- 2015
Detection of injected Android malicious applications using function call relationships
Abstract:
Injected Android malicious applications are proliferating, and traditional detection methods depend on a large number of known features. To address this, a detection method for injected Android malicious applications based on function call relationships is proposed. The method needs no large set of known features: it detects this class of malicious application effectively by analysing only the structural characteristics of the injected application itself, and it can also identify unknown malicious code families. The method builds a function call graph from smali code, partitions it further into sub-graphs, and decides whether malicious behaviour is present by judging the threat degree of each sub-graph. Detection needs no support from dynamic behaviour analysis, so analysis and detection time is short and efficiency is high. The method not only detects whether an Android application contains malicious behaviour, but also locates, by sub-graph threat degree, the specific code that carries that behaviour. Experiments on 1 260 malicious Android applications and 1 000 normal applications show that the method detects injected Android malicious applications well: at a false positive rate of 8.90%, the detection rate reaches 95.94%, a significant improvement over the mainstream Android malware detection system Androguard.
The number of injected Android malicious applications is increasing, and traditional detection methods rely heavily on large numbers of extracted characteristics. A static analysis method based on a function call graph is proposed to detect injected Android malicious applications. The method can efficiently detect injected Android malicious applications by analysing only the application's structure, with no need for known characteristics. The method constructs a function call graph from decompiled smali code, and the resulting sub-graphs are further processed to decide whether the Android application is malicious or not. The analysis period is much shorter than that of any dynamic detection method. The method not only detects whether an Android application is malicious, but can also tell which part of the application contains malicious code. The approach is tested on 1 260 malicious Android applications and 1 000 normal Android applications, and the results show that it is effective in detecting injected Android malicious applications. The detection rate for injected Android malicious applications is 95.94% at a false positive rate of 8.90%. A comparison with the mainstream Android malware detection system Androguard shows that the detection performance of the proposed method is remarkably improved.
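To make the pipeline in the abstract concrete, the following Python example (added here, not the paper's code) builds a function call graph from smali invoke lines, partitions it into connected sub-graphs, and scores each sub-graph. The smali sample, the sensitive-API weights and the threshold are constructed assumptions; the paper's own threat-degree metric is not given on this page.

```python
import re
from collections import defaultdict
# Constructed sample of decompiled smali (not from the paper): (caller method, invoke line).
SMALI_INVOKES = [
    ("Lcom/app/Main;->onCreate", "invoke-virtual {p0}, Lcom/app/Main;->setupUi()V"),
    ("Lcom/app/Main;->setupUi", "invoke-static {}, Lcom/app/Util;->loadConfig()V"),
    ("Lcom/inj/Payload;->run", "invoke-static {v0}, Lcom/inj/Payload;->collect()Ljava/lang/String;"),
    ("Lcom/inj/Payload;->collect", "invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;"),
    ("Lcom/inj/Payload;->run", "invoke-virtual/range {v2 .. v7}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V"),
]
# Hypothetical threat weights for sensitive framework APIs; the paper's own metric is not on this page.
SENSITIVE_API_WEIGHTS = {
    "Landroid/telephony/TelephonyManager;->getDeviceId": 2,
    "Landroid/telephony/SmsManager;->sendTextMessage": 5,
}
# Callee of any smali invoke-* instruction, e.g. "invoke-virtual {p0}, Lx/Y;->m(I)V" -> "Lx/Y;->m"
INVOKE_RE = re.compile(r"invoke-[\w/]+ \{[^}]*\}, (L[^;]+;->[^(]+)\(")

def build_call_graph(invokes):
    """Undirected caller<->callee adjacency built from smali invoke lines."""
    graph = defaultdict(set)
    for caller, line in invokes:
        m = INVOKE_RE.search(line)
        if m:
            graph[caller].add(m.group(1))
            graph[m.group(1)].add(caller)
    return graph

def partition_subgraphs(graph):
    """Split the call graph into connected components (the method's sub-graphs)."""
    seen, parts = set(), []
    for start in graph:
        if start not in seen:
            stack, comp = [start], set()
            while stack:
                node = stack.pop()
                if node not in seen:
                    seen.add(node)
                    comp.add(node)
                    stack.extend(graph[node])
            parts.append(frozenset(comp))
    return parts

def threat_degree(component):
    """Sum the assumed weights of sensitive APIs present in one sub-graph."""
    return sum(SENSITIVE_API_WEIGHTS.get(n, 0) for n in component)
def suspicious_subgraphs(invokes, threshold=5):
    """Return [(sub-graph, threat degree)] for every sub-graph at or above the threshold."""
    parts = partition_subgraphs(build_call_graph(invokes))
    return [(p, threat_degree(p)) for p in parts if threat_degree(p) >= threshold]
```

On the sample, the benign UI sub-graph scores 0 while the injected payload sub-graph scores 7 and is the only one reported, which is the code-localisation property the abstract describes.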