WO2015196982A1 - Android malicious program detecting and processing methods and apparatuses, and device - Google Patents


Info

Publication number: WO2015196982A1
Authority: WO (WIPO (PCT))
Prior art keywords: application, malicious program, program, malicious, activity
Application number: PCT/CN2015/082123
Other languages: French (fr), Chinese (zh)
Inventors: 沈江波, 陈章群, 张楠, 陈勇
Original assignee: 北京金山安全软件有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • the present application relates to the field of mobile Internet information security technologies, and in particular to a malicious virus detection and processing method, apparatus and device.
  • a typical example is a malicious application such as Cryptolocker, which controls the user's device desktop and constantly demands that the user pay a fine to unlock it; it also encrypts the data files on the user's device with an encryption algorithm.
  • common targets of the encryption are the user's audio and video files, which the user can then no longer access or use. The user must complete the payment before the device is unlocked, the audio and video files are decrypted and the device is restored to normal use.
  • if the user attempts other clicks or operations to uninstall the malicious application, it automatically cancels the user's action and demands payment again.
  • once the user device's operating system is infected with such a malicious application, the user cannot remove it and the user's device becomes completely unusable.
  • the only remedy is to send the device back to the factory for a reset, and the reset completely destroys the data the user has stored, causing the user irreparable loss.
  • even if the user uninstalls the malicious program, the files it encrypted still cannot be used normally and the user's data can only be treated as useless files, which also causes the user a great deal of trouble.
  • the present application provides an Android malicious application detection and processing method that can accurately detect whether a malicious application of this kind, one that controls the user's desktop, prevents the user from uninstalling it and encrypts the user's files in order to extort the user, is installed in the mobile device's operating system.
  • an embodiment of the present application provides a method for detecting an Android malicious program, including: monitoring whether the application's calls to ACTIVITY conform to a preset rule, and whether a specific type of file corresponding to the application exists in the system; and determining, based on the result of the monitoring, whether the application is a malicious program.
  • the embodiment of the present application further provides an Android malicious program processing method, applicable to the malicious program described above, which includes: monitoring the first calling period T1 with which the malicious program calls ACTIVITY;
  • setting a second calling period T2, where T2 is less than T1;
  • starting a malicious-program-deletion boot program, so that it calls ACTIVITY with the second calling period T2;
  • calling a preset decryption algorithm function and decrypting the files encrypted by the malicious program using a preset key string.
  • an Android malicious program detecting apparatus, including:
  • a first monitoring module, configured to monitor whether the application's calls to ACTIVITY conform to a preset rule, and whether a specific type of file corresponding to the application exists in the system;
  • a determining module, configured to determine, according to the result of the monitoring, whether the application is a malicious program.
  • the embodiment of the present application further provides an Android malicious program processing apparatus, adapted to process the malicious program described above, which includes:
  • a second monitoring module, configured to monitor the first calling period T1 with which the malicious program calls ACTIVITY;
  • a setting module, configured to set a second calling period T2, where T2 is less than T1;
  • a startup module, configured to start the malicious-program-deletion boot program, so that it calls ACTIVITY with the second calling period T2;
  • a decryption module, configured to invoke a preset decryption algorithm function and decrypt the files encrypted by the malicious program using a preset key string.
  • the embodiment of the present application further provides a storage medium for storing an application that, when run, executes the Android malicious program detection method described herein.
  • an embodiment of the present application further provides an application that, when run, executes the Android malicious program detection method described in the present application.
  • an embodiment of the present application further provides a storage medium for storing an application that, when run, executes the Android malicious program processing method described in the present application.
  • an embodiment of the present application further provides an application that, when run, executes the Android malicious program processing method described in the present application.
  • the embodiment of the present application further provides a terminal device, including:
  • a processor, a memory, a communication interface and a bus;
  • the processor, the memory and the communication interface are connected by the bus and communicate with each other;
  • the memory stores executable program code;
  • the processor reads the executable program code stored in the memory and runs the program corresponding to it, so as to:
  • monitor whether the application's calls to ACTIVITY conform to a preset rule, and whether a specific type of file corresponding to the application exists in the system; and determine, based on the result of the monitoring, whether the application is a malicious program.
  • the embodiment of the present application further provides a terminal device suitable for processing the malicious program, including:
  • a processor, a memory, a communication interface and a bus;
  • the processor, the memory and the communication interface are connected by the bus and communicate with each other;
  • the memory stores executable program code;
  • the processor reads the executable program code stored in the memory and runs the program corresponding to it, so as to:
  • monitor the first calling period T1 with which the malicious program calls ACTIVITY; set a second calling period T2, where T2 is less than T1; start the malicious-program-deletion boot program so that it calls ACTIVITY with the second calling period T2; and call the preset decryption algorithm function to decrypt the files encrypted by the malicious program using a preset key string.
  • by monitoring the application's calls to ACTIVITY, a specific application can be located.
  • based on the monitoring result, the application is determined to be a malicious program that occupies the user's desktop, prevents the user from uninstalling it and encrypts the user's files.
  • Android malicious applications can thus be accurately detected and processed, protecting the security of the user's equipment.
  • FIG. 1 is a schematic flowchart of an Android malicious application detection method according to an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of another Android malicious application detection method according to an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of an Android malicious program processing method provided by an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of an Android malicious program detecting apparatus according to an embodiment of the present application.
  • FIG. 5 is another schematic structural diagram of an Android malicious program detecting apparatus according to an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of an Android malicious program processing apparatus according to an embodiment of the present application.
  • Activity is one of the most basic and most commonly used of the Android components (Activity, Service, Content Provider, BroadcastReceiver).
  • an Activity is usually a single screen that can display controls and can also listen for and respond to user events.
  • after a new Activity is launched onto the stack, it is displayed at the front of the screen, at the top of the Activity stack; at this point it is in an active state, visible and able to interact with the user, and this state is called Active or Running.
  • when an Activity loses focus because a new non-full-screen Activity or a transparent Activity is placed on top of it, its state is called Paused. It stays connected to the window manager and remains alive (retaining all state and member information and its connection to the window manager), but will be forcibly terminated when system memory is extremely low. So it is still visible, but it has lost focus and cannot interact with the user.
  • if an Activity is completely covered by another Activity, its state is called Stopped. It still retains all state and member information, but it is no longer visible, so its window is hidden. When the system needs the memory elsewhere, a Stopped Activity will be forcibly terminated.
  • the system can then remove the Activity from memory.
  • the Android system removes it in one of two ways: by asking the Activity to finish, or by killing its process directly. When the Activity is displayed to the user again, it must be restarted and its previous state restored.
  • Android manages Activities through an Activity stack.
  • the state of an Activity instance determines its position on the stack.
  • the foreground Activity is always at the top of the stack; when the current Activity is destroyed because of an exception or for other reasons, the Activity in the second position of the stack is activated and rises to the top.
  • when a new Activity is launched onto the stack, the original Activity is pushed down to the second layer of the stack.
  • the change in an Activity's position on the stack reflects its transition between states.
  • Cryptolocker and similar malicious applications exploit this feature of Activity: by constantly calling a new Activity they generate a new screen, and whenever the user taps on anything else the application calls a new Activity that covers the Activity of whatever application the user tapped. In this way the application occupies the user's desktop, the user cannot remove it, and the user's device becomes completely unusable.
  • the upgraded version of Cryptolocker also uses the public AES encryption algorithm to encrypt the personal files users commonly keep. For example, once the user's video and audio files are encrypted the user can no longer open or use them normally, and only when the user pays can the virus authors decrypt these files.
  • FIG. 1 is a schematic flowchart of an Android malicious application detection method provided by an embodiment of the present application. The method includes:
  • S100: monitoring whether the application's calls to ACTIVITY conform to a preset rule.
  • this type of malicious application mainly exploits the characteristics of the ACTIVITY stack by calling ACTIVITY periodically, so the present application mainly monitors the calling behaviour for ACTIVITY to determine whether the application maliciously occupies the user's desktop.
  • the preset rule includes: the application periodically calls ACTIVITY. The preset rule is obtained locally or from a server.
  • S101: monitoring whether a file encrypted by the malicious program exists in the user equipment's system, which includes monitoring whether a specific folder corresponding to the application exists in the system, such as the folder a specific application uses.
  • it further includes monitoring for files with a specific extension corresponding to the application in the system: the virus program encrypts the user's files and then changes their suffix, for example turning the original video or audio file into an .enc file.
  • S102: if ACTIVITY is called periodically and frequently, so that the user cannot use other applications normally and the application cannot be uninstalled in the normal way, the application can be preliminarily determined to be a malicious program;
  • if, in addition, the user's data files are found to be encrypted, the application can be determined to be a malicious program.
  • FIG. 2 is another schematic flowchart of an Android malicious application detection method according to an embodiment of the present application.
  • the method includes:
  • monitoring whether the application's calls to ACTIVITY conform to a preset rule, and whether a specific type of file corresponding to the application exists in the system;
  • uploading the feature information of the application to the server for determination;
  • the feature information specifically includes the package name and/or the MD5 value of the application, and optionally also the application's behavioural characteristics;
  • S203: receiving the malicious program determination result sent by the server, and performing a preset operation according to the determination result.
  • when the determination result sent by the server indicates that the application is a malicious program, the application is deleted.
  • when the malicious program processing information sent by the server indicates that a file was encrypted by a malicious program, the file is decrypted according to that processing information.
  • the method may further include: after the application has been deleted successfully, uploading the processing result and the device information of the device on which the malicious program was found to the server.
  • in this embodiment, whether the application periodically calls ACTIVITY and whether a specific type of file corresponding to it exists in the system are monitored for a preliminary determination; the application's feature information is then uploaded to the server for further confirmation, and combined with the preliminary determination result, whether the application is a malicious program can be accurately determined.
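The detection logic of FIG. 1 and FIG. 2, written out as an added example in Go; this is not code from the patent or from the applicant. It treats a stream of Activity-launch events as the input of step S100, applies the preset rule "the application periodically calls ACTIVITY" by checking that the gaps between launches are regular (the mean gap is the estimate of T1), checks the application's files for the .enc suffix as step S101, and combines the two for the verdict of S102. It also builds the package-name-plus-MD5 record that FIG. 2 uploads to the server. The package names, file paths, launch times, tolerance and the APK bytes are all constructed sample data, and a fixed-gap tolerance is an assumption about how "periodic" is judged.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"path/filepath"
	"sort"
	"strings"
	"time"
)

// ActivityEvent is one observed Activity launch: the launching package and the
// time offset at which it happened (constructed sample data, not a real log).
type ActivityEvent struct {
	Pkg string
	At  time.Duration
}

// DetectionResult holds the outcome of steps S100-S102 for one package.
type DetectionResult struct {
	Pkg         string
	Period      time.Duration // estimated T1; zero when launches are not periodic
	Periodic    bool          // preset rule "the application periodically calls ACTIVITY"
	EncFiles    []string      // files carrying the suffix the locker appends
	Preliminary bool          // periodic desktop takeover only
	Malicious   bool          // takeover plus encrypted user files
}

// launchPeriod applies the preset rule: at least minLaunches launches whose
// gaps all lie within tolerance (a fraction) of the mean gap. The mean gap is
// the estimate of the calling period T1. The tolerance test is an assumption.
func launchPeriod(times []time.Duration, minLaunches int, tolerance float64) (time.Duration, bool) {
	if len(times) < minLaunches || minLaunches < 2 {
		return 0, false
	}
	sort.Slice(times, func(i, j int) bool { return times[i] < times[j] })
	mean := (times[len(times)-1] - times[0]) / time.Duration(len(times)-1)
	if mean <= 0 {
		return 0, false
	}
	for i := 1; i < len(times); i++ {
		dev := float64(times[i]-times[i-1]-mean) / float64(mean)
		if dev < 0 {
			dev = -dev
		}
		if dev > tolerance {
			return 0, false
		}
	}
	return mean, true
}

// Detect runs FIG. 1 over the collected launch events and the files observed
// under each package's directories (both passed in, so it runs offline).
func Detect(events []ActivityEvent, files map[string][]string, minLaunches int, tolerance float64) map[string]DetectionResult {
	byPkg := map[string][]time.Duration{}
	for _, e := range events {
		byPkg[e.Pkg] = append(byPkg[e.Pkg], e.At)
	}
	out := map[string]DetectionResult{}
	for pkg, ts := range byPkg {
		period, periodic := launchPeriod(ts, minLaunches, tolerance)
		r := DetectionResult{Pkg: pkg, Period: period, Periodic: periodic}
		for _, f := range files[pkg] {
			if strings.EqualFold(filepath.Ext(f), ".enc") { // S101: renamed, encrypted user files
				r.EncFiles = append(r.EncFiles, f)
			}
		}
		r.Preliminary = periodic                          // S102, first half
		r.Malicious = periodic && len(r.EncFiles) > 0     // S102, confirmed by encrypted files
		out[pkg] = r
	}
	return out
}

// FeatureInfo is the record FIG. 2 uploads for server-side confirmation:
// the package name plus the MD5 of the APK bytes.
func FeatureInfo(pkg string, apk []byte) string {
	sum := md5.Sum(apk)
	return pkg + ":" + hex.EncodeToString(sum[:])
}

// SampleDetection runs Detect over constructed events: one package that
// relaunches its Activity every 5 s and owns .enc files, one that does not.
func SampleDetection() map[string]DetectionResult {
	var events []ActivityEvent
	for i := 0; i < 5; i++ {
		events = append(events, ActivityEvent{Pkg: "com.example.locker", At: time.Duration(i) * 5 * time.Second})
	}
	for _, s := range []int{0, 3, 11, 12, 30} {
		events = append(events, ActivityEvent{Pkg: "com.example.player", At: time.Duration(s) * time.Second})
	}
	files := map[string][]string{ // constructed file listings
		"com.example.locker": {"/sdcard/DCIM/holiday.mp4.enc", "/sdcard/Music/song.mp3.ENC"},
		"com.example.player": {"/data/data/com.example.player/cache.db"},
	}
	return Detect(events, files, 4, 0.2)
}

func main() {
	for pkg, r := range SampleDetection() {
		fmt.Printf("%-20s periodic=%-5v T1=%v enc=%d malicious=%v\n", pkg, r.Periodic, r.Period, len(r.EncFiles), r.Malicious)
	}
	fmt.Println("upload:", FeatureInfo("com.example.locker", []byte("abc"))) // APK bytes are a constructed stand-in
}
```

On a device the events would come from the framework's Activity-launch notifications and the file listing from the application's external-storage directories; the decision logic above is unchanged by where the inputs come from. Keeping the preliminary verdict separate from the confirmed one mirrors the two-stage determination in the description and keeps the server-side confirmation of FIG. 2 meaningful.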
  • FIG. 3 is a schematic flowchart of a method for processing an Android malicious program according to an embodiment of the present disclosure.
  • the method in this embodiment is applicable to the malicious program of the methods shown in FIG. 1 and FIG. 2, and includes:
  • the malicious application mainly exploits the characteristics of the ACTIVITY stack and calls ACTIVITY periodically to occupy the user's desktop, so the malicious application can be monitored to obtain its ACTIVITY calling period T1;
  • a second calling period T2 is set, with T2 less than T1; the purpose is for the uninstaller's ACTIVITY instance to be called ahead of the malicious program's, creating the conditions under which the user can uninstall the malicious application.
  • the malicious-program-deletion boot program receives the user's instruction to delete the malicious program and deletes it, by calling the deletion program of the Android system.
  • the boot program calls the ACTIVITY instance of the uninstaller with the second calling period T2.
  • the uninstaller's ACTIVITY instance is thereby placed on top of the ACTIVITY stack and is visible to the user, who can tap the uninstaller to uninstall the malicious program. If the uninstaller is not tapped in time within period T1, the malicious program calls its own ACTIVITY instance in the next cycle; but because the calling period T2 of the malicious-program-deletion boot program is smaller than the calling period T1 of the malicious program, the boot program is started again and calls the uninstaller's ACTIVITY instance with period T2. It is therefore ensured that the malicious-program-deletion boot program can always call the deletion program ahead of the malicious program, helping the user uninstall the malicious application.
  • the preset decryption algorithm function and the preset key string are obtained locally or from a server. Specifically, the apk file of the malicious program is unpacked and decompiled, and the encryption algorithm function it uses, such as an AES encryption function, is analysed; by analysing the encryption function, its key information can be obtained. The decryption function corresponding to the encryption function can therefore be called, and the obtained key information used to decrypt the user files encrypted by the malicious program.
  • referring to FIG. 4, the apparatus includes:
  • the first monitoring module 100, configured to monitor whether the application's calls to ACTIVITY conform to a preset rule, and whether a specific type of file corresponding to the application exists in the system;
  • the determining module 101, configured to determine, according to the result of the monitoring, whether the application is a malicious program.
  • the preset rule includes: the application periodically calling ACTIVITY.
  • the preset rule is obtained locally or from a server.
  • if ACTIVITY is called periodically and frequently, so that the user cannot use other applications normally and cannot uninstall the application in the normal way, and the user's data files are further found to be encrypted, the application can be preliminarily determined to be a malicious program.
  • FIG. 5 is another schematic structural diagram of an Android malicious program detecting apparatus according to an embodiment of the present application.
  • the apparatus includes:
  • the first monitoring module 200 is configured to monitor whether the application invokes the ACTIVITY according to a preset rule, and whether a specific type file corresponding to the application exists in the system;
  • the determining module 201 is configured to determine, according to the result of the monitoring, whether the application is a malicious program
  • the preset rule includes: the application periodically calling the ACTIVITY.
  • the preset rule is obtained by a local or server.
  • the first uploading module 202 is configured to upload feature information corresponding to the application to the server, so that the server determines whether the application is a malicious program based on the feature information.
  • the feature information of the application may be uploaded to the server for determination, and the specific feature information includes a package name and/or an MD5 value of the application.
  • the device may further include:
  • the first receiving module 203 is configured to receive a malicious program determination result sent by the server;
  • the deleting module 204 is configured to delete the application when the determining result indicates that the application is a malicious program.
  • combined with the determination result, whether the application is a malicious program can be accurately determined, and the malicious application can then be deleted.
  • the device may further include:
  • a second receiving module 205, configured to receive malicious program processing information sent by the server;
  • the decryption module 206 is configured to decrypt the file according to the malicious program processing information when the processing information indicates that the file is a file encrypted by a malicious program.
  • the device may further include:
  • the second uploading module 207 is configured to upload a processing result of the malicious program to a server.
  • FIG. 6 is a schematic structural diagram of an Android malicious program processing apparatus according to an embodiment of the present application.
  • the apparatus includes:
  • a second monitoring module 300, configured to monitor the first calling period T1 with which the malicious program calls ACTIVITY;
  • the setting module 301, configured to set a second calling period T2, where T2 is less than T1;
  • the startup module 302, configured to start the malicious-program-deletion boot program, so that it calls ACTIVITY with the second calling period T2;
  • the decryption module 303 is configured to invoke a preset decryption algorithm function, and decrypt the file encrypted by the malicious program by using a preset key string.
  • the preset decryption algorithm function and the preset key string are obtained by a local or server end.
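The decryption step of FIG. 3 and the decryption module 303 above both amount to: select the preset decryption function that matches the locker's encryption function, apply the preset key string to each renamed file, and restore the original file name. The Go program below is an added example, not code from the patent or the applicant. It uses real AES-CBC from the Go standard library (the description names AES as the locker's algorithm) and keeps the decryption function behind a lookup by algorithm identifier, so that a function and key obtained locally or from the server can be plugged in. The key, the "aes-cbc" identifier, the IV-prefixed PKCS#7 file layout and the sample file are all assumptions constructed for this example; encryptSample exists only to build that sample in place of a file copied from an infected device.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"strings"
)

// encSuffix is the suffix the locker appends to encrypted files (".enc" is
// the example the description gives).
const encSuffix = ".enc"

// presetKey stands in for the key string recovered by analysing the malicious
// program's encryption function. It is constructed for this example; a real key
// would be obtained locally or from the server, as the description states.
var presetKey = []byte("0123456789abcdef") // 16 bytes, so AES-128

// DecryptFunc is the shape of a preset decryption algorithm function.
type DecryptFunc func(ciphertext, key []byte) ([]byte, error)

// decryptors maps an algorithm identifier to the matching decryption function,
// so the one corresponding to the locker's encryption function can be chosen.
// The identifier "aes-cbc" is an assumption for this example.
var decryptors = map[string]DecryptFunc{"aes-cbc": DecryptAESCBC}

// DecryptAESCBC assumes the file layout IV || AES-CBC ciphertext with PKCS#7
// padding; that layout is an assumption made here, not stated in the patent.
func DecryptAESCBC(ciphertext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ciphertext) < 2*bs || len(ciphertext)%bs != 0 {
		return nil, errors.New("ciphertext is not an IV plus a whole number of blocks")
	}
	iv, body := ciphertext[:bs], ciphertext[bs:]
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > bs || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key or corrupted file")
	}
	return plain[:len(plain)-pad], nil
}

// RestoreName strips the appended suffix to recover the original file name;
// ok is false for files the locker did not rename.
func RestoreName(name string) (orig string, ok bool) {
	if !strings.HasSuffix(name, encSuffix) {
		return name, false
	}
	return strings.TrimSuffix(name, encSuffix), true
}

// RecoverFile does the decryption module's work: pick the preset decryption
// function by algorithm id, decrypt the file with the preset key string and
// return the restored name together with the plaintext.
func RecoverFile(name, algo string, data, key []byte) (string, []byte, error) {
	orig, ok := RestoreName(name)
	if !ok {
		return "", nil, fmt.Errorf("%s does not carry the %s suffix", name, encSuffix)
	}
	dec, ok := decryptors[algo]
	if !ok {
		return "", nil, fmt.Errorf("no preset decryption function for %q", algo)
	}
	plain, err := dec(data, key)
	if err != nil {
		return "", nil, err
	}
	return orig, plain, nil
}

// encryptSample builds a test fixture in the layout DecryptAESCBC expects. It is
// a constructed stand-in for a file copied from an infected device; the IV is
// fixed so the fixture is reproducible.
func encryptSample(plain, key []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	bs := block.BlockSize()
	pad := bs - len(plain)%bs
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := bytes.Repeat([]byte{0x42}, bs)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...)
}

func main() {
	sample := encryptSample([]byte("constructed video bytes"), presetKey)
	name, plain, err := RecoverFile("holiday.mp4.enc", "aes-cbc", sample, presetKey)
	fmt.Printf("restored %q (%d bytes), err=%v\n", name, len(plain), err)
	fmt.Println(string(plain))
}
```

The padding check rejects almost every wrong key, but it is not proof of a correct one; a recovery tool should write the decrypted data to a new file and confirm a recognisable header (for a video, the container's own magic bytes) before removing the encrypted original, so that a mismatched key or algorithm does not destroy the only copy.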
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).

Abstract

An Android malicious program detecting method. The method comprises: monitoring whether the calls to an ACTIVITY by an application program meet a preset rule (S100); monitoring whether a specific type of file corresponding to the application program exists in the system (S101); and determining whether the application program is a malicious program according to the monitoring result (S102). Also provided are an Android malicious program detecting apparatus, an Android malicious program processing method and apparatus, and a smart terminal device. The methods can accurately detect and process a malicious application that is installed in the operating system of a user's mobile device and aims to blackmail the user by controlling the user's desktop, preventing the user from uninstalling it and encrypting the user's files, and therefore the security of the system is improved.

Description

Android malicious program detection and processing method, apparatus and device
This application claims priority to Chinese Patent Application No. 201410302960.3, entitled "Android malicious program detection and processing method, apparatus and device", filed with the Chinese Patent Office on June 27, 2014, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of mobile Internet information security technologies, and in particular to a malicious virus detection and processing method, apparatus and device.
Background
With the development of the Android system, there are more and more applications for it. Generally, on an Android-based mobile terminal device, all installed applications can be managed in the system settings, including stopping and uninstalling them.
Because Android applications come from a wide range of sources, users usually cannot tell whether an installed application is malicious, and once a malicious application is installed it causes the user a great deal of inconvenience. A typical example is a malicious application such as Cryptolocker, which controls the user's device desktop and constantly demands that the user pay a fine to unlock it; it also encrypts the data files on the user's device with an encryption algorithm. Common targets of the encryption are the user's audio and video files, which the user can then no longer access or use normally. The user must complete the payment before the device is unlocked, the audio and video files are decrypted and the device is restored to normal use; if the user attempts other clicks or operations to uninstall the malicious application, it automatically cancels the user's action and demands payment again. Usually, once the user device's operating system is infected with such a malicious application, the user cannot remove it and the device becomes completely unusable; the only remedy is to send it back to the manufacturer for a reset, and the reset completely destroys the data the user has stored, causing the user irreparable loss.
Further, even if the user uninstalls the malicious program, the files it encrypted still cannot be used normally and the user's data can only be treated as useless files, which also causes the user a great deal of trouble.
Summary of the invention
The present application provides an Android malicious application detection and processing method that can accurately detect whether a malicious application of this kind, one that controls the user's desktop, prevents the user from uninstalling it and encrypts the user's files in order to extort the user, is installed in the operating system of the user's mobile device.
An embodiment of the present application provides a method for detecting an Android malicious program, including:
monitoring whether the application's calls to ACTIVITY conform to a preset rule, and whether a specific type of file corresponding to the application exists in the system;
determining, based on the result of the monitoring, whether the application is a malicious program.
An embodiment of the present application further provides an Android malicious program processing method, applicable to the malicious program described above, including:
monitoring the first calling period T1 with which the malicious program calls ACTIVITY;
setting a second calling period T2, where T2 is less than T1;
starting a malicious-program-deletion boot program, so that it calls ACTIVITY with the second calling period T2;
calling a preset decryption algorithm function and decrypting the files encrypted by the malicious program using a preset key string.
Correspondingly, an embodiment of the present application further provides an Android malicious program apparatus, including:
a first monitoring module, configured to monitor whether the application's calls to ACTIVITY conform to a preset rule, and whether a specific type of file corresponding to the application exists in the system;
a determining module, configured to determine, according to the result of the monitoring, whether the application is a malicious program.
Correspondingly, an embodiment of the present application further provides an Android malicious program processing apparatus, adapted to process the malicious program described above, including:
a second monitoring module, configured to monitor the first calling period T1 with which the malicious program calls ACTIVITY;
a setting module, configured to set a second calling period T2, where T2 is less than T1;
a startup module, configured to start the malicious-program-deletion boot program, so that it calls ACTIVITY with the second calling period T2;
a decryption module, configured to invoke a preset decryption algorithm function and decrypt the files encrypted by the malicious program using a preset key string.
Correspondingly, an embodiment of the present application further provides a storage medium for storing an application program, the application program being configured to execute, at runtime, the Android malicious program detection method described in the present application.
To achieve the above object, an embodiment of the present application further provides an application program configured to execute, at runtime, the Android malicious program detection method described in the present application.
To achieve the above object, an embodiment of the present application further provides a storage medium for storing an application program, the application program being configured to execute, at runtime, the Android malicious program processing method described in the present application.
To achieve the above object, an embodiment of the present application further provides an application program configured to execute, at runtime, the Android malicious program processing method described in the present application.
To achieve the above object, an embodiment of the present application further provides a terminal device, including:
a processor, a memory, a communication interface and a bus;
the processor, the memory and the communication interface are connected via the bus and communicate with one another;
the memory stores executable program code;
the processor reads the executable program code stored in the memory to run the program corresponding to that code, so as to:
monitor whether an application's invocations of ACTIVITY conform to a preset rule, and whether a specific type of file corresponding to the application exists in the system;
determine, based on the result of the monitoring, whether the application is a malicious program.
To achieve the above object, an embodiment of the present application further provides a terminal device, adapted to process the malicious program described above, including:
a processor, a memory, a communication interface and a bus;
the processor, the memory and the communication interface are connected via the bus and communicate with one another;
the memory stores executable program code;
the processor reads the executable program code stored in the memory to run the program corresponding to that code, so as to:
monitor a first invocation period T1 with which the malicious program invokes ACTIVITY;
set a second invocation period T2, where T2 is less than T1;
start a malicious program removal guide program, so that the removal guide program invokes ACTIVITY with the second invocation period T2;
call a preset decryption algorithm function and decrypt, with a preset key string, the files encrypted by the malicious program.
Implementing the embodiments of the present application has the following beneficial effects:
By monitoring an application's invocations of ACTIVITY, the specific application can be located. When the application's invocations of ACTIVITY conform to the preset rule and the system contains a specific type of file corresponding to the application, the application can be determined to be a malicious program that occupies the user's desktop, prevents the user from uninstalling it and encrypts the user's files. With the embodiments of the present application, such Android malicious applications can be accurately detected and handled, protecting the security of user devices.
BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present application, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of an Android malicious application detection method according to an embodiment of the present application;
FIG. 2 is another schematic flowchart of an Android malicious application detection method according to an embodiment of the present application;
FIG. 3 is a schematic flowchart of an Android malicious program processing method according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an Android malicious program detection apparatus according to an embodiment of the present application;
FIG. 5 is another schematic structural diagram of an Android malicious program detection apparatus according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of an Android malicious program processing apparatus according to an embodiment of the present application.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the protection scope of the present application.
Activity is the most basic and most commonly used of the four fundamental Android components (Activity, Service, Content Provider and BroadcastReceiver).
Everything an Activity does is closely tied to the user: it is the component responsible for interacting with the user. In an Android application an Activity is usually a single screen, on which controls can be displayed and user events can be listened for, handled and responded to.
In Android, an Activity has four basic states:
When a new Activity is started and pushed onto the stack, it is displayed at the front of the screen and sits at the top of the Activity stack. At this point it is visible and can interact with the user; this is called the active or running state.
When an Activity loses focus because a new non-full-screen Activity or a transparent Activity is placed on top of the stack, its state is called Paused. It stays connected to the window manager and remains alive (retaining all of its state and member information and its connection to the window manager), but it will be forcibly terminated when system memory is extremely low. It is therefore still visible, but having lost focus it cannot interact with the user.
If an Activity is completely covered by another Activity, it is in the Stopped state. It still retains all of its state and member information, but it is no longer visible, so its window is hidden; when the system needs the memory elsewhere, a Stopped Activity will be forcibly terminated.
If an Activity is Paused or Stopped, the system may remove it from memory. Android does this in one of two ways: either by asking the Activity to finish or by terminating its process outright. When the Activity is shown to the user again, it must be restarted and its previous state restored.
Android manages Activities through an Activity stack, and the state of an Activity instance determines its position in the stack. The foreground Activity is always at the top of the stack; when the foreground Activity is destroyed because of an exception or for another reason, the Activity in the second position is activated and rises to the top. When a new Activity is started and pushed onto the stack, the previous Activity is pushed down to the second position. A change in an Activity's position in the stack reflects its transition between states.
Cryptolocker and similar malicious applications exploit exactly this property of Activity. By continually invoking new Activities they generate new screens: whenever the user taps something else, the application invokes a new Activity that covers the Activity of the other application the user tapped. In this way the application occupies the user's desktop, the user cannot remove the malicious application, and the user's device becomes completely unusable.
In addition, the upgraded version of Cryptolocker uses the public AES encryption algorithm to encrypt the personal files users commonly use. For example, once the user's video and audio files have been encrypted the user can no longer open or use them normally, and only by paying the virus author can the user have these files decrypted.
Against malicious applications of this kind, the present application proposes an Android malicious application detection method. Refer to FIG. 1, which is a schematic flowchart of an Android malicious application detection method according to an embodiment of the present application. In this embodiment, the method includes:
S100. Monitoring an application's invocations of ACTIVITY;
Malicious applications of this kind mainly exploit the properties of the ACTIVITY stack by invoking ACTIVITY periodically. The present application mainly monitors the ACTIVITY invocation behaviour to determine whether an application is maliciously occupying the user's desktop.
Further, the preset rule includes: the application periodically invokes the ACTIVITY. The preset rule is obtained locally or from the server side.
S101. Monitoring whether a specific type of file corresponding to the application exists in the system;
For the behaviour of such a malicious virus, the monitoring mainly checks whether files encrypted by the malicious program exist in the user device's system. This includes monitoring whether the system contains a specific folder corresponding to the application, such as a folder specific to a particular application; it also includes monitoring whether the system contains files with a specific extension corresponding to the application, since after encrypting the user's files the virus program changes their extension, for example renaming the original video or audio files to .enc files.
S102. Determining, based on the result of the monitoring, whether the application is a malicious program.
If the monitoring shows that the application does indeed invoke ACTIVITY periodically and frequently, so that the user cannot use other applications normally and cannot uninstall the application in the normal way, the application can be preliminarily determined to be a malicious program;
Optionally, if the monitoring further finds that the user device's system contains files encrypted by the malicious program, for example a specific folder corresponding to the application or files with a specific extension corresponding to the application, the application can be determined to be a malicious program.
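The following is an added worked example of steps S100 to S102 (and of the feature information of S202), not code from the patent or its applicant. It runs the two monitors over constructed input: a handful of log lines loosely modelled on logcat's ActivityManager START records, and a constructed listing of shared storage. The package name com.example.lock, the .enc extension, the marker folder /sdcard/.lockdata/ and the jitter tolerance are all assumptions chosen for the example; the periodicity rule (enough starts whose intervals cluster around one mean) is one concrete instance of the patent's "preset rule".

```python
import hashlib
import re
from collections import defaultdict
from statistics import mean

# Constructed sample log, loosely modelled on logcat's ActivityManager START lines.
# com.example.lock is a hypothetical screen-locker; the other packages are benign.
SAMPLE_LOG = """\
06-23 10:00:00.000 I ActivityManager: START u0 {cmp=com.example.lock/.LockActivity}
06-23 10:00:03.120 I ActivityManager: START u0 {cmp=com.android.settings/.Settings}
06-23 10:00:05.010 I ActivityManager: START u0 {cmp=com.example.lock/.LockActivity}
06-23 10:00:10.020 I ActivityManager: START u0 {cmp=com.example.lock/.LockActivity}
06-23 10:00:12.400 I ActivityManager: START u0 {cmp=com.example.player/.MainActivity}
06-23 10:00:15.000 I ActivityManager: START u0 {cmp=com.example.lock/.LockActivity}
06-23 10:00:20.030 I ActivityManager: START u0 {cmp=com.example.lock/.LockActivity}
06-23 10:00:25.010 I ActivityManager: START u0 {cmp=com.example.lock/.LockActivity}
"""

# Constructed listing of the device's shared storage (assumed paths).
SAMPLE_FILES = [
    "/sdcard/DCIM/Camera/VID_0001.mp4.enc",
    "/sdcard/Music/track01.mp3.enc",
    "/sdcard/Download/report.pdf",
    "/sdcard/.lockdata/README.txt",
]

START_RE = re.compile(
    r"(\d\d):(\d\d):(\d\d)\.(\d{3}) I ActivityManager: START u0 \{cmp=([\w.]+)/"
)


def parse_activity_starts(log):
    """Map each package to the times (seconds since midnight) at which it started an Activity.
    Assumes all lines come from the same day."""
    starts = defaultdict(list)
    for line in log.splitlines():
        m = START_RE.search(line)
        if not m:
            continue
        h, mi, s, ms, pkg = m.groups()
        starts[pkg].append(int(h) * 3600 + int(mi) * 60 + int(s) + int(ms) / 1000)
    return starts


def is_periodic(times, min_starts=4, max_jitter=0.2):
    """S100 preset rule: at least min_starts starts whose intervals all lie within
    max_jitter (as a fraction) of their mean. Returns (rule_matches, period_seconds)."""
    if len(times) < min_starts:
        return False, None
    gaps = [b - a for a, b in zip(times, times[1:])]
    period = mean(gaps)
    if period <= 0:
        return False, None
    jitter_ok = all(abs(g - period) <= max_jitter * period for g in gaps)
    return jitter_ok, round(period, 2)


def has_encrypted_artifacts(paths, exts=(".enc",), marker_dirs=("/sdcard/.lockdata/",)):
    """S101: count files carrying the ransomware extension and look for the app's marker folder."""
    enc_files = [p for p in paths if p.lower().endswith(exts)]
    marker = any(p.startswith(marker_dirs) for p in paths)
    return len(enc_files), marker


def classify(pkg, log, paths):
    """S102: combine both monitors into a verdict for one package."""
    periodic, period = is_periodic(parse_activity_starts(log).get(pkg, []))
    enc_count, marker = has_encrypted_artifacts(paths)
    if periodic and (enc_count or marker):
        return "malicious", period
    if periodic:
        return "suspicious", period
    return "clean", period


def feature_report(pkg, apk_bytes):
    """S202 feature information for a server-side verdict: package name and APK MD5."""
    return {"package": pkg, "md5": hashlib.md5(apk_bytes).hexdigest()}


if __name__ == "__main__":
    print(classify("com.example.lock", SAMPLE_LOG, SAMPLE_FILES))
    print(classify("com.example.player", SAMPLE_LOG, SAMPLE_FILES))
```

The locker package is flagged "malicious" because its six starts are spaced about five seconds apart and the storage listing contains both .enc files and the marker folder; a package with a single start stays "clean" even though the encrypted files are present, which is the patent's point that the file check confirms a periodicity finding rather than standing alone. On a real device the log would come from a privileged log reader or an accessibility or usage-stats observer, and the storage listing from a directory walk; both are replaced here by constructed data.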
FIG. 2 is another schematic flowchart of an Android malicious application detection method according to an embodiment of the present application. In this embodiment, the method includes:
S200. Monitoring an application's invocations of ACTIVITY;
S201. Monitoring whether a specific type of file corresponding to the application exists in the system;
S202. Uploading feature information corresponding to the application to a server, so that the server determines, based on the feature information, whether the application is a malicious program;
To confirm that the application is malicious, its feature information can be uploaded to the server for a verdict. Specifically, the feature information includes the application's package name and/or MD5 value, and further optionally may include behavioural feature information of the application.
S203. Receiving the malicious program determination result sent by the server, and performing a preset operation according to the determination result.
Specifically, the malicious program determination result sent by the server is received, and when the result indicates that the application is a malicious program, the application is deleted.
Further optionally, malicious program processing information sent by the server is received, and when the processing information indicates that a file is a file encrypted by the malicious program, the file is decrypted according to the malicious program processing information.
Optionally, in other embodiments of the present application, the method may further include, after the application has been deleted successfully, uploading the processing result for the malicious program to the server, and uploading device information of the device on which the malicious program resides to the server.
A preliminary determination is made by monitoring whether the application does indeed invoke ACTIVITY periodically and frequently and whether the system contains a specific type of file corresponding to the application; the application's feature information is then uploaded to the server for further confirmation, and combined with the preliminary determination this allows an accurate determination of whether the application is a malicious program; or
whether the application invokes ACTIVITY periodically and frequently and whether the system contains a specific type of file corresponding to the application are monitored, and these feature data of the application are uploaded to the server, from which it can be determined whether the application is a malicious program.
FIG. 3 is a schematic flowchart of an Android malicious program processing method according to an embodiment of the present application. The method of this embodiment is applicable to the malicious program of the methods shown in FIG. 1 and FIG. 2, and includes:
S300. Monitoring the first invocation period T1 with which the malicious program invokes ACTIVITY;
The malicious application mainly exploits the properties of the ACTIVITY stack by invoking ACTIVITY periodically in order to occupy the user's desktop; the malicious application can therefore be monitored to obtain its ACTIVITY invocation period T1;
S301. Setting a second invocation period T2, where T2 is less than T1;
S302. Starting the malicious program removal guide program, so that the removal guide program invokes ACTIVITY with the second invocation period T2.
The purpose of setting an invocation period T2 smaller than T1 is to invoke the uninstaller's ACTIVITY instance ahead of the malicious program, creating the conditions for the user to uninstall the malicious application.
Further, the malicious program removal guide program receives the user's malicious program deletion instruction and deletes the malicious program.
Specifically, the removal guide program completes the deletion of the malicious program by calling the Android system's deletion program.
When the removal guide program is started it invokes the uninstaller's ACTIVITY instance, which is then placed at the top of the ACTIVITY stack and is visible to the user, so the user can tap the uninstaller to uninstall the malicious program. If the user fails to tap the uninstaller in time within the period T1, the malicious program invokes its own ACTIVITY instance in the next period; but because the removal guide program's invocation period T2 is smaller than the malicious program's invocation period T1, the removal guide program starts again and invokes the uninstaller's ACTIVITY instance with the second invocation period T2. This guarantees that the removal guide program can always invoke the deletion program ahead of the malicious program, helping the user uninstall the malicious application.
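The following is an added example, not code from the patent or its applicant, that models steps S300 to S302 as a race between two periodic Activity pushes and measures what the choice of T2 buys. It is a pure simulation of who is at the top of the Activity stack over time: the malicious program re-pushes its Activity every T1 seconds, the removal guide re-pushes the uninstaller Activity every T2 seconds, and the most recent push wins. The tie-break (at equal times the guide's push is processed after the malware's, since the guide was started later) and the periods 5 s and 3 s are modelling assumptions for the example.

```python
MALWARE, GUIDE = "malware", "guide"


def schedule(period, horizon, owner, start=0.0):
    """Times at which `owner` pushes its Activity onto the stack (constructed model)."""
    if period <= 0:
        raise ValueError("period must be positive")
    times, t = [], float(start)
    while t < horizon:
        times.append((t, owner))
        t += period
    return times


def stack_top_windows(t1, t2, horizon, guide_start=0.0):
    """Replay both push schedules and return [(owner, start, end)] windows describing
    whose Activity is at the top of the stack. Modelling assumption: at equal times the
    guide's push is processed after the malware's, so it lands on top."""
    order = {MALWARE: 0, GUIDE: 1}
    events = schedule(t1, horizon, MALWARE) + schedule(t2, horizon, GUIDE, guide_start)
    events.sort(key=lambda e: (e[0], order[e[1]]))
    windows, owner, since = [], None, 0.0
    for t, who in events:
        if who != owner:
            if owner is not None:
                windows.append((owner, since, t))
            owner, since = who, t
    windows.append((owner, since, float(horizon)))
    return windows


def summarize(t1, t2, horizon, guide_start=0.0):
    """Worst-case lockout, smallest uninstall window and the guide's share of the time."""
    w = stack_top_windows(t1, t2, horizon, guide_start)
    malware = [e - s for o, s, e in w if o == MALWARE]
    guide = [e - s for o, s, e in w if o == GUIDE]
    return {
        "max_malware_on_top": max(malware, default=0.0),
        "min_guide_on_top": min(guide, default=0.0),
        "guide_share": round(sum(guide) / horizon, 3),
    }


if __name__ == "__main__":
    # T2 < T1 as the patent requires: the locker never holds the screen longer than T2.
    print("T1=5, T2=3:", summarize(5, 3, 60))
    # T2 > T1 for contrast: the locker can hold the screen for longer than its own period.
    print("T1=5, T2=7:", summarize(5, 7, 70))
```

With T1 = 5 s and T2 = 3 s the malicious Activity is never on top for more than 2 s, the uninstaller is on top for at least 3 s at a stretch, and the guide holds the screen 80% of the time; in general the guide regains the top within T2 of every malware push and the user always gets a window of at least T1 minus T2 to tap the uninstaller. With T2 = 7 s the same replay shows the locker holding the screen for up to 6 s, longer than its own period, which is why the method requires T2 to be strictly smaller than T1. A real implementation would measure T1 from the same Activity-start observations used in the detection step and pick T2 with some margin below it, so that the user's reaction time fits inside the guaranteed window.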
S303. Calling a preset decryption algorithm function and decrypting, with a preset key string, the files encrypted by the malicious program.
The preset decryption algorithm function and preset key string are obtained locally or from the server side. Specifically, by unpacking and decompiling the malicious program's apk file, the function implementing the encryption algorithm used by the malicious program, for example an AES encryption function, is located; by analysing that function, the key information the encryption function uses can be obtained. The decryption function corresponding to the encryption function can therefore be called with the obtained key information to decrypt the user files encrypted by the malicious program.
FIG. 4 is a schematic structural diagram of an Android malicious program detection apparatus according to an embodiment of the present application. In this embodiment, the apparatus includes:
a first monitoring module 100, configured to monitor whether an application's invocations of ACTIVITY conform to a preset rule, and whether a specific type of file corresponding to the application exists in the system;
a determining module 101, configured to determine, based on the result of the monitoring, whether the application is a malicious program;
Specifically, the preset rule includes: the application periodically invokes the ACTIVITY.
Further, the preset rule is obtained locally or from the server side.
By monitoring that the application does indeed invoke ACTIVITY periodically and frequently, so that the user cannot use other applications normally and cannot uninstall the application in the normal way, and by further monitoring that user data files are being encrypted, the application can be preliminarily determined to be a malicious program.
FIG. 5 is another schematic structural diagram of an Android malicious program detection apparatus according to an embodiment of the present application. In this embodiment, the apparatus includes:
a first monitoring module 200, configured to monitor whether an application's invocations of ACTIVITY conform to a preset rule, and whether a specific type of file corresponding to the application exists in the system;
a determining module 201, configured to determine, based on the result of the monitoring, whether the application is a malicious program;
Specifically, the preset rule includes: the application periodically invokes the ACTIVITY.
Further, the preset rule is obtained locally or from the server side.
a first uploading module 202, configured to upload feature information corresponding to the application to a server, so that the server determines, based on the feature information, whether the application is a malicious program.
To further confirm that the application is malicious, its feature information can be uploaded to the server for a verdict; specifically, the feature information includes the application's package name and/or MD5 value.
Further optionally, the apparatus may further include:
a first receiving module 203, configured to receive the malicious program determination result sent by the server;
a deleting module 204, configured to delete the application when the determination result indicates that the application is a malicious program.
By monitoring whether the application does indeed invoke ACTIVITY periodically and frequently and whether the system contains a specific type of file corresponding to the application, and by uploading the application's feature information to the server for a verdict, the combined results allow an accurate determination of whether the application is a malicious program, after which the malicious application is deleted.
Further optionally, the apparatus may further include:
a second receiving module 205, configured to receive malicious program processing information sent by the server;
a decryption module 206, configured to decrypt a file according to the malicious program processing information when the processing information indicates that the file is a file encrypted by the malicious program.
Further optionally, the apparatus may further include:
a second uploading module 207, configured to upload the processing result for the malicious program to the server.
FIG. 6 is a schematic structural diagram of an Android malicious program processing apparatus according to an embodiment of the present application. In this embodiment, the apparatus includes:
a second monitoring module 300, configured to monitor the first invocation period T1 with which the malicious program invokes ACTIVITY;
a setting module 301, configured to set a second invocation period T2, where T2 is less than T1;
a starting module 302, configured to start the malicious program removal guide program, so that the removal guide program invokes ACTIVITY with the second invocation period T2;
a decryption module 303, configured to call a preset decryption algorithm function and decrypt, with a preset key string, the files encrypted by the malicious program.
Specifically, the preset decryption algorithm function and preset key string are obtained locally or from the server side.
Correspondingly, an embodiment of the present application further provides a storage medium for storing an application program, the application program being configured to execute, at runtime, the Android malicious program detection method described in the present application. The Android malicious program detection method described in the present application includes:
monitoring whether an application's invocations of ACTIVITY conform to a preset rule, and whether a specific type of file corresponding to the application exists in the system;
determining, based on the result of the monitoring, whether the application is a malicious program.
To achieve the above object, an embodiment of the present application further provides an application program configured to execute, at runtime, the Android malicious program detection method described in the present application. The Android malicious program detection method described in the present application includes:
monitoring whether an application's invocations of ACTIVITY conform to a preset rule, and whether a specific type of file corresponding to the application exists in the system;
determining, based on the result of the monitoring, whether the application is a malicious program.
To achieve the above object, an embodiment of the present application further provides a storage medium for storing an application program, the application program being configured to execute, at runtime, the Android malicious program processing method described in the present application. The Android malicious program processing method described in the present application, adapted to process the malicious program described above, includes:
monitoring a first invocation period T1 with which the malicious program invokes ACTIVITY;
setting a second invocation period T2, where T2 is less than T1;
starting a malicious program removal guide program, so that the removal guide program invokes ACTIVITY with the second invocation period T2;
calling a preset decryption algorithm function and decrypting, with a preset key string, the files encrypted by the malicious program.
To achieve the above object, an embodiment of the present application further provides an application program configured to execute, at runtime, the Android malicious program processing method described in the present application. The Android malicious program processing method described in the present application, adapted to process the malicious program described above, includes:
monitoring a first invocation period T1 with which the malicious program invokes ACTIVITY;
setting a second invocation period T2, where T2 is less than T1;
starting a malicious program removal guide program, so that the removal guide program invokes ACTIVITY with the second invocation period T2;
calling a preset decryption algorithm function and decrypting, with a preset key string, the files encrypted by the malicious program.
To achieve the above object, an embodiment of the present application further provides a terminal device, comprising:
a processor, a memory, a communication interface and a bus;
the processor, the memory and the communication interface are connected via the bus and communicate with one another;
the memory stores executable program code;
the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to:
monitor whether an application's calls to an ACTIVITY conform to a preset rule, and whether a file of a specific type corresponding to the application exists in the system;
determine, based on the result of the monitoring, whether the application is a malicious program.
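As an added example (not code from the patent or its assignee), the detection rule of this embodiment and of claims 1 to 5 simulated in Python over a constructed log of ACTIVITY start events and a constructed list of device paths; the package names, paths, the jitter threshold and the choice to require both monitoring signals together are assumptions.

```python
"""Detection rule of claims 1-4 as a simulation: an application is flagged
when its ACTIVITY starts are periodic AND a folder or file type tied to it
exists on the device. Added example, not the patent's code; package names,
paths and thresholds below are constructed."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ActivityEvent:
    ts: float        # seconds since monitoring began
    package: str     # package that started the ACTIVITY
    activity: str    # ACTIVITY class name


@dataclass
class DetectionRule:
    """Preset rule for one application under test (thresholds are assumptions)."""
    min_calls: int = 4          # samples needed before judging periodicity
    max_jitter: float = 0.15    # stdev/mean of the gaps at or below this counts as periodic
    folders: Set[str] = field(default_factory=set)     # folders the app is known to create
    extensions: Set[str] = field(default_factory=set)  # extensions the app is known to write


def call_period(events: List[ActivityEvent], package: str,
                rule: DetectionRule) -> Tuple[bool, Optional[float]]:
    """Claim 2: is the ACTIVITY called periodically? Returns (periodic, mean gap)."""
    ts = sorted(e.ts for e in events if e.package == package)
    if len(ts) < rule.min_calls:
        return False, None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    t = mean(gaps)
    return (t > 0 and pstdev(gaps) / t <= rule.max_jitter), t


def marker_files(paths: List[str], rule: DetectionRule) -> List[str]:
    """Claims 3-4: paths inside a folder, or carrying an extension, tied to the app."""
    hits = []
    for p in paths:
        in_folder = any(p.startswith(f.rstrip("/") + "/") for f in rule.folders)
        if in_folder or any(p.endswith(ext) for ext in rule.extensions):
            hits.append(p)
    return hits


def feature_record(events, paths, package, rule) -> Dict:
    """Claim 5: the feature information a client would upload for a server-side verdict."""
    periodic, t = call_period(events, package, rule)
    return {"package": package, "periodic": periodic, "period_s": t,
            "marker_files": marker_files(paths, rule)}


def is_malicious(events, paths, package, rule) -> bool:
    """Claim 1 verdict; requiring both signals together is an assumption."""
    rec = feature_record(events, paths, package, rule)
    return bool(rec["periodic"] and rec["marker_files"])


# Constructed input: a lock-screen app relaunching its ACTIVITY every 5 s, a mail
# client with irregular launches, and the files present on the device.
EVENTS = [ActivityEvent(5.0 * i, "com.example.locker", "LockActivity") for i in range(6)]
EVENTS += [ActivityEvent(t, "com.example.mail", "InboxActivity") for t in (0.0, 37.0, 41.0, 120.0)]
PATHS = ["/sdcard/DCIM/photo1.jpg.locked", "/sdcard/Download/report.pdf.locked",
         "/sdcard/Download/notes.txt"]
RULE = DetectionRule(folders={"/sdcard/.locker"}, extensions={".locked"})

if __name__ == "__main__":
    for pkg in ("com.example.locker", "com.example.mail"):
        print(pkg, feature_record(EVENTS, PATHS, pkg, RULE), "->", is_malicious(EVENTS, PATHS, pkg, RULE))
```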
To achieve the above object, an embodiment of the present application further provides a terminal device, applicable to processing the above malicious program, comprising:
a processor, a memory, a communication interface and a bus;
the processor, the memory and the communication interface are connected via the bus and communicate with one another;
the memory stores executable program code;
the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to:
monitor a first call period T1 with which the malicious program calls the ACTIVITY;
set a second call period T2, where T2 is less than T1;
launch a malicious-program removal guide program, so that the malicious-program removal guide program calls the ACTIVITY with the second call period T2;
call a preset decryption algorithm function and decrypt, using a preset key string, the files encrypted by the malicious program.
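As an added example (not code from the patent or its assignee), the processing method of this embodiment and of claims 9 and 10 simulated in Python: T1 is measured from observed relaunches of the malicious ACTIVITY, T2 is chosen below T1, and a timeline shows how long each ACTIVITY holds the foreground; because the patent does not specify the preset decryption algorithm, a constructed SHA-256 keystream cipher stands in for it, and the periods, the tie rule, the file suffix and the key are assumptions.

```python
"""Processing method of claims 9-10 as a simulation: measure the lock
screen's relaunch period T1, choose T2 < T1, and relaunch a removal guide
ACTIVITY every T2 so it holds the foreground most of the time; then decrypt
the files with the preset function and key. Added example, not the patent's
code; periods, the tie rule and the stand-in cipher are assumptions."""
import hashlib
from typing import Dict, List, Tuple


def measure_t1(launch_times: List[float]) -> float:
    """T1 as the mean gap between observed relaunches of the malicious ACTIVITY."""
    gaps = [b - a for a, b in zip(launch_times, launch_times[1:])]
    return sum(gaps) / len(gaps)


def choose_t2(t1: float, ratio: float = 0.4) -> float:
    """T2 strictly below T1; the patent only requires T2 < T1, the ratio is assumed."""
    return t1 * ratio


def foreground_share(t1: float, t2: float, guide_start: float,
                     horizon: float) -> Dict[str, float]:
    """Seconds each side holds the foreground, plus the longest single malware hold.
    Assumes the most recently launched ACTIVITY is on top and that the guide wins ties."""
    events: List[Tuple[float, str]] = [(j * t1, "malware") for j in range(int(horizon // t1) + 1)]
    k = 0
    while guide_start + k * t2 < horizon:
        events.append((guide_start + k * t2, "guide"))
        k += 1
    events = sorted((e for e in events if e[0] < horizon), key=lambda e: (e[0], e[1] == "guide"))
    held = {"malware": 0.0, "guide": 0.0, "max_malware_hold": 0.0}
    holder, since = None, 0.0
    for t, who in events + [(horizon, "end")]:
        if holder is not None and who != holder:
            held[holder] += t - since
            if holder == "malware":
                held["max_malware_hold"] = max(held["max_malware_hold"], t - since)
        if who != holder:
            holder, since = who, t
    return held


def keystream_xor(data: bytes, key: str) -> bytes:
    """Constructed stand-in for the unspecified preset algorithm: a SHA-256 counter-mode
    keystream XORed with the data, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(f"{key}:{i // 32}".encode()).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def decrypt_files(files: Dict[str, bytes], key: str, suffix: str = ".locked") -> Dict[str, bytes]:
    """Last step of claim 9: apply the preset function with the preset key string to
    every encrypted file and restore its original name (the suffix is assumed)."""
    return {p[:-len(suffix)]: keystream_xor(c, key) for p, c in files.items() if p.endswith(suffix)}


if __name__ == "__main__":
    t1 = measure_t1([0.0, 10.0, 20.0, 30.0])      # constructed relaunch timestamps
    t2 = choose_t2(t1)
    print("T1", t1, "T2", t2, foreground_share(t1, t2, 1.0, 100.0))
    locked = {"/sdcard/DCIM/a.jpg.locked": keystream_xor(b"constructed photo bytes", "preset-key")}
    print(decrypt_files(locked, "preset-key"))
```

With T2 below T1 the malware can never keep the screen longer than T2 before the guide comes back on top; with T2 above T1 the share flips, which is what claim 9's T2 < T1 condition guards against.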
It should be noted that each embodiment in this specification focuses on its differences from the other embodiments; for the parts that are the same or similar among the embodiments, reference may be made between them. In particular, since the apparatus embodiments are substantially similar to the method embodiments, they are described relatively briefly, and for relevant details reference may be made to the description of the method embodiments.
A person of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and when executed may include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
What is disclosed above is merely a preferred embodiment of the present application and certainly cannot be used to limit the scope of rights of the present application. A person of ordinary skill in the art can understand all or part of the processes implementing the above embodiments, and equivalent variations made according to the claims of the present application still fall within the scope covered by the application.

Claims (21)

  1. An Android malicious program detection method, characterized by comprising:
    monitoring whether an application's calls to an ACTIVITY conform to a preset rule, and whether a file of a specific type corresponding to the application exists in the system;
    determining, based on the result of the monitoring, whether the application is a malicious program.
  2. The method according to claim 1, characterized in that the preset rule comprises:
    the application calling the ACTIVITY periodically.
  3. The method according to claim 1, characterized in that monitoring whether a file of a specific type corresponding to the application exists in the system comprises:
    monitoring whether a specific folder corresponding to the application exists in the system.
  4. The method according to claim 1, characterized in that monitoring whether a file of a specific type corresponding to the application exists in the system comprises:
    monitoring whether a file with a specific extension corresponding to the application exists in the system.
  5. The method according to claim 1, characterized in that, before determining based on the result of the monitoring whether the application is a malicious program, the method further comprises:
    uploading feature information corresponding to the application to a server, so that the server side determines, based on the feature information, whether the application is a malicious program.
  6. The method according to claim 5, characterized in that the method further comprises:
    receiving a malicious program determination result sent by the server, and deleting the application when the determination result indicates that the application is a malicious program.
  7. The method according to claim 5, characterized in that the method further comprises:
    receiving malicious program processing information sent by the server, and, when the processing information indicates that the file is a file encrypted by a malicious program, decrypting the file according to the malicious program processing information.
  8. The method according to claim 6 or 7, characterized in that the method further comprises: uploading the processing result for the malicious program to the server.
  9. An Android malicious program processing method, characterized in that the method is applicable to processing the malicious program according to any one of claims 1 to 8, the method comprising:
    monitoring a first call period T1 with which the malicious program calls the ACTIVITY;
    setting a second call period T2, where T2 is less than T1;
    launching a malicious-program removal guide program, so that the malicious-program removal guide program calls the ACTIVITY with the second call period T2;
    calling a preset decryption algorithm function and decrypting, using a preset key string, the files encrypted by the malicious program.
  10. The method according to claim 9, characterized in that the preset decryption algorithm function and the preset key string are obtained locally or from the server side.
  11. An Android malicious program detection apparatus, characterized by comprising:
    a first monitoring module, configured to monitor whether an application's calls to an ACTIVITY conform to a preset rule, and whether a file of a specific type corresponding to the application exists in the system;
    a determination module, configured to determine, based on the result of the monitoring, whether the application is a malicious program.
  12. The apparatus according to claim 11, characterized in that the preset rule comprises: the application calling the ACTIVITY periodically.
  13. The apparatus according to claim 11, characterized in that the first monitoring module is specifically configured to monitor whether a specific folder corresponding to the application exists in the system.
  14. The apparatus according to claim 11, characterized in that the first monitoring module is further specifically configured to monitor whether a file with a specific extension corresponding to the application exists in the system.
  15. The apparatus according to claim 11, characterized in that the apparatus further comprises:
    a first upload module, configured to upload feature information corresponding to the application to a server, so that the server side determines, based on the feature information, whether the application is a malicious program.
  16. The apparatus according to claim 11, characterized in that the apparatus further comprises:
    a first receiving module, configured to receive a malicious program determination result sent by the server;
    a deletion module, configured to delete the application when the determination result indicates that the application is a malicious program.
  17. The apparatus according to claim 11, characterized in that the apparatus further comprises:
    a second receiving module, configured to receive malicious program processing information sent by the server;
    a decryption module, configured to decrypt the file according to the malicious program processing information when the processing information indicates that the file is a file encrypted by a malicious program.
  18. The apparatus according to claim 16 or 17, characterized in that the apparatus further comprises:
    a second upload module, configured to upload the processing result for the malicious program to the server.
  19. An Android malicious program processing apparatus, characterized in that the apparatus is applicable to processing the malicious program according to any one of claims 1 to 8, the apparatus comprising:
    a second monitoring module, configured to monitor a first call period T1 with which the malicious program calls the ACTIVITY;
    a setting module, configured to set a second call period T2, where T2 is less than T1;
    a launching module, configured to launch a malicious-program removal guide program, so that the malicious-program removal guide program calls the ACTIVITY with the second call period T2;
    a decryption module, configured to call a preset decryption algorithm function and decrypt, using a preset key string, the files encrypted by the malicious program.
  20. The apparatus according to claim 19, characterized in that the preset decryption algorithm function and the preset key string are obtained locally or from the server side.
  21. A terminal device, characterized by comprising the apparatus according to any one of claims 11 to 20.
PCT/CN2015/082123 2014-06-27 2015-06-23 Android malicious program detecting and processing methods and apparatuses, and device WO2015196982A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410302960.3A CN105335654B (en) 2014-06-27 2014-06-27 Android malicious program detection and processing method, device and equipment
CN201410302960.3 2014-06-27

Publications (1)

Publication Number Publication Date
WO2015196982A1 true WO2015196982A1 (en) 2015-12-30

Family

ID=54936863

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/082123 WO2015196982A1 (en) 2014-06-27 2015-06-23 Android malicious program detecting and processing methods and apparatuses, and device

Country Status (2)

Country Link
CN (1) CN105335654B (en)
WO (1) WO2015196982A1 (en)


Also Published As

Publication number Publication date
CN105335654A (en) 2016-02-17
CN105335654B (en) 2018-12-14


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15810848; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 11/04/2017))
122 Ep: pct application non-entry in european phase (Ref document number: 15810848; Country of ref document: EP; Kind code of ref document: A1)