium and device
CN115552401A (zh) Quick app detection method, apparatus, device and storage medium
Li et al. Large-scale third-party library detection in android markets
KR101657667B1 (ko) Malicious app classification apparatus and malicious app classification method
Chen et al. Detection, traceability, and propagation of mobile malware threats
WO2014048194A1 (fr) Method, system and device for detecting Android malicious application programs
Cui et al. TraceDroid: A robust network traffic analysis framework for privacy leakage in Android apps

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 13840530; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 13840530; Country of ref document: EP; Kind code of ref document: A1