WO2014048195A1 - Method, system and device for detecting malicious behavior of Android software - Google Patents


Info

Publication number
WO2014048195A1
Authority
WO
WIPO (PCT)
Prior art keywords
function
malicious
unit
behavior
feature information
Prior art date
Application number
PCT/CN2013/082163
Other languages
English (en)
Chinese (zh)
Inventor
巫妍
程绍银
蒋凡
Original Assignee
中兴通讯股份有限公司
中国科学技术大学
Application filed by 中兴通讯股份有限公司, 中国科学技术大学
Publication of WO2014048195A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101 Auditing as a secondary aspect

Definitions

  • the present invention relates to communication technologies, and in particular to a method, system and device for detecting malicious behavior of Android software.
  • Background
  • mobile terminals generally adopt the Android system, but the software distribution channels of the Android system are diverse and lack effective supervision. Users easily install malware, which results in malicious consumption of user fees and malicious deletion of personal information and degrades the user experience.
  • the malware detection methods in the related art include: detection by antivirus scanning and removal; and dynamic real-time monitoring of the running software and its interaction with the external environment to determine whether the software is malware.
  • the above method of detecting malware by antivirus scanning depends on virus signatures, and newly released software must first be analyzed manually to extract a virus signature, so the detection result has a certain lag period; the dynamic real-time detection method depends on a specific trigger condition, so if the malicious behavior hidden in the software has a complicated trigger condition, it may not be determined for a long time whether the software is malware.
  • Summary of the invention
  • the embodiments of the present invention provide a method, a system and a device for detecting malicious behavior of Android software, which can determine whether malicious behavior is hidden in the software to be detected without a virus signature and without being limited by the trigger conditions of the software's malicious behavior.
  • An embodiment of the present invention provides a method for detecting malicious behavior of Android software, where the method includes: simulating execution of the software to be detected, and identifying as a sensitive behavior the behavior of a called function whose sensitive feature information matches the pre-stored sensitive feature information;
  • a sensitive behavior in which the malicious feature information of the called function matches the pre-stored malicious feature information is identified as a malicious behavior.
  • the sensitive feature information includes: a function name, a function class name, a function parameter type, and a function parameter number;
  • the malicious feature information includes: a function name, a function parameter constant value.
  • before simulating execution of the software to be detected, the method further includes:
  • the bytecode file in the installation package of the software to be detected is disassembled, and the program structure is constructed and the program execution path is solved according to the disassembled program code.
  • the method further includes:
  • the instructions in the program execution path are analyzed, and when an instruction is a constant-value introduction instruction, the introduced constant value is recorded and propagated downward along the program execution path.
  • the method further includes:
  • the risk level of the malicious behavior is determined according to the function name and function parameter constant value of the called function in the malicious behavior and a pre-stored mapping between function name, function parameter constant value and danger level.
  • the method further includes:
  • the detection result is generated according to the danger level of the malicious behavior, and the detection result is reported to the user through a user interface (UI).
  • the embodiment of the present invention further provides a server, where the server includes a simulation execution unit, a detection rule storage unit, an identification unit and a matching unit;
  • the simulation execution unit is configured to simulate execution of the software to be detected;
  • the detection rule storage unit is configured to store sensitive feature information and malicious feature information; the matching unit is configured to: when the simulation execution unit calls a function, match the sensitive feature information of the called function with the sensitive feature information in the detection rule storage unit, and match the malicious feature information of the called function with the malicious feature information in the detection rule storage unit, the called function being the function called in a sensitive behavior identified by the identification unit;
  • the identification unit is configured to: when the matching unit matches the sensitive feature information successfully, identify the behavior of the function whose sensitive feature information matched as a sensitive behavior; when the matching unit matches the malicious feature information successfully, identify the sensitive behavior whose malicious feature information matched as a malicious behavior.
  • the sensitive feature information includes: a function name, a function class name, a function parameter type, and a function parameter number;
  • the malicious feature information includes: a function name, a function parameter constant value.
  • the server further includes:
  • the program structure construction unit is configured to construct a program structure according to the program code after the preprocessing unit disassembles the program code according to the bytecode file;
  • the program execution path solving unit is configured to solve a program execution path according to the program structure after the program structure building unit constructs a program structure.
  • the simulation execution unit is further configured to execute the program execution path solved by the program execution path solving unit, and to analyze the instructions in the program execution path in sequence;
  • the server further includes: a constant value analyzing unit configured to: when the simulation execution unit analyzes that an instruction in the program execution path is a constant-value introduction instruction, record the introduced constant value and propagate the constant value downward along the program execution path.
  • the server further includes:
  • a hazard rating unit configured to determine the risk level of the malicious behavior according to the function name and function parameter constant value of the called function in the malicious behavior and a pre-saved mapping between function name, function parameter constant value and danger level.
  • the server further includes: a detection result saving unit and a malicious behavior reporting unit; wherein
  • the risk rating unit is further configured to generate a detection result according to the risk level of the malicious behavior;
  • the detection result saving unit is configured to save the detection result generated by the risk rating unit
  • the malicious behavior reporting unit is configured to report the detection result saved by the detection result saving unit to the user through the client UI after the simulation execution unit simulates executing the software to be detected.
  • the embodiment of the present invention further provides an Android software malicious behavior detecting system, where the system includes: a client and a server;
  • the client is configured to enable the user to upload an installation package of the software to be detected to the server through the UI running on the client, to receive the detection result sent by the server, and to report it to the user through the UI;
  • the server is configured to identify as a sensitive behavior the behavior of a function called by the software to be detected whose sensitive feature information matches the pre-stored sensitive feature information, and to identify as a malicious behavior a sensitive behavior in which the malicious feature information of the called function matches the pre-saved malicious feature information.
  • the server includes a simulation execution unit, a detection rule storage unit, an identification unit and a matching unit; the server further includes: a preprocessing unit, a program structure construction unit, a program execution path solving unit and a constant value analysis unit; the server further includes: a hazard rating unit, a detection result saving unit and a malicious behavior reporting unit; the function of each unit is as described above.
  • by simulating execution of all the instructions in the software to be detected, the sensitive feature information of the functions called by the software to be detected is matched against the sensitive feature information stored by the server.
  • the malicious feature information of the called function in the sensitive behavior is further matched against the malicious feature information stored by the server; if the match succeeds, the software to be detected is determined to be malware. In this way, no virus signature is needed when detecting the software to be tested, so the detection result has no lag period; the detection is not limited by how complicated the trigger condition of the malicious behavior is, and the malicious behavior of the software can be detected accurately and in a timely manner.
  • FIG. 1 is a schematic flowchart of a method for detecting malicious behavior of an Android software according to an embodiment of the present invention
  • FIG. 2 is a schematic structural diagram of a malicious behavior detection system for an Android software according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of detecting malicious behavior of an Android software according to an embodiment of the present invention
  • FIG. 1 is a schematic flowchart of an implementation method for detecting malicious behavior of an Android software according to an embodiment of the present invention. As shown in FIG. 1 , the method includes the following steps:
  • Step 101 Simulate execution of the software to be detected, and identify as a sensitive behavior the behavior of a called function whose sensitive feature information matches the pre-stored sensitive feature information.
  • the sensitive feature information includes: a function name, a function class name, a function parameter type, and a function parameter number, and a function can be uniquely determined by a function name, a function class name, a function parameter number, and a function parameter type.
  • the server locally stores the sensitive feature information of the dangerous function, and the dangerous function is a library function that is invoked when the malicious behavior in the software to be detected is implemented.
  • the malicious behavior in the software to be detected includes: sending a fixed-content short message to a fixed number and ordering a service provider (SP, Service Provider) service without the user's knowledge to consume the user's fees; opening a fixed uniform resource locator (URL, Universal Resource Locator) to consume the user's fees; and executing fixed system commands to modify or delete the user's files.
  • the above malicious behaviors are implemented by calling a dangerous function and introducing constant values of a certain type and number into the parameters of the dangerous function: the fixed-content short message, fixed number, fixed URL and fixed system command appear in the code of the software to be detected as fixed strings or immediate values that are introduced into the parameters of the dangerous function.
  • therefore, when the software to be detected calls a dangerous function, the function call is identified as a sensitive behavior, and further detection determines whether the function call is malicious.
  • the installation package of the software to be detected may be obtained from the file uploaded by the user; the bytecode file in the installation package is disassembled, and the program structure is constructed and the program execution path is solved according to the disassembled program code.
  • the installation package is in the APK format of the Android system; an unpacking tool is run on the server to process the installation package and obtain a bytecode file in dex format, which is an executable file for the Dalvik virtual machine, the application environment in which software runs on the Android system.
  • a disassembly tool is run to disassemble the bytecode file, and a script analyzes the program structure information from the disassembled program code; the program structure information includes: an instruction structure, a basic block structure, a function structure, a class structure, a function call graph, a control flow graph and a fixed string table.
  • the script used to analyze the program structure information is independent of the particular disassembly tool;
  • the instruction structure includes the address, operation code and operand of the instruction;
  • the basic block structure includes the basic block number and the first address.
  • the program execution path is an instruction execution sequence for running all the instructions in the disassembled program code.
  • starting from the entry function of the disassembled program code, the instruction execution sequence of the current function is analyzed according to the instruction structure, basic block structure, function structure and class structure; this analysis uses a graph traversal algorithm, so that for a branch instruction in the function every branch block is guaranteed to be executed at least once, and for a loop body in the function the instructions of the loop body are guaranteed to be executed at least once;
  • according to the instruction structure, basic block structure, function structure and class structure, the function called at each function call point in the current function is analyzed, the connection between the current function and the called function is established, and the instruction execution sequence of the called function is analyzed; when the function called at a function call point is a thread start function, a virtual function or an interface function, the following processing is also required:
  • the instructions in the program execution path are analyzed, and when an instruction is a constant-value introduction instruction, the introduced constant value is recorded and propagated downward along the program execution path; the constants include immediate values and fixed strings;
  • when an instruction in the program execution path is a constant-value introduction instruction:
  • if the constant-value introduction instruction introduces a constant value in the form of an immediate value, the directly introduced immediate value is recorded, and the corresponding variable in the program execution path is marked as being in a constant state;
  • if the constant-value introduction instruction introduces a constant value in the form of a fixed string, the fixed string table is searched to obtain the value of the fixed string, the introduced fixed string value is recorded, and the corresponding variable in the program execution path is marked as being in a constant state;
  • if the instruction is a constant-value introduction instruction whose operand is a variable, the corresponding variable is marked as being in a constant state in the program execution path according to the semantic information of the current instruction, and the introduced constant value is recorded;
  • Step 102 Identify, as a malicious behavior, a sensitive behavior that matches the malicious feature information of the called function in the sensitive behavior with the pre-stored malicious feature information.
  • the malicious feature information includes: a function name, and a function parameter constant value.
  • in the process of simulating execution of the software to be detected in step 101, if the sensitive feature information of a function called by the software to be detected matches the sensitive feature information of a dangerous function saved locally by the server, it is determined that the function call preliminarily meets the features of malicious behavior, namely: sending a fixed-content SMS to a fixed number, opening a fixed URL or executing a fixed system command, where the fixed-content SMS, fixed number, fixed URL and fixed system command are introduced into the parameters of the dangerous function in the form of constant values to implement the sensitive behavior.
  • the malicious feature information of the function called in the sensitive behavior identified in the software to be detected is matched with the pre-stored malicious feature information of the dangerous function to further determine whether the sensitive behavior is malicious, that is: whether sending a fixed-content SMS to a fixed number orders a service from the SP and consumes the user's fees; whether opening a fixed URL opens a network IP (Internet Protocol) address and causes consumption of the user's fees; whether executing a fixed system command causes loss to the user's files. If so, the function call is identified as a malicious behavior, and the software to be detected is determined to be malware.
  • the risk level of the malicious behavior is also assessed, and the detection result is generated according to the risk level of the malicious behavior.
  • the detection result is reported to the user through the client UI so that the user understands the relevant information about the malware; the detection result includes: the danger level of the malicious behavior, the function name and class name of the dangerous function in the malicious behavior, the function name of the function in which the malicious behavior occurs, the malicious behavior type and the malicious behavior description.
  • the function name and the function parameter constant value of the function called in the malicious behavior are matched against locally pre-stored rating rules to determine the danger level, where a rating rule describes the danger level corresponding to a function and its function parameter constant value; the danger level is determined according to the degree of loss to the user, for example, the danger level of a malicious behavior that orders multiple SP services and consumes the user's fees is higher than that of a malicious behavior that orders one SP service.
  • FIG. 2 is a schematic structural diagram of a malicious software behavior detection system for an Android software according to an embodiment of the present invention. As shown in FIG. 2, the system includes: a server 21 and a client 22:
  • the server 21 is configured to identify as a sensitive behavior the behavior of a function called by the software to be detected whose sensitive feature information matches the pre-stored sensitive feature information, and to identify as a malicious behavior a sensitive behavior in which the malicious feature information of the called function matches the pre-saved malicious feature information;
  • the client 22 is configured to enable the user to upload an installation package of the software to be detected to the server 21 through the UI running on the client 22, to receive the detection result sent by the server 21, and to report it to the user through the UI.
  • the server 21 includes: an emulation execution unit 2101, a detection rule storage unit 2102, a matching unit 2103, and an identification unit 2104;
  • the simulation execution unit 2101 is configured to simulate executing the software to be detected
  • the detection rule storage unit 2102 is configured to store the sensitive feature information and the malicious feature information.
  • the matching unit 2103 is configured to: when the simulation execution unit 2101 calls a function, match the sensitive feature information of the called function with the sensitive feature information in the detection rule storage unit 2102, and match the malicious feature information of the called function with the malicious feature information in the detection rule storage unit 2102, the called function being the function called in a sensitive behavior identified by the identification unit 2104;
  • the identification unit 2104 is configured to: when the matching unit 2103 matches the sensitive feature information successfully, identify the behavior of the function whose sensitive feature information matched as a sensitive behavior; when the matching unit 2103 matches the malicious feature information successfully, identify the sensitive behavior whose malicious feature information matched as a malicious behavior.
  • the sensitive feature information includes: a function name, a function class name, a function parameter type, and a function parameter number;
  • the malicious feature information includes: a function name, a function parameter constant value.
  • the server 21 further includes: a preprocessing unit 2105, a program structure building unit 2106, a program execution path solving unit 2107, and a constant value analyzing unit 2108;
  • the pre-processing unit 2105 is configured to receive an installation package of the software to be detected uploaded by the user through the client 22, and disassemble the bytecode file in the installation package;
  • the program structure construction unit 2106 is configured to construct a program structure according to the program code after the pre-processing unit 2105 disassembles the program code according to the bytecode file;
  • the program execution path solving unit 2107 is configured to solve the program execution path according to the program structure after the program structure building unit 2106 constructs the program structure.
  • the simulation execution unit 2101 is further configured to execute the program execution path solved by the program execution path solving unit 2107, and to analyze the instructions in the program execution path in sequence;
  • the constant value analyzing unit 2108 of the server 21 is configured to record the introduced constant value and propagate it downward along the program execution path when the simulation execution unit 2101 analyzes that an instruction in the program execution path is a constant-value introduction instruction.
  • the server 21 further includes: a risk rating unit 2109 configured to determine the danger level of the malicious behavior according to the function name and function parameter constant value of the called function in the malicious behavior and the pre-saved mapping between function name, function parameter constant value and danger level.
  • the server 21 further includes: a detection result holding unit 2110 and a malicious behavior reporting unit 2111; wherein
  • the hazard rating unit 2109 is further configured to generate a detection result according to the risk level of the malicious behavior;
  • the detection result saving unit 2110 is configured to save the detection result generated by the risk rating unit 2109;
  • the malicious behavior reporting unit 2111 is configured to report the detection result saved by the detection result holding unit 2110 to the user through the client 22 UI after the simulation execution unit 2101 simulates execution of the software to be detected.
  • the behavior reporting unit 2111 can be implemented by a central processing unit (CPU) in a server 21, a digital signal processor (DSP), or a Field Programmable Gate Array (FPGA).
  • the detection rule storage unit 2102 and the detection result holding unit 2110 may each be implemented by a memory in the server 21; they may be implemented by the same memory in the server 21 or by different memories in the server 21.
  • FIG. 3 is a schematic diagram of an implementation process for detecting malicious behavior of Android software according to an embodiment of the present invention. The following takes the software to be detected, hippoSMS, as an example; as shown in FIG. 3, the process includes the following steps:
  • Step 301 The server receives the software to be detected uploaded by the client, and performs preprocessing.
  • the user uploads the installation package hippoSMS.apk corresponding to the software to be detected, hippoSMS, to the server through the client UI; the server decompresses the installation package using decompression software, extracts the bytecode file (with suffix dex) from the installation package, runs the disassembly tool on the bytecode file to disassemble it, and outputs the program code.
  • the decompression software may adopt WINRAR or APKTOOL, and the disassembly tool may adopt IDA pro (Interactive Disassembler Professional).
  • Step 302 The server builds the program structure and solves the program execution path according to the disassembled program code.
  • the server constructs a program structure according to the disassembled program code, the program structure including: an instruction structure, a basic block structure, a function structure, a class structure, a function call graph, a control flow graph and a string table; and solves the program execution path according to the above program structure.
  • the instruction in the third line is a function call instruction; the called function is not a thread start function, a virtual function or an interface function, so the called function is found directly from the function call graph, the connection between the current function and the called function is established, and the called function is entered to perform the program execution path solving operation;
  • the instruction in the fourth line is a system function call instruction, and the function is a thread initialization function; the class name of the initialization parameter is Download$myThread, the v1 object is bound to the ⁇ object, and the class name of the ⁇ object is marked as the class name of the v1 object, Download$myThread; the run function in Download$myThread is then looked up;
  • the instruction in the fifth line of code is the thread start function call instruction, and the class name of the ⁇ parameter is Download$myThread; the run function in Download$myThread is therefore searched, the name of the called function is changed from Thread.start to Download$myThread.run, and the program execution path is solved for the function Download$myThread.run.
  • Step 303 The server analyzes the instructions in the execution path, and when an instruction is a constant-value introduction instruction, records the introduced constant value and propagates it downward along the program execution path.
  • the first line instruction is a constant-value introduction instruction: v7 is defined as the string constant a8, where a8 is a fixed string; the instruction introduces a constant value in the form of a string, and the fixed string table is queried using a8 as the index.
  • the second to fourth line instructions are constant-value introduction instructions that introduce constant values in the form of strings; the values of the corresponding strings are queried in the fixed string table using v6, v5 and v4 as indexes, v6, v5 and v4 are marked as being in a constant state, and the values of the corresponding strings are recorded, where the value of v6 is 1066156686, the value of v5 is data, and the value of v4 is an empty string.
  • the instruction in the fifth line is a function call instruction; the values of the argument variables this, v6, v7, v4 and this are passed to the called function MessageService.sendsms, the corresponding parameters this, p0, p1, p2 and p3 of the function MessageService.sendsms are initialized to the values of the arguments passed to the called function, and the instructions of the function MessageService.sendsms are then analyzed.
  • the first line instruction is a constant-value introduction instruction that introduces a constant value in the form of an immediate value: the instruction introduces the immediate value 0 into the variable v2, marks v2 as being in a constant state, and records the value of v2 as the immediate value 0;
  • the second line instruction is analyzed to be a constant-value introduction instruction whose operand is the variable v1; it introduces the value of the parameter ⁇ into v1. The argument corresponding to the parameter ⁇ is the string v6, and v6 was assigned the value 1066156686, so the value of ⁇ is the value of the string v6, 1066156686; according to the semantic information of the instruction, the variable v1 is marked as being in a constant state, and the value of v1 is recorded as the constant value 1066156686;
  • the third line instruction is analyzed to be a constant-value introduction instruction whose operand is the variable v3; it introduces the value of the formal parameter p1 into v3. The actual parameter corresponding to the formal parameter p1 is the string v7, and v7 was assigned the value 8, so the value of p1 is the value 8 of the string v7; according to the semantic information of the instruction, v3 is marked as being in a constant state, and the value of v3 is recorded as the constant value 8;
  • the fourth line instruction is analyzed to be a system function call instruction. Since the called function SmsManager.sendTextMessage is a library function, it cannot be entered for analysis, and the process proceeds to step 304.
  • Step 304 The server matches the sensitive feature information of the function called by the software to be detected with the locally stored sensitive feature information.
  • the server locally maintains detection rules to store sensitive feature information and malicious feature information, and uses the same detection rule for XML (Extensible Markup Language, Extensible Markup Language) for sensitive feature information and malicious feature information of the same risk function.
  • XML Extensible Markup Language
  • Extensible Markup Language Extensible Markup Language
  • the detection rules for the function SmsManager. sendTextMessage can be described as follows:
  • ⁇ ParaTypeList> list of parameter types, the parameter type of the function whose function class name is SmsManager, where the first three function parameters are of type String (string), and the latter two function parameters are of type system-defined type.
  • the list matches the first three functions whose function type is a string;
  • ⁇ ParamSize> A function that matches the number of arguments of the function to 6.
  • the first argument of each function is the this pointer, and the number of arguments here is the number containing the this pointer;
  • ⁇ KeyParamList> Matches the parameter information of one or more functions, and the matching rule of each parameter is represented by ⁇ KeyParam>;
  • ⁇ KeyParam> contains a matching rule for a parameter
  • ⁇ ParamPos> The position of the parameter to be matched, counting from 0;
  • ⁇ ParamValue> The value of the parameter to be matched, the characteristics of the value are described by a regular expression
  • ⁇ SinkType> The behavior type of the function.
  • the server analyzes that the fourth line of the code segment 3 is a function call instruction, and the called function is a library function, the sensitive feature of the called function is matched with the sensitive feature information in the detection rule of the code segment 4, wherein
  • the sensitive feature information includes a function name, a function parameter class name, a function parameter type, and a function parameter number, and the processing is as follows:
  • Step 305 The server matches the malicious feature information of the function called by the software to be detected with the locally saved malicious feature information.
  • the malicious feature information includes: a function name, and a function parameter constant value.
  • step 304 after the call of the function SmsManager.sendTextMessage is identified as a sensitive behavior, in this step, the server performs the following processing:
  • Step 306 The server evaluates the risk level of the malicious behavior, generates the detection result, and reports the user through the client.
  • the generated detection result is: Hazard level: high;
  • Type of malicious behavior malicious deduction
  • the detection result server is sent to the client, and is displayed by the client through the UI to report to the user.
  • the software to be detected is simulated, and the sensitive feature information and the malicious feature information of the function to be detected by the software to be detected are matched with the pre-stored sensitive feature information and the malicious feature information, and if the matching is successful, the method is determined.
  • Function calls are malicious.
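A constructed walk through steps 303 to 306 in Python, added here and not the patent's own code: the two code segments are written as a tiny instruction list, constants are propagated across the sendsms call into the formal parameters, and the resolved SmsManager.sendTextMessage call is matched against a rule written with the element names listed above. The rule XML, the instruction tuples, the argument layout of the sink call and the ^1066\d+$ pattern are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed detection rule in the element vocabulary the patent lists (step 304).
RULE_XML = """<Rule><ClassName>SmsManager</ClassName><FuncName>sendTextMessage</FuncName>
<ParaTypeList>String,String,String</ParaTypeList><ParamSize>6</ParamSize>
<KeyParamList><KeyParam><ParamPos>1</ParamPos><ParamValue>^1066\\d+$</ParamValue></KeyParam></KeyParamList>
<SinkType>malicious deduction</SinkType></Rule>"""
# Sink signature, receiver first, as the patent describes it (three String, two system types).
SINK_TYPES = ["SmsManager", "String", "String", "String", "PendingIntent", "PendingIntent"]
# Constructed IR of the two code segments: ("const", reg, value), ("param", reg, formal),
# ("call", callee, actual_regs, formal_names). Receiver registers carry no constant.
PROGRAM = {
    "Download$myThread.run": [
        ("const", "v7", "8"), ("const", "v6", "1066156686"),
        ("const", "v5", "data"), ("const", "v4", ""),
        ("call", "MessageService.sendsms", ["this", "v6", "v7", "v4", "this"],
         ["this", "p0", "p1", "p2", "p3"])],
    "MessageService.sendsms": [
        ("const", "v2", 0), ("param", "v1", "p0"), ("param", "v3", "p1"),
        # assumed argument layout: receiver, destination, service centre, text, two intents
        ("call", "SmsManager.sendTextMessage", ["v0", "v1", "v2", "v3", "v2", "v2"], None)]}

def propagate(program, entry, bound):
    """Step 303: record constants along the path, enter user callees with actuals
    bound to formals, and stop at the first library call, returning its arguments."""
    env = dict(bound)                            # register or formal -> constant value
    for op, a, b, *rest in program[entry]:
        if op in ("const", "param"):             # both introduce a constant into register a
            env[a] = b if op == "const" else env.get(b)
        elif a in program:                       # user function: keep walking inside it
            return propagate(program, a, dict(zip(rest[0], [env.get(r) for r in b])))
        else:                                    # library function: resolved sink call
            return a, [env.get(r) for r in b]
    return None

def match(rule_xml, callee, actuals, types):
    """Steps 304-305: sensitive match on name, class, parameter types and count, then
    malicious match of the constant argument values against the rule's regexes."""
    r = ET.fromstring(rule_xml)
    want = r.findtext("ParaTypeList").split(",")
    if (callee.split(".") != [r.findtext("ClassName"), r.findtext("FuncName")]
            or len(actuals) != int(r.findtext("ParamSize")) or types[1:1 + len(want)] != want):
        return None                              # not even a sensitive call
    for kp in r.iter("KeyParam"):
        value = actuals[int(kp.findtext("ParamPos"))]
        if value is None or not re.match(kp.findtext("ParamValue"), str(value)):
            return "sensitive"                   # sensitive call without the malicious constant
    return {"level": "high", "behavior": r.findtext("SinkType")}   # step 306 result
```

Running propagate from Download$myThread.run resolves the destination argument to 1066156686 and the text to 8, and match then yields the page's result (hazard level high, malicious deduction); a destination that does not fit the pattern is reported as sensitive only.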

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)
  • Stored Programmes (AREA)

Abstract

In an embodiment, the invention relates to a method, a system and a device for detecting malicious behaviours of Android software, the method comprising the following steps: simulating the execution of the software to be detected; matching the sensitive feature information and the malicious feature information of a function called by the software to be detected with pre-stored sensitive feature information and malicious feature information; and, if the matching succeeds, determining the function call to be a malicious behaviour. The technical solution of the embodiment of the present invention avoids the problem, found in the related art, of being unable to determine whether the software to be detected is malicious because of the delayed detection phase and the complex conditions required to trigger the malicious behaviours of malicious software.
PCT/CN2013/082163 2012-09-29 2013-08-23 Method, system and device for detecting malicious behaviours of Android software WO2014048195A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210376038.XA CN102945347B (zh) 2012-09-29 2012-09-29 A method, system and device for detecting Android malware
CN201210376038.X 2012-09-29

Publications (1)

Publication Number Publication Date
WO2014048195A1 true WO2014048195A1 (fr) 2014-04-03

Family

ID=47728288

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/082163 WO2014048195A1 (fr) 2012-09-29 2013-08-23 Method, system and device for detecting malicious behaviours of Android software

Country Status (2)

Country Link
CN (1) CN102945347B (fr)
WO (1) WO2014048195A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106663172A (zh) * 2014-07-23 2017-05-10 高通股份有限公司 Methods and systems for detecting malware and attacks that target the behavioral security mechanisms of a mobile device

Families Citing this family (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014048194A1 (fr) * 2012-09-29 2014-04-03 中兴通讯股份有限公司 Method, system and device for detecting malicious Android application programs
CN102945347B (zh) * 2012-09-29 2016-02-24 中兴通讯股份有限公司 A method, system and device for detecting Android malware
US9058494B2 (en) * 2013-03-15 2015-06-16 Intel Corporation Method, apparatus, system, and computer readable medium to provide secure operation
CN103246846A (zh) * 2013-04-24 2013-08-14 北京网秦天下科技有限公司 Method and device for detecting the security of a customized ROM
CN103473507B (zh) * 2013-09-25 2016-03-30 西安交通大学 An Android malicious code detection method
CN103473509A (zh) * 2013-09-30 2013-12-25 清华大学 Automatic malware detection method for the Android platform
CN103685251B (zh) * 2013-12-04 2016-08-17 电子科技大学 An Android malware detection platform for the mobile Internet
CN103701800A (zh) * 2013-12-25 2014-04-02 贝壳网际(北京)安全技术有限公司 Cookie processing method and device, browser, and client
CN104899505A (zh) * 2014-03-07 2015-09-09 北京奇虎科技有限公司 Software detection method and device
CN104079673B (zh) * 2014-07-30 2018-12-07 北京奇虎科技有限公司 Method, device and system for preventing DNS hijacking during application download
CN104268473B (zh) * 2014-09-23 2017-05-24 龙芯中科技术有限公司 Application program detection method and device
CN105989294B (zh) * 2015-02-17 2019-02-26 华为技术有限公司 Android installation package detection method and device
CN106156630A (zh) * 2015-04-23 2016-11-23 阿里巴巴集团控股有限公司 Vulnerability detection method and device for an application installation package
CN104978527B (zh) * 2015-07-30 2017-12-08 深圳数字电视国家工程实验室股份有限公司 Method and device for computing program slices
CN106778261A (zh) * 2015-11-20 2017-05-31 中兴通讯股份有限公司 Processing method and device for disguised applications
CN106815524B (zh) * 2015-11-27 2020-05-15 阿里巴巴集团控股有限公司 Detection method and device for malicious script files
CN105404583B (zh) * 2015-12-04 2017-10-20 中科信息安全共性技术国家工程研究中心有限公司 Method for rapid detection of APKs and for improving resource utilization per unit
CN105740706B (zh) * 2015-12-25 2019-05-07 哈尔滨安天科技股份有限公司 Heuristic sample detection method and system based on API names and immediate values
CN106940775B (zh) * 2016-01-04 2020-07-14 阿里巴巴集团控股有限公司 Vulnerability detection method and device for application programs
CN108062472A (zh) * 2016-11-07 2018-05-22 武汉安天信息技术有限责任公司 Detection method and system for ransomware applications on the Android platform
CN107016286B (zh) * 2016-12-30 2019-09-24 深圳市安之天信息技术有限公司 Malicious code randomization identification method and system based on random tracking
CN109214179B (zh) * 2017-06-30 2021-04-27 武汉斗鱼网络科技有限公司 Program module security detection method and device
CN107577944A (zh) * 2017-09-08 2018-01-12 杭州安恒信息技术有限公司 Website malicious code detection method and device based on a code syntax analyzer
CN108040064A (zh) * 2017-12-22 2018-05-15 北京知道创宇信息技术有限公司 Data transmission method and device, electronic equipment and storage medium
CN108875361A (zh) * 2017-12-28 2018-11-23 北京安天网络安全技术有限公司 Method and device for monitoring programs, electronic equipment and storage medium
CN108491722A (zh) * 2018-03-30 2018-09-04 广州汇智通信技术有限公司 Malware detection method and system
CN108959092B (zh) * 2018-07-09 2022-03-18 中国联合网络通信集团有限公司 Software behavior analysis method and system
CN109101815B (zh) * 2018-07-27 2023-04-07 平安科技(深圳)有限公司 Malware detection method and related equipment
CN109815701B (zh) * 2018-12-29 2022-04-22 奇安信安全技术(珠海)有限公司 Software security detection method, client, system and storage medium
CN110362995B (zh) * 2019-05-31 2022-12-02 电子科技大学成都学院 Malware detection and analysis system based on reverse engineering and machine learning
CN111078234B (zh) * 2019-12-06 2023-06-02 广州微算互联信息技术有限公司 Method, system, device and storage medium for dynamically restricting installation and uninstallation on a cloud-phone Android system
CN111597552B (zh) * 2020-04-15 2023-11-10 深圳市捷顺科技实业股份有限公司 Code scanning method and terminal device
CN113222053B (zh) * 2021-05-28 2022-03-15 广州大学 Malware family classification method, system and medium based on RGB images and Stacking multi-model fusion
CN113434872A (zh) * 2021-08-27 2021-09-24 迅管(深圳)科技有限公司 Database security system capable of identifying and defending against malicious programs
CN116451229B (zh) * 2023-06-14 2023-09-12 北京长亭科技有限公司 Malware detection method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101359352A (zh) * 2008-09-25 2009-02-04 中国人民解放军信息工程大学 Hierarchical cooperative discovery of obfuscated API call behaviour and method for determining its maliciousness
US20110047620A1 (en) * 2008-10-21 2011-02-24 Lookout, Inc., A California Corporation System and method for server-coupled malware prevention
CN102012988A (zh) * 2010-12-02 2011-04-13 张平 Automatic binary malicious code behavior analysis method
CN102110220A (zh) * 2011-02-14 2011-06-29 宇龙计算机通信科技(深圳)有限公司 Application program monitoring method and device
CN102945347A (zh) * 2012-09-29 2013-02-27 中兴通讯股份有限公司 A method, system and device for detecting Android malware

Also Published As

Publication number Publication date
CN102945347A (zh) 2013-02-27
CN102945347B (zh) 2016-02-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 13841220
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 13841220
Country of ref document: EP
Kind code of ref document: A1