Android malicious software detecting platform oriented to mobile internet

[0025] The specific embodiments of the present invention are described below with reference to the accompanying drawings, so that those skilled in the art can better understand the present invention. It should be noted that, in the following description, when the detailed description of known functions and designs may dilute the main content of the present invention, these descriptions will be omitted here.

[0026] figure 1 This is a schematic block diagram of the specific implementation of the mobile Internet-oriented Android malware detection platform of the present invention.

[0027] In this embodiment, as figure 1 As shown, the mobile Internet-oriented Android malware detection platform of the present invention includes a client-side task receiving module 1, a server-side task processing module 2, a server-side console module 3, a server-side automatic scanning module 4, and a client-side result analysis and display module 5. The server-side automatic scanning module 4 further includes an APP static analysis module 401 and an APP dynamic analysis module 402.

[0028] The client-side task receiving module 1 receives the user's detection task, constructs various parameters of the detection task, and sends an HTTP request to the server; the server-side task processing module 2 responds to the client's HTTP request, obtains the complete APP according to the parameter URL, and transmits the APP file to the server. Go to the server-side console module 3. After receiving the task, the server-side console module 3 starts a new thread, sets the parameters of the task, and starts the Android virtual machine snapshot; the server-side automatic scanning module 4 decompresses the APP package and obtains AndroidManifest.xml file, send the plaintext file obtained after decompilation to the APP static analysis module 401 for processing, insert monitoring code into the decompressed APP package so that it can be monitored and repackaged during runtime, and the new APP package is sent to the APP dynamic analysis The module 402 processes; the APP dynamic analysis module 402 realizes the control of the Android virtual machine, so that the APP can be automatically installed and run in the sandbox, and finally obtains the log information of the APP operation; the APP static analysis module 401 obtains the APP by analyzing the AndroidManifest.xml file. The application permissions, components and sensitive functions of the program can be used to determine the malicious behavior that the program itself may contain. The results of the APP static analysis module 401 and the APP dynamic analysis module 402 are merged in the server-side automatic scanning module 4 and then sent to the client-side result analysis and display module 5 through the server-side console module 3 for data analysis and display, and the detection is presented to the user. the result of.

[0029] figure 2 Yes figure 1 The schematic block diagram of the server automation scanning module shown.

[0030] The server automatic scanning module is used to realize the dynamic analysis and static analysis of the APP. The whole process does not require human intervention, and the analysis results are more objective and accurate. Through APP dynamic analysis, simulating the user's operation on the APP can restore the usage scenarios of the APP in the actual environment, expose the real behavior of the APP, and effectively solve the defects of the APP dynamic behavior that cannot be obtained in the APP static analysis. The results of static analysis can more comprehensively reflect the behavior characteristics of APP, and it is easier to find malicious behavior of APP;

[0031] like figure 2 As shown, in this embodiment, the server automatic scanning module 4 is divided into an APP static analysis module 401 and an APP dynamic analysis module 402 .

[0032] The server-side automatic scanning module 4 decompresses the APP package, obtains the AndroidManifest.xml file, and sends the plaintext file obtained after decompilation to the APP static analysis module 401 for processing; inserts the monitoring code into the decompressed APP package and repackages the new APP. The package is sent to the APP dynamic analysis module 402 for processing; the APP dynamic analysis module 402 installs the APP in the Android virtual machine sandbox environment, simulates the user to start and operate the APP through the APP automatic control 4021, obtains the API call log of the APP, and forms the operation log of the APP , and hand it over to the server-side automatic scanning module 4; the APP static analysis module 401 obtains the basic information of the APP from the AndroidManifest.xml plaintext file through XML information extraction 4011, including application permissions, components, trigger functions, etc., and forms a static analysis report, which is handed over to The server-side automatic scanning module 4; the server-side automatic scanning module 4 integrates the results of the APP static analysis module 401 and the APP dynamic analysis module 402 to form a final analysis result.

[0033] The mobile Internet-oriented Android malware detection platform of the present invention has the following characteristics:

[0034] 1) Realize a reasonable combination of Android malware static detection and dynamic detection. The entire detection process does not require human intervention, and the analysis results are more objective and accurate.

[0035] 2) Through APP dynamic analysis, simulating the user's operation on the APP can restore the usage scenarios of the APP in the actual environment, expose the real behavior of the APP, and effectively solve the defects of the dynamic behavior of the APP that cannot be obtained in the static analysis of the APP. Combined with the APP The results of dynamic analysis and static analysis can more comprehensively reflect the behavior characteristics of the APP, and it is easier to discover the malicious behavior of the APP.

[0036] Although the illustrative specific embodiments of the present invention have been described above to facilitate the understanding of the present invention by those skilled in the art, it should be clear that the present invention is not limited to the scope of the specific embodiments. For those of ordinary skill in the art, As long as various changes are within the spirit and scope of the present invention as defined and determined by the appended claims, these changes are obvious, and all inventions and creations utilizing the inventive concept are included in the protection list.