WO2015056885A1 - Detection device and detection method for malicious android application - Google Patents


Info

Publication number
WO2015056885A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
malicious
detection
file
detection data
Prior art date
Application number
PCT/KR2014/008560
Other languages
French (fr)
Korean (ko)
Inventor
김준섭
황명국
김동원
Original Assignee
(주)이스트소프트
주식회사 이스트시큐리티
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by (주)이스트소프트, 주식회사 이스트시큐리티 filed Critical (주)이스트소프트
Publication of WO2015056885A1 publication Critical patent/WO2015056885A1/en

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis

Definitions

  • the present invention relates to a detection device and a detection method for a malicious Android application, and more particularly to a detection device and detection method that detect a malicious application by extracting some of the components of the AndroidManifest file and the Classes file in the application package file and calculating the degree of identity with a malicious application pattern.
  • Operating systems (OSs) that control the behavior of smartphones include Apple's iOS, Google's Android, Nokia's Symbian, RIM's BlackBerry, and Microsoft's Windows Mobile. Unlike iOS, which distributes applications only through the App Store operated by Apple, smartphones using the Android OS can download applications through various channels.
  • Android-based applications which are spread through various types of application markets, also include malicious code created for malicious purposes, which may lead to the leakage of information that users did not intend while using the application.
  • FIG. 1 is a block diagram illustrating a structure of a smartphone malicious application detection system based on signature information according to the related art
  • FIG. 2 is a flowchart illustrating a process of detecting and removing a malicious application using the detection system of FIG. 1.
  • the malicious application detection system of the related art includes an analysis server 100 and a test smartphone 200, and connects to the user smartphone 400 and an application market 500 through a communication network 300 to exchange information and data.
  • the malicious application detection system obtains application information including signature information about an application newly installed in the user smartphone 400 from the malicious application detection program installed in the user smartphone 400.
  • the malicious application detection system obtains the installation file for the corresponding application from the application market 500 or elsewhere, based on the application information transmitted from the user smartphone 400, performs static analysis and dynamic analysis, and returns the result to the user smartphone 400.
  • the malicious application detection program provides a result of analyzing the malicious status of the newly installed application to the user, and when a delete command is input for the file, the malicious application detection program deletes and repairs the file.
  • the test smartphone 200 and the user smartphone 400 may have applications installed and used by the user.
  • the test smartphone 200 is a smartphone that the administrator of the malicious application detection system connects to the analysis server 100 to use for detecting malicious applications, and the user smartphone 400 has the malicious application detection program installed in the form of an application; the detection result for an application is notified to the user, and remediation is performed according to the user's selection.
  • the communication network 300 includes both the Internet, mobile communication networks such as 3G and 4G, Wi-Fi, WIBRO, and the like.
  • the analysis server 100 includes a static analysis module 110 for malicious application detection, a database 120 storing various information for supporting malicious application detection, and an application collection module 130 for collecting the applications to be analyzed.
  • the app collection module 130 obtains an app installation file from the app market 500 using the app package name transmitted from the malicious app detection program, or obtains it based on the app download location information included in the transmitted app information.
  • the DB 120 stores signature information (MD5 hash value, SHA1, application package name, etc.) for an application already registered as malicious.
  • the database 120 stores in advance the information on the API available for malicious behavior among API (Application Program Interface) used in the smartphone operating system.
  • the user smartphone 400 receives and installs a malicious application detection program from a download server operated in an application market or a malicious application detection system (S210).
  • the malicious application detection program extracts the signature information for the corresponding application from the application installation file and transmits it to the analysis server 100 (S220).
  • the analysis server 100 determines whether the application is malicious by comparing the application signature information transmitted from the user smartphone 400 with the signature information of malicious applications registered in the database 120 (S230). If the application is determined to be malicious in that step (S230-Y), the malicious application detection result can be provided to the user smartphone 400 immediately (S270).
  • the analysis server 100 collects the installation file of the analysis target application from the app market 600, etc. through the app collection module 130 (S240).
  • the analysis server 100 performs a static analysis operation for the application installation file through the static analysis module 110 (S250).
  • the static analysis module 110 decompresses the application installation file (for example, an APK file for Android) and extracts the executable file (for example, a DEX file for Android) from it, then generates a static analysis result that describes the malicious behavior associated with the APIs usable for malicious behavior. For example, a static analysis result is generated that includes information on whether the extracted API is related to personal information leakage, inducing abnormal charges, or abnormally operating the smartphone.
  • when the analysis server 100 is requested to remove the malicious application from the user smartphone 400, the detection and removal of the malicious application is completed.
  • existing methods of detecting malicious Android applications, such as the prior art, take data such as the package name in the AndroidManifest.xml file, the CRC value, SHA-1 value, class names and strings of the classes.dex file, and the MD5 value of the APK file, combine these hash values or enumerated values, and then hash the combination to use as a detection pattern. In other words, they use a signature-based detection method that relies on a specific unique value.
  • the present invention, devised to solve the above-mentioned problems, extracts the component and permission information from the AndroidManifest.xml file included in the Android-based application package file, together with the string
  • the object of the present invention is to provide a detection device and detection method for malicious Android applications that classify an application as malicious or normal according to similarity.
  • the present invention divides the pattern of the data contained in malicious applications, stored in advance in a database, into parts, and assigns a similarity according to how much of the malicious application pattern is contained in the extracted data pattern, in order to detect the malicious Android application
  • An object of the present invention is to provide such a detection apparatus and detection method.
  • the present invention, devised to solve the above-mentioned problem, is a system for detecting malicious applications by analyzing an Android application package (APK), and includes:
  • a detection data extracting unit 111 for extracting the detection data necessary for detecting malicious code from the AndroidManifest.xml file (hereinafter referred to as the 'Manifest file') and the Classes.dex file (hereinafter referred to as the 'Dex file') inside the Android application package;
  • a detection data DB 112 for storing the detection data extracted from the manifest file and the dex file by the detection data extraction unit 111;
  • a detection engine 113 that determines whether malicious code is included by using the detection data, and classifies the application package under diagnosis as a malicious application when a pattern matching a pattern of a malicious application package is included in the detection data; and
  • a malicious pattern DB 114 for storing the patterns included in applications determined to be malicious, wherein the detection data includes the components and permission information included in the Manifest file and the strings included in the Dex file.
  • a component is code that forms a basic unit of the user interface (UI) of the application, and comprises activity information, which provides an interface for interacting with the user; service information, which is code for a task executed in the background of the application; and receiver information, which is code called by the operating system (OS) as a broadcast receiver to receive and process messages generated by intents.
  • a method of detecting a malicious application by analyzing an Android application package comprises a first step of extracting the data necessary for detecting malicious code from the Manifest file and the Dex file inside the Android application package, and a second step in which the detection engine 113 classifies the application package under diagnosis as a malicious application when the detection data includes a pattern that matches a pattern of a malicious application package stored in the malicious pattern DB 114.
  • the detection data may include component and permission information included in the manifest file, string data and class data included in the Dex file.
  • a component is code that forms a basic unit of the UI of the application, and comprises activity information, which provides an interface for interacting with the user; service information, which is code for a task executed in the background of the application; and receiver information, which is code called by the OS as a broadcast receiver to receive and process messages generated by intents.
  • a malicious application can be detected by analyzing a structure of data related to execution of the application.
  • the pattern of malicious code stored in the database can be used for analysis of a plurality of application package files, thereby detecting a large number of modified malicious application packages.
  • FIG. 1 is a block diagram showing the structure of a smartphone malicious application detection system based on the signature information according to the prior art.
  • Figure 2 is a flow chart illustrating a process of detecting and removing malicious applications using the detection system of FIG. 1.
  • Figure 3 is a block diagram showing a connection state of the detection apparatus according to an embodiment of the present invention.
  • Figure 4 is a block diagram showing the internal structure of the malicious app detection device.
  • FIG. 5 is a block diagram showing the structure of a manifest file
  • Fig. 6 is a diagram showing an example of actual creation of the manifest file of Fig. 5;
  • FIG. 7 is a block diagram showing the structure of a Dex file.
  • FIG. 8 is a diagram showing an example of actual creation of a Dex file of FIG.
  • FIG. 9 is a flow chart showing the operation of the detection method of the present invention.
  • the "detecting device of an Android malicious application" (hereinafter referred to as the "detecting device") of the present invention is installed in any one of the user terminal 100, the application providing system 300, or the detection server 400.
  • the user terminal 100 of the present invention refers to a smartphone or tablet PC installed with the Android-based OS.
  • the detection device 110 installed in the user terminal 100 monitors whether the malicious application is included in the Android application installed or used by the user, and stops or deletes the execution of the application including the malicious code.
  • the detection device 110 operates when the application is installed or executed to detect malicious code.
  • the application providing system 300 is a system that provides application programs to the user terminal 100 online, and includes application markets such as the 'Play Store' operated by Google or 'Samsung Apps' operated by Samsung Electronics.
  • the detection device 110 installed in the application providing system 300 checks whether the malicious code is included before distributing the application provided by the system, thereby preventing the malicious code from being distributed.
  • Detection server 400 is a monitoring system that exists separately from the user terminal 100 and the application providing system 300; it is generally a system operated by a company that provides an anti-virus ('vaccine') program. The detection server 400 collects new applications in real time or periodically to examine whether they contain malicious code.
  • the detection apparatus 110 of the present invention is implemented as software, and it most preferably operates on the user terminal 100, where applications are installed and executed.
  • the user terminal 100 is connected to the application providing system 300 or the detection server 400 through a communication network 200, such as 3G or 4G mobile communication network or wired or wireless Internet.
  • the detection device 110 extracts the data used for malware detection from an application and analyzes the execution pattern of the program contained in the extracted data to determine whether its operation is the same as that of known malicious code. As a result of the analysis, an application that behaves like a malicious code pattern is classified as a malicious application, and otherwise the application is classified as a normal application.
  • the detection device 110 includes a detection data extracting unit 111, a detection data DB 112, a detection engine 113, and a malicious pattern DB 114.
  • Detection data extracting unit 111 extracts the detection data that helps detect malicious code from the AndroidManifest.xml file (hereinafter referred to as the 'Manifest file') and the Classes.dex file (hereinafter referred to as the 'Dex file') inside the Android application package (APK). The detection data is the part that does not change even when the application package is modified or repackaged, and is described in detail later.
  • the detection data DB 112 stores the detection data extracted from the manifest file and the Dex file by the detection data extracting unit 111 and delivers the detection data to the detection engine 113 to use for analyzing the malicious code.
  • the detection engine 113 determines whether the malicious code is included by using the extracted detection data, and calculates the matching degree by calling a pattern of the malicious APK stored in the malicious pattern DB 114. If it is found to have the same pattern as the malicious APK above a certain level, it is classified as a malicious application.
  • the malicious pattern DB 114 stores data on execution patterns of malicious codes that are already classified as malicious application packages by other detection systems.
  • Detection data necessary for analysis of the detection device 110 is extracted from the manifest file and the Dex file.
  • To extract the detection data, the application package to be analyzed is first loaded, and the Manifest file and Dex file are extracted by decompressing (decompiling) the application package. Extraction of the Manifest file and the Dex file may be performed by the detection apparatus 110 or by a separate system. The extracted Manifest file and Dex file are delivered to the detection device 110 to analyze the application.
  • Manifest file is a file that contains information about what kind of activity the application is doing and what permissions it needs. It includes application information such as project version, name, and execution permission. As shown in FIG. 5, the manifest file includes a package name, a component, and permission information.
  • the package name is a part of recording the unique name of the application package, and in the Android app market, only one application having a specific package name may exist (1 in FIG. 6).
  • Components include activity information, service information, and receiver information.
  • Activity information is a code that is a basic unit of an application user interface (UI), and serves to provide an interface for interacting with a user (2 in FIG. 6).
  • the service information is code for a task executed in the background of the application and is not exposed to the user (3 in FIG. 6).
  • the receiver information is a code called by the OS as a broadcast receiver, and is a code for receiving and processing a message generated by an intent. Receiver information is responsive to certain events, such as SMS reception (4 in FIG. 6).
  • the permission information defines the authority for operations performed when the application is executed (5 in FIG. 6). To perform an action such as receiving an SMS while the application is running, the permission must be requested from the OS, and this is written in the Manifest file.
  • the detection data extraction unit 111 extracts the component and permission information and delivers the extracted information to the detection engine 113.
  • for each component, the action field and the property values defined in each field are extracted.
  • the Dex file is an executable file created from compiled Java classes; the Java class files are converted into bytecode that the Dalvik Virtual Machine of the Android terminal can recognize.
  • the Dalvik virtual machine loads specific Java classes from a Dex file to execute the application's intended behavior.
  • the Dex file includes a header, string data, and class data.
  • the string data is a string used by the application and exists inside the Dex file (3 in FIG. 8).
  • the class data is a class list used by the application and includes a method list for each class (4 in FIG. 8).
  • The Manifest file is decompiled into a text document by the decompiler, and the Dex file is decompiled into jar files (*.jar) or Java files (*.java).
  • the detection data extracting unit 111 extracts the data to be used for detecting malicious applications (hereinafter referred to as 'detection data') from the decompiled Manifest file and Dex file.
  • component and permission information is extracted from the Manifest file, and string data and class data are extracted from the Dex file.
  • the extracted detection data (component, permission information, string data, class data) is stored in the detection data DB 112 and provided to the detection engine 113.
  • the extracted detection data may also be transmitted directly from the detection data extraction unit 111 to the detection engine 113.
  • the detection engine 113 analyzes the transmitted detection data to determine whether a malicious application pattern exists.
  • the malicious application pattern that the detection engine 113 uses as a comparison target is stored in the malicious pattern DB 114.
  • 1 is an example of a pattern stored in the malicious pattern DB 114, composed of elements that are compared against the components included in a Manifest file and a Dex file. Although the present invention illustrates one representative pattern, a real application package contains various values.
  • the detection device 110 classifies the application as malicious when the same data or character strings are included in the detection data extracted from the application package under inspection. If the degree of identity is below a certain level, or if there is no identical data at all, the application is classified as normal.
  • FIG. 9 is a flowchart illustrating an operation process of a detection method of the present invention.
  • a search is made for the application package for which it is to be determined whether it is a malicious application package (S202)
  • the subject of the search may vary depending on the installation location of the detection device 110; generally, the detection device 110 installed in the user terminal 100 diagnoses an application package installed or being installed in the user terminal 100.
  • a separate control unit decompresses the application package to be diagnosed (S204).
  • the application package is a compressed file in ZIP format, and includes the Manifest file, the Dex file, metadata, images, and other files.
  • Manifest file and Dex file are the target of detection.
  • the detection data extraction unit 111 extracts detection data from the decompressed manifest file and the Dex file (S206).
  • the detection data extraction unit 111 extracts the component and permission information from the Manifest file, and the string data and class data from the Dex file.
  • the extracted detection data is stored in a file or memory, and information about the stored location is transmitted to the detection engine 113 (S208).
  • the detection engine 113 analyzes the patterns included in the extracted detection data and checks whether a malicious application pattern exists (S210).
  • the malicious application pattern to be compared is retrieved from the malicious pattern DB 114.
  • the detection engine 113 classifies the application as malicious when a malicious application pattern is included among the patterns contained in the detection data.
  • the detection data includes component data, permission information, string data, and class data, and each data may include a plurality of patterns.
  • the detection engine 113 may classify the application as malicious not only when the entire method list matches, but also when partial matching of the method list yields the same pattern.
  • when a pattern exactly the same as a malicious application pattern is found, the application may be classified as malicious; when a string that is only partially identical is found, it may be classified as a suspicious application; and if none of the same patterns are found, it can be classified as a normal application.
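The following is an added example, not code from the patent or from its assignee, that walks through the detection flow of steps S202 to S210 end to end: extracting components, intent actions and permissions from a decompiled (apktool-style text) Manifest file, combining them with the string table and class/method list taken from the Dex file, and scoring that detection data against a malicious-pattern DB with full and partial matching. The manifest text, the Dex data, the pattern entry, the scoring rule (fraction of pattern elements present) and the thresholds are all constructed assumptions for illustration; real APKs carry the manifest as binary XML, which would first have to be decoded as the patent's decompilation step describes.

```python
"""Added example of the patent's extract-then-match flow (assumed design, not the
patent's own implementation).  Stdlib only; all sample data is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed decompiled manifest text (what a decompiler would emit as plain XML).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed Dex-side detection data: string table plus class -> method list.
SAMPLE_DEX = {
    "strings": {"http://example.invalid/upload", "getMessageBody", "sendTextMessage"},
    "classes": {"Lcom/example/sample/SmsReceiver;": {"onReceive", "forward"},
                "Lcom/example/sample/MainActivity;": {"onCreate"}},
}

# A constructed benign package for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hello">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""
BENIGN_DEX = {"strings": {"Hello"},
              "classes": {"Lcom/example/hello/MainActivity;": {"onCreate"}}}

# Constructed malicious-pattern DB entry (hypothetical family name and elements).
MALICIOUS_PATTERNS = [
    {"name": "sms-forwarder-family",
     "permission": {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"},
     "receiver_action": {"android.provider.Telephony.SMS_RECEIVED"},
     "string": {"getMessageBody", "sendTextMessage"},
     "method": {"onReceive", "forward", "hideIcon"}},
]
CATEGORIES = ("permission", "receiver_action", "string", "method")


def extract_manifest_data(manifest_xml):
    """Step S206, manifest side: package name, components with their intent
    actions, and requested permissions."""
    root = ET.fromstring(manifest_xml)
    data = {"package": root.get("package"), "permissions": set(),
            "activity": {}, "service": {}, "receiver": {}}
    for up in root.iter("uses-permission"):
        data["permissions"].add(up.get(ANDROID_NS + "name"))
    for kind in ("activity", "service", "receiver"):
        for comp in root.iter(kind):
            actions = {a.get(ANDROID_NS + "name") for a in comp.iter("action")}
            data[kind][comp.get(ANDROID_NS + "name")] = actions
    return data


def flatten_detection_data(manifest_data, dex_data):
    """Turn manifest and Dex data into (category, value) pairs.  The package name is
    deliberately left out: it changes on repackaging, which is what the patent's
    detection data is meant to survive."""
    elems = {("permission", p) for p in manifest_data["permissions"]}
    for actions in manifest_data["receiver"].values():
        elems |= {("receiver_action", a) for a in actions}
    elems |= {("string", s) for s in dex_data["strings"]}
    for methods in dex_data["classes"].values():
        elems |= {("method", m) for m in methods}
    return elems


def match_score(pattern, elems):
    """Assumed degree-of-identity rule: share of the pattern's elements present."""
    wanted = {(cat, v) for cat in CATEGORIES for v in pattern[cat]}
    return len(wanted & elems) / len(wanted)


def classify(manifest_xml, dex_data, patterns=MALICIOUS_PATTERNS, partial=0.5):
    """Step S210: full match -> malicious, partial match above the threshold ->
    suspicious, otherwise normal.  Returns (verdict, best pattern name, score)."""
    elems = flatten_detection_data(extract_manifest_data(manifest_xml), dex_data)
    best = max(patterns, key=lambda p: match_score(p, elems))
    score = match_score(best, elems)
    if score == 1.0:
        verdict = "malicious"
    elif score >= partial:
        verdict = "suspicious"
    else:
        verdict = "normal"
    return verdict, best["name"], score


if __name__ == "__main__":
    print(classify(SAMPLE_MANIFEST, SAMPLE_DEX))   # suspicious: 7 of 8 elements hit
    print(classify(BENIGN_MANIFEST, BENIGN_DEX))   # normal
```

The sample package hits seven of the eight elements in the constructed pattern (only the hypothetical `hideIcon` method is absent), so it lands in the suspicious band rather than being declared malicious outright; the threshold and the equal weighting of permissions, actions, strings and methods are design choices a deployment would tune against its own pattern DB.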

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Telephone Function (AREA)
  • Stored Programmes (AREA)

Abstract

The present invention relates to a detection device and a detection method for a malicious Android application and, more specifically, to a detection device and a detection method for a malicious Android application, which are capable of detecting a malicious application by extracting some of the elements of a Manifest file and a Dex file inside an application package file to calculate a degree of similarity with a malicious application pattern. According to the present invention, a malicious application can be detected by analyzing the structure of data related to the execution of an application even when a part of data in an application package file is changed or a malicious code is repackaged into a normal application package.

Description

안드로이드 악성 애플리케이션의 탐지장치 및 탐지방법Android Malicious Application Detection Device and Detection Method
본 발명은 안드로이드 악성 애플리케이션의 탐지장치 및 탐지방법에 관한 것으로서, 보다 상세하게는 애플리케이션 패키지 파일 내부의 AndroidManifest 파일과 Classes 파일의 구성요소 중 일부를 추출하여 악성 애플리케이션 패턴과 동일성 정도를 계산함으로써 악성 애플리케이션을 탐지하도록 하는 안드로이드 악성 애플리케이션의 탐지장치 및 탐지방법에 관한 것이다.The present invention relates to a detection device and a detection method of an Android malicious application, and more particularly, by extracting a part of the components of the AndroidManifest file and the Classes file in the application package file to calculate the degree of identity and the degree of identity of the malicious application pattern The present invention relates to a detection device and a detection method of an Android malicious application.
스마트폰의 동작을 제어하는 운영체계(OS)에는 애플의 iOS, 구글의 안드로이드(Android), 노키아의 심비안(Symbian), 림(RIM)의 블랙베리, 마이크로소프트의 윈도우 모바일(Windows Mobile) 등이 있다. 이 중에서 애플이 운영하는 앱스토어를 통해서만 폐쇄적으로 애플리케이션(Application)을 배포하는 iOS와 달리, 안드로이드 OS를 사용하는 스마트폰은 여러 경로를 통해 애플리케이션을 다운로드 받을 수 있다.Operating systems (OSs) that control the behavior of smartphones include Apple's iOS, Google's Android, Nokia's Symbian, RIM's BlackBerry, and Microsoft's Windows Mobile. have. Unlike iOS, which distributes applications only through the App Store operated by Apple, smartphones using Android OS can download applications through various paths.
다양한 형태의 애플리케이션 마켓을 통해 전파되는 안드로이드용 애플리케이션에는 악의적인 의도로 제작된 악성코드가 함께 포함되어 있어서 사용자가 애플리케이션을 사용하는 동안, 사용자가 의도하지 않았던 정보의 유출이 일어나는 경우가 있다.Android-based applications, which are spread through various types of application markets, also include malicious code created for malicious purposes, which may lead to the leakage of information that users did not intend while using the application.
도 1은 종래기술에 따른 시그니쳐 정보 기반의 스마트폰 악성 어플 탐지시스템의 구조를 나타낸 블럭도이며, 도 2는 도 1의 탐지시스템을 이용하여 악성 어플을 탐지 및 제거하는 과정을 나타낸 순서도이다.1 is a block diagram illustrating a structure of a smartphone malicious application detection system based on signature information according to the related art, and FIG. 2 is a flowchart illustrating a process of detecting and removing a malicious application using the detection system of FIG. 1.
도 1을 참고하면, 종래기술의 악성 어플 탐지 시스템은 분석 서버(100)와 테스트용 스마트폰(200)을 포함하고, 통신망(300)을 통해 사용자 스마트폰(400)과 어플 마켓(500)에 접속하여 정보 및 데이터를 교환한다.Referring to FIG. 1, the malicious application detection system of the related art includes an analysis server 100 and a test smartphone 200, and the user smartphone 400 and an application market 500 through a communication network 300. Connect and exchange information and data.
The malicious application detection system obtains, from the malicious application detection program installed on the user smartphone (400), application information, including signature information, about an application newly being installed on the user smartphone (400). Based on the application information transmitted from the user smartphone (400), the malicious application detection system then obtains the installation file for that application from the application market (500) or the like, performs static and dynamic analysis, and returns the result to the user smartphone (400).
Here, the malicious application detection program presents to the user the result of analyzing whether the newly installed application is malicious and, when a delete command for the file is input, deletes the file to remediate it.
The test smartphone (200) and the user smartphone (400) can install and run applications of the user's choosing. The test smartphone (200) is a smartphone that the administrator of the malicious application detection system connects to the analysis server (100) and uses for detecting malicious applications; the user smartphone (400) has the malicious application detection program installed in application form, notifies the user of the detection result for a malicious application, and carries out remediation such as deleting the application according to the user's selection.
The communication network (300) includes the Internet, mobile communication networks such as 3G and 4G, Wi-Fi, WIBRO, and the like.
The analysis server (100) includes a static analysis module (110) for detecting malicious applications, a database (120) that stores various information supporting malicious application detection, and an application collection module (130) that collects the applications to be analyzed.
The application collection module (130) obtains the application installation file from the application market (500) using the application package name transmitted from the malicious application detection program, or obtains it based on the application download location information included in the transmitted application information.
The DB (120) stores signature information (MD5 hash value, SHA1, application package name, etc.) for applications already registered as malicious. The database (120) also pre-defines and stores information on those APIs, among the Application Program Interfaces (APIs) used by the smartphone operating system, that can be used for malicious behavior.
Referring to FIG. 2, the user smartphone (400) first receives and installs the malicious application detection program from an application market or from a download server operated by the malicious application detection system (S210).
When an attempt is made to install a new application on the user smartphone (400) (S215), the malicious application detection program extracts the signature information for that application from the application installation file and transmits it to the analysis server (100) (S220).
The analysis server (100) then compares the application signature information transmitted from the user smartphone (400) with the signature information of malicious applications registered in the database (120) to determine whether the application is malicious (S230). If the application is determined to be malicious in this step (S230-Y), the malicious application detection result can be provided to the user smartphone (400) immediately (S270).
If it is not determined to be malicious (S230-N), the analysis server (100) collects the installation file of the application to be analyzed from the application market (600) or the like through the application collection module (130) (S240).
Next, the analysis server (100) performs static analysis on the application installation file through the static analysis module (110) (S250).
The static analysis module (110) decompresses the application installation file (for Android, an APK file) and extracts the executable file (for Android, a DEX file) from it. It then generates a static analysis result that includes the malicious behavior associated with the APIs usable for malicious behavior, for example whether an extracted API relates to leaking personal information, inducing abnormal charges, or making the smartphone behave abnormally.
If the analysis determines that the application is malicious, the analysis server (100) requests the user smartphone (400) to remove the malicious application, completing the detection and removal of the malicious application.
However, existing methods of detecting malicious Android applications such as this prior art use as detection patterns data hash values such as the package name in the AndroidManifest.xml file, the CRC value, SHA-1 value, class names and strings in the classes.dex file, and the MD5 value of the APK file, or a hash taken over a combination of these values. That is, they use signature-based detection that relies on specific unique values.
Such signature-based detection techniques fail to detect a malicious application when some of the data in its file is changed or when the malicious code is repackaged into a normal application. In other words, when a variant of a malicious application appears, it goes undetected even though the malicious application's code itself has not changed.
To solve the above problems, an object of the present invention is to provide a detection device and detection method for malicious Android applications that extracts component and permission information from the AndroidManifest.xml file contained in an Android application package file, extracts string data and class data from the classes.dex file, compares them with the patterns of malicious applications, and classifies the application as malicious or normal according to the degree of similarity.
A further object of the present invention is to provide a detection device and detection method for malicious Android applications in which the patterns of the data contained in malicious applications are divided into parts and stored in a database in advance, and a similarity is assigned according to the extent to which the patterns of a malicious application are included in the patterns of the extracted data.
The present invention devised to solve the above problems is a system that detects malicious applications by analyzing an Android application package (APK), comprising: a detection data extraction unit (111) that extracts, from the AndroidManifest.xml file (hereinafter 'Manifest file') and the Classes.dex file (hereinafter 'Dex file') inside the Android application package, the detection data needed to detect malicious code; a detection data DB (112) that stores the detection data extracted from the Manifest file and the Dex file by the detection data extraction unit (111); a detection engine (113) that uses the detection data to determine whether malicious code is included, classifying the application package under diagnosis as a malicious application when the detection data contains a pattern matching the pattern of a malicious application package; and a malicious pattern DB (114) that stores the patterns contained in applications determined to be malicious, wherein the detection data consists of the component and permission information contained in the Manifest file and the string data and class data contained in the Dex file.
The component includes: activity information, which is the code forming the basic unit of the application's user interface (UI) and provides the interface for interaction with the user; service information, which is the code for tasks executed in the background of the application; and receiver information, which is the code the operating system (OS) invokes as a broadcast receiver, receiving and processing messages raised as Intents.
According to another embodiment, the present invention is a method of detecting malicious applications by analyzing an Android application package, comprising: a first step in which the detection data extraction unit (111) extracts, from the Manifest file and the Dex file inside the Android application package, the detection data needed to detect malicious code; and a second step in which the detection engine (113) classifies the application package under diagnosis as a malicious application when the detection data contains a pattern matching the pattern of a malicious application package stored in the malicious pattern DB (114), wherein the detection data consists of the component and permission information contained in the Manifest file and the string data and class data contained in the Dex file.
The component includes: activity information, which is the code forming the basic unit of the application's UI and provides the interface for interaction with the user; service information, which is the code for tasks executed in the background of the application; and receiver information, which is the code the OS invokes as a broadcast receiver, receiving and processing messages raised as Intents.
According to the present invention, even when part of the data in an application package file is changed or malicious code is repackaged into a normal application package, the malicious application can be detected by analyzing the structure of the data related to the application's execution.
Furthermore, the malicious code patterns stored in the database can be used in the analysis of many application package files, so that many modified malicious application packages can be detected.
FIG. 1 is a block diagram showing the structure of a signature-information-based smartphone malicious application detection system according to the prior art.
FIG. 2 is a flowchart showing the process of detecting and removing a malicious application using the detection system of FIG. 1.
FIG. 3 is a block diagram showing the connection state of the detection device according to an embodiment of the present invention.
FIG. 4 is a block diagram showing the internal structure of the malicious app detection device.
FIG. 5 is a block diagram showing the structure of the Manifest file.
FIG. 6 is a diagram showing an actual example of the Manifest file of FIG. 5.
FIG. 7 is a block diagram showing the structure of the Dex file.
FIG. 8 is a diagram showing an actual example of the Dex file of FIG. 7.
FIG. 9 is a flowchart showing the operation of the detection method of the present invention.
Hereinafter, the "detection device and detection method for malicious Android applications" according to an embodiment of the present invention is described with reference to the drawings.
FIG. 3 is a block diagram showing the connection state of the detection device according to an embodiment of the present invention; FIG. 4 is a block diagram showing the internal structure of the malicious app detection device; FIG. 5 is a block diagram showing the structure of the AndroidManifest file; FIG. 6 is a diagram showing an actual example of the AndroidManifest file of FIG. 5; FIG. 7 is a block diagram showing the structure of the Classes file; and FIG. 8 is a diagram showing an actual example of the Classes file of FIG. 7.
The "detection device for malicious Android applications" of the present invention (hereinafter 'detection device') is installed on any one of the user terminal (100), the application providing system (300), and the detection server (400).
The user terminal (100) of the present invention is a smartphone or tablet PC running an Android-based OS. The detection device (110) installed on the user terminal (100) monitors whether the Android applications the user installs or runs contain malicious code, and stops the execution of, or deletes, any application containing malicious code. When the detection device (110) is installed on the user terminal (100), it operates at application installation or execution time to detect malicious code.
The application providing system (300) is a system that provides application programs to the user terminal (100) online, and includes operating systems such as the 'Play Store' run by Google and 'Samsung Apps' run by Samsung Electronics. The detection device (110) installed on the application providing system (300) checks the applications provided by that system for malicious code before distribution, preventing malicious code from being distributed.
The detection server (400) is a monitoring system that exists separately from the user terminal (100) and the application providing system (300); typically it is the system of a company that provides anti-malware (vaccine) software. The detection server (400) collects new applications in real time or periodically and checks them for malicious code.
The detection device (110) of the present invention is installed as software; it is most preferable for it to operate on the user terminal (100), where applications are installed and executed.
The user terminal (100) is connected to the application providing system (300) or the detection server (400) through a communication network (200) such as a 3G or 4G mobile communication network or the wired or wireless Internet.
The detection device (110) extracts the data used for malware detection from an application and analyzes the execution pattern of the program contained in the extracted data to determine whether it behaves in the same way as malicious code. As a result of the analysis, applications that behave in the same way as a malicious code pattern are identified and classified as malicious applications, and the rest are classified as normal applications.
The detection device (110) consists of a detection data extraction unit (111), a detection data DB (112), a detection engine (113), and a malicious pattern DB (114).
The detection data extraction unit (111) extracts, from the AndroidManifest.xml file (hereinafter 'Manifest file') and the Classes.dex file (hereinafter 'Dex file') inside the Android application package (APK), detection data that helps detect malicious code. The detection data is the part that does not change even when the application package is modified or repackaged; details are given below.
The detection data DB (112) stores the detection data extracted from the Manifest file and the Dex file by the detection data extraction unit (111) and passes it to the detection engine (113) for use in analyzing malicious code.
The detection engine (113) uses the extracted detection data to determine whether malicious code is included: it retrieves the patterns of malicious APKs stored in the malicious pattern DB (114) and computes the degree of match. If the application is found to share the same pattern as a malicious APK above a certain level, it is classified as a malicious application. For the analysis by the detection engine (113), the malicious pattern DB (114) stores data on the execution patterns of malicious code that has already been classified as a malicious application package by other detection systems.
The detection data needed for analysis by the detection device (110) is extracted from the Manifest file and the Dex file.
To extract the detection data, the application package to be analyzed is first loaded and decompressed (decompiled) to extract the Manifest file and the Dex file. Extraction of the Manifest file and the Dex file may be performed by the detection device (110) or by a separate system. The extracted Manifest file and Dex file are passed to the detection device (110), where the application is analyzed.
The Manifest file contains information on what the application does (its activities) and what permissions it needs, and holds application information such as the project's version, name, and execution permissions. As shown in FIG. 5, the Manifest file includes the package name, components, and permission information.
The package name records the unique name of the application package; in the Android app market, only one application with a given package name can exist (① in FIG. 6).
The components include activity information, service information, and receiver information.
Activity information is the code forming the basic unit of the application's user interface (UI), and provides the interface for interaction with the user (② in FIG. 6).
Service information is the code for tasks executed in the background of the application, a part not exposed to the user (③ in FIG. 6).
Receiver information is the code the OS invokes as a broadcast receiver; it receives and processes messages raised as Intents. Receiver information responds to specific events such as receipt of an SMS (④ in FIG. 6).
Permission information defines the rights for operations performed while the application runs (⑤ in FIG. 6). For an application to perform an action such as receiving an SMS while running, it must request permission from the OS to perform that operation, and this request is recorded in the Manifest file.
Of these, the detection data extraction unit (111) extracts the component and permission information and passes it to the detection engine (113). From the components it extracts the action fields and attribute values defined in each field.
The Dex file, on the other hand, is an executable built from compiled Java classes: the Java class files are converted into bytecode so that the Dalvik Virtual Machine on the Android device can recognize them. The Dalvik virtual machine loads particular Java classes from the Dex file to carry out the application's intended behavior. As shown in FIG. 7, the Dex file consists of a header, string data, and class data.
String data is the strings used by the application and resides inside the Dex file (③ in FIG. 8).
Class data is the list of classes used by the application and includes a method list for each class (④ in FIG. 8).
The Manifest file is decompiled into a text document by a decompiler, and the Dex file is decompiled into a jar file (*.jar) or Java files (*.java).
The detection data extraction unit (111) extracts the data to be used for detecting malicious applications (hereinafter 'detection data') from the decompiled Manifest file and Dex file: component and permission information from the Manifest file, and string data and class data from the Dex file.
The extracted detection data (components, permission information, string data, class data) is stored in the detection data DB (112) and then provided to the detection engine (113). When extraction and analysis are performed in real time, it may also be passed directly from the detection data extraction unit (111) to the detection engine (113).
The detection engine (113) analyzes the received detection data to determine whether a malicious application pattern is present. The malicious application patterns that the detection engine (113) uses for comparison are stored in the malicious pattern DB (114).
[Reference Figure 1] (image PCTKR2014008560-appb-I000001)
[Reference Figure 1] is an example of a pattern stored in the malicious pattern DB (114); it consists of elements corresponding to the elements contained in the Manifest file and the Dex file. The present invention illustrates one representative pattern, but a variety of values exist in actual application packages.
[Reference Figure 2] (image PCTKR2014008560-appb-I000002)
[Reference Figure 2] illustrates a package in which unique values are used for each component of the application. The detection device (110) classifies the application as malicious when the detection data extracted from the application package under examination contains the same data or strings. When the degree of identity is below a certain level, or there is no identical data at all, it classifies the application as normal.
FIG. 9 is a flowchart showing the operation of the detection method of the present invention.
The specific operation of the detection device (110) of the present invention is described step by step with reference to FIG. 9.
First, the application package to be examined for a malicious application package is located (S202). The entity performing this search may vary with where the detection device (110) is installed; generally, the detection device (110) installed on the user terminal (100) diagnoses application packages that are installed or are being installed on the user terminal (100).
A separate control unit (not shown) decompresses the application package to be diagnosed (S204). The application package is a compressed file in ZIP format consisting of the Manifest file, the Dex file, metadata, images, and other files. Of these, the Manifest file and the Dex file are the targets of detection.
The detection data extraction unit (111) extracts the detection data from the decompressed Manifest file and Dex file (S206): the component and permission information from the Manifest file, and the string data and class data from the Dex file.
The extracted detection data is stored in a file or in memory, and information on the storage location is passed to the detection engine (113) (S208).
The detection engine (113) analyzes the patterns contained in the extracted detection data and checks whether a malicious application pattern is present (S210). The malicious application patterns used for comparison are retrieved from the malicious pattern DB (114).
The detection engine (113) classifies the application as malicious when the patterns contained in the detection data include a malicious application pattern. The detection data includes component data, permission information, string data, and class data, and each may contain many patterns. The detection engine (113) may classify the application as malicious not only when the entire method list matches, but also when partial matching of the method list finds the same pattern.
In some cases, an application in which a pattern exactly identical to a malicious application pattern is found may be classified as malicious, while one in which a partially, but not completely, identical string is found may be classified as suspicious. An application in which no pattern identical to a malicious pattern is found at all may be classified as normal.
Although preferred embodiments of the present invention have been described above with reference to the accompanying drawings, those skilled in the art to which the present invention pertains will understand that the technical configuration of the present invention described above may be practiced in other specific forms without changing its technical spirit or essential features. The embodiments described above are therefore to be understood as illustrative in all respects and not restrictive; the scope of the present invention is indicated by the appended claims rather than by the foregoing detailed description, and all changes or modifications derived from the meaning and scope of the claims and their equivalents should be construed as falling within the scope of the present invention.
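As an added example that is not part of the patent or the applicant's own code, the following Python sketch models steps S206 to S210 on constructed data: it extracts component and permission information from a decompiled Manifest file, takes string data and class data in the form a Dex decompiler would yield, scores them against a constructed malicious pattern DB with partial method-list matching, and applies the malicious/suspicious/normal split described above. The manifest, string table, class list, pattern entry, and the two score thresholds are all assumptions; the package name is deliberately left out of the score, since the whole point of the method is to survive renaming and repackaging.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed Manifest file, as it would look after decompilation to text.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".UploadService"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
# Constructed stand-ins for the Dex string data and class data (class name -> method list).
SAMPLE_STRINGS = ["http://example.invalid/upload", "pdu", "getMessageBody"]
SAMPLE_CLASSES = {
    "com.example.game.SmsReceiver": ["onReceive", "forwardSms", "hideNotification"],
    "com.example.game.UploadService": ["onStartCommand", "postData"],
}
# Constructed benign package used as a counter-example.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""
BENIGN_STRINGS = ["Untitled note"]
BENIGN_CLASSES = {"com.example.notes.MainActivity": ["onCreate", "saveNote"]}


def extract_detection_data(manifest_xml, strings, classes):
    """Step S206: components and permissions from the Manifest, strings and classes from the Dex."""
    root = ET.fromstring(manifest_xml)
    components = {"activity": set(), "service": set(), "receiver": set()}
    for kind, names in components.items():
        for node in root.iter(kind):
            names.add(node.get(ANDROID_NS + "name"))
            for action in node.iter("action"):  # action fields of the component's intent-filter
                names.add(action.get(ANDROID_NS + "name"))
    return {
        "components": components,
        "permissions": {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")},
        "strings": set(strings),
        "classes": dict(classes),
    }


# Constructed entry standing in for the malicious pattern DB (114).
PATTERN_DB = [{
    "name": "constructed.sms-forwarder",
    "permissions": {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"},
    "receiver_actions": {"android.provider.Telephony.SMS_RECEIVED"},
    "strings": {"pdu", "getMessageBody"},
    "methods": ["onReceive", "forwardSms", "hideNotification", "deleteSms"],
}]
# Assumed cut-offs; the patent only says "above a certain level".
MALICIOUS_THRESHOLD = 0.8
SUSPICIOUS_THRESHOLD = 0.3


def similarity(data, pattern):
    """Step S210: share of the pattern's elements present in the detection data.
    The method list is matched partially: the best class counts by the fraction
    of the pattern's methods it contains."""
    checks = [p in data["permissions"] for p in pattern["permissions"]]
    checks += [a in data["components"]["receiver"] for a in pattern["receiver_actions"]]
    checks += [s in data["strings"] for s in pattern["strings"]]
    checks.append(max((sum(m in methods for m in pattern["methods"]) / len(pattern["methods"])
                       for methods in data["classes"].values()), default=0.0))
    return sum(checks) / len(checks)


def classify(data, pattern_db=PATTERN_DB):
    """Return (verdict, best score, matched pattern name) for one package."""
    best_name, best_score = None, 0.0
    for pattern in pattern_db:
        score = similarity(data, pattern)
        if score > best_score:
            best_name, best_score = pattern["name"], score
    if best_score >= MALICIOUS_THRESHOLD:
        verdict = "malicious"
    elif best_score >= SUSPICIOUS_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "normal"
    return verdict, round(best_score, 3), best_name


if __name__ == "__main__":
    print("sample:", classify(extract_detection_data(SAMPLE_MANIFEST, SAMPLE_STRINGS, SAMPLE_CLASSES)))
    print("benign:", classify(extract_detection_data(BENIGN_MANIFEST, BENIGN_STRINGS, BENIGN_CLASSES)))
```

The sample package matches five of six pattern elements exactly and three of the four methods, so it scores above the malicious cut-off even though its method list is not a complete match; the benign package shares only the INTERNET permission and falls below the suspicious cut-off.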

Claims (4)

  1. A system that detects malicious applications by analyzing an Android application package (APK), comprising:
    a detection data extraction unit (111) that extracts, from the AndroidManifest.xml file (hereinafter 'Manifest file') and the Classes.dex file (hereinafter 'Dex file') inside the Android application package, the detection data needed to detect malicious code;
    a detection data DB (112) that stores the detection data extracted from the Manifest file and the Dex file by the detection data extraction unit (111);
    a detection engine (113) that uses the detection data to determine whether malicious code is included, classifying the application package under diagnosis as a malicious application when the detection data contains a pattern matching the pattern of a malicious application package; and
    a malicious pattern DB (114) that stores the patterns contained in applications determined to be malicious,
    wherein the detection data consists of the component and permission (Permission) information contained in the Manifest file and the string (String) data and class (Class) data contained in the Dex file.
  2. 제1항에 있어서,The method of claim 1,
    상기 컴포넌트는 The component is
    상기 애플리케이션의 UI(User Interface)의 기본단위가 되는 코드로서, 사용자와의 상호작용을 위한 인터페이스를 제공하는 기능을 하는 액티비티(Activity) 정보와;Activity information that serves as a basic unit of a user interface (UI) of the application, and serves to provide an interface for interacting with a user;
    상기 애플리케이션의 백그라운드로 실행되는 작업을 위한 코드인 서비스(Service) 정보와;Service information which is code for a task executed in the background of the application;
    브로드캐스트 리시버로서 OS(Operating System)가 호출하는 코드이며, Intent로 발생하는 메시지를 수신하여 처리하는 리시버(Receiver) 정보;를 포함하는, 안드로이드 악성 애플리케이션의 탐지장치.A code that is called by an operating system (OS) as a broadcast receiver and includes receiver information for receiving and processing a message generated by an intent.
  3. 안드로이드 애플리케이션 패키지를 분석하여 악성 애플리케이션을 탐지하는 방법으로서,A method of detecting malicious applications by analyzing Android application packages.
    탐지데이터추출부(111)가 상기 안드로이드 애플리케이션 패키지 내부의 Manifest 파일과 Dex 파일에서 악성코드의 탐지에 필요한 탐지데이터를 추출하는 제1단계와;A first step of extracting, by the detection data extracting unit, detection data necessary for detecting malicious code from a manifest file and a Dex file in the Android application package;
    악성패턴DB(114)에 저장된 악성 애플리케이션 패키지의 패턴과 일치하는 패턴이 상기 탐지데이터에 포함된 경우, 탐지엔진(113)이 진단 대상이 되는 애플리케이션 패키지를 악성 애플리케이션으로 분류하는 제2단계;를 포함하며,A second step of classifying the application package to be diagnosed as a malicious application when the detection engine 113 includes a pattern that matches a pattern of a malicious application package stored in the malicious pattern DB 114 in the detection data. ,
    상기 탐지데이터는 상기 Manifest 파일에 포함된 컴포넌트와 퍼미션 정보, 상기 Dex 파일에 포함된 스트링 데이터와 클래스 데이터로 이루어지는 것을 특징으로 하는, 안드로이드 악성 애플리케이션의 탐지방법.The detection data comprises a component and permission information included in the manifest file, string data and class data included in the Dex file, Android malicious application detection method.
  4. 제3항에 있어서,The method of claim 3,
    상기 컴포넌트는The component is
    상기 애플리케이션의 UI의 기본단위가 되는 코드로서, 사용자와의 상호작용을 위한 인터페이스를 제공하는 기능을 하는 액티비티 정보와;Activity information serving as a basic unit of the UI of the application, the function providing a interface for interacting with a user;
    상기 애플리케이션의 백그라운드로 실행되는 작업을 위한 코드인 서비스 정보와;Service information which is code for a task executed in the background of the application;
    브로드캐스트 리시버로서 OS가 호출하는 코드이며, Intent로 발생하는 메시지를 수신하여 처리하는 리시버 정보;를 포함하는, 안드로이드 악성 애플리케이션의 탐지방법.The code is called by the OS as a broadcast receiver, the receiver information for receiving and processing a message generated by the Intent; including, Android malicious application detection method.
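The pipeline the claims describe (extract components and permissions from the Manifest file, strings and classes from the Dex file, then match against a malicious pattern DB) and the three-way verdict from the description (exact pattern match: malicious; partial string match: suspicious; no match: normal) can be illustrated in a few dozen lines. The following is an added example written for this page, not code from the patent or its assignee. It assumes a decoded (plain-XML) manifest, since a real APK stores AndroidManifest.xml in binary XML, and it takes the Dex string table and class list as constructed Python lists rather than parsing a real classes.dex; the pattern DB, the feature names and the "at least half of a pattern's features" threshold for a partial match are likewise constructed for illustration.

```python
"""Minimal detection-data extraction and pattern matching for an Android package.

Added example (not the patent's implementation). The manifest, Dex strings, Dex
classes and malicious pattern DB below are all constructed sample data.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded XML, not the binary form found in an APK).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application>
        <activity android:name=".MainActivity"/>
        <service android:name=".SyncService"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""
# Constructed stand-ins for the Dex string table and class list.
SAMPLE_DEX_STRINGS = ["http://example.invalid/upload", "getMessageBody", "sendTextMessage"]
SAMPLE_DEX_CLASSES = ["Lcom/example/sample/MainActivity;", "Lcom/example/sample/SmsReceiver;"]

# Constructed malicious pattern DB (the role of malicious pattern DB 114): each entry
# is the set of detection features seen together in a known-malicious package.
MALICIOUS_PATTERN_DB: Dict[str, FrozenSet[str]] = {
    "sms-stealer-A": frozenset({
        "android.permission.RECEIVE_SMS",
        "android.permission.INTERNET",
        "getMessageBody",
        "http://malicious.invalid/upload",
    }),
    "dropper-B": frozenset({"android.permission.INSTALL_PACKAGES", "Lcom/evil/Dropper;"}),
}


@dataclass(frozen=True)
class DetectionData:
    """Detection data as defined in claim 1: Manifest components and permissions,
    Dex strings and classes."""
    activities: FrozenSet[str]
    services: FrozenSet[str]
    receivers: FrozenSet[str]
    permissions: FrozenSet[str]
    strings: FrozenSet[str]
    classes: FrozenSet[str]

    def all_features(self) -> FrozenSet[str]:
        return (self.activities | self.services | self.receivers
                | self.permissions | self.strings | self.classes)


def extract_detection_data(manifest_xml: str, dex_strings: Iterable[str],
                           dex_classes: Iterable[str]) -> DetectionData:
    """Role of detection data extraction unit 111: pull components and permissions
    from the manifest; Dex strings/classes are passed in already extracted."""
    root = ET.fromstring(manifest_xml)

    def names(tag: str) -> FrozenSet[str]:
        # android:name attributes of every element with the given tag
        return frozenset(n for n in (el.get(ANDROID_NS + "name") for el in root.iter(tag)) if n)

    return DetectionData(activities=names("activity"), services=names("service"),
                         receivers=names("receiver"), permissions=names("uses-permission"),
                         strings=frozenset(dex_strings), classes=frozenset(dex_classes))


def classify(data: DetectionData, pattern_db=MALICIOUS_PATTERN_DB) -> Tuple[str, List[str]]:
    """Role of detection engine 113. A pattern fully present in the detection data
    gives 'malicious'; one whose features are only partly present (exactly or as a
    substring, at least half of them) gives 'suspicious'; otherwise 'normal'."""
    features = data.all_features()
    exact, partial = [], []
    for name, pattern in pattern_db.items():
        if pattern <= features:                       # every pattern feature present verbatim
            exact.append(name)
            continue
        hits = sum(1 for p in pattern if any(p == f or p in f for f in features))
        if hits >= -(-len(pattern) // 2):             # ceil(len/2): partial-match threshold (constructed)
            partial.append(name)
    if exact:
        return "malicious", exact
    if partial:
        return "suspicious", partial
    return "normal", []


def scan(manifest_xml: str, dex_strings: Iterable[str], dex_classes: Iterable[str],
         pattern_db=MALICIOUS_PATTERN_DB) -> Tuple[str, List[str]]:
    """Extraction followed by classification, as in the two steps of claim 3."""
    return classify(extract_detection_data(manifest_xml, dex_strings, dex_classes), pattern_db)


if __name__ == "__main__":
    print(scan(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS, SAMPLE_DEX_CLASSES))
```

The sample package above shares three of the four features of the constructed "sms-stealer-A" pattern (the SMS and INTERNET permissions and the `getMessageBody` string) but not its upload URL, so it is reported as suspicious rather than malicious; adding that URL string to the Dex data turns the verdict into a full match. Note that with a threshold this low a single common permission such as INTERNET never suffices on its own, which is what keeps ordinary applications in the normal class.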
PCT/KR2014/008560 2013-10-16 2014-09-15 Detection device and detection method for malicious android application WO2015056885A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2013-0123361 2013-10-16
KR20130123361A KR20150044490A (en) 2013-10-16 2013-10-16 A detecting device for android malignant application and a detecting method therefor

Publications (1)

Publication Number Publication Date
WO2015056885A1 true WO2015056885A1 (en) 2015-04-23

Family

ID=52828289

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2014/008560 WO2015056885A1 (en) 2013-10-16 2014-09-15 Detection device and detection method for malicious android application

Country Status (2)

Country Link
KR (1) KR20150044490A (en)
WO (1) WO2015056885A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101733633B1 (en) 2016-01-12 2017-05-08 계명대학교 산학협력단 Detecting and tracing method for leaked phone number data in mobile phone through application
CN107392020A (en) * 2017-06-30 2017-11-24 北京奇虎科技有限公司 Database manipulation analysis method, device, computing device and computer-readable storage medium
CN108491327A (en) * 2018-03-26 2018-09-04 中南大学 A kind of Android application dynamic Receiver components local refusal service leak detection method
CN109670310A (en) * 2019-01-28 2019-04-23 杭州师范大学 A kind of Android malware detection method based on semi-supervised K-Means clustering algorithm
CN110851834A (en) * 2019-11-18 2020-02-28 北京工业大学 Android malicious application detection method integrating multi-feature classification
CN111339531A (en) * 2020-02-24 2020-06-26 南开大学 Malicious code detection method and device, storage medium and electronic equipment
CN111552518A (en) * 2019-01-24 2020-08-18 阿里巴巴集团控股有限公司 Control loading method and device for starting application
CN112565274A (en) * 2020-12-11 2021-03-26 国家计算机网络与信息安全管理中心江苏分中心 Method and system for intelligently identifying malicious APP

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101666176B1 (en) * 2015-06-25 2016-10-14 한국전자통신연구원 Apparatus and method for of monitoring application based on android platform
JP7131946B2 (en) 2017-04-20 2022-09-06 Line株式会社 Method and system for assessing application security
WO2019004502A1 (en) * 2017-06-29 2019-01-03 라인 가부시키가이샤 Application security assessment method and system
JP2020531936A (en) * 2017-06-29 2020-11-05 Line株式会社 How and systems to detect application vulnerabilities
KR101880628B1 (en) 2017-11-27 2018-08-16 한국인터넷진흥원 Method for labeling machine-learning dataset and apparatus thereof
KR20190061231A (en) * 2017-11-27 2019-06-05 주식회사 엔에스에이치씨 Method for detecting malicious codes using big data
KR102011725B1 (en) 2017-12-28 2019-08-19 숭실대학교산학협력단 Whitelist construction method for analyzing malicious code, computer readable medium and device for performing the method
KR102073068B1 (en) * 2018-02-26 2020-02-04 한국인터넷진흥원 Method for clustering application and apparatus thereof
KR20200071822A (en) 2018-11-30 2020-06-22 단국대학교 산학협력단 System and method for detecting and classifying malware using machine learning and dynamic feature of applications
KR102149466B1 (en) * 2019-01-31 2020-08-28 단국대학교 산학협력단 Apparatus and method for feature information extraction and similarity comparison of android app considering obfuscation
KR102226218B1 (en) * 2019-10-29 2021-03-10 단국대학교 산학협력단 Apparatus and method for extracting feature information to identify an application created by cross-platform development framework
US11886584B2 (en) 2021-05-28 2024-01-30 AO Kaspersky Lab System and method for detecting potentially malicious changes in applications

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20110084693A (en) * 2010-01-18 2011-07-26 (주)쉬프트웍스 Method of examining malicious codes and dangerous files in android terminal platform
KR101246623B1 (en) * 2012-09-03 2013-03-25 주식회사 안랩 Apparatus and method for detecting malicious applications
KR101256468B1 (en) * 2012-09-11 2013-04-19 주식회사 안랩 Apparatus and method for detecting malicious file
KR20130078278A (en) * 2011-12-30 2013-07-10 (주)이지서티 Smartphone malicious application detect system and method

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017122843A1 (en) * 2016-01-12 2017-07-20 계명대학교 산학협력단 Method for detecting and tracking address book leaked through application
KR101733633B1 (en) 2016-01-12 2017-05-08 계명대학교 산학협력단 Detecting and tracing method for leaked phone number data in mobile phone through application
CN107392020A (en) * 2017-06-30 2017-11-24 北京奇虎科技有限公司 Database manipulation analysis method, device, computing device and computer-readable storage medium
CN108491327A (en) * 2018-03-26 2018-09-04 中南大学 A kind of Android application dynamic Receiver components local refusal service leak detection method
CN108491327B (en) * 2018-03-26 2020-08-25 中南大学 Android application dynamic Receiver component local denial of service vulnerability detection method
CN111552518B (en) * 2019-01-24 2023-04-07 阿里巴巴集团控股有限公司 Method and device for loading control for starting application
CN111552518A (en) * 2019-01-24 2020-08-18 阿里巴巴集团控股有限公司 Control loading method and device for starting application
CN109670310A (en) * 2019-01-28 2019-04-23 杭州师范大学 A kind of Android malware detection method based on semi-supervised K-Means clustering algorithm
CN110851834A (en) * 2019-11-18 2020-02-28 北京工业大学 Android malicious application detection method integrating multi-feature classification
CN110851834B (en) * 2019-11-18 2024-02-27 北京工业大学 Android malicious application detection method integrating multi-feature classification
CN111339531A (en) * 2020-02-24 2020-06-26 南开大学 Malicious code detection method and device, storage medium and electronic equipment
CN111339531B (en) * 2020-02-24 2023-12-19 南开大学 Malicious code detection method and device, storage medium and electronic equipment
CN112565274A (en) * 2020-12-11 2021-03-26 国家计算机网络与信息安全管理中心江苏分中心 Method and system for intelligently identifying malicious APP

Also Published As

Publication number Publication date
KR20150044490A (en) 2015-04-27

Similar Documents

Publication Publication Date Title
WO2015056885A1 (en) Detection device and detection method for malicious android application
US9537897B2 (en) Method and apparatus for providing analysis service based on behavior in mobile network environment
US8726387B2 (en) Detecting a trojan horse
US9525706B2 (en) Apparatus and method for diagnosing malicious applications
US9832211B2 (en) Computing device to detect malware
WO2015178578A1 (en) System and method for analyzing patch file
WO2018182126A1 (en) System and method for authenticating safe software
CN106709346B (en) Document handling method and device
WO2013089340A1 (en) Apparatus and method for detecting similarity between applications
CN103839003A (en) Malicious file detection method and device
TW201426381A (en) Method and system for detecting malware applications
WO2014088262A1 (en) Apparatus and method for detecting fraudulent/altered applications
CN104580133A (en) Malicious program protection method and system and filtering table updating method thereof
CN110086811B (en) Malicious script detection method and related device
WO2013100320A1 (en) System, user terminal, method, and apparatus for protecting and recovering system file.
CN105631312A (en) Method and system for processing rogue programs
JP6000465B2 (en) Process inspection apparatus, process inspection program, and process inspection method
CN102567674A (en) Method and equipment for judging whether software contains viruses or not on basis of behaviors
CN103793649A (en) Method and device for cloud-based safety scanning of files
WO2014168408A1 (en) Device, system and method for diagnosing malware on basis of cloud
WO2014042344A1 (en) Apparatus and method for detecting malicious shellcode by using debug event
WO2014010847A1 (en) Apparatus and method for diagnosing malicious applications
KR101803888B1 (en) Method and apparatus for detecting malicious application based on similarity
KR101657667B1 (en) Malicious app categorization apparatus and malicious app categorization method
CN103139169A (en) Virus detection system and method based on network behavior

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14854160

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14854160

Country of ref document: EP

Kind code of ref document: A1