each piece of software in the Android system has a private and unique package name (packagemame), and the packagemame is a file directory which can be operated by the software and is also a mark of uniqueness of the software. The multi-open application can achieve the purpose of copying the application by a method of processing a getPackAgName (the getPackAgName method is an Android system method) through hook. When it is detected that there are multiple identical packagenames present, this indicates that the current software has been copied.

In some embodiments, software running on the Android phone system may detect the package name when the App is copied by the hook processing getpackagemame method as follows:

(1) acquiring the packageName of the running software:

String packageName＝context.getPackageName()；

(2) acquiring the packageName of other software in the system:

PackageManager pm＝context.getPackageManager()；

List<PackageInfo>pkgs＝pm.getInstalledPackages(0)；

(3) detecting whether the same packageName exists:

in some embodiments, one or more of the following detection means may also be used in combination:

(1) and (3) Java API detection: detecting whether a debugger is connected through a Java Api: os.

(2) The way of TracerPid in java read/proc/uid/status file is to detect whether it is debugged.

The detection methods are based on the method and the interface provided by the Android native system for expansion, do not have special requirements on detection environment, and have good universality. And various concrete detection methods can be increased, decreased and matched flexibly, and can be adjusted in pertinence according to different requirements, so that the applicability is better.

If an abnormal application parameter or abnormal action (e.g., the same UID exists, the same package name exists, an abnormality exists in the private package name, etc.) is detected, step S370 is performed to feed back the existence of the abnormality and end the detection.

If the abnormal application parameters or abnormal actions are not detected, the step S360 is continuously executed to detect whether the application is in the blacklist. In some embodiments, a blacklist mechanism is established for all currently found cheating software through a cloud management mechanism, and a characteristic value of a blacklist App is mainly stored to assist monitoring as a bottom-of-pocket scheme so as to avoid omission. Through blacklist detection, existing technical blind spots and new technical bugs can be effectively dealt with, and therefore compensation and bottom-finding strategies are achieved. A blacklist mechanism is placed in the last detection, a detection compensation mechanism can be played, the influence of the development of the technology and the appearance of a new clone technology on a combined detection result can be better adapted, and the detection precision and flexibility are improved.

The invention also provides an anomaly detection system which comprises a system operation environment detection module and an application program parameter detection module.

The system running environment detection module is used for detecting whether the system running environment is abnormal, for example, whether simulation positioning is opened or not, whether the system runs in a virtual environment or not, whether Root or not, whether an XPosed framework exists or not and the like. In some embodiments, the system operating environment detection module detects whether the simulated positioning is turned on and/or whether the system operates in a virtual environment, and then detects whether Root exists. Detecting whether an XPossed framework exists when the system runtime environment is Root, and skipping detection of the XPossed framework when the system runtime environment is not Root.

The application parameter detection module is used for detecting whether the application parameters are abnormal, for example, detecting whether the same UID exists, detecting whether the same package name exists, detecting whether the private package name is abnormal, and the like.

The anomaly detection system provided by the invention can also comprise a blacklist detection module which is used for detecting whether the application program in the blacklist exists or not.

In some embodiments, when the application program starts to run, the application program asynchronously enters the anomaly detection system, after a result is detected, a popup window pops up under the condition of anomaly to prevent a user, and no feedback can be made under the normal condition.

The anomaly detection method and system provided by the invention comprise a main detection scheme and an auxiliary detection scheme, wherein the main detection scheme establishes a priority level for step-by-step detection by referring to factors such as difficulty degree of cheating means, inclusion relationship of technical means and the like, the accuracy of a monitoring result and the improvement of detection performance are achieved according to the determination of the priority level, and whether cheating behaviors or cheating risks exist in the environment where the current App operates is comprehensively determined. The auxiliary monitoring scheme mainly combines cloud management, and adds a blacklist and a registration form mechanism to cooperate with detection.

The technical scheme of the invention can effectively detect and identify the following cheating means:

(1) software running in a virtual environment;

(2) software for simulating a positioning function is started;

(3) software that has the same UID or package name or private directory modified;

(4) software running on top of the XPosed framework;

(5) the black list is maintained regularly by other cheating means appearing in the black list.

In some embodiments, the present invention also provides a computer apparatus, device or terminal, the internal structure of one embodiment of which may be as shown in fig. 4. The computer apparatus, device or terminal includes a processor, a memory, a network interface, a display screen and an input device connected by a system bus. The processor is used for providing calculation and control capability, and the memory comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operating system and the computer program to run in the non-volatile storage medium. The network interface is used for communicating with an external terminal through network connection. The computer program is executed by a processor to implement the various methods, procedures, steps disclosed in the present invention, or the processor executes the computer program to implement the functions of the respective modules or units in the embodiments disclosed in the present invention. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell, an external keyboard, a touch pad or a mouse and the like.

Illustratively, a computer program may be divided into one or more modules or units, which are stored in a memory and executable by a processor to implement the inventive arrangements. These modules or units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution of a computer program in an apparatus, device or terminal.

The device, the equipment or the terminal can be computing equipment such as a desktop computer, a notebook computer, a mobile electronic device, a palm computer, a cloud server and the like. It will be appreciated by those skilled in the art that the arrangements shown in the drawings are merely block diagrams of some of the arrangements relevant to the inventive arrangements and do not constitute limitations on the apparatus, devices or terminals to which the arrangements are applied, and that a particular apparatus, device or terminal may include more or less components than shown in the drawings, or may combine certain components, or have a different arrangement of components.

The Processor may be a Central Processing Unit (CPU), other general or special purpose Processor, a microprocessor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. The processor is the control center of the above-mentioned apparatus, device or terminal, and connects the respective parts of the apparatus, device or terminal by using various interfaces and lines.

The memory may be used to store computer programs, modules and data, and the processor may implement various functions of the apparatus, device or terminal by executing or executing the computer programs and/or modules stored in the memory and calling the data stored in the memory. The memory may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program (such as a sound playing function, an image playing function, etc.) required by at least one function, and the like; the data storage area may store various types of data (such as multimedia data, documents, operation histories, etc.) created according to the application, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), a magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.

The invention also provides a computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the above-mentioned method. It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, databases, or other media used in embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).

The above-described apparatus or terminal device integrated modules and units, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer-readable storage medium. Based on such understanding, the present invention can realize all or part of the procedures of the disclosed methods, and can also be realized by relevant hardware instructed by a computer program, which can be stored in a computer readable storage medium, and when the computer program is executed by a processor, the steps of the methods can be realized. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying computer program code, recording medium, U.S. disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution media, and the like. It should be noted that the computer readable medium may contain content that is appropriately increased or decreased as required by legislation and patent practice in the jurisdiction.

In some embodiments, the various methods, procedures, modules, devices, apparatuses, or systems disclosed herein may be implemented or performed in one or more processing devices (e.g., digital processors, analog processors, digital circuits designed to process information, analog circuits designed to process information, state machines, computing devices, computers, and/or other mechanisms for electronically processing information). The one or more processing devices may include one or more devices that perform some or all of the operations of a method in response to instructions stored electronically on an electronic storage medium. The one or more processing devices may include one or more devices configured through hardware, firmware, and/or software to be specifically designed for performing one or more operations of a method. The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art should be considered to be within the technical scope of the present invention, and the technical solutions and the inventive concepts thereof according to the present invention should be equivalent or changed within the scope of the present invention.

Embodiments of the invention may be implemented in hardware, firmware, software, or various combinations thereof, and may also be implemented as instructions stored on a machine-readable medium, which may be read and executed using one or more processing devices. In some implementations, a machine-readable medium may include various mechanisms for storing and/or transmitting information in a form readable by a machine (e.g., a computing device). For example, a machine-readable storage medium may include read-only memory, random-access memory, magnetic disk storage media, optical storage media, flash-memory devices, and other media for storing information, and a machine-readable transmission medium may include various forms of propagated signals (including carrier waves, infrared signals, digital signals), and other media for transmitting information. While firmware, software, routines, or instructions may be described in the above disclosure in terms of performing certain exemplary aspects and embodiments of certain actions, it will be apparent that such descriptions are merely for convenience and that such actions in fact result from a machine device, computing device, processing device, processor, controller, or other device or machine executing the firmware, software, routines, or instructions.

This written description uses examples to disclose the invention, one or more examples of which are described or illustrated in the specification and drawings. Each example is provided by way of explanation of the invention, not limitation of the invention. In fact, it will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the scope or spirit of the invention. For instance, features illustrated or described as part of one embodiment, can be used with another embodiment to yield a still further embodiment. It is therefore intended that the present invention cover the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents. The above description is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto, and any technical solutions that can be obtained by logic analysis, reasoning or limited experiments based on the prior art by those skilled in the art according to the concept of the present invention, or easily conceivable variations or alternatives thereof, should be covered within the protection scope of the present invention.

Claims

1. An abnormality detection method characterized by comprising the steps of:

detecting whether the system operating environment is abnormal; and

detecting whether the application program parameters are abnormal.

2. The abnormality detection method according to claim 1, wherein said step of detecting whether the system operating environment is abnormal includes:

detecting whether to turn on the analog positioning; and/or

Detecting whether to operate in a virtual environment; and/or

Detecting whether Root exists; and/or

Detecting whether an XPossed framework exists.

3. The abnormality detection method according to claim 2, characterized in that:

whether the simulated positioning is opened and/or whether the simulated positioning is operated in a virtual environment is detected, and then whether Root exists is detected.

4. The abnormality detection method according to claim 2, characterized in that:

if the system running environment is Root, detecting whether an XPosed framework exists; and

if the system runtime environment is not Root, then detection of the XPosed framework is skipped.

5. The anomaly detection method according to claim 1, characterized in that said step of detecting whether an application parameter is anomalous comprises:

detecting whether the same UID exists; and/or

Detecting whether the same package name exists; and/or

And detecting whether the private packet name is abnormal.

6. The abnormality detection method according to claim 1, characterized in that:

if the system operation environment is abnormal, providing abnormal feedback and finishing detection; and

and if the system operating environment is not abnormal, continuously detecting whether the application program parameters are abnormal.

7. The abnormality detection method according to claim 1, further comprising:

it is detected whether there are applications in the blacklist.

8. The abnormality detection method according to claim 7, characterized in that:

firstly, whether the system operating environment and/or the application program parameters are abnormal is detected, and then whether the application programs in the blacklist exist is detected.

9. An anomaly detection system, comprising:

the system running environment detection module is configured to detect whether the system running environment is abnormal or not; and

and the application program parameter detection module is configured to detect whether the application program parameters are abnormal.

10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, is able to carry out the steps of the anomaly detection method according to any one of claims 1 to 8.