CN113805894A - Abnormal APK (android Package) identification method, electronic equipment and readable storage medium - Google Patents

Publication number
CN113805894A
Authority
CN
China
Prior art keywords
apk
target
sample
abnormal
list
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111090861.XA
Other languages
Chinese (zh)
Other versions
CN113805894B (en)
Inventor
俞锋锋
吕繁荣
孙勇韬
尹祖勇
周琦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Yunshen Technology Co ltd
Original Assignee
Hangzhou Yunshen Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/53 Decompilation; Disassembly
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a method for identifying an abnormal APK, an electronic device and a readable storage medium. The method comprises: extracting a target list from the syntax tree of a target APK and comparing the target list with a sample list. When the number of levels of the target list is the same as that of the sample list, the similarity T of the target APK file is generated from the edit distances. When the numbers of levels differ, an edit distance and a corresponding weight value are set for the levels that cannot be matched one to one, the similarity T of the target APK file is then generated from the set edit distances together with the calculated edit distances, and whether the target APK is an abnormal APK is judged. The invention obtains the code package corresponding to the APK through static analysis in order to identify abnormal APKs and avoid missing them; at the same time, using the edit distance for each level between the target list and the sample list improves the accuracy of identifying abnormal APKs and the safety of the user.

Description

Abnormal APK (android Package) identification method, electronic equipment and readable storage medium
Technical Field
The invention relates to the technical field of APK files, in particular to an abnormal APK identification method, electronic equipment and a readable storage medium.
Background
Currently, the Android platform has many types of Android installation packages (APKs), among which an abnormal APK may negatively affect a user, for example by leaking user information or inserting an abnormal plug-in.
In the prior art, it cannot be determined that some APKs in a device's list of installable APKs are of an abnormal type, so a user may install them while using the device and be negatively affected. In addition, because an APK may itself be encrypted, it may not be recognized as belonging to an abnormal type, which again can negatively affect the user and thereby compromise user safety.
Disclosure of Invention
In order to solve the problems in the prior art, a target list is extracted from the syntax tree of a target APK and compared with a sample list. When the number of levels of the target list is the same as that of the sample list, the similarity T of the target APK file is generated from the edit distances; when the numbers of levels differ, an edit distance and a corresponding weight value are set for the levels that cannot be matched one to one, the similarity T of the target APK file is then generated from the set edit distances together with the calculated edit distances, and whether the target APK is an abnormal APK is judged. The code package of the APK can be obtained through static analysis, and whether the target APK is an abnormal APK is judged from the information in the code package, so that the APK is identified and abnormal APKs are not missed because they could not be identified. Using the edit distance of each level of the target list and of the sample list improves the accuracy of identifying abnormal APKs and the safety of the user. The embodiments of the invention provide an abnormal APK identification method, an electronic device and a readable storage medium. The technical scheme is as follows:
In one aspect, a method for identifying an abnormal APK includes the following steps:
S101, obtaining a target list $A = (A_1, A_2, A_3, \ldots, A_m)$ corresponding to the target APK, where $A_i$ is the target character string corresponding to the $i$-th level of the target syntax tree, $i = 1, \ldots, m$, and $m$ is the number of levels of the target syntax tree;
S103, obtaining a similarity list $T$ according to $A$ and the sample APK list $C = (C_1, C_2, \ldots, C_r)$, where $C_g$ is the $g$-th sample APK, $g = 1, \ldots, r$, and $r$ is the number of sample APKs, wherein S103 further includes the following steps:
S1031, obtaining the sample list $B = (B_1, B_2, B_3, \ldots, B_n)$ corresponding to $C_g$, where $B_j$ is the sample character string corresponding to the $j$-th level of the sample syntax tree, $j = 1, \ldots, n$, and $n$ is the number of levels of the sample syntax tree;
S1033, comparing $m$ with $n$ to obtain a target edit distance list $L = (L_1, L_2, L_3, \ldots, L_x)$, comprising:
when $m < n$, traversing $A$ and $B$ to obtain a first edit distance $L_i$ and inserting it into $L$, where $L_i$ is the distance of transforming $A_i$ into $B_i$ of the same level;
setting each of $L_x$ to $L_m$ to a first fixed value and inserting it into $L$, where $x = n$;
when $m = n$, traversing $A$ and $B$ to obtain a second edit distance $L_z$ and inserting it into $L$, where $L_z$ is the distance of transforming $A_z$ into $B_z$ of the same level, $z = 1, \ldots, x$, and $x = m = n$;
when $m > n$, traversing $A$ and $B$ to obtain a third edit distance $L_j$ and inserting it into $L$, where $L_j$ is the distance of transforming $A_j$ into $B_j$ of the same level;
setting each of $L_x$ to $L_n$ to a second fixed value and inserting it into $L$, where $x = m$;
S1035, obtaining the target similarity $T_g$ based on $L$;
S105, traversing $T$ and, when any $T_g$ is greater than or equal to a preset similarity threshold, determining that the target APK is an abnormal APK.
In another aspect, an electronic device includes a processor and a memory, where at least one instruction or at least one program is stored in the memory, and the at least one instruction or the at least one program is loaded and executed by the processor to implement the method for identifying an abnormal APK according to any one of the above embodiments.
In another aspect, a computer-readable storage medium stores at least one instruction or at least one program, and the at least one instruction or the at least one program is loaded and executed by a processor to implement the method for identifying an abnormal APK according to any of the above embodiments.
The identification method of the abnormal APK, the electronic device and the readable storage medium provided by the invention have the following technical effects:
The invention obtains the target files by decompiling the APK, processes them to obtain a syntax tree, extracts the target list from that syntax tree, and obtains the sample list from the sample database in the same way. When the number of levels of the target list is the same as that of the sample list, the edit distance for each level and the similarity corresponding to the target APK are calculated. When the numbers of levels differ, the code package name set in the target list is compared with the code package name set in the sample list at the same level to obtain that level's edit distance and the edit distance list, and an edit distance and a corresponding weight value are set for the levels that cannot be matched one to one; the similarity corresponding to the target APK is then generated from all the edit distances and their weight values, and it is determined whether the target APK is an abnormal APK. In this technical scheme, comparing the code package name set of each level of the target list with that of the same level of the sample list avoids missing an abnormal APK because an encrypted APK could not be identified. The edit distances and corresponding weight values obtained from this per-level comparison improve the determination of abnormal APKs and so protect the user. For the levels that cannot be matched one to one, the set edit distances complete the edit distances used to determine the similarity of the APK file, which improves the accuracy of the similarity calculation, further improves the determination of abnormal APKs, and ensures the safety of the user.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic flowchart of an identification method of an abnormal APK according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating step S103 according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating the determination of a target list according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating an abnormal APK identification method according to another embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
With reference to fig. 1, fig. 2 and fig. 3, a first embodiment provides a method for identifying an abnormal APK, where the method includes the following steps:
S101, obtaining a target list $A = (A_1, A_2, A_3, \ldots, A_m)$, where $A_i$ is the target character string corresponding to the $i$-th level of the target syntax tree, $i = 1, \ldots, m$, and $m$ is the number of levels of the target syntax tree; the target character string is a combination of one or more target file names, and a target file name is a non-Chinese character string.
Specifically, the method further comprises the following steps for obtaining $A$:
S201, decompiling the target APK to obtain a target code package, where the target code package comprises a plurality of target files;
S203, inputting the target code package into syntax tree software to obtain a target syntax tree, where the target syntax tree is a syntax structure that represents the reference relations between target files in tree form;
S205, traversing the target syntax tree from its root node to its leaf nodes to obtain the target file list $(A_{i1}, A_{i2}, A_{i3}, \ldots, A_{ip})$ corresponding to $A_i$, where $A_{iq}$ is the name of the target file corresponding to the $q$-th node, $q = 1, \ldots, p$, and $p$ is the number of nodes;
S207, merging $A_{i1}$ to $A_{ip}$ in their arrangement order to obtain $A_i$, and inserting $A_i$ into $A$.
Specifically, the target file refers to a file containing an editing code.
Specifically, the target file list corresponding to $A_i$ is arranged according to a preset arrangement rule, preferably an English alphabetical ordering rule: for example, the ordering value of the first letter of $A_{iq}$ > the ordering value of the first letter of $A_{iq+1}$; or, when the ordering value of the first letter of $A_{iq}$ equals that of the first letter of $A_{iq+1}$, it is determined whether the ordering value of the next letter of $A_{iq}$ > the ordering value of the next letter of $A_{iq+1}$, and so on. This makes it easier to compare $A_i$ and $B_i$ at the same level and to calculate the edit distance corresponding to $A_i$, which helps determine whether the target APK is homologous with the sample APK and then mark the target APK.
Specifically, a person skilled in the art may use any method to decompile the target APK, and the decompilation process is not described herein again; preferably, the target APK is decompiled using Python decompilation software, which makes it easier to obtain files with names.
Preferably, the syntax tree software is ANTLR software, which is software that processes input text into a visualized syntax tree according to user-defined syntax rules.
To further facilitate calculating the similarity corresponding to the target APK, the features used to compare the target APK with the sample APK are obtained from the structure of the target syntax tree. On the one hand, this facilitates calculating the similarity of the target APK and improves its accuracy, and thereby helps determine whether the target APK is an abnormal APK; on the other hand, when determining whether the target APK is homologous with the sample APK, it avoids interference from other factors that would affect the judgment result.
S103, obtaining a similarity list $T$ according to $A$ and the sample APK list $C = (C_1, C_2, \ldots, C_r)$, where $C_g$ is the $g$-th sample APK, $g = 1, \ldots, r$, and $r$ is the number of sample APKs; S103 further comprises the following steps:
S1031, obtaining the sample list $B = (B_1, B_2, B_3, \ldots, B_n)$ corresponding to $C_g$, where $B_j$ is the sample character string corresponding to the $j$-th level of the sample syntax tree, $j = 1, \ldots, n$, and $n$ is the number of levels of the sample syntax tree;
S1033, comparing $m$ with $n$ to obtain a target edit distance list $L = (L_1, L_2, L_3, \ldots, L_x)$, comprising:
when $m < n$, traversing $A$ and $B$ to obtain a first edit distance $L_i$ and inserting it into $L$, where $L_i$ is the distance of transforming $A_i$ into $B_i$ of the same level;
setting each of $L_x$ to $L_m$ to a first fixed value and inserting it into $L$, where $x = n$;
when $m = n$, traversing $A$ and $B$ to obtain a second edit distance $L_z$ and inserting it into $L$, where $L_z$ is the distance of transforming $A_z$ into $B_z$ of the same level, $z = 1, \ldots, x$, and $x = m = n$;
when $m > n$, traversing $A$ and $B$ to obtain a third edit distance $L_j$ and inserting it into $L$, where $L_j$ is the distance of transforming $A_j$ into $B_j$ of the same level;
setting each of $L_x$ to $L_n$ to a second fixed value and inserting it into $L$, where $x = m$;
S1035, obtaining the target similarity $T_g$ based on $L$.
Specifically, B is obtained by the same method as a in S101, and is not described herein again.
Specifically, the sample APK corresponding to B is an APK marked with an abnormal identifier, and can be advantageously compared with the target APK to determine whether the target APK is an abnormal APK.
Specifically, the sample file list $(B_{i1}, B_{i2}, B_{i3}, \ldots, B_{ip})$ corresponding to $B_i$ is sorted using the same arrangement rule as the target file list corresponding to $A_i$, which is not described herein again.
Specifically, $L_i$ also meets the following condition:
Figure BDA0003267408040000071
where $B_{ix}$ is the sample file name corresponding to $A_{ix}$, and $F()$ is the edit distance function.
In some embodiments, $L_i$ also meets the following condition:
$L_i = F(A_i, B_i)$, where $F()$ is the edit distance function; this simplifies the calculation process and improves calculation efficiency without affecting the calculation of the similarity.
Further, $L_i$ reflects the degree of difference between $A_i$ and $B_i$, so the similarity of $A_i$ and $B_i$ can be determined based on $L_i$, which avoids interference from other factors and allows the abnormal APK to be identified.
Specifically, $m$ and $n$ are each an integer not less than 3.
In particular, the first fixed value is smaller than the second fixed value, which can be understood as follows: at $L_x$ to $L_n$, the level of the target syntax tree corresponding to any target edit distance has no leaf node, that is, that level of $A$ has no target information, so the edit distance of that level cannot be calculated, and the missing edit distance of the corresponding level would affect the calculation of the similarity. The edit distance corresponding to such a level of the target syntax tree is therefore set to the first fixed value, preferably 1, which prevents the missing edit distance from affecting the calculation of the similarity and, in turn, the judgment of the target APK. Similarly, the second fixed value is 100, which likewise prevents the missing edit distance of the corresponding level from affecting the calculation of the similarity and the judgment of the target APK.
In a specific embodiment, $L_j$ and $L_z$ meet the same conditions as $L_i$, which are not repeated herein.
S105, traversing $T$ and, when any $T_g$ is greater than or equal to a preset similarity threshold, determining that the target APK is an abnormal APK.
In one embodiment, $T_g$ is determined based on $L$ and the weight list $W = (W_1, W_2, W_3, \ldots, W_x)$ corresponding to $L$;
Specifically, when $m < n$, $T_g$ meets the following condition:
Figure BDA0003267408040000072
where $W_i$ is the weight value corresponding to $L_i$.
Specifically, when $m = n$, $T_g$ meets the following condition:
Figure BDA0003267408040000081
where $W_z$ is the weight value corresponding to $L_z$.
When $m > n$, $T_g$ meets the following condition:
Figure BDA0003267408040000082
where $W_j$ is the weight value corresponding to $L_j$.
In particular, $W_1 \ge W_2 \ge W_3 \ge \ldots \ge W_x$, where $x = n$ when $m < n$, or $x = m$ when $m > n$; preferably, $W_1 > W_2 > W_3 > \ldots > W_x$, so that the proportion of the weight values is successively increased according to the top-to-bottom order of the target syntax tree or the sample syntax tree. Compared with the case where all weight values are the same, this improves the accuracy of calculating the similarity between the target APK and the sample APK, avoids uniform weight values, and helps determine whether the target APK is homologous with the sample APK and then mark the target APK.
Specifically, the preset similarity threshold may be adjusted according to the number of levels of the target syntax tree or of the sample syntax tree, that is, when $m$ is less than $n$, the preset similarity threshold is increased when $m$ is greater than $n$; this avoids the influence of the number of levels, which helps determine whether the target APK is homologous with the sample APK and identify the target APK.
In a specific embodiment, as shown in FIG. 4, the method further comprises: S107, traversing $T$ and determining the sample APK corresponding to the maximum target similarity in $T$, so that the abnormal identifier corresponding to that sample APK is marked on the target APK, which is stored in the sample database corresponding to that sample APK. The sample database can thereby be enlarged, which facilitates comparison with other target APKs, ensures the accuracy of determining target APKs, and avoids missing abnormal APKs that would affect the safety of the user.
On the one hand, when the number of levels of the target list is the same as that of the sample list, the edit distance for each level and the similarity corresponding to the target APK are calculated to determine whether the target APK is an abnormal APK; and where the number of levels of the target syntax tree corresponding to the target APK is not equal to that of the sample syntax tree corresponding to the sample APK, the method prevents this inconsistency from degrading the accuracy of the similarity calculation, which improves the accuracy of identifying abnormal APKs and ensures the safety of the user. On the other hand, it avoids missing an abnormal APK because an encrypted APK could not be determined to be abnormal. Moreover, because the determination uses only the files obtained by decompiling the APK, the process of identifying abnormal APKs is simplified and interference from other factors that would affect accuracy is avoided, which improves the accuracy of identifying abnormal APKs and ensures the safety of the user.
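The per-level comparison of steps S205 to S107 can be sketched in Python as follows. This is an added example, not code from the patent: the similarity formula is a stand-in (the patent's formula figures are not reproduced on this page), and the weight values, the 0.5 threshold, the family labels and the package names are constructed assumptions; only the fixed values 1 and 100 and the ordering of the weights come from the text.

```python
from typing import List, Optional, Sequence, Tuple

FIRST_FIXED = 1     # page's preferred value: sample has levels the target lacks (m < n)
SECOND_FIXED = 100  # page's value: target has levels the sample lacks (m > n)

Levels = Sequence[Sequence[str]]  # file names grouped by syntax-tree level


def edit_distance(a: str, b: str) -> int:
    """F(a, b): Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]


def level_strings(levels: Levels) -> List[str]:
    """S205-S207: sort each level's file names alphabetically, then merge them."""
    return ["".join(sorted(names)) for names in levels]


def distance_list(A: Sequence[str], B: Sequence[str]) -> List[int]:
    """S1033: per-level distances, padded with a fixed value for unpaired levels."""
    m, n = len(A), len(B)
    L = [edit_distance(a, b) for a, b in zip(A, B)]
    if m < n:
        L += [FIRST_FIXED] * (n - m)
    elif m > n:
        L += [SECOND_FIXED] * (m - n)
    return L


def weights(x: int, s: int = 3, k: int = 1) -> List[int]:
    """Hypothetical weights: strictly decreasing over the first s levels, then k."""
    return [k + max(s - 1 - i, 0) for i in range(x)]


def similarity(L: Sequence[int], W: Sequence[int]) -> float:
    """ASSUMED stand-in for T_g: 1 / (1 + weighted mean distance), in (0, 1]."""
    if not L:
        raise ValueError("at least one level is required")
    return 1.0 / (1.0 + sum(w * d for w, d in zip(W, L)) / sum(W))


def classify(target: Levels, samples: Sequence[Tuple[str, Levels]],
             threshold: float = 0.5) -> Tuple[bool, Optional[str], float]:
    """S103-S107: compare against every sample; report the closest labelled one."""
    A = level_strings(target)
    best_label, best_t = None, 0.0
    for label, sample_levels in samples:
        L = distance_list(A, level_strings(sample_levels))
        t = similarity(L, weights(len(L)))
        if t > best_t:
            best_label, best_t = label, t
    abnormal = best_t >= threshold
    return abnormal, (best_label if abnormal else None), best_t


# Constructed sample database: labels and package names are invented.
SAMPLES = [
    ("adware-family-x", [["com"], ["example"], ["adsdk", "core"], ["loader", "net"]]),
    ("dropper-family-y", [["org"], ["demo"], ["payload"]]),
]
# Constructed targets: one shares the first three levels of family x, one is unrelated.
REPACKAGED = [["com"], ["example"], ["core", "adsdk"]]
UNRELATED = [["net"], ["sample"], ["ui", "widgets"]]

if __name__ == "__main__":
    for name, target in (("repackaged", REPACKAGED), ("unrelated", UNRELATED)):
        print(name, classify(target, SAMPLES))
```

With these fixed values, a target that lacks one of the sample's levels loses little similarity, while a target with one extra level is penalised heavily, so the choice of the two constants directly shapes which near-matches are flagged.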
Example two
The second embodiment differs from the first embodiment in that $W_1 > W_2 > \ldots > W_s \ge K$ and $W_{s+1} = \ldots = W_m = K$; preferably, $K = 1$. A large number of experiments confirm that when the first three levels of the target APK and the sample APK are the same, i.e. $s = 3$, the probability that the target APK and the sample APK are similar is high. On the one hand, this simplifies the calculation between the target APK and the sample APK and improves the accuracy of the calculated similarity between them; on the other hand, it avoids uniform weight values, which helps determine whether the target APK is homologous with the sample APK and mark the target APK.
Specifically, other steps in this embodiment are the same as S101 to S107 in the first embodiment, and are not described herein again.
The embodiment of the present invention further provides an electronic device, which includes a processor and a memory, where the memory stores at least one instruction or at least one program, and the at least one instruction or the at least one program is loaded and executed by the processor to implement the method for identifying an abnormal APK as described above.
The computer device of embodiments of the present invention exists in a variety of forms, including but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communications. Such terminals include: smart phones (e.g., iPhones), multimedia phones, functional phones, and low-end phones, among others.
(2) An ultra-mobile personal computer device: such equipment belongs to the category of personal computers, has calculation and processing functions, and generally also has mobile internet access. Such terminals include: PDA, MID and UMPC devices, etc., such as the iPad.
(3) A portable entertainment device: such devices can display and play multimedia content. This type of device includes: audio and video players (e.g., iPods), handheld game consoles, electronic books, smart toys and portable car navigation devices.
(4) A server: the device for providing the computing service comprises a processor, a hard disk, a memory, a system bus and the like, and the server is similar to a general computer architecture, but has higher requirements on processing capacity, stability, reliability, safety, expandability, manageability and the like because of the need of providing high-reliability service.
(5) And other electronic devices with data interaction functions.
The embodiment of the present invention further provides a computer-readable storage medium, which may be disposed in an electronic device to store at least one instruction or at least one program for implementing an identification method of an abnormal APK in the method embodiment, where the at least one instruction or the at least one program is loaded and executed by the processor to implement the identification method of an abnormal APK provided in the method embodiment.
Alternatively, in this embodiment, the storage medium may be located in at least one network server of a plurality of network servers of a computer network. Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (10)

1. A method for identifying abnormal APK is characterized by comprising the following steps:
S101, acquiring a target list $A = (A_1, A_2, A_3, \ldots, A_m)$ corresponding to the target APK, where $A_i$ is the target character string corresponding to the $i$-th level of the target syntax tree, $i = 1, \ldots, m$, and $m$ is the number of levels of the target syntax tree;
S103, obtaining a similarity list $T$ according to $A$ and the sample APK list $C = (C_1, C_2, \ldots, C_r)$, where $C_g$ is the $g$-th sample APK, $g = 1, \ldots, r$, and $r$ is the number of sample APKs, wherein S103 further includes the following steps:
S1031, obtaining the sample list $B = (B_1, B_2, B_3, \ldots, B_n)$ corresponding to $C_g$, where $B_j$ is the sample character string corresponding to the $j$-th level of the sample syntax tree, $j = 1, \ldots, n$, and $n$ is the number of levels of the sample syntax tree;
S1033, comparing $m$ with $n$ to obtain a target edit distance list $L = (L_1, L_2, L_3, \ldots, L_x)$, comprising:
when $m < n$, traversing $A$ and $B$ to obtain a first edit distance $L_i$ and inserting it into $L$, where $L_i$ is the distance of transforming $A_i$ into $B_i$ of the same level;
setting each of $L_x$ to $L_m$ to a first fixed value and inserting it into $L$, where $x = n$;
when $m = n$, traversing $A$ and $B$ to obtain a second edit distance $L_z$ and inserting it into $L$, where $L_z$ is the distance of transforming $A_z$ into $B_z$ of the same level, $z = 1, \ldots, x$, and $x = m = n$;
when $m > n$, traversing $A$ and $B$ to obtain a third edit distance $L_j$ and inserting it into $L$, where $L_j$ is the distance of transforming $A_j$ into $B_j$ of the same level;
setting each of $L_x$ to $L_n$ to a second fixed value and inserting it into $L$, where $x = m$;
S1035, obtaining the target similarity $T_g$ based on $L$;
S105, traversing $T$ and, when any $T_g$ is greater than or equal to a preset similarity threshold, determining that the target APK is an abnormal APK.
2. The method of claim 1, wherein the target character string is a combination of one or more target file names, and the target file name is a non-Chinese character string.
3. The method for identifying abnormal APK according to claim 1, further comprising obtaining A by:
s201, performing decompiling processing on a target APK to obtain a target code package, wherein the target code package comprises a plurality of target files;
s203, inputting the target code packet into syntax tree software to obtain a target syntax tree, wherein the target syntax tree is a syntax structure which represents the reference relation between target files in a tree form;
S205, traversing the target syntax tree from its root node to its leaf nodes to obtain the target file list $(A_{i1}, A_{i2}, A_{i3}, \ldots, A_{ip})$ corresponding to $A_i$, where $A_{iq}$ is the name of the target file corresponding to the $q$-th node, $q = 1, \ldots, p$, and $p$ is the number of nodes;
S207, merging $A_{i1}$ to $A_{ip}$ in their arrangement order to obtain $A_i$, and inserting $A_i$ into $A$.
4. The method according to claim 3, wherein the target file is a file containing editing code.
5. The method for identifying abnormal APK according to claim 1, wherein m and n are integers not less than 3.
6. The method according to claim 1, wherein the sample APK is an APK labeled with an anomaly identifier.
7. The method according to claim 1, wherein the first fixed value is smaller than the second fixed value.
8. The method for identifying abnormal APK according to claim 1, further comprising:
S107, traversing T and determining the sample APK corresponding to the maximum target similarity in T, so that the abnormal identifier corresponding to that sample APK is marked on the target APK and is stored in a sample database corresponding to the sample APK.
9. An electronic device, comprising a processor and a memory, wherein the memory stores at least one instruction or at least one program, and the at least one instruction or the at least one program is loaded by the processor and executed to implement the method for identifying an abnormal APK according to any one of claims 1 to 8.
10. A computer readable storage medium having stored therein at least one instruction or at least one program, the at least one instruction or the at least one program being loaded and executed by a processor to implement the method for identifying an abnormal APK according to any one of claims 1 to 8.
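The comparison in steps S1033 to S105 and claim 8 can be sketched as follows. This is an added example, not code from the patent: it assumes Levenshtein distance for the "edit distance", reads the padding steps as filling the levels that only one list has, uses a stand-in similarity 1/(1 + mean(L)) because the claim text here gives no formula, and uses constructed fixed values, threshold and sample strings.

```python
# Added illustration, not the patent's code. Levenshtein, the similarity
# formula, both fixed values and the threshold are assumptions.
FIRST_FIXED, SECOND_FIXED = 5, 10  # claim 7: first fixed value < second
THRESHOLD = 0.5                    # constructed "preset similarity threshold"

def levenshtein(a, b):
    """Dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def distance_list(A, B):
    """S1033: same-level distances, padded to length max(m, n)."""
    m, n = len(A), len(B)
    L = [levenshtein(a, b) for a, b in zip(A, B)]
    if m < n:      # levels only the sample has: first fixed value
        L += [FIRST_FIXED] * (n - m)
    elif m > n:    # levels only the target has: second fixed value
        L += [SECOND_FIXED] * (m - n)
    return L

def similarity(L):
    """S1035 stand-in: 1 / (1 + mean distance), in (0, 1]."""
    return 1.0 / (1.0 + sum(L) / len(L))

def classify(A, samples):
    """S105 and claim 8: (abnormal?, label of closest sample or None, T)."""
    T = {label: similarity(distance_list(A, B)) for label, B in samples.items()}
    best = max(T, key=T.get)
    abnormal = any(t >= THRESHOLD for t in T.values())
    return abnormal, (best if abnormal else None), T

# Constructed string lists; each entry stands for one merged file-name path.
SAMPLES = {
    "sample-dropper": ["MainActivity", "MainActivityLoader", "MainActivityLoaderNet"],
    "sample-adware": ["Splash", "SplashAdView", "SplashAdViewTracker", "SplashAdViewTrackerHttp"],
}
TARGET = ["MainActivity", "MainActivityLoadr", "MainActivityLoaderNet"]

if __name__ == "__main__":
    print(classify(TARGET, SAMPLES))
```

With these assumed values a one-character rename in a single path still matches the labelled sample, while the padding values control how strongly a difference in list length is penalised.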
CN202111090861.XA 2021-09-17 2021-09-17 Abnormal APK identification method, electronic equipment and readable storage medium Active CN113805894B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111090861.XA CN113805894B (en) 2021-09-17 2021-09-17 Abnormal APK identification method, electronic equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN113805894A true CN113805894A (en) 2021-12-17
CN113805894B CN113805894B (en) 2023-08-18

Family

ID=78895737

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111090861.XA Active CN113805894B (en) 2021-09-17 2021-09-17 Abnormal APK identification method, electronic equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN113805894B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180253298A1 (en) * 2017-03-03 2018-09-06 Foundation Of Soongsil University-Industry Cooperation Android dynamic loading file extraction method, recording medium and system for performing the method
WO2020000743A1 (en) * 2018-06-27 2020-01-02 平安科技(深圳)有限公司 Webshell detection method and related device
US20200019384A1 (en) * 2018-07-15 2020-01-16 Microsoft Technology Licensing, Llc Text editor buffering implementation with offsets management
CN110348206A (en) * 2019-07-11 2019-10-18 网易(杭州)网络有限公司 Applied to the guard method of Android installation kit APK, medium, device and calculate equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wei Songjie; Yang Ling: "Static description method for Android malicious code based on layered API calls", Computer Science, no. 01 *

Also Published As

Publication number Publication date
CN113805894B (en) 2023-08-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant