CN104834859A

Movatterモバイル変換

Info

Publication number: CN104834859A
Application number: CN201510203050.4A
Authority: CN
Inventors: 张卫丰; 潘天昊
Original assignee: Nanjing Post and Telecommunication University
Current assignee: Nanjing Post and Telecommunication University
Priority date: 2015-04-24
Filing date: 2015-04-24
Publication date: 2015-08-12
Anticipated expiration: 2035-04-24
Also published as: CN104834859B

Abstract

本发明公开了一种Android应用中恶意行为的动态检测方法，以使得Android应用程序的使用者不受不良软件以及其中恶意代码的伤害。本发明首先获取需要分析的Android App的apk文件并对其进行反编译，获得反编译后的Java代码，之后将获取的Java代码放入转换器，将其转换为中间表示形式，以便后面插桩的工作，然后使用Soot工具对之前的代码进行插桩操作，在相关代码处如涉及发送短信及Http链接请求处，危险API调用处，需要强制执行的条件语句处插桩以便提取信息，并将插桩完成的代码再放入编译器编译，形成新的apk文件，之后运行形成的新文件，将因插桩获取的信息保存进数据库中，方便下一步的研究，运用之前提出的区分恶意行为以及良性行为的方法对数据库中的日志信息进行分析。

The invention discloses a dynamic detection method for malicious behavior in Android applications, so that users of Android application programs are not harmed by bad software and malicious codes therein. The present invention first obtains the apk file of the Android App that needs to be analyzed and decompiles it to obtain the decompiled Java code, then puts the obtained Java code into a converter, and converts it into an intermediate representation form, so as to insert stubs later Then use the Soot tool to perform instrumentation operations on the previous code, such as those involving sending SMS messages and Http link requests, dangerous API calls, and conditional statements that need to be enforced to extract information. The code completed by the instrumentation is put into the compiler to compile to form a new apk file, and then the new file is run to save the information obtained by the instrumentation into the database, which is convenient for the next research, and uses the previously proposed method to distinguish malicious behaviors And the method of benign behavior analyzes the log information in the database.

Description

Translated fromChinese

一种Android应用中恶意行为的动态检测方法A dynamic detection method for malicious behavior in Android applications

技术领域technical field

本发明涉及一种针对终端操作系统的恶意软件的检测方法，属于移动互联网技术领域。The invention relates to a method for detecting malicious software aimed at a terminal operating system, and belongs to the technical field of mobile Internet.

背景技术Background technique

近年来，伴随着移动互联网的飞速发展，具有移动操作系统的智能手机已经成为了目前移动终端发展的主流。智能手机不再是传统意义上的通信工具，而更像是掌上电脑，具有了自己独立的操作系统。在这其中，基于Linux内核的Android移动终端操作系统发展最为迅速。In recent years, with the rapid development of the mobile Internet, smart phones with mobile operating systems have become the mainstream of mobile terminal development. A smartphone is no longer a communication tool in the traditional sense, but more like a handheld computer with its own independent operating system. Among them, the Android mobile terminal operating system based on the Linux kernel is developing most rapidly.

Android系统最为显著的特性就是其开源性，任何用户都可以在不用越狱的情况下，在第三方软件市场中方便地下载并安装各种各样的软件应用，这其中，不乏存在许多恶意软件。这些恶意软件把用户的智能终端作为潜在的攻击目标，给用户带来许多损失。比如通过发送短信和拨打电话的形式产生恶意扣费；在应用中产生不必要的HTTP请求；在用户不知情的情况下安装了另外的软件等等。因此，如何检测出这些隐藏在Android应用中的恶意代码成为近些年来众多国内外研究学者研究的热点。The most notable feature of the Android system is its open source nature. Any user can easily download and install various software applications in the third-party software market without jailbreaking. Among them, there are many malicious software. These malicious softwares regard users' smart terminals as potential attack targets and bring many losses to users. For example, malicious deductions are generated by sending text messages and making phone calls; unnecessary HTTP requests are generated in the application; additional software is installed without the user's knowledge, and so on. Therefore, how to detect these malicious codes hidden in Android applications has become a hot research topic of many domestic and foreign researchers in recent years.

对于Android应用中恶意代码的检测，国内外研究学者主要采取以下2种方法，第一种方法是基于签名(signature-based)的检测方法，这种方法通过文件是否拥有已知恶意软件的特征签名(如：一段特殊代码或字符串)来判断其是否为恶意软件。第二种方法是基于行为(behavior-based)的检测方法，根据检测时机的不同，基于行为的检测方法可以分为动态(dynamic)和静态(static)两种。动态行为检测在程序运行的过程中执行，静态行为检测在程序执行之前进行。由于混淆和加密的方法不能够改变程序的行为模式，因此动态检测有效地防止此类攻击。For the detection of malicious code in Android applications, researchers at home and abroad mainly adopt the following two methods. The first method is based on the signature (signature-based) detection method. This method checks whether the file has the characteristic signature of known malware. (such as: a special code or string) to determine whether it is malicious software. The second method is a behavior-based detection method, which can be divided into dynamic and static according to different detection timings. Dynamic behavior detection is performed while the program is running, and static behavior detection is performed before the program is executed. Since the method of obfuscation and encryption cannot change the behavior mode of the program, dynamic detection can effectively prevent such attacks.

动态行为检测，是在程序运行的过程中执行的，与静态检测相比，由于在程序运行时执行，动态检测对实时性要求较高，必须确保在恶意程序对系统产生损害前检测出威胁，这将带来更大的能耗。但是，由于混淆和加密的方法不能够改变程序的行为模式，因此动态检测有效地防止此类攻击，这是静态分析所不能达到的。现有的动态行为检测方法主要是通过系统记录的日志和网络数据包日志来记录程序行为。该类方法存在如下缺陷：一方面，记录这些日志将消耗系统大量的资源，并且这些日志中包含了太多无用的信息。另一方面，动态执行只是运行了程序中的某几条路径，不能保证对所有敏感行为的覆盖。Dynamic behavior detection is performed while the program is running. Compared with static detection, because it is performed while the program is running, dynamic detection has higher requirements for real-time performance. It must ensure that threats are detected before malicious programs cause damage to the system. This will result in greater energy consumption. However, since the method of obfuscation and encryption cannot change the behavior mode of the program, dynamic detection can effectively prevent such attacks, which cannot be achieved by static analysis. Existing dynamic behavior detection methods mainly record program behavior through system logs and network packet logs. This type of method has the following defects: on the one hand, recording these logs will consume a large amount of system resources, and these logs contain too much useless information. On the other hand, dynamic execution only runs certain paths in the program, and cannot guarantee the coverage of all sensitive behaviors.

发明内容Contents of the invention

本发明的目的是为了解决上述Android应用中恶意软件的动态检测问题，并且能增加程序运行的覆盖率，以提高动态分析结果的准确性。为了解决上述问题，本发明提供了一种Android应用中恶意行为的动态检测方法，对Android应用程序进行检测，检测出Android应用软件中的恶意代码以及隐蔽的恶意行为，为Android用户避免不必要的损失，保护Android用户不受恶意软件的伤害。The purpose of the present invention is to solve the problem of dynamic detection of malicious software in Android applications, and increase the coverage of program operation to improve the accuracy of dynamic analysis results. In order to solve the above problems, the present invention provides a dynamic detection method for malicious behavior in Android applications, detects Android application programs, detects malicious codes and concealed malicious behaviors in Android application software, and avoids unnecessary loss, protecting Android users from malware.

本发明具体包括如下步骤：The present invention specifically comprises the steps:

1、将Android应用程序的APK包转换成为相应的Java代码：1. Convert the APK package of the Android application into the corresponding Java code:

获取需要分析的Android应用程序的APK文件并对其进行反编译，获得反编译后的Java代码，之后将获取的Java代码放入转换器，将其转换为中间表示形式，以便后面的插桩工作；Obtain the APK file of the Android application that needs to be analyzed and decompile it to obtain the decompiled Java code, then put the obtained Java code into the converter to convert it into an intermediate representation, so that the subsequent instrumentation can work ;

2、对Android应用中的Java代码进行插桩操作：2. Insert the Java code in the Android application:

在需要提取信息的地方进行代码插桩，并将插桩完成的代码再放入编译器编译，形成新的APK文件；同时通过代码分析工具强制执行所有条件语句，用以扩大代码的覆盖率；。Perform code insertion where information needs to be extracted, and put the code that has been inserted into the compiler to compile to form a new APK file; at the same time, use the code analysis tool to enforce all conditional statements to expand the coverage of the code; .

3、运行上个步骤形成的新的APK文件，将因插桩获取的信息保存进数据库中，并提取需要的信息，再利用Java代码分析工具Soot工具产生该Android应用程序对应的调用流图(call graph)及其控制流图(control flow graph)；对于数据库中的日志信息(含上述已提取信息的调用流图及控制流图)进行分析，通过分析其与用户行为是否匹配，来判断其是否属于恶意行为。3. Run the new APK file formed in the previous step, save the information obtained by instrumentation into the database, and extract the required information, and then use the Java code analysis tool Soot tool to generate the call flow graph corresponding to the Android application ( call graph) and its control flow graph (control flow graph); analyze the log information in the database (including the call flow graph and control flow graph of the above-mentioned extracted information), and judge whether it matches the user behavior Is it malicious.

4、对于恶意行为进行进一步分析，分析其属于哪一类恶意行为。4. Carry out further analysis on the malicious behavior, and analyze which type of malicious behavior it belongs to.

进一步，使用soot工具对获取的java代码进行插桩的步骤具体为：Further, the steps of using the soot tool to insert the acquired java code are as follows:

步骤2.1在eclipse中加入soot软件包；Step 2.1 Add the soot package in eclipse;

步骤2.2将所获取的java代码通过soot工具转化为Jimple中间语言，方便之后的操作；Step 2.2 converts the acquired java code into Jimple intermediate language through the soot tool, which is convenient for subsequent operations;

步骤2.3编写soot程序对获取的java程序进行插桩操作；Step 2.3 writes the soot program to perform stub operation on the acquired java program;

步骤2.3.1编写soot程序，遍历获取java包中的每一个类；Step 2.3.1 write the soot program, traverse and obtain each class in the java package;

步骤2.3.2编写soot程序，遍历每一个类中的所有方法；Step 2.3.2 Write a soot program, traverse all methods in each class;

步骤2.3.3对于上述方法中的赋值语句，根据其中间表示方法格式的不同，插桩相应的代码；Step 2.3.3 For the assignment statement in the above method, insert the corresponding code according to the format of the intermediate representation method;

步骤2.3.4对于上述方法中的条件语句，根据其中间表示方法格式的不同，插桩相应的代码，并强制执行每个条件；Step 2.3.4 For the conditional statement in the above method, insert the corresponding code according to the format of the intermediate representation method, and enforce each condition;

步骤2.3.5对于上述方法中的循环语句，根据其中间表示方法格式的不同，插桩相应的代码。Step 2.3.5 For the loop statement in the above method, insert the corresponding code according to the format of the intermediate representation method.

进一步，步骤3中分析数据库日志信息的过程具体为：Further, the process of analyzing database log information in step 3 is specifically:

步骤3.1运行编写后的soot代码；Step 3.1 run the written soot code;

步骤3.2获取插桩后soot软件输出的信息；Step 3.2 Obtain the information output by the soot software after stake insertion;

步骤3.3通过插桩后获取的信息，使用soot软件，绘制出原java程序的调用关系图；Step 3.3 Use the soot software to draw the call relationship diagram of the original java program through the information obtained after the stake insertion;

步骤3.4通过插桩后获取的信息，使用soot软件，绘制出原java程序的控制流图；Step 3.4 Use the soot software to draw the control flow diagram of the original java program through the information obtained after the stake insertion;

步骤3.5通过程序的调用关系图以及控制流图，与用户行为意图进行比较，以分析该程序是否存在恶意行为；Step 3.5 compares the program's call relationship graph and control flow graph with the user's behavior intention to analyze whether the program has malicious behavior;

步骤3.6对于存在恶意行为的程序，分析出其包含恶意行为的程序段的位置。Step 3.6 For a program with malicious behavior, analyze the location of the program segment containing malicious behavior.

进一步，步骤4对于存在的恶意行为进行进一步分析的过程具体为：Further, the process of further analyzing the existing malicious behavior in step 4 is specifically as follows:

步骤4.1获取分析后定位得到的恶意行为的程序段；Step 4.1 obtains the program segment of the malicious behavior obtained after the analysis;

步骤4.2通过调用关系图以及控制流图，找到与该程序段相关的语句；Step 4.2 finds the statement related to the program segment by calling the relationship graph and the control flow graph;

步骤4.3将这些语句以谓词逻辑的形式表示为相对应的逻辑表达式；Step 4.3 represents these statements as corresponding logical expressions in the form of predicate logic;

步骤4.4将这些逻辑表达式放入求解器中求解，是否能得到以程序恶意行为所在程序段为结果的解的模型，若有解，则代表程序有路径可以运行到这一段代码。Step 4.4 Put these logical expressions into the solver to solve, whether the model of the solution that results in the program segment where the malicious behavior of the program is obtained can be obtained. If there is a solution, it means that the program has a path to run to this segment of code.

进一步，对于插桩位置的选择，主要有发送短信或者有Http链接请求或者调用危险API的地方。Further, for the choice of the location of the stub, there are mainly places where text messages are sent or Http link requests are made or dangerous APIs are called.

进一步，步骤1中将Android应用程序的APK包转换成为相应的Java代码的过程具体如下：Further, the process of converting the APK package of the Android application into the corresponding Java code in step 1 is as follows:

步骤1.1下载所需要分析Android应用的APK文件；Step 1.1 downloads the APK file of the Android application that needs to be analyzed;

步骤1.2将APK文件后缀改为zip并解压，得到其中的classes.dex；Step 1.2 Change the suffix of the APK file to zip and decompress it to get the classes.dex;

步骤1.3将classes.dex复制到dex2jar.bat所在目录；Step 1.3 Copy classes.dex to the directory where dex2jar.bat is located;

步骤1.4在命令行下定位到dex2jar.bat所在目录，运行dex2jar.batclasses.dex，生成classes_dex2jar.jar；Step 1.4 Locate the directory where dex2jar.bat is located under the command line, run dex2jar.batclasses.dex, and generate classes_dex2jar.jar;

步骤1.5进入jdgui文件夹中的jd-gui.exe，打开上面生成的jar包classes_dex2jar.jar，查看源代码。Step 1.5 Enter jd-gui.exe in the jdgui folder, open the jar package classes_dex2jar.jar generated above, and view the source code.

本发明通过使用动态检测的方法来进行恶意代码的检测，可以更有效地探测到App中的隐蔽行为；并根据目标行为与用户行为意图是否具有一致性来区分恶意行为以及良性行为；使用工具对于条件判断语句强制执行，尽量扩大语句的覆盖率；使用Soot工具对获取的代码进行插桩，分析等一系列操作，方便快捷；使用数理逻辑内容，获取程序运行到恶意行为段代码的模型，方便之后的测试等相关操作。本发明方法能够克服Android应用中恶意软件的动态检测覆盖率低的缺陷，有效提高了动态分析结果的准确性。The present invention detects malicious codes by using a dynamic detection method, which can more effectively detect hidden behaviors in the App; and distinguishes malicious behaviors and benign behaviors according to whether the target behavior is consistent with the user's behavior intention; using tools for The conditional judgment statement is enforced to maximize the coverage of the statement; use the Soot tool to perform a series of operations such as instrumentation and analysis on the obtained code, which is convenient and fast; use mathematical logic content to obtain the model of the code running to the malicious behavior segment of the program, which is convenient Subsequent tests and other related operations. The method of the invention can overcome the defect of low dynamic detection coverage of malicious software in Android applications, and effectively improves the accuracy of dynamic analysis results.

附图说明Description of drawings

图1是本发明方法的总流程图。Fig. 1 is the general flowchart of the method of the present invention.

图2是本发明方法的将Android应用程序反编译为java代码流程图。Fig. 2 is a flow chart of decompiling an Android application program into java code of the method of the present invention.

图3是本发明方法的编写soot插桩程序流程图。Fig. 3 is a flow chart of writing a soot instrumentation program of the method of the present invention.

具体实施方式Detailed ways

下面结合附图和实施例对本发明作进一步详细说明。The present invention will be described in further detail below in conjunction with the accompanying drawings and embodiments.

本发明方法的较佳实施例的总流程如图1所示，其实现步骤为：The general process of the preferred embodiment of the inventive method is as shown in Figure 1, and its realization steps are:

1、将Android应用程序的APK包转换成为相应的Java代码(具体流程图如图2所示)：1. Convert the APK package of the Android application program into the corresponding Java code (the specific flow chart is shown in Figure 2):

步骤1.1)下载所需要分析Android应用的APK文件；Step 1.1) download the APK file that needs to analyze the Android application;

步骤1.2)将APK文件后缀改为zip并解压，得到其中的classes.dex；Step 1.2) Change the suffix of the APK file to zip and decompress it to get the classes.dex;

步骤1.3)将classes.dex复制到dex2jar.bat所在目录；Step 1.3) Copy classes.dex to the directory where dex2jar.bat is located;

步骤1.4)在命令行下定位到dex2jar.bat所在目录，运行dex2jar.batclasses.dex，生成classes_dex2jar.jar；Step 1.4) Locate the directory where dex2jar.bat is located under the command line, run dex2jar.batclasses.dex, and generate classes_dex2jar.jar;

步骤1.5)进入jdgui文件夹双击jd-gui.exe，打开上面生成的jar包classes_dex2jar.jar，查看源代码；Step 1.5) Enter the jdgui folder and double-click jd-gui.exe, open the jar package classes_dex2jar.jar generated above, and view the source code;

2、使用soot软件对获取的java代码进行插桩，编写soot插桩程序流程如图3所示：2. Use the soot software to insert the acquired java code, and the process of writing the soot instrumentation program is shown in Figure 3:

步骤2.1)在eclipse中加入soot软件包；Step 2.1) add the soot software package in eclipse;

步骤2.3)将所获取的java代码通过soot软件中的功能，转化为Jimple中间语言，方便之后的操作；Step 2.3) the acquired java code is converted into Jimple intermediate language by the function in the soot software, to facilitate subsequent operations;

步骤2.3)编写soot程序对获取的java程序进行插桩操作；Step 2.3) write the soot program to perform stub operation on the obtained java program;

步骤2.3.1)编写soot程序，遍历获取java包中的每一个类；Step 2.3.1) write the soot program, traverse and obtain each class in the java package;

步骤2.3.2)编写soot程序，遍历每一个类中的所有方法；Step 2.3.2) write the soot program and traverse all the methods in each class;

步骤2.3.3)对于方法中的赋值语句，根据其中间表示方法格式的不同，插桩相应的代码；Step 2.3.3) For the assignment statement in the method, insert the corresponding code according to the format of the intermediate representation method;

步骤2.3.4)对于方法中的条件语句，根据其中间表示方法格式的不同，插桩相应的代码，并强制执行每个条件；Step 2.3.4) For the conditional statement in the method, insert the corresponding code according to the format of the intermediate representation method, and enforce each condition;

步骤2.3.5)对于方法中的循环语句语句，根据其中间表示方法格式的不同，插桩相应的代码；Step 2.3.5) For the loop statement in the method, insert the corresponding code according to the format of the intermediate representation method;

3、运行编写后的soot程序代码，并进行分析，分析过程如下：3. Run the written soot program code and analyze it. The analysis process is as follows:

步骤3.1)运行编写的soot代码；Step 3.1) run the soot code written;

步骤3.2)获取插桩后soot软件输出的信息；Step 3.2) Obtain the information output by the soot software after the stake insertion;

步骤3.3)通过插桩后获取的信息，使用soot软件，绘制出原java程序的调用关系图；Step 3.3) use the soot software to draw the call relationship diagram of the original java program through the information obtained after the stake insertion;

步骤3.4)通过插桩后获取的信息，使用soot软件，绘制出原java程序的控制流图；Step 3.4) use the soot software to draw the control flow diagram of the original java program through the information obtained after the stake insertion;

步骤3.5)通过程序的调用关系图以及控制流图，分析该程序是否存在恶意行为；Step 3.5) Analyze whether there is malicious behavior in the program through the call relationship graph and the control flow graph of the program;

步骤3.6)对于存在恶意行为的程序，分析出其包含恶意行为的程序段的位置；Step 3.6) For the program with malicious behavior, analyze the position of the program segment containing malicious behavior;

4、对于存在的恶意行为进行进一步分析：4. Further analysis of existing malicious behaviors:

步骤4.1)获取分析后定位得到的恶意行为程序段；Step 4.1) Obtain the malicious behavior program segment obtained after the analysis;

步骤4.2)通过调用关系图以及控制流图，找到与该程序段相关的语句；Step 4.2) Find the statement related to the program segment by calling the relationship graph and the control flow graph;

步骤4.3)将这些语句以为此逻辑的形式表示为相对应的逻辑表达式；Step 4.3) express these statements as corresponding logical expressions in the form of this logic;

步骤4.4)将这些逻辑表达式放入求解器中求解，看是否能得到以程序恶意Step 4.4) Put these logical expressions into the solver to solve, see if you can get the program malicious

行为所在程序段为结果的解的模型。A model of a solution where the block in which the behavior is located is the result.

本发明不限于上述实施例，一切采用等同替换或等效替换形成的技术方案均属于本发明要求保护的范围。The present invention is not limited to the above-mentioned embodiments, and all equivalent replacements or technical solutions formed by equivalent replacements fall within the protection scope of the present invention.