WO2014098387A1 - Apparatus and method for diagnosing malicious applications - Google Patents

Apparatus and method for diagnosing malicious applications

Info

Publication number
WO2014098387A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
hash information
malicious
file
diagnostic
Prior art date
Application number
PCT/KR2013/010994
Other languages
English (en)
Korean (ko)
Inventor
주설우
Original Assignee
주식회사 안랩
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 안랩 filed Critical 주식회사 안랩
Publication of WO2014098387A1 publication Critical patent/WO2014098387A1/fr

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/564 Static detection by virus signature recognition

Definitions

  • the present invention relates to the diagnosis of malicious applications.
  • a malicious application can be diagnosed more quickly and accurately while using minimal hardware resources.
  • the present invention relates to an apparatus and method for diagnosing malicious applications.
  • a smart phone combines the advantages of a mobile phone and a personal digital assistant (PDA).
  • the smart phone is implemented by integrating data communication functions such as scheduling, fax transmission and Internet access.
  • a smart phone is equipped with a wireless communication module such as Wi-Fi, and can transmit and receive data through the Internet network. It is also possible to search for information on the Internet and to send and receive picture information such as directions by using an electronic pen on the liquid crystal display.
  • Such smartphones have their own operating systems, and active development of applications that can be executed by the operating systems is being made.
  • the Android platform is an open-source platform released by Google's OHA (Open Handset Alliance); it is a software package that includes a Linux kernel, a virtual machine (VM), a framework and the applications.
  • the malicious application is typically produced by modifying the classes.dex and AndroidManifest.xml files included in the Android application APK file.
  • the apk file of the Android application is decompressed, a hash value is computed for every decompressed file in the apk, and detection is performed by comparing those hash values with a DB holding signatures for malicious applications.
  • the present invention diagnoses a malicious application in a portable terminal such as an Android OS-based smartphone: from the apk (application package) file, which is the installation file of the application, it extracts only part of the header of the DEX file that contains the executable code of the application, obtains the hash information of the application to be diagnosed from that part, and compares the extracted hash information with pre-stored signature hash information to check whether the application is malicious, while using minimal hardware resources.
  • a device and method for diagnosing malicious applications that can diagnose the virus more quickly and accurately.
  • the present invention described above is a malicious application diagnosis apparatus that includes: a signature DB storing normal or malicious signature hash information for applications that can be installed in a portable terminal;
  • a file extracting unit for extracting, from the APK file of the application, a specific file containing the execution code and hash information of the application; a diagnostic information extracting unit for extracting the hash information of the application from the specific file extracted by the file extracting unit;
  • and a diagnosis unit for comparing the hash information of the application extracted by the diagnostic information extracting unit with the signature hash information previously stored in the signature DB, and diagnosing whether the corresponding application is malicious.
  • the file extracting unit may extract only the specific file from the APK file.
  • the diagnostic information extracting unit may extract the hash information by parsing a header of the specific file.
  • the hash information may be recorded in a predetermined area set in the header.
  • the hash information may be recorded in 20 bytes from 0x0C to 0x1F on the header.
  • the specific file may be a DEX file.
  • the diagnostic unit may diagnose the application as a normal application when the hash information of the application matches the normal signature hash information stored in the signature DB.
  • the diagnosis unit may diagnose the application as a malicious application when the hash information of the application matches the malicious signature hash information stored in the signature DB.
  • the diagnostic unit may block installation on the mobile terminal of an application diagnosed as malicious, or delete the application if it is already installed.
  • the portable terminal is characterized as an electronic device equipped with the Android OS.
  • the present invention also provides a method for diagnosing malicious applications, the method comprising: extracting, from the APK file of an application existing in a portable terminal, a specific file including the execution code and hash information of the application; extracting the hash information of the application from the specific file; comparing the hash information of the application with previously stored normal or malicious signature hash information; and diagnosing whether the application is malicious or normal based on the comparison result.
  • the diagnosing may include checking whether the hash information of the application matches the normal or malicious signature hash information, diagnosing the application as a normal application when its hash information matches the normal signature hash information, and diagnosing the application as a malicious application when its hash information coincides with the malicious signature hash information.
  • the method is further characterized by blocking the installation of the application on the portable terminal and, if the application is already installed in the portable terminal, deleting the application.
  • the extracting of the specific file may include extracting only the specific file from the APK file.
  • the hash information may be included in the header of the specific file and extracted through parsing the header.
  • the hash information may be recorded in a predetermined area set in the header.
  • the hash information may be recorded in 20 bytes from 0x0C to 0x1F on the header.
  • the specific file may be a DEX file.
  • the DEX file including the executable code of the application is extracted from the apk file, which is the installation file of the application, and only the part of the DEX file header containing the hash information for verifying the DEX file is decompressed.
  • the hash information recorded in the DEX file header is then compared with the signature hash information to check whether the application is malicious, while preventing performance degradation of the device.
  • FIG. 1 is a detailed block diagram of a malicious application diagnostic apparatus according to an embodiment of the present invention.
  • FIG. 2A is a diagram illustrating a structure of a DEX file to which an embodiment of the present invention is applied;
  • FIG. 2B is a diagram illustrating a structure of a DEX file header to which an embodiment of the present invention is applied;
  • FIG. 3 is an operation control flowchart for diagnosing malicious applications according to an embodiment of the present invention.
  • Combinations of each block of the accompanying block diagram and each step of the flowchart may be performed by computer program instructions.
  • These computer program instructions may be loaded onto a processor of a general purpose computer, special purpose computer, or other programmable data processing equipment, such that the instructions executed through the processor of the computer or other programmable data processing equipment create means for performing the functions described in each block of the block diagram or each step of the flowchart.
  • These computer program instructions may also be stored in a computer-usable or computer-readable memory that can direct a computer or other programmable data processing equipment to implement functionality in a particular manner, and thus the instructions stored in the computer-usable or computer-readable memory may produce an article of manufacture containing instruction means for performing the functions described in each block of the block diagram or each step of the flowchart.
  • Computer program instructions may also be loaded onto a computer or other programmable data processing equipment, such that a series of operating steps are performed on the computer or other programmable data processing equipment to create a computer-implemented process, so that the instructions executed on the computer or other programmable data processing equipment provide steps for performing the functions described in each block of the block diagram and in each step of the flowchart.
  • each block or step may represent a portion of a module, segment or code that includes one or more executable instructions for executing a specified logical function(s).
  • the functions noted in the blocks or steps may occur out of order.
  • the two blocks or steps shown in succession may in fact be executed substantially concurrently or the blocks or steps may sometimes be performed in the reverse order, depending on the functionality involved.
  • FIG. 1 is a detailed block diagram of a diagnostic apparatus 100 for diagnosing a malicious application of a portable terminal according to an embodiment of the present invention.
  • Such a portable terminal may include a terminal such as a smartphone and a tablet PC.
  • the signature DB 102 stores white signature hash information and/or malware signature hash information for an application installed in the portable terminal.
  • the file extraction unit 104 extracts only the DEX file 150 from an application newly downloaded and installed in the portable terminal or an APK file of a previously installed application.
  • the DEX file 150 may include the execution code of the application and hash information for verifying the DEX file. Therefore, the present invention extracts only the DEX file 150, without decompressing and checking all the files of the APK, so that the maliciousness of the application can be checked quickly and accurately.
  • the diagnostic information extractor 106 extracts the hash information included in the DEX file 150 extracted by the file extractor 104 to verify the execution code of the application.
  • the diagnostic information extracting unit 106 does not decompress the entire DEX file 150; since the hash information is recorded in the header, the hash information can be extracted by decompressing only that region of the header.
  • Such hash information may be, for example, a SHA-1 hash, and may be recorded in 20 bytes from 0x0C to 0x1F on the header of the DEX file 150.
  • the diagnosis unit 108 compares the hash information of the diagnosis target application extracted by the diagnosis information extraction unit 106 with the normal or malicious signature hash information previously stored in the signature DB 102, and diagnoses whether the corresponding application is malicious.
  • the diagnosis unit 108 may determine, for example, that the application is a normal application when the hash information of the application coincides with the normal signature hash information stored in the signature DB 102. In addition, the diagnosis unit 108 may diagnose the application as malicious when the hash information of the application coincides with the malicious signature hash information. In this case, the diagnosis unit 108 may block installation on the mobile terminal of the application diagnosed as malicious, or delete the application if it is already installed.
  • FIGS. 2A and 2B show the structure of the DEX file 150 and the structure of the DEX file header, respectively.
  • the DEX file header 200 is positioned at the beginning of the file in the structure of the DEX file 150, and the structure of the DEX file header 200 is illustrated in FIG. 2B.
  • SHA-1 hash information is recorded in a predetermined area 250 of the DEX file header 200, for example, a 20 byte area from 0x0C to 0x1F.
  • the diagnostic apparatus 100 as described above does not decompress the entire DEX file 150, but decompresses only the predetermined area 250 of the DEX file header 200 in which the hash information is recorded, that is, 0x0C to 0x1F.
  • therefore minimal hardware resources are used and the diagnosis time can be minimized.
  • the redundancy rate is close to 0, which makes a large reduction possible.
  • the file extractor 104 in the diagnosis apparatus 100 performs a file type analysis on the files installed in the portable terminal (S300).
  • the file extraction unit 104 searches for an application having the apk file format in the analysis target files (S302).
  • the file extractor 104 extracts, from the apk file of the corresponding application, a specific file, for example a DEX file 150, having hash information capable of verifying whether the application is malicious (S304).
  • the DEX file 150 may include an execution code of the application and hash information for verifying the DEX file 150.
  • the diagnostic information extracting unit 106 extracts the hash information included in the DEX file 150 extracted by the file extracting unit 104 to verify the execution code of the application (S306).
  • the above hash information may exist in the header 200 of the DEX file 150.
  • the diagnostic information extracting unit 106 does not decompress the entire DEX file 150, but decompresses only the predetermined area 250 of the DEX file header 200 in which the hash information is recorded, so that the hash information recorded in the predetermined area 250 of the header 200 may be extracted.
  • the hash information may be, for example, a SHA-1 hash, and may be recorded in 20 bytes from 0x0C to 0x1F on the DEX file header 200. Therefore, the diagnostic information extraction unit 106 extracts the hash information by decompressing only 20 bytes from 0x0C to 0x1F on the DEX file header 200 without decompressing the entire DEX file 150.
  • the hash information of the application extracted from the diagnostic information extraction unit 106 may be provided to the diagnosis unit 108 for diagnosing whether the application is malicious.
  • the diagnosis unit 108 compares the hash information of the diagnosis target application extracted by the diagnosis information extraction unit 106 with the normal or malicious signature hash information previously stored in the signature DB 102 to diagnose whether the application is malicious (S308).
  • the diagnosis unit 108 may determine, for example, that the application is a normal application when the hash information of the application coincides with the normal signature hash information stored in the signature DB 102. In addition, the diagnosis unit 108 may diagnose the malicious application when the hash information of the application coincides with the malicious signature hash information.
  • the diagnosis unit 108 blocks installation on the portable terminal when the diagnosis target application is diagnosed as a malicious application (S310), or deletes the application if it is already installed (S312).
  • a DEX file including the executable code of an application is extracted from the apk file, which is the installation file of the application; only the portion of the DEX file header that contains the hash information for verifying the DEX file is decompressed, and the hash information recorded in the DEX file header is compared with the signature hash information to check whether the application is malicious. This also helps to diagnose malicious applications more quickly and accurately.
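The flow described above (pull only classes.dex out of the APK, decompress only the header prefix, read the 20-byte hash at 0x0C..0x1F, look it up in a normal/malicious signature DB), as an added worked example; this is not the patent's or AhnLab's code. It relies on the published DEX header layout, where the 20-byte field at 0x0C is the SHA-1 of everything from 0x20 to end of file and the 4-byte field at 0x08 is the adler32 of everything from 0x0C to end of file; the sample DEX, the APK wrapper and the signature sets are constructed in the block, and the function names are the example's own. Because the hash field is self-declared by the file, the block also adds the check a defender would want: recompute the SHA-1 over the body and refuse to trust a header that does not match it.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# DEX header layout assumed by this example (standard dex format):
#   0x00  magic         8 bytes  "dex\n035\0"
#   0x08  checksum      4 bytes  adler32 over 0x0C..EOF
#   0x0C  signature    20 bytes  SHA-1 over 0x20..EOF  <- the 0x0C..0x1F area the patent reads
#   0x20  file_size, header_size, endian_tag, ... (remaining fields zeroed in the sample)
DEX_MAGIC = b"dex\n035\0"
SIG_OFFSET, SIG_LEN = 0x0C, 20
HEADER_SIZE = 0x70
DEX_ENTRY = "classes.dex"


def build_dex(payload: bytes) -> bytes:
    """Construct a minimal, self-consistent DEX image (constructed sample, not a real app)."""
    file_size = HEADER_SIZE + len(payload)
    tail = struct.pack("<III", file_size, HEADER_SIZE, 0x12345678)
    tail += b"\0" * (HEADER_SIZE - 0x2C) + payload          # rest of header, then "code"
    signature = hashlib.sha1(tail).digest()                  # covers 0x20..EOF
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF   # covers 0x0C..EOF
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + tail


def build_apk(dex: bytes) -> bytes:
    """Construct an APK-like zip with the usual neighbours of classes.dex (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr(DEX_ENTRY, dex)
        zf.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


def read_dex_header(apk_bytes: bytes) -> bytes:
    """Inflate only the first HEADER_SIZE bytes of classes.dex; no other entry is touched."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf, zf.open(DEX_ENTRY) as entry:
        return entry.read(HEADER_SIZE)


def header_signature(header: bytes) -> bytes:
    """Parse the header and return the 20-byte hash field at 0x0C..0x1F."""
    if len(header) < HEADER_SIZE or header[:4] != b"dex\n":
        raise ValueError("not a DEX header")
    return header[SIG_OFFSET:SIG_OFFSET + SIG_LEN]


def header_signature_matches_body(dex: bytes) -> bool:
    """The field is self-declared by the file, so recompute SHA-1 over 0x20..EOF and compare."""
    return hashlib.sha1(dex[SIG_OFFSET + SIG_LEN:]).digest() == header_signature(dex[:HEADER_SIZE])


def lookup(sig: bytes, normal_db: set, malicious_db: set) -> str:
    """Signature DB comparison: a known-bad match wins, then known-good, else unknown."""
    if sig in malicious_db:
        return "malicious"
    if sig in normal_db:
        return "normal"
    return "unknown"


def diagnose(apk_bytes: bytes, normal_db: set, malicious_db: set) -> str:
    """The patent's flow: header prefix only, parse the hash, compare against the DB."""
    return lookup(header_signature(read_dex_header(apk_bytes)), normal_db, malicious_db)


def diagnose_verified(apk_bytes: bytes, normal_db: set, malicious_db: set) -> str:
    """Added defender's check: read the full DEX and reject a header whose hash does not cover the body."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        dex = zf.read(DEX_ENTRY)
    if not header_signature_matches_body(dex):
        return "tampered"
    return lookup(header_signature(dex[:HEADER_SIZE]), normal_db, malicious_db)


if __name__ == "__main__":
    dex = build_dex(b"constructed bytecode payload")
    sig = header_signature(dex[:HEADER_SIZE])
    apk = build_apk(dex)
    print("header-only lookup:", diagnose(apk, set(), {sig}))
    # Flip one body byte without touching the header: the header lookup still "matches".
    tampered = build_apk(dex[:-1] + bytes([dex[-1] ^ 0xFF]))
    print("tampered, header-only:", diagnose(tampered, set(), {sig}))
    print("tampered, verified:  ", diagnose_verified(tampered, set(), {sig}))
```

The header-only path is what the patent claims and is cheap because `ZipExtFile.read(HEADER_SIZE)` inflates only the start of the entry. The verified path costs a full inflate and a SHA-1 over the body, which is the price of not trusting a hash the file reports about itself; with a consistent file both paths agree, and matching the DB on the header field is then equivalent to matching on a SHA-1 of the DEX body.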

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Telephone Function (AREA)

Abstract

According to the present invention, when diagnosing a malicious application in a portable terminal such as a smartphone with an Android operating system, the malicious application can be diagnosed quickly and accurately, and performance degradation of the terminal can be prevented, by extracting a DEX file comprising the execution code of an application from an apk file, which is the installation file of the application, decompressing only a partial region of the DEX file header comprising hash information for verification of the DEX file, and checking for the presence of the malicious application by comparing the hash information recorded in the DEX file header with signature hash information.
PCT/KR2013/010994 2012-12-17 2013-11-29 Appareil et méthode de diagnostic d'application malveillante WO2014098387A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR20120147229 2012-12-17
KR10-2012-0147229 2012-12-17

Publications (1)

Publication Number Publication Date
WO2014098387A1 true WO2014098387A1 (fr) 2014-06-26

Family

ID=50978654

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2013/010994 WO2014098387A1 (fr) 2012-12-17 2013-11-29 Appareil et méthode de diagnostic d'application malveillante

Country Status (1)

Country Link
WO (1) WO2014098387A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180025380A (ko) * 2016-08-30 2018-03-09 한남대학교 산학협력단 Banking application integrity verification system and integrity verification method using an APK file dynamic loading technique
CN109564613A (zh) * 2016-07-27 2019-04-02 日本电气株式会社 Signature creation device, signature creation method, recording medium recording a signature creation program, and software determination system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20110084693A (ko) * 2010-01-18 2011-07-26 (주)쉬프트웍스 Method for diagnosing malicious code and dangerous files on an Android terminal platform
KR20120031963A (ko) * 2012-01-30 2012-04-04 주식회사 안철수연구소 Malicious code blocking apparatus
KR20120071817A (ko) * 2010-12-23 2012-07-03 한국인터넷진흥원 Automatic management system for malicious code DNA and metadata

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20110084693A (ko) * 2010-01-18 2011-07-26 (주)쉬프트웍스 Method for diagnosing malicious code and dangerous files on an Android terminal platform
KR20120071817A (ko) * 2010-12-23 2012-07-03 한국인터넷진흥원 Automatic management system for malicious code DNA and metadata
KR20120031963A (ko) * 2012-01-30 2012-04-04 주식회사 안철수연구소 Malicious code blocking apparatus

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YOON, JIN SIK: "Malware Detection Technique of Android-based Smartphone using Static Analysis", MASTER'S THESIS, 2011, pages 15 - 30 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109564613A (zh) * 2016-07-27 2019-04-02 日本电气株式会社 Signature creation device, signature creation method, recording medium recording a signature creation program, and software determination system
KR20180025380A (ko) * 2016-08-30 2018-03-09 한남대학교 산학협력단 Banking application integrity verification system and integrity verification method using an APK file dynamic loading technique
KR101872104B1 (ko) 2016-08-30 2018-06-28 한남대학교 산학협력단 Banking application integrity verification system and integrity verification method using an APK file dynamic loading technique

Similar Documents

Publication Publication Date Title
CN103279706B (zh) Method and device for intercepting installation of an Android application program in a mobile terminal
US8726387B2 (en) Detecting a trojan horse
WO2015056885A1 (fr) Detection device and detection method for a malicious Android application
WO2021027630A9 (fr) Correction method, related apparatus and system
WO2019072008A1 (fr) Security scanning method and apparatus for a mini program, and electronic device
WO2014035043A1 (fr) Apparatus and method for diagnosing malicious applications
CN112685737A (zh) APP detection method, apparatus, device and storage medium
WO2011122845A2 (fr) Mobile communication terminal having a behaviour-based malicious program detection function and detection method therefor
US10176327B2 (en) Method and device for preventing application in an operating system from being uninstalled
Haris et al. Evolution of android operating system: a review
KR20110128632A (ko) Method and apparatus for detecting malicious behaviour of smartphone application programs
Zhukovskyy et al. Method of forensic analysis for compromising carrier-lock algorithm on 3G modem firmware
WO2014088262A1 (fr) Device and method for detecting fraudulent/modified applications
CN110362488B (zh) Page testing method, apparatus, electronic device and storage medium
CN110209416A (zh) Application software update method, apparatus, terminal and storage medium
WO2014010847A1 (fr) Apparatus and method for diagnosing malicious applications
CN105631312A (zh) Malicious program processing method and system
WO2021243555A1 (fr) Quick application testing method and apparatus, device and storage medium
WO2014168408A1 (fr) Cloud-based device, system and method for diagnosing malicious software
KR20130066901A (ko) Apparatus and method for analysing malware in a data analysis system
CN1869927A (zh) Device controller, method for controlling a device, and program therefor
CN115378686A (zh) Sandbox application method, apparatus and storage medium for an industrial control network
CN116578297A (zh) H5 page running method, apparatus, electronic device and storage medium
US20190102279A1 (en) Generating an instrumented software package and executing an instance thereof
WO2015037850A1 (fr) Device and method for detecting a URL address call

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13866124

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13866124

Country of ref document: EP

Kind code of ref document: A1