CN108133139A - Android malicious application detection system based on behavior comparison across multiple running environments - Google Patents

Android malicious application detection system based on behavior comparison across multiple running environments

Info

Publication number
CN108133139A
Authority
CN
China
Prior art keywords
behavior
application program
simulator
application
record
Prior art date
Legal status
Granted
Application number
CN201711217805.1A
Other languages
Chinese (zh)
Other versions
CN108133139B (en)
Inventor
陶敬
张岩
王平辉
韩婷
曹鹏飞
王铮
赵琪琪
孙立远
柳哲
Current Assignee
Xian Jiaotong University
Original Assignee
Xian Jiaotong University
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

An Android malicious application detection system based on behavior comparison across multiple running environments, comprising: an information extraction module, which decompiles the APK installation file under test and provides supporting data for subsequent log analysis; a dynamic analysis module, which performs dynamic analysis of the Android application using sandbox technology and records the behavior performed while the program runs; an environment detection countermeasure module, which detects environment-detection behavior during program execution in real time, counters detection behavior at different levels, and replaces the results of the application's environment detection with the features of a disguised running environment; a behavior record analysis module, which uniformly processes and analyzes all behavior logs after an application under test has been run repeatedly; and a system operation scheduling module, which controls the overall service flow while the system runs. The invention can capture the behavioral differences of an application and detect whether it has malicious behavior, and is suitable for identifying environment-sensitive malicious applications.

Description

Android malicious application detection system based on behavior comparison across multiple running environments
Technical field
The invention belongs to the technical field of network security, and in particular relates to an Android malicious application detection system based on behavior comparison across multiple running environments.
Background technology
The Internet has developed rapidly and reached a considerable scale. With the rise of intelligent mobile terminal devices in recent years, the mobile Internet has developed rapidly alongside it, and smartphones and tablet computers have become widespread in people's lives. As intelligent mobile terminal operating systems have gradually become popular, the Android platform, thanks to advantages such as convenient and easy-to-use operation, outstanding extensibility, open source code and a system that can be modified, has been welcomed by many mobile device developers and manufacturers and has gradually gained a huge base of system enthusiasts and users.
Precisely because of Android's high user share and its distinctive open-source character, Android has become the attack target of many malware producers and of the underground industry, and a large amount of malicious code aimed at the Android platform has appeared accordingly. Research into, and implementation of, mature techniques for quickly and effectively detecting malicious code therefore not only protects the privacy and property of a vast number of users and reduces their losses, but also largely protects the interests of Android application developers. Current techniques for detecting Android malicious code can be divided mainly into two classes: static and dynamic.
Traditional static detection methods mostly analyze the widespread repackaging phenomenon in malicious code and the permission-abuse phenomenon in malicious code. They need to analyze the APK installation package of an Android application, decompile the executable files in it and analyze the other resource files to obtain basic data, and then mine and classify further in order to judge the nature of the application. However, with the continuous development of encryption and obfuscation techniques, static analysis methods find it difficult to obtain effective detailed information.
Existing dynamic detection techniques for malicious code mainly detect an application by actually running it in various simulated environments, and detect malicious code on the basis of the dynamic feature information the application genuinely exhibits while it is monitored. The simulated running environments widely used by current dynamic detection systems are based mainly on virtualization technologies such as QEMU, VirtualBox and VMware. Whichever technology is used, there are always certain differences between the simulated running environment and a real physical device, and while it runs an application can obtain from the running environment information that reveals that environment. Consequently, if a malicious application is highly sensitive to its running environment and discovers that it is currently running in a simulated environment, which is very likely to be a component of a dynamic detection system, the malicious application will not directly perform its sensitive behavior, thereby escaping detection. This behavior of detecting the simulated running environment and changing its running state is called anti-emulator behavior, and it is a key factor limiting the effectiveness of dynamic detection methods. A method is therefore needed that copes with an application's anti-emulator behavior and effectively detects environment-sensitive malicious applications, to address the shortcomings of dynamic detection techniques in this respect.
Invention content
To overcome the above shortcomings of the prior art, the purpose of the present invention is to provide an Android malicious application detection system based on behavior comparison across multiple running environments. It relies on dynamic-analysis isolation sandbox technology: it detects the running-environment detection behavior performed while an application runs and takes targeted countermeasures, disguising the actual running environment as a variety of different running environments. The application is placed in these different running environments, its concrete behavior in each is recorded using a dynamic application-behavior capture method, and the behavior the application exhibits is analyzed and compared to measure the differences in its actions across environments. In this way the system captures the behavioral differences of the application and detects whether it has malicious behavior, and it is applicable to identifying environment-sensitive malicious applications that existing detection techniques cannot detect effectively.
To achieve these goals, the technical solution adopted by the present invention is as follows:
An Android malicious application detection system based on behavior comparison across multiple running environments, comprising:
an information extraction module, which decompiles the APK installation file under test, analyzes the relevant information of each class in the smali files produced by decompilation, and provides supporting data for subsequent log analysis;
a dynamic analysis module, which performs dynamic analysis of the Android application using sandbox technology and consists of an emulator sandbox running environment, formed by combining a system running image with system-call recording functionality (obtained by modifying the native Android system) and a customized emulator running file system, and which records the series of behaviors performed while the application runs; it is made up of sub-modules that record the behavior exhibited while the application under test runs;
an environment detection countermeasure module, which detects in real time the environment detection behavior performed while the application runs and counters detection behavior at different levels, replacing the results of the application's running-environment detection with disguised running-environment features; it comprises dynamic modification sub-modules that dynamically modify application-layer, Android-system-layer, Linux-system-layer and emulator-architecture-layer features respectively;
a behavior record analysis module, which uniformly processes and analyzes all behavior logs after an application under test has been run repeatedly, comprising an application behavior log preprocessing sub-module, a behavior sequence extraction sub-module, a behavior analysis and comparison sub-module and a report generation sub-module;
a system operation scheduling module, which controls the overall service flow while the system runs, comprising an emulator flow control sub-module, a to-be-analyzed application management sub-module, a system event simulation sub-module and a user interface event triggering sub-module.
The system running image is an executable obtained by compiling the Android system source code after secondary modification; the modification changes the execution flow of each specific system call API in the six classes of behavior described for the dynamic analysis module, so that the dynamic analysis module can record the application's various actions while the application executes.
The customized emulator running file system is the file system image file obtained by adding user usage data such as contact list information, call log information, text messages and photo information to the Android emulator file system image file in its initial configuration.
The dynamic analysis module comprises a network communication operation recording sub-module, a file operation recording sub-module, an encryption/decryption operation recording sub-module, a system shell operation recording sub-module, a privacy-behavior acquisition recording sub-module, a sensitive operation recording sub-module and so on.
Compared with the prior art, the beneficial effects of the invention are as follows:
1. Using dynamic analysis, it effectively avoids the anti-detection methods that static analysis cannot resolve, such as application packing and obfuscation.
2. By re-running the application in a variety of running environments and analyzing and comparing its behavior, it can accurately detect the application's anti-emulator behavior, judge whether it has hidden malicious behavior, and indicate whether it is a malicious application.
3. Using simple and efficient data analysis algorithms, it can record the application's real behavior in real time and efficiently process large amounts of behavior data.
4. The application behavior data obtained is reliable and accurate, and no additional information about the application under test is required.
5. The running environments are generated dynamically and their environmental features can be customized flexibly, so the whole system can easily be updated, upgraded and extended.
6. As an extension of existing Android application analysis platforms, it can enhance the overall analysis and detection capability of an Android malicious application analysis platform.
Description of the drawings
Fig. 1 is the overall operation flow chart of the system of the invention.
Fig. 2 is a structural diagram of each sub-module of the dynamic analysis module of the invention.
Fig. 3 is a flow diagram of the flow control module of the system of the invention.
Fig. 4 is a flow diagram of the dynamic analysis module of the invention.
Specific embodiment
In order that the purpose, technical solution and advantages of the present invention may be understood more clearly, the present invention is described in further detail below with reference to the accompanying drawings and exemplary embodiments. It should be understood that the exemplary embodiments described here only explain the present invention and are not intended to limit its scope.
First, the overall operation flow of the behavior-comparison-based Android malicious application detection system of the invention is shown in Fig. 1. The four main modules drawn there are the information extraction module, the dynamic analysis module, the environment detection countermeasure module and the behavior record analysis module; the system operation scheduling module is not drawn in the flow chart. The system operation scheduling module is responsible for controlling the overall service flow while the system runs, and the same application under test is re-run several times: first, the emulator sandbox running environment in the dynamic analysis module is restored to a preset original state; then the application under test is installed and started; while the application runs, the environment detection countermeasure module disguises the environmental features of the application layer, Android system layer, Linux system layer and emulator architecture layer, while the dynamic analysis module records the system calls the application makes and stores them in a series of behavior log files; after the same application has been run multiple times, the behavior record analysis module processes and analyzes the series of running logs generated for the application, computes the consistency between them, judges from the resulting consistency matrix whether the application has malicious behavior hidden under a specific running environment, indicates whether it is malicious, and outputs a detection report.
The detailed functions of each module are as follows:
1. Information extraction module
Because the subsequent behavior comparison module needs information about all class files in the application, the original APK installation file is first decompiled and the information of each class in the decompiled smali files is analyzed, in preparation for the subsequent behavior log analysis.
Before each application is run in the dynamic analysis environment, the Android APK decompilation tool apktool is used to decompile the APK file into a series of smali-format files. The decompiled smali files are scanned to extract information about the class files of the source code, which is saved in a database for the subsequent behavior comparison module to use.
2. Dynamic analysis module
The dynamic analysis module of this system performs dynamic analysis of Android applications using sandbox technology. The body of the module is an emulator sandbox running environment formed by combining a system running image with system-call recording functionality (obtained by modifying the native Android system) and a customized emulator running file system; its operating flow is shown in Fig. 4.
The system running image used in the module is an executable obtained by compiling the Android system source code after secondary modification; the modification changes the execution flow of each specific system call API in the six classes of behavior described for the dynamic analysis module, so that the dynamic analysis module can record the application's various actions while the application executes.
The customized emulator running file system used in the module is the file system image file obtained by adding user usage data such as contact list information, call log information, text messages and photo information to the Android emulator file system image file in its initial configuration.
The main flow is as follows:
Step 1: Start the emulator and, once it has started, wait for it to unlock the screen.
Step 2: If bugNum in the current analysis state is less than 2, continue to obtain an APK file from the list of applications being analyzed or from the queue of applications to be analyzed.
Step 3: Set the emulator state to busy, install the application, open it, switch it between foreground and background, invoke the simulated system event actions, then close and uninstall the application. If any error occurs during this whole process, add 1 to bugNum and proceed to the next step.
Step 4: After clearing the emulator's busy state, close the emulator gracefully with a telnet command; if that fails, terminate the emulator process directly with the kill command.
Every operation, including installing the application, can only be performed after the emulator has started completely. Simply checking whether the sys.boot_completed system property, which the system sets automatically, is 1 is not sufficient to judge accurately that the emulator has finished starting. Therefore, after sys.boot_completed is found to be 1, it is also necessary to check whether the emulator screen is still completely black; if it is still blank, the emulator has not yet started completely. Once the emulator screen shows an image, it is also necessary to check whether the number of processes in the system is still increasing; only when the number of processes stops increasing for a period of time is the emulator considered to have started completely.
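The three-stage readiness check just described, written out as an added example (not the patent's own code). The probes are injected callables so that it runs offline; a real harness would wrap them around emulator queries, which are assumed here rather than taken from the page.

```python
"""Emulator boot-readiness check (added illustration, not code from the patent).

Stages, in the order the description gives them:
  1. the sys.boot_completed property must read "1";
  2. the screen must no longer be entirely black;
  3. the process count must stop growing for a settle window.
The probes are injected callables so the check runs offline; a real harness
would wrap them around emulator queries (assumed, not from the page).
"""
import time
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Probes:
    boot_completed: Callable[[], str]    # value of sys.boot_completed
    screen_is_black: Callable[[], bool]  # True while the display is all black
    process_count: Callable[[], int]     # number of processes in the guest


def scripted(values: List) -> Callable[[], object]:
    """Build a probe that returns the given values in turn and then repeats
    the last one (constructed timeline, stands in for a live emulator)."""
    state = list(values)

    def probe():
        return state.pop(0) if len(state) > 1 else state[0]
    return probe


def wait_for_emulator(probes: Probes, settle_polls: int = 3,
                      max_polls: int = 100, poll_interval: float = 1.0,
                      sleep: Callable[[float], None] = time.sleep) -> int:
    """Return the poll index at which the emulator was judged fully booted,
    or -1 if max_polls elapsed first.  One stage is advanced per poll."""
    stage = "boot_prop"
    stable_polls = 0
    last_count = None
    for poll in range(max_polls):
        if stage == "boot_prop":
            if probes.boot_completed().strip() == "1":
                stage = "screen"
        elif stage == "screen":
            if not probes.screen_is_black():
                stage = "processes"
        else:
            count = probes.process_count()
            # "no longer increasing": the count did not grow since the last poll
            if last_count is not None and count <= last_count:
                stable_polls += 1
                if stable_polls >= settle_polls:
                    return poll
            else:
                stable_polls = 0
            last_count = count
        sleep(poll_interval)
    return -1


def demo() -> int:
    """Constructed timeline: the property flips to 1 on the third read, the
    screen lights up on the second check, and processes settle at 50."""
    probes = Probes(
        boot_completed=scripted(["0", "0", "1"]),
        screen_is_black=scripted([True, False]),
        process_count=scripted([40, 45, 50, 50, 50, 50]),
    )
    return wait_for_emulator(probes, settle_polls=3, sleep=lambda _: None)


if __name__ == "__main__":
    print("emulator ready after poll", demo())
```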
Malicious applications mostly activate their malicious behavior by registering broadcast receivers in the system for particular system events, and the system events they exploit mostly belong to a few classes of events that reflect the system's running state and have a certain regularity, such as the boot-completed broadcast, user interaction broadcasts, Wi-Fi network state change broadcasts and SIM card network state change broadcasts. Therefore, after the emulator has fully started, the application under test has been installed and the running environment features have been set, the application must be started and a series of the aforementioned system events must be fed in to trigger the application's response behavior.
To ensure that the information fed to an application is identical across its several runs, the order and time intervals of the system event sequence sent in the first run must be recorded, and the same system events must be sent at the same points in time during subsequent runs. In addition, after receiving a system event a malicious application may start a service component to perform running-environment detection and sensitive behavior covertly in the background, or may bind an Activity component of the application to the foreground and lure the user into operating a phishing interface so as to obtain other permissions or the user's private information. UI (user interface) triggering technology is therefore needed to operate the application's user interface; these user interface operations are handled by the system operation scheduling module.
The module is also responsible for recording the series of behaviors performed while the application runs; its main recording functions cover the following six aspects, as shown in Fig. 2:
(1) Network communication behavior records: TCP communication records, UDP communication records, HTTP communication records, DNS communication records and network traffic records.
(2) File operation behavior records: file operation records and SQLite database operation records.
(3) Encryption/decryption operation behavior records: encryption operation records and decryption operation records.
(4) System shell operation behavior records: records of privilege-escalation commands and of the mount, chown and chmod commands.
(5) Privacy information acquisition behavior records: records of obtaining system information, obtaining phone/call/email information, obtaining browser information and obtaining location information.
(6) Sensitive operation behavior records: dynamic loading behavior records, Android component operation behavior records and sensitive operation behavior records.
The dynamic analysis module monitors and records all of the above behavior while the application under test runs and stores it in a log file, which is extracted from the simulated environment after each run of the application under test and saved in the directory of logs to be analyzed, awaiting processing by the behavior record analysis module.
All monitoring information is output to the Android system log, and the system's built-in logging tool can filter and extract the system log by tag and record it to a disk file. But if every invocation of every monitored system API were recorded, the large number of actions executed by system applications would also require extra disk storage operations, which would substantially reduce the system's running efficiency and seriously affect the speed of dynamic analysis. Therefore, when a monitored API is called, the module checks whether the caller's process number equals the process number of the monitored application; only if they are equal is the disk operation actually recorded, otherwise nothing is recorded. In this way the impact on the system's running speed is minimized.
Because Android applications frequently execute with multiple threads, this module uses a behavior record generation technique adapted to multi-process applications, together with a behavior record comparison technique with matching characteristics, to cope with this problem. When recording a system API called while the application runs, the process number of the API caller and the call stack of the caller's thread are recorded, and all of this is finally stored together in a disk file. After the application finishes running in the emulator, the dynamic analysis module extracts the behavior record file from the emulator, classifies and aggregates each record by the class name of the operation and the caller's process number, sorts them by record timestamp, and finally forms a separate Android system API call sequence for each process in the application's execution.
3. Environment detection countermeasure module
This module detects in real time the environment detection behavior performed while the application runs, counters detection behavior at different levels, and replaces the results of the application's running-environment detection with disguised running-environment features. According to the different methods applications use to detect a simulated running environment, the features that can reveal the class of running environment belong to four different levels:
(1) Application layer
Application-layer anti-emulator methods mainly judge whether the running environment is simulated or real by detecting whether the device contains indicative features such as contact records, call records and text message records.
(2) Android system layer
Android-system-layer anti-emulator methods mainly judge whether the running environment is simulated or real by detecting features such as device status information (including IMSI, ICCID, IMEI, telephone number, etc.), device hardware information (including battery level, Wi-Fi module MAC address, GPS positioning information, etc.) and system property information (including calling the Android device system property accessor methods, reading the build.prop file, etc.).
(3) Linux system layer
Linux-system-layer anti-emulator methods mainly judge whether the running environment is simulated or real by detecting device activation information, device tag files, the getprop command and so on.
(4) Emulator architecture layer
Emulator-architecture-layer anti-emulator methods mainly judge whether the running environment is simulated or real by methods such as detecting the device CPU information tag file and device-specific processes.
Besides the methods in the four classes listed above, the environment detection countermeasure module can also modify other features as needed to generate new running environments, so as to deceive the application under test.
The dynamic disguise of the running-environment features above can be achieved by modifying the Android system source code or by other methods. When modifying the Android system source code, the following three methods are mainly used to dynamically customize each feature.
First, for environmental features that are system properties, a special system property modification tool is used after the emulator starts to change the property values in the system kernel, and some custom properties are added to control the disguise of Android system API features and file features. The tool is needed because some read-only properties cannot be changed under the system's default conditions, so the modification has to be made by changing memory. One special case among system properties is the Build static variables in the Android system, such as the Build.DEVICE attribute mentioned above. These are Java objects whose modifiers are static final; their values cannot be changed directly by modifying memory. Instead, process injection is needed: code is injected into the zygote initialization process, the modifiers are changed by reflection, and then the values are changed. Since the zygote process is the parent of every other application process in the Android system, after it is modified every application started subsequently sees the same values of the Build static variables.
Second, for features that judge the running environment by calling an Android system API and using its return value, when the application calls the API the Android framework first obtains from the system properties the custom property value added for that API, and returns the value of that custom property to the application as the result of the API call instead of the actual value. Because many system applications also call APIs to fetch some system property values while the Android system runs, and the system may become unstable or even crash outright if the return values they obtain do not match the actual situation, these framework APIs judge at run time which process the current call comes from, and only calls from the process of the application under test are returned the disguised value.
Third, for detection methods based on file features, an application can judge the running environment by checking whether a tag file exists in the running environment or whether a file contains a feature string. Therefore, when a file is opened, the Android framework judges whether the process performing the open operation is the process of the application under test, and then judges whether the file to be opened is a tag file that can reveal the running environment; if both conditions are met, the file operation is redirected to a pre-prepared simulated file, thereby disguising the file features of the running environment.
4th, behavior record analysis module
The module can carry out all user behaviors logs after operation whole is repeated several times in a certain application program to be measured It is uniformly processed and analyzes, submodule, behavior sequence extracting sub-module, behavioural analysis comparison are pre-processed including application user behaviors log Four submodules of module and report generation submodule.
User behaviors log pretreatment submodule arranges original user behaviors log file, extracts and goes out in all daily records Existing system is called, and is arranged as a list, each unique integer number of corresponding one of system calling;Then behavior sequence The system that extracting sub-module can be generated according to previous step calls the correspondence with number to be converted to each individual behavior Daily record behavior sequence;Behavioural analysis comparison submodule each behavior sequence is compared using alignment algorithm, calculating two-by-two it Between similarity, measure matrix, while count the number of API Calls in each behavior record;Report generation submodule Judge that the application with the presence or absence of hiding malicious act, indicates that its is malicious, and export detection according to the feature of consistency matrix Report.
Wherein behavioural analysis compare submodule to an application program obtained two in different running environment When behavior record is compared, calculated respectively first, in accordance with the thread number in two behavior records corresponding in two behavior records The system API Calls sequence similarity of cross-thread.In order to accurately reflect the similarity between two calling sequences, the two is calculated Between editing distance weigh similarity therebetween, obtain measurement of the real number between 0 to 1 as similarity, Similarity is bigger to represent that the two is more similar.After the similarity between per thread pair is calculated, according in each thread The number that API Calls record in system API Calls sequence ratio shared in API Calls record sum in entire behavior record These individual similarities are added up into the similarity for a totality, as the final of two behavior record similarities of application program As a result.Behavior is consistent when application program operation is just constituted after the similarity-rough set between all behavior records is completed Property matrix.Other than the similarity between statistics application program behavior record, which can also count two corresponding threads Between difference in specific calling system api function type and number, obtain behavior statistic of classification result.If two behavior notes Behavior record in record in the corresponding thread of certain a pair is not identical, and sensitive API letter is had invoked in one of thread Number, another thread do not call the api function then, then show the running environment information that the application program is collected into according to it To this part, sensitive behavior is hidden.
Report generation submodule one application program of synthesis exports the consistency between behavior record after dynamic operation several times Matrix sentences the application program with the presence or absence of behavioral difference using decision algorithm.If after certain one kind camouflage in running environment The comparison result between behavior record in behavior record and original analog running environment is less than threshold value, then proves the application program There are behavioral difference, and its detection dry run environment method used is to belong to the category, so as to judge application program institute The anti-simulator behavior generic used.In addition, decision algorithm can also according to the differential analysis of behavior statistic of classification result its Whether in certain running environment sensitive behavior is concealed, then judge that this application program is if there is hiding sensitive behavior The malicious application application program of anti-simulator method is used.Finally, the submodule by all analysis results summarize for Analysis examining report is simultaneously exported to user.
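The analysis pipeline described above (and restated in claims 7 to 9) as an added, self-contained example; this is illustrative code written for this page, not the patent's implementation. The log line format, the process/thread numbers, the API names used as constructed sample data, the sensitive-API set, the weighting of each thread pair by its share of the calls in both records, and the 0.8 threshold are all assumptions made here.

```python
from collections import defaultdict

# Constructed sample behavior logs (not the patent's real log format): one record
# per line, "timestamp pid tid api". pid 999 is a different process whose calls
# the recorder must drop, as the page describes (caller pid must match).
MONITORED_PID = 1234

LOG_ORIGINAL = """\
100 1234 1 android.telephony.TelephonyManager.getDeviceId
101 1234 1 java.io.File.exists
102 1234 1 android.os.SystemProperties.get
103 1234 2 java.net.Socket.connect
104 1234 2 java.net.HttpURLConnection.connect
105 999 3 android.telephony.SmsManager.sendTextMessage
"""

LOG_CAMOUFLAGED = """\
200 1234 1 android.telephony.TelephonyManager.getDeviceId
201 1234 1 java.io.File.exists
203 1234 2 java.net.Socket.connect
202 1234 1 android.os.SystemProperties.get
204 1234 1 android.telephony.SmsManager.sendTextMessage
207 1234 1 java.net.Socket.connect
205 1234 1 dalvik.system.DexClassLoader.<init>
206 1234 2 java.net.HttpURLConnection.connect
"""

# Assumed set of "sensitive" APIs for the classification statistic.
SENSITIVE_APIS = frozenset({
    "android.telephony.TelephonyManager.getDeviceId",
    "android.telephony.SmsManager.sendTextMessage",
    "dalvik.system.DexClassLoader.<init>",
})


def parse_log(text, pid=MONITORED_PID):
    """Keep only the monitored process, sort by timestamp, group per thread."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rec_pid, tid, api = line.split()
        if int(rec_pid) != pid:      # record only the application under detection
            continue
        rows.append((int(ts), int(tid), api))
    rows.sort()
    record = defaultdict(list)
    for _, tid, api in rows:
        record[tid].append(api)
    return dict(record)


def build_call_index(records):
    """Preprocessing step: number every distinct API with a unique integer."""
    names = sorted({api for rec in records for seq in rec.values() for api in seq})
    return {name: i for i, name in enumerate(names)}


def to_sequences(record, index):
    """Sequence extraction: replace API names by their integer numbers."""
    return {tid: [index[a] for a in apis] for tid, apis in record.items()}


def edit_distance(a, b):
    """Levenshtein distance between two integer sequences (alignment step)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]


def sequence_similarity(a, b):
    """Map the edit distance to a real number in [0, 1]; 1 means identical."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest


def record_similarity(seq_a, seq_b):
    """Weight each thread pair by its share of all calls in both records."""
    total = sum(map(len, seq_a.values())) + sum(map(len, seq_b.values()))
    if total == 0:
        return 1.0
    score = 0.0
    for tid in set(seq_a) | set(seq_b):
        a, b = seq_a.get(tid, []), seq_b.get(tid, [])
        score += sequence_similarity(a, b) * (len(a) + len(b)) / total
    return score


def consistency_matrix(sequences):
    names = list(sequences)
    return {x: {y: record_similarity(sequences[x], sequences[y]) for y in names}
            for x in names}


def hidden_sensitive_apis(rec_hidden, rec_shown, sensitive=SENSITIVE_APIS):
    """Per thread: sensitive APIs called in rec_shown but absent in rec_hidden."""
    hidden = {}
    for tid in set(rec_hidden) | set(rec_shown):
        diff = (set(rec_shown.get(tid, [])) - set(rec_hidden.get(tid, []))) & sensitive
        if diff:
            hidden[tid] = diff
    return hidden


def analyze(logs, baseline, threshold=0.8):
    """Full pipeline: logs keyed by environment name -> decision report."""
    records = {name: parse_log(text) for name, text in logs.items()}
    index = build_call_index(records.values())
    seqs = {name: to_sequences(rec, index) for name, rec in records.items()}
    matrix = consistency_matrix(seqs)
    flagged = sorted(env for env, sim in matrix[baseline].items()
                     if env != baseline and sim < threshold)
    hidden = {env: hidden_sensitive_apis(records[baseline], records[env]) for env in flagged}
    return {"matrix": matrix, "flagged_environments": flagged,
            "hidden_sensitive_apis": hidden, "malicious": any(hidden.values())}
```

With the constructed logs, thread 1 in the disguised environment performs three extra calls (similarity 0.5), thread 2 is identical (1.0), and the weighted overall similarity is 8.5/13, below the assumed threshold, so the run is flagged and the two sensitive APIs seen only there are reported as hidden behavior.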
6. System operation scheduling module
This module controls the operational flow of the whole system and includes four submodules: the emulator operation control submodule, the to-be-analyzed application management submodule, the system event simulation submodule, and the user interface event triggering submodule.
The emulator operation control submodule starts emulators at system initialization according to the input number of emulators to start, and then starts a control thread for each emulator, as shown in Figure 3. The emulator control thread provides a series of control operations for the emulator: run, stop, acquire application, install and run application, stop and uninstall application, and so on.
The to-be-analyzed application management submodule monitors the directory of applications to be analyzed and maintains an application queue to be analyzed, a queue of applications being analyzed, and a queue of applications whose analysis is complete. Each emulator operation control submodule takes one application from the to-be-analyzed queue, places it in the being-analyzed queue, and moves it to the analysis-complete queue once its analysis is finished.
The system event simulation submodule is responsible for simulating the system events that can occur during real device use while the application under detection runs, so as to trigger the application's possible responses to these system events; these include simulating boot-completed events, screen lock and unlock events, receiving and sending SMS messages, dialing and receiving phone calls, location changes, and so on.
The user interface event triggering submodule simulates user operation of the application to trigger the application's responses to these user operations; at the same time, it automatically starts the various components present in the application, including exported and non-exported components. During user interface interaction simulation, the UI tree is traversed by depth-first search. While traversing the UI controls in the UI tree, the user interface interaction simulation function triggers different UI component events depending on the UI control type, thereby simulating user operations. The traversal proceeds as follows: first start the application, then traverse all UI interfaces. Each time a UI interface is reached, first obtain all valid UI controls of that interface, then traverse all the obtained controls and, depending on the control type, trigger the corresponding UI component event. If the UI interface changes after a control's UI component event has been triggered, the information of the former UI interface is saved on a stack, the new UI interface is traversed, and once that traversal is complete the former UI interface is returned to and its remaining controls are traversed.
After the whole repeated-run process of an application is completed in the detection system, the detection report is output in the final stage.
Because malicious applications account for a sizable proportion of the applications with specific anti-emulator behavior, and because the system combines this with recording and comparing the application's sensitive behavior, the output of the Android malicious application detection system of the present invention can determine whether the application is a malicious application with anti-emulator behavior, that is, an application that hides its sensitive malicious behavior in a specific running environment.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included in its scope of protection.
In summary, the Android malicious application detection system based on multi-running-environment behavior comparison provided by the present invention analyzes the behavior an APK program exhibits in different running environments to detect its malicious behavior, and thereby further confirms whether it is a malicious application.
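The stack-based depth-first UI traversal described above, as an added illustration written for this page rather than the patent's own code. The UI tree, the control kinds and the per-kind event names are constructed assumptions; in a real driver the "leads_to" transitions would be observed from the emulator after each event.

```python
from dataclasses import dataclass
from typing import Optional, List


@dataclass
class Control:
    name: str
    kind: str                       # control type decides which event to fire
    leads_to: Optional[str] = None  # screen opened after triggering (assumed known)


@dataclass
class Screen:
    name: str
    controls: List[Control]


# Constructed mapping from control type to the UI component event fired.
EVENT_FOR_KIND = {"button": "click", "edittext": "set_text",
                  "checkbox": "click", "list": "scroll"}

# Constructed UI tree: "main" opens "login" and "about"; "login" opens "dashboard".
UI_TREE = {
    "main": Screen("main", [Control("login_btn", "button", "login"),
                            Control("about_btn", "button", "about"),
                            Control("agree", "checkbox")]),
    "login": Screen("login", [Control("user", "edittext"),
                              Control("submit", "button", "dashboard")]),
    "about": Screen("about", [Control("back", "button", "main")]),
    "dashboard": Screen("dashboard", [Control("feed", "list"),
                                      Control("logout", "button", "main")]),
}


def traverse_ui(ui, start="main"):
    """Depth-first traversal: when an event opens a new screen, the current
    screen (with its next control index) is pushed on a stack, the new screen
    is traversed, and the former screen is resumed afterwards.
    Returns the list of (screen, control, event) fired, in order."""
    fired = []
    visited = {start}                 # do not re-enter an already traversed screen
    stack = [(start, 0)]              # (screen name, index of next control)
    while stack:
        screen_name, i = stack.pop()
        screen = ui[screen_name]
        if i >= len(screen.controls):
            continue                  # this screen is fully traversed
        ctrl = screen.controls[i]
        fired.append((screen_name, ctrl.name, EVENT_FOR_KIND[ctrl.kind]))
        stack.append((screen_name, i + 1))   # remember where to resume
        if ctrl.leads_to and ctrl.leads_to not in visited:
            visited.add(ctrl.leads_to)
            stack.append((ctrl.leads_to, 0))  # descend into the new screen first
    return fired
```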

Claims (10)

1. An Android malicious application detection system based on multi-running-environment behavior comparison, characterized in that it comprises:
an information extraction module, which decompiles the APK installation file under detection and analyzes the information about each class in the smali files generated by decompilation, providing data support for subsequent log analysis;
a dynamic analysis module, which performs dynamic analysis of Android applications using sandbox technology; an emulator sandbox running environment is composed of a system running image, based on the native Android system with system-call recording functionality added through system modification, together with a customized emulator file system; the behaviors performed by the application during its run are recorded, the module consisting of submodules that record the behavior exhibited by the application under detection while it runs; an environment detection countermeasure module, which detects in real time the environment-detection behavior of the application while it runs and counters detection behavior at different levels by modifying the result of the application's running-environment detection into disguised running environment features, and which includes dynamic modification submodules that dynamically modify the features of the application layer, the Android system layer, the Linux system layer and the emulator architecture layer respectively;
a behavior record analysis module, which uniformly processes and analyzes all behavior logs produced after an application under test has been run repeatedly in full, and which includes an application behavior log preprocessing submodule, a behavior sequence extraction submodule, a behavior analysis and comparison submodule and a report generation submodule;
a system operation scheduling module, which controls the whole operational flow during system operation and includes an emulator operation control submodule, a to-be-analyzed application management submodule, a system event simulation submodule and a user interface event triggering submodule.
2. The Android malicious application detection system based on multi-running-environment behavior comparison according to claim 1, characterized in that the workflow of the dynamic analysis module is as follows:
Step 1: start the emulator and wait for the emulator to unlock the screen after startup;
Step 2: if bugNum in the current analysis state is less than 2, continue to obtain an APK file from the list of applications being analyzed or from the queue to be analyzed;
Step 3: set the emulator state to busy, install the application, open the application, switch the application between foreground and background, invoke the simulated system event actions, and close and uninstall the application; if any error occurs during this whole process, add 1 to bugNum directly and proceed to the next step;
Step 4: after clearing the emulator's busy state, close the emulator with a telnet command; if that fails, close the emulator process directly with a kill command.
3. The Android malicious application detection system based on multi-running-environment behavior comparison according to claim 2, characterized in that after the sys.boot_completed system property is found to be 1, it is also judged whether the current emulator screen is still completely black; if the screen is still blank, the emulator has not yet fully started; after a picture appears on the emulator screen, it is further judged whether the number of processes in the system is still increasing, and only after the number of processes stops increasing for a period of time is the emulator considered fully started; after the emulator has fully started, the application under detection is installed in it and the running environment features are set, the application is started, a series of system events is input to trigger the application's responses, and the order and interval times of the system events sent the first time are recorded so that the same system events are sent at the same time points during subsequent runs.
4. The Android malicious application detection system based on multi-running-environment behavior comparison according to claim 1, characterized in that the system running image is an executable file compiled after secondary modification of the Android system source code; the modification changes the execution flow of the specific system call APIs in each of the six classes of behavior described for the dynamic analysis module, so that the dynamic analysis module can record the various actions of the application during its execution.
The customized emulator file system is a file system image file obtained by adding user usage data, such as contact information, call records, SMS messages and photos, to the Android emulator file system image file in its initial configuration.
5. The Android malicious application detection system based on multi-running-environment behavior comparison according to claim 1, characterized in that, in the environment detection countermeasure module, the running environment feature categories derived from the different methods by which an application detects the emulator running environment are as follows:
(1) Application layer
Judge whether the running environment is an emulated or a real environment by detecting whether signature applications are present on the device;
(2) Android system layer
Judge whether the running environment is an emulated or a real environment by detecting device status information, device hardware information and system property information;
(3) Linux system layer
Judge whether the running environment is an emulated or a real environment by detecting device activation information, device signature files and the output of the getprop command;
(4) Emulator architecture layer
Judge whether the running environment is an emulated or a real environment by detecting device CPU information signature files and device-specific processes;
In addition to the methods included in the four classes listed above, the environment detection countermeasure module can, as needed, make countermeasure modifications to other features to generate new running environments, so as to deceive the application under detection.
6. The Android malicious application detection system based on multi-running-environment behavior comparison according to claim 1, characterized in that running environments with the given features are dynamically generated by modifying the Android system source code, specifically:
First, environment features belonging to system properties can be modified after the emulator starts by using a dedicated system property modifier to change the property values in the system kernel, while some custom properties are added to control the disguise of Android system API features and file features; for the Build static variables of the Android system, whose values cannot be modified directly by changing system properties, code is injected into the zygote initialization process by process injection, the variables' modifiers are changed by reflection, and their values are then changed;
Second, for features that are obtained as the return value of an Android system API call and used to judge running environment information, when the application calls the API, the Android framework obtains from the system properties the previously added custom property value corresponding to that API and returns that custom property value to the application as the API's return value instead of the real value; during these API operations the Android framework can judge which process the call comes from, and only calls from the process of the application under detection receive the disguised value;
Third, for detection methods based on file characteristics, an application can check whether a signature file exists in the running environment, or whether a file contains a characteristic string; when a file is opened, the Android framework judges whether the process issuing the open call is the process of the application under detection, then judges whether the file being opened is a signature file that reveals the running environment, and if both conditions hold redirects the file operation to a simulated file prepared in advance, so that the file characteristics of the running environment are disguised.
7. The Android malicious application detection system based on multi-running-environment behavior comparison according to claim 1, characterized in that the main recording functions of the dynamic analysis module include the following:
(1) Network communication behavior records: TCP communication records, UDP communication records, HTTP communication records, DNS communication records and network traffic records;
(2) File operation behavior records: file operation records and sqlite database operation records;
(3) Encryption and decryption operation behavior records: encryption operation records and decryption operation records;
(4) System shell operation behavior records: records of privilege escalation commands, mount commands, chown commands and chmod commands;
(5) Privacy information acquisition behavior records: records of obtaining system information, obtaining phone/call/email information, obtaining browser information and obtaining location information;
(6) Sensitive operation behavior records: dynamic loading behavior records, Android component operation behavior records and sensitive operation behavior records.
The dynamic analysis module monitors and records all of the above behaviors while the application under detection runs, and all monitoring information is exported to the Android system's log system; when a monitored API is called, it judges whether the caller's process number equals the process number of the monitored application, and only if they are equal is the disk record actually written; otherwise nothing is recorded;
In the dynamic analysis module, when a system API called during the application's run is recorded, the process number of the API caller and the call stack of the thread in which the API was called are recorded together and finally stored in a disk file; after the application finishes running in the emulator, the behavior record generation module extracts the behavior record file from the emulator, classifies and summarizes every record in it by the class name and process number of the caller, sorts them by record timestamp, and finally forms the Android system API call sequence of each process during the application's run.
8. The Android malicious application detection system based on multi-running-environment behavior comparison according to claim 1, characterized in that the behavior log preprocessing submodule organizes the raw behavior log files, extracts every system call that appears in any of the logs, and arranges them as a list in which each system call corresponds to a unique integer number;
the behavior sequence extraction submodule uses the system-call-to-number mapping produced in the previous step to convert each individual behavior log into a behavior sequence;
the behavior analysis and comparison submodule compares the behavior sequences pairwise using an alignment algorithm, computes the similarity between each pair to obtain a consistency matrix, and at the same time counts the number of API calls in each behavior record;
the report generation submodule judges from the features of the consistency matrix whether the application has hidden malicious behavior, marks it as malicious, and outputs the detection report.
9. The Android malicious application detection system based on multi-running-environment behavior comparison according to claim 1, characterized in that when the behavior analysis and comparison submodule compares two behavior records obtained from one application in different running environments, it first computes, according to the thread numbers in the two records, the similarity of the system API call sequences of each pair of corresponding threads; after the similarity of every thread pair has been computed, these individual similarities are weighted by the proportion of that thread's API call records among the total API call records of the whole behavior record and summed into one overall similarity, which is the final similarity between the two behavior records of the application; once the similarity comparison between all behavior records is complete, the behavior consistency matrix of the application's runs is formed;
the behavior analysis and comparison submodule also counts the differences in the types and numbers of system API functions called by two corresponding threads, producing a behavior classification statistic; if the behavior records of a corresponding pair of threads in two behavior records differ, and one of the threads invoked a sensitive API function while the other did not, this shows that the application hid this part of its sensitive behavior based on the running environment information it collected;
the report generation submodule combines the consistency matrix output after an application's several dynamic runs and uses a decision algorithm to judge whether the application shows behavioral differences; if the comparison result between the behavior record in a running environment disguised with a certain category of features and the behavior record in the original emulator running environment is below a threshold, the application is proven to have behavioral differences and the emulator-detection method it uses belongs to that category, so that the category of anti-emulator behavior used by the application is determined; the decision algorithm also analyzes the differences in the behavior classification statistics to determine whether the application concealed sensitive behavior in some running environment, and if hidden sensitive behavior exists, the application is judged to be a malicious application that uses anti-emulator methods.
10. The Android malicious application detection system based on multi-running-environment behavior comparison according to claim 1, characterized in that the emulator operation control submodule starts emulators at system initialization according to the input number of emulators to start, and then starts a control thread for each emulator, the emulator control thread providing a series of control operations for the emulator;
the to-be-analyzed application management submodule monitors the directory of applications to be analyzed and maintains an application queue to be analyzed, a queue of applications being analyzed and a queue of applications whose analysis is complete; each emulator operation control submodule takes one application from the to-be-analyzed queue, places it in the being-analyzed queue, and moves it to the analysis-complete queue once its analysis is finished;
the system event simulation submodule is responsible for simulating the system events that can occur during real device use while the application under detection runs, so as to trigger the application's possible responses to these system events;
the user interface event triggering submodule simulates user operation of the application to trigger the application's responses to these user operations, and at the same time automatically starts the various components present in the application, including exported and non-exported components; during user interface interaction simulation the UI tree is traversed by depth-first search, and while traversing the UI controls in the UI tree the user interface interaction simulation function triggers different UI component events depending on the UI control type, thereby simulating user operations.
CN201711217805.1A 2017-11-28 2017-11-28 Android malicious application detection system based on multi-operation environment behavior comparison Active CN108133139B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711217805.1A CN108133139B (en) 2017-11-28 2017-11-28 Android malicious application detection system based on multi-operation environment behavior comparison

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711217805.1A CN108133139B (en) 2017-11-28 2017-11-28 Android malicious application detection system based on multi-operation environment behavior comparison

Publications (2)

Publication Number Publication Date
CN108133139A true CN108133139A (en) 2018-06-08
CN108133139B CN108133139B (en) 2020-06-26

Family

ID=62389035

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711217805.1A Active CN108133139B (en) 2017-11-28 2017-11-28 Android malicious application detection system based on multi-operation environment behavior comparison

Country Status (1)

Country Link
CN (1) CN108133139B (en)


Also Published As

Publication number Publication date
CN108133139B (en) 2020-06-26

Similar Documents

Publication Publication Date Title
CN108133139A (en) A kind of Android malicious application detecting system compared based on more running environment behaviors
CN105653956B (en) Android malware classification method based on dynamic behaviour dependency graph
CN104766012B (en) The data safety dynamic testing method and system followed the trail of based on dynamic stain
CN110737899B (en) Intelligent contract security vulnerability detection method based on machine learning
CN106203113B (en) The privacy leakage monitoring method of Android application file
US10581879B1 (en) Enhanced malware detection for generated objects
CN105893848A (en) Precaution method for Android malicious application program based on code behavior similarity matching
US6735703B1 (en) Multi-platform sequence-based anomaly detection wrapper
CN102054149B (en) Method for extracting malicious code behavior characteristic
CN105787366B (en) Android software visualization safety analytical method based on component relation
CN111931166B (en) Application program anti-attack method and system based on code injection and behavior analysis
CN112685737A (en) APP detection method, device, equipment and storage medium
CN107341401A (en) A kind of malicious application monitoring method and equipment based on machine learning
CN105956468B (en) A kind of Android malicious application detection method and system based on file access dynamic monitoring
CN104834858A (en) Method for statically detecting malicious code in android APP (Application)
CN109992968A (en) Android malicious act dynamic testing method based on binary system dynamic pitching pile
CN112149124B (en) Android malicious program detection method and system based on heterogeneous information network
CN106845234A (en) A kind of Android malware detection method based on the monitoring of function flow key point
CN108090360A (en) The Android malicious application sorting technique and system of a kind of Behavior-based control feature
CN103905423A (en) Harmful advertisement piece detecting method and system based on dynamic behavior analysis
CN113158251B (en) Application privacy disclosure detection method, system, terminal and medium
CN112688966A (en) Webshell detection method, device, medium and equipment
CN109800569A (en) Program identification method and device
CN113468524B (en) RASP-based machine learning model security detection method
CN112817877A (en) Abnormal script detection method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant