摘要
为解决Android恶意程序检测中代码分析量大、核心代码定位难、检测判断效率低等问题,提出了将静态分析与动态分析相结合的Android恶意程序行为监测和分析的复合检测方法。该方法在对收集整理的226个和开放的恶意程序样本进行综合分析的基础上,用Python语言编写了自动化Android恶意程序权限统计程序,并统计分析了打开网络套接字、将数据写到外部存储设备和接收系统启动时的广播事件动作等15种常用权限,确定了静态分析中需要重点关注的权限及其调用函数。以Android恶意程序Cute Puppies Wallpaper.apk作为实例,应用Apktool工具对待检测APK文件进行反编译,得到反汇编后的Smali文件,通过定位程序关键代码、定位重要权限关联API函数两种途径快速找到程序的入口和其重要功能代码部分。同时,采用沙箱系统的Android恶意软件动态分析方法,得到开机启动、应用程序变更等事件及其对应的激活方式。研究表明,使用该复合检测方法可以有效提高分析效率,缩短恶意代码分析时间,快速定位核心代码,及时阻止恶意程序传播。
In order to solve problems including excessive codes, key-permission orientation difficulty and low detection efficiency in An- droid malware detection, a composite detection solution with static and dynamic analysis is proposed for Android malware monitoring and analyzing. On the basis of synthetic analysis of collected 226 samples and public malware samples,it uses Python language to compile an automatic Android malware permissions statistical program. Besides, 15 most common permissions including unfolding network socket and activating broadcast event action while transferring data to external storage device or receiving system are carded on statistical analy- sis, determination of those key permissions and corresponding call functions which required further attention. Malware CutePuppiesWall- paper, apk,taken as an example,has been decompiled via APKtool and the decompiled Smali file has been obtained. By locating key codes of the malware and locating crucial permission-related API functions the entering and crucial functioning parts of the codes have been efficiently located. Meanwhile, Sandbox Android malware dynamic analysis on events including booting up and application change along with their corresponding activation patterns have been summarized. The time consumption of codes analysis has been reduced by u- sing it and the key codes have been quickly located while spreading of malware is terminated in time.
出处
《计算机技术与发展》
2017年第11期132-136,共5页
Computer Technology and Development
基金
国家自然科学基金资助项目(61562090)
云南大学教育教学改革研究项目
