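Abstract:
With the rapid development of the mobile Internet, mobile devices and mobile applications are playing an increasingly important role in daily life; at the same time, malicious mobile applications pose a serious challenge to network and information security. Because of its openness and the inadequate review mechanisms of its app markets, the Android platform has become the main distribution platform for malicious applications in the mobile Internet era. Existing malicious-application detection methods fall into two main kinds: static analysis and dynamic testing. In general, static analysis offers high code coverage and low time cost but suffers from a relatively high false-positive rate, while dynamic testing is more accurate but must actually run the application and therefore costs more time and computing resources. To address this, this paper automatically detects malicious Android applications with a method that combines static and dynamic techniques. First, static analysis is used to obtain the application's API calls and decide whether it is a suspected malicious application; in particular, this effectively detects malicious applications that try to evade static analysis by invoking APIs through reflection. Then, targeted dynamic testing is performed according to the suspiciousness of the suspected application's UI controls, to automatically confirm whether malicious behavior exists in it. Based on this method, we implemented a prototype detection tool framework and, targeting premium-rate SMS malicious behavior, ran a comparative experiment on a dataset of 465 malicious applications and 1085 benign applications. The experimental results show that the method improves detection efficiency while effectively reducing the false-positive rate.
Keywords: Android applications; static analysis; dynamic testing; malicious behavior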
DOI: 10.19363/j.cnki.cn10-1380/tn.2017.10.003
Received: April 28, 2017; Revised: August 09, 2017
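Funding: Supported by the National Key Research and Development Program (No. 2016YFB1000802), the National Natural Science Foundation (No. 61472179, No. 61572249, No. 61632015, No. 61561146394), and the Open Project of the State Key Laboratory of Novel Computer Software Technology (No. KFKT2016B12).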
|
Automatic Malicious Android Application Detection Approach by Combining Static Analysis and Dynamic Testing
HUANG Haohua, CUI Zhanqi, PAN Minxue, WANG Linzhang, LI Xuandong
State Key Laboratory of Novel Computer Software Technology, Nanjing University, Nanjing 210023, China; Jiangsu Novel Software Technology and Industrialization, Nanjing 210023, China; Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China; State Key Laboratory of Novel Computer Software Technology, Nanjing University, Nanjing 210023, China; Computer School, Beijing Information Science and Technology University, Beijing 100101, China; Software Institute, Nanjing University, Nanjing 210023, China
Abstract:
Mobile devices and mobile applications are becoming more and more important with the rapid development of the mobile Internet. Meanwhile, malicious applications have brought serious challenges for network and information security. Because of the openness and poor review mechanism of the Android platform, it has become the main distribution platform for malicious applications. At present, static analysis and dynamic testing can be used to detect malicious Android applications. Generally speaking, static analysis has high code coverage and low time cost, but it can cause a high false alarm rate. Dynamic testing has high accuracy, but it has a high time cost and requires more resources. Therefore, this paper combines static and dynamic detection techniques to detect malicious applications automatically. First, this paper uses static analysis to determine whether an application is potentially malicious according to its sensitive API calls. In particular, to keep malware from hiding from static analysis, we take reflection calls into consideration and can detect them effectively. Then, this paper confirms whether the application contains malicious behavior using dynamic testing based on the suspicious degree of its UI controls. Focusing on malicious SMS applications, this paper implements a tool and runs experiments on 465 malicious and 1085 non-malicious real applications. The experimental results show that the proposed method can effectively improve the detection efficiency and reduce the false alarm rate.
Key words: Android Application; Static Analysis; Dynamic Detection; Malicious Behavior