
CN110990221A - Kernel LKM-based Android platform malicious software automatic detection method and system - Google Patents


Info

Publication number
CN110990221A
Authority
CN
China
Prior art keywords
kernel
monitoring
interface
message
control information
Legal status (assumed by Google, not a legal conclusion)
Pending
Application number
CN201911177188.6A
Other languages
Chinese (zh)
Inventor
沈志东
崔晓晖
韩小范
孙慧
陈维英
黄隆欢
付忠旺
Current Assignee
Wuhan University WHU
Original Assignee
Wuhan University WHU
Application filed by Wuhan University WHU
Priority date
2019-11-26
Filing date
2019-11-26
Publication date
2020-04-10
Legal status
Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a kernel LKM-based automatic malicious software detection method and system for the Android platform. The method comprises the following steps: step 1) installing and running the software to be detected, analyzing the control information of the detected program's interface, and simulating a user's click operations according to that control information; step 2) monitoring, in the kernel, the API calls of the target sensitive behaviors of the Android software while it runs; step 3) sending the generated monitoring messages from kernel space to an external automation module. The method overcomes the inability of existing dynamic analysis to monitor applications that contain third-party native libraries, effectively improves the coverage of malicious software detection, and improves the accuracy of the dynamic analysis result.

Description

Kernel LKM-based Android platform malicious software automatic detection method and system
Technical Field
The invention relates to software testing technology, in particular to a kernel LKM-based automatic malicious software detection method and system for the Android platform.
Background
Now that smartphones have their own operating systems, their functions have been greatly enriched. A smartphone lets the user download software uploaded by third-party vendors, and the large amount of third-party software meets most needs of the user beyond communication. Among the mobile operating systems, the Linux kernel-based Android operating system has developed fastest.
Because Android is open source, malicious attacks on Android users by malicious software are facilitated to a great extent. At present the main Android software behavior analysis technologies fall into two categories: static analysis and dynamic analysis. The detection effect of static analysis depends heavily on how the feature library is selected and summarized, and it cannot effectively distinguish over-privileged applications from malicious software. Dynamic analysis avoids the problems of static analysis, but existing dynamic analysis tools such as TaintDroid and DroidBox can only analyze behavior that goes through the Android framework-layer API; when an application calls an API in a native library, TaintDroid and DroidBox cannot analyze that behavior.
Disclosure of Invention
The technical problem to be solved by the invention is to provide an automatic Android platform malicious software detection method and system based on kernel LKM aiming at the defects in the prior art.
The technical scheme adopted by the invention for solving the technical problems is as follows: an automatic Android platform malicious software detection method based on kernel LKM comprises the following steps:
step 1) installing and running the software to be detected, analyzing the control information of the interface of the detected program, and simulating a user's click operations according to that control information;
step 2) monitoring, in the kernel, the API calls of the target sensitive behaviors of the Android software while it runs;
the specific steps are as follows:
step 2.1) monitoring the kernel system calls of two behaviors, short message sending and telephone dialing, by system call hijacking;
short message sending and telephone dialing are both carried out through the write system call, so the two behaviors are monitored by hijacking the write system call function, and the short message and dialing behavior is then intercepted by analyzing the input parameters;
because the system call is hijacked in the kernel, calls from both the framework and native libraries are monitored;
step 2.2) using the netfilter framework to monitor network behavior transmitted using port 80 or 8080 over TCP;
a hook function is registered at NF_INET_LOCAL_OUT of the netfilter framework to inspect outgoing network packets, so as to monitor the network behavior;
step 2.3) executing the logcat command with the adb tool to obtain the sandbox system log, then storing the obtained log in the log.txt file of the current working directory;
the Popen function of Python's subprocess module is called to create a subprocess that runs the logcat command through the adb tool, obtaining the sandbox system log tagged ApanalyLog, and the obtained log is stored in the log.txt file of the current working directory;
step 2.4) storing the monitoring messages generated in steps 2.1) to 2.3);
step 3) sending the generated monitoring messages from kernel space to an external automation module.
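The decision the NF_INET_LOCAL_OUT hook makes, modelled in user space as an added example (not the patent's LKM, whose code is not published here): it parses a constructed IPv4/TCP packet and reports it when the TCP destination port is 80 or 8080. Reading the page's "80 or 8080 port" as the destination port, and the layout of the returned record, are this example's assumptions.

```python
# Added example: user-space model of the netfilter LOCAL_OUT port check.
# The packet builder exists only to produce constructed test input.
import socket
import struct

WATCHED_PORTS = {80, 8080}   # ports the patent's hook reports on
IPPROTO_TCP = 6


def build_ipv4_tcp(src, dst, sport, dport, payload=b""):
    """Build a minimal IPv4 + TCP packet (checksums left zero) for testing."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          5 << 4, 0x02, 65535, 0, 0)        # 20-byte SYN
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def inspect_local_out(packet):
    """Return a monitoring record for a watched TCP packet, else None.

    Mirrors what a LOCAL_OUT hook sees: a locally generated IPv4 packet.
    Anything truncated, non-IPv4 or non-TCP is passed through unreported.
    """
    if len(packet) < 20:
        return None
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4            # IPv4 header length incl. options
    if ihl < 20 or len(packet) < ihl + 4:
        return None                       # no room for TCP ports
    if packet[9] != IPPROTO_TCP:
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if dport not in WATCHED_PORTS:
        return None
    return {
        "type": "net",                    # assumed record layout
        "proto": "tcp",
        "dst": socket.inet_ntoa(packet[16:20]),
        "dport": dport,
        "sport": sport,
    }
```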
According to the scheme, analyzing the control information of the interface of the tested program in step 1) comprises the following steps:
1.1) acquiring the AndroidManifest.xml file;
1.2) decompiling the configuration file with the apktool tool, and parsing the AndroidManifest.xml file to obtain the package name of the tested program and the MainActivity of its starting interface;
1.3) writing a MonkeyRunner script according to the real path of the apk file, then calling the MonkeyRunner command to execute the script and install the application into the sandbox;
the installation process is as follows: two key APIs are used, waitForConnection() and installPackage(); waitForConnection() is responsible for connecting to the sandbox, installPackage() is responsible for completing the installation of the tested program in the sandbox, and the MonkeyRunner command is then called to execute the script that installs the application into the sandbox;
1.4) MonkeyRunner connects to the monitoring emulator through the emulator's corresponding port, the connection object is saved in device, and the main interface of the tested program is run by calling the startActivity() method of device;
1.5) analyzing the control information of the current interface, then traversing and clicking all controls in the interface according to the obtained control coordinates.
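Steps 1.2 to 1.4 as an added example that is not from the patent: parse a constructed apktool-style AndroidManifest.xml to obtain the package name and the MainActivity (the activity carrying the MAIN/LAUNCHER intent filter), and build the component string a MonkeyRunner script would hand to startActivity(). The helper names and the sample manifest are this example's own.

```python
# Added example: manifest parsing for the click-simulation module.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest, in the decoded form apktool writes.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application android:label="Sample">
        <activity android:name=".SettingsActivity"/>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def qualify(package, activity):
    """Resolve a relative activity name (".MainActivity") against the package."""
    if activity.startswith("."):
        return package + activity
    if "." not in activity:
        return package + "." + activity
    return activity


def parse_manifest(xml_text):
    """Return (package, launcher_activity, permissions); raise on bad input."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    if not package:
        raise ValueError("manifest has no package attribute")
    launcher = None
    for activity in root.iter("activity"):
        for filt in activity.findall("intent-filter"):
            actions = {_attr(a, "name") for a in filt.findall("action")}
            cats = {_attr(c, "name") for c in filt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                launcher = _attr(activity, "name")
    if launcher is None:
        raise ValueError("no MAIN/LAUNCHER activity found")
    perms = [_attr(p, "name") for p in root.findall("uses-permission")]
    return package, qualify(package, launcher), perms


def component_name(package, activity):
    """The 'package/activity' string startActivity(component=...) expects."""
    return "%s/%s" % (package, activity)
```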
According to the scheme, the specific steps of sending the generated monitoring messages from kernel space to the external automation module in step 3) are:
3.1) creating a socket variable, which is the kernel-side representation of the socket;
3.2) implementing a message receiving function and a message sending function;
3.3) defining a JSON message format, so that the external automation trigger module can parse it easily.
A kernel LKM-based automatic Android platform malicious software detection system comprises:
a user click operation simulation module, used for analyzing the control information of the interface of the tested program after the software to be tested has been automatically installed and run, and for simulating user click operations according to that control information;
analyzing the control information of the interface of the tested program comprises the following steps:
1) acquiring the AndroidManifest.xml file;
2) decompiling the configuration file with the apktool tool, and parsing the AndroidManifest.xml file to obtain the package name of the tested program and the MainActivity of its starting interface;
3) writing a MonkeyRunner script according to the real path of the apk file, then calling the MonkeyRunner command to execute the script and install the application into the sandbox;
4) MonkeyRunner connects to the monitoring emulator through the emulator's corresponding port, saves the connection object in device, and calls the startActivity() method of device to run the main interface of the tested program;
5) analyzing the control information of the current interface, and traversing and clicking all controls in the interface according to the obtained control coordinates;
a kernel monitoring module, used for monitoring, in the kernel, the API calls of the target sensitive behaviors of the Android software while the user click operations are simulated;
the specific steps are as follows:
step 1) monitoring the kernel system calls of two behaviors, short message sending and telephone dialing, by system call hijacking;
step 2) using the netfilter framework to monitor network behavior transmitted using port 80 or 8080 over TCP (transmission control protocol);
step 3) executing the logcat command with the adb tool to obtain the sandbox system log, then storing the obtained log in the log.txt file of the current working directory;
step 4) storing the monitoring messages generated in steps 1) to 3);
an external automation trigger module, used for sending the generated monitoring messages from kernel space to the external automation module;
the specific steps of sending the generated monitoring messages from kernel space to the external automation module are:
1) creating a socket variable, which is the kernel-side representation of the socket;
2) implementing a message receiving function and a message sending function;
3) defining a JSON message format, so that the external automation trigger module can parse it easily.
The invention has the following beneficial effects:
the method detects malicious software by dynamic analysis, so the Android application is examined more comprehensively; whether the Android application exhibits sensitive behavior is judged by whether the tested software calls a sensitive-behavior API in the kernel;
the invention overcomes the inability of dynamic analysis to monitor applications containing third-party native libraries, effectively improves the coverage of malicious software detection, and improves the accuracy of the dynamic analysis result.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is a schematic structural diagram of an embodiment of the present invention;
FIG. 2 is a flow diagram of a kernel monitoring module of the method of the present invention;
FIG. 3 is a flow chart of the resolution process of the external automation module of the method of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in FIG. 1, the kernel LKM-based automatic Android platform malware detection method comprises the following steps:
step 1, automatically installing and running the software and simulating the user's click operations.
Step 1.1, decompressing the application program to obtain the AndroidManifest.xml file;
step 1.2, decompiling the configuration file with the apktool tool, and parsing the AndroidManifest.xml file to obtain the package name of the tested program and the MainActivity of its starting interface;
step 1.3, writing a MonkeyRunner script according to the real path of the apk file, then calling the MonkeyRunner command to execute the script and install the application into the sandbox;
step 1.4, MonkeyRunner connects to the monitoring emulator through the emulator's corresponding port, saves the connection object in device, and calls the startActivity() method of device to run the main interface of the tested program;
step 1.5, analyzing the control information of the current interface, and traversing and clicking all controls in the interface according to the obtained control coordinates;
step 2, monitoring, in the kernel, the API calls of the target sensitive behaviors of the Android software.
Step 2.1, monitoring the kernel system calls of two behaviors, short message sending and telephone dialing, by system call hijacking;
step 2.2, using the netfilter framework to monitor network behavior transmitted using port 80 or 8080 over TCP;
step 2.3, executing the logcat command with the adb tool to obtain the sandbox system log, and storing the obtained log in the log.txt file of the current working directory.
Step 3, sending the generated monitoring messages from kernel space to the external automation module.
Step 3.1, creating a socket variable, which is the kernel-side representation of the socket;
step 3.2, implementing a message receiving function and a message sending function;
step 3.3, defining a JSON message format, so that the external automation module can parse the messages easily.
The external automation module installs and exercises the tested program, the kernel monitoring module monitors the sensitive behaviors and sends the monitoring messages to the external automation module, and the external automation module generates an analysis file to obtain the detection result for the malicious program.
The method detects malicious software by dynamic analysis, so the Android application is examined more comprehensively; whether the Android application exhibits sensitive behavior is judged by whether the tested software calls a sensitive-behavior API in the kernel; and an automation tool invokes the script file, simulating manual operation so that Android applications are detected automatically in batch. The invention overcomes the inability of dynamic analysis to monitor applications containing third-party native libraries, effectively improves the coverage of malicious software detection, and improves the accuracy of the dynamic analysis result.
According to the method, a kernel LKM-based automatic Android platform malicious software detection system is further provided, comprising:
a user click operation simulation module, used for analyzing the control information of the interface of the tested program after the software to be tested has been automatically installed and run, and for simulating user click operations according to that control information;
analyzing the control information of the interface of the tested program comprises the following steps:
1) acquiring the AndroidManifest.xml file;
2) decompiling the configuration file with the apktool tool, and parsing the AndroidManifest.xml file to obtain the package name of the tested program and the MainActivity of its starting interface;
3) writing a MonkeyRunner script according to the real path of the apk file, then calling the MonkeyRunner command to execute the script and install the application into the sandbox;
4) MonkeyRunner connects to the monitoring emulator through the emulator's corresponding port, saves the connection object in device, and calls the startActivity() method of device to run the main interface of the tested program;
5) analyzing the control information of the current interface, and traversing and clicking all controls in the interface according to the obtained control coordinates;
a kernel monitoring module, used for monitoring, in the kernel, the API calls of the target sensitive behaviors of the Android software while the user click operations are simulated;
the specific steps are as follows:
step 1) monitoring the kernel system calls of two behaviors, short message sending and telephone dialing, by system call hijacking;
step 2) using the netfilter framework to monitor network behavior transmitted using port 80 or 8080 over TCP (transmission control protocol);
step 3) executing the logcat command with the adb tool to obtain the sandbox system log, then storing the obtained log in the log.txt file of the current working directory;
step 4) storing the monitoring messages generated in steps 1) to 3);
an external automation trigger module, used for sending the generated monitoring messages from kernel space to an external automation program;
the specific steps of sending the generated monitoring messages from kernel space to the external automation module are:
1) creating a socket variable, which is the kernel-side representation of the socket;
2) implementing a message receiving function and a message sending function;
3) defining a JSON message format, so that the external automation program module can parse the messages easily.
The external automation program module generates an analysis file from the monitoring messages to obtain the detection result for the malicious program.
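The JSON monitoring-message format of step 3.3 and the external automation module's analysis of it, as an added example (not the patent's code). The patent does not fix the field names; the fields type, uid, dst, dport and number, identifying the tested app by its Linux uid, and the newline-delimited framing of the constructed sample are this example's assumptions.

```python
# Added example: parse kernel monitoring messages and build the detection result.
import json

SENSITIVE_TYPES = ("sms", "dial", "net")   # the three behaviors the LKM reports
WATCHED_PORTS = {80, 8080}                  # ports the netfilter hook watches

# Constructed sample, one JSON message per line; uid 10057 is the tested app,
# uid 1000 is a system process whose traffic the hook also sees.
SAMPLE_MESSAGES = "\n".join([
    '{"type":"sms","pid":1234,"uid":10057,"dst":"+15550001111"}',
    '{"type":"net","pid":1234,"uid":10057,"dst":"192.0.2.10","dport":80}',
    '{"type":"net","pid":1234,"uid":10057,"dst":"192.0.2.10","dport":8080}',
    'not json at all',
    '{"type":"dial","pid":1234,"uid":10057,"number":"+15550002222"}',
    '{"type":"net","pid":1234,"uid":10057,"dst":"192.0.2.11","dport":443}',
    '{"type":"net","pid":77,"uid":1000,"dst":"192.0.2.12","dport":80}',
])


def parse_message(line):
    """Validate one message; return a dict, or None for malformed input.

    Kernel-to-user channels can deliver truncated or interleaved data, so the
    analysis module must never trust a line to be well-formed JSON.
    """
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("type") not in SENSITIVE_TYPES:
        return None
    if not isinstance(msg.get("uid"), int):
        return None
    return msg


def analyze(raw, target_uid):
    """Build the detection result for the tested app identified by target_uid."""
    result = {
        "uid": target_uid,
        "behaviors": {t: [] for t in SENSITIVE_TYPES},
        "malformed": 0,   # lines that failed validation
        "ignored": 0,     # valid messages not attributable to the tested app
    }
    for line in raw.splitlines():
        msg = parse_message(line)
        if msg is None:
            result["malformed"] += 1
            continue
        # Only the tested app's own activity counts, and for network events
        # only the ports the hook is meant to report.
        if msg["uid"] != target_uid or (
                msg["type"] == "net" and msg.get("dport") not in WATCHED_PORTS):
            result["ignored"] += 1
            continue
        result["behaviors"][msg["type"]].append(msg)
    result["sensitive"] = any(result["behaviors"].values())
    return result


def write_report(result, path):
    """Write the analysis file the external automation module produces."""
    with open(path, "w") as fh:
        json.dump(result, fh, indent=2)
    return path
```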
It will be understood that modifications and variations can be made by persons skilled in the art in light of the above teachings and all such modifications and variations are intended to be included within the scope of the invention as defined in the appended claims.

Claims (6)

1. A kernel LKM-based automatic Android platform malicious software detection method, characterized by comprising the following steps:
step 1) installing and running the software to be detected, analyzing the control information of the interface of the detected program, and simulating a user's click operations according to that control information;
step 2) monitoring, in the kernel, the API calls of the target sensitive behaviors of the Android software while it runs;
the specific steps are as follows:
step 2.1) monitoring the kernel system calls of two behaviors, short message sending and telephone dialing, by system call hijacking;
step 2.2) using the netfilter framework to monitor network behavior transmitted using port 80 or 8080 over TCP;
step 2.3) executing the logcat command with the adb tool to obtain the sandbox system log, then storing the obtained log in the log.txt file of the current working directory;
step 2.4) storing the monitoring messages generated in steps 2.1) to 2.3);
step 3) sending the generated monitoring messages from kernel space to an external automation module.
2. The kernel LKM-based automatic Android platform malware detection method according to claim 1, wherein analyzing the control information of the interface of the tested program in step 1) comprises the following steps:
1.1) acquiring the AndroidManifest.xml file;
1.2) decompiling the configuration file with the apktool tool, and parsing the AndroidManifest.xml file to obtain the package name of the tested program and the MainActivity of its starting interface;
1.3) writing a MonkeyRunner script according to the real path of the apk file, then calling the MonkeyRunner command to execute the script and install the application into the sandbox;
1.4) MonkeyRunner connects to the monitoring emulator through the emulator's corresponding port, the connection object is saved in device, and the main interface of the tested program is run by calling the startActivity() method of device;
1.5) analyzing the control information of the current interface, then traversing and clicking all controls in the interface according to the obtained control coordinates.
3. The kernel LKM-based automatic Android platform malware detection method according to claim 1, wherein the specific steps of sending the generated monitoring messages from kernel space to the external automation module in step 3) are:
3.1) creating a socket variable, which is the kernel-side representation of the socket;
3.2) implementing a message receiving function and a message sending function;
3.3) defining a JSON message format, so that the external automation trigger module can parse it easily.
4. A kernel LKM-based automatic Android platform malicious software detection system, characterized by comprising:
a user click operation simulation module, used for analyzing the control information of the interface of the tested program after the software to be tested has been automatically installed and run, and for simulating user click operations according to that control information;
a kernel monitoring module, used for monitoring, in the kernel, the API calls of the target sensitive behaviors of the Android software while the user click operations are simulated;
the specific steps are as follows:
step 1) monitoring the kernel system calls of two behaviors, short message sending and telephone dialing, by system call hijacking;
step 2) using the netfilter framework to monitor network behavior transmitted using port 80 or 8080 over TCP (transmission control protocol);
step 3) executing the logcat command with the adb tool to obtain the sandbox system log, then storing the obtained log in the log.txt file of the current working directory;
step 4) storing the monitoring messages generated in steps 1) to 3);
and an external automation trigger module, used for sending the generated monitoring messages from kernel space to the external automation module.
5. The kernel LKM-based automatic Android platform malware detection system of claim 4, wherein analyzing the control information of the interface of the tested program in the user click operation simulation module comprises the following steps:
1) acquiring the AndroidManifest.xml file;
2) decompiling the configuration file with the apktool tool, and parsing the AndroidManifest.xml file to obtain the package name of the tested program and the MainActivity of its starting interface;
3) writing a MonkeyRunner script, and calling the MonkeyRunner command to execute the script and install the application into the sandbox;
4) MonkeyRunner connects to the monitoring emulator through the emulator's corresponding port, saves the connection object in device, and calls the startActivity() method of device to run the main interface of the tested program;
5) analyzing the control information of the current interface, and traversing and clicking all controls in the interface according to the obtained control coordinates.
6. The kernel LKM-based automatic Android platform malware detection system of claim 4, wherein the specific steps of sending the generated monitoring messages from kernel space to the external automation module in the external automation trigger module are:
1) creating a socket variable, which is the kernel-side representation of the socket;
2) implementing a message receiving function and a message sending function;
3) defining a JSON message format, so that the external automation module can parse the messages easily.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911177188.6A CN110990221A (en) 2019-11-26 2019-11-26 Kernel LKM-based Android platform malicious software automatic detection method and system


Publications (1)

Publication Number Publication Date
CN110990221A true CN110990221A (en) 2020-04-10

Family

ID=70087219

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911177188.6A Pending CN110990221A (en) 2019-11-26 2019-11-26 Kernel LKM-based Android platform malicious software automatic detection method and system

Country Status (1)

Country Link
CN (1) CN110990221A (en)



Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103186740A (en) * 2011-12-27 2013-07-03 北京大学 Automatic detection method for Android malicious software
US20140137184A1 (en) * 2012-11-13 2014-05-15 Auckland Uniservices Ltd. Security system and method for operating systems
CN103207969A (en) * 2013-04-12 2013-07-17 百度在线网络技术(北京)有限公司 Device and method for detecting Android malware
CN106357670A (en) * 2016-10-17 2017-01-25 成都知道创宇信息技术有限公司 Simulator-based android application server side Web vulnerability detection method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
李健鹏: "Research and Implementation of an Android Malware Detection System Based on Dynamic Analysis", China Master's Theses Full-text Database, Information Science and Technology *
路程: "Design and Implementation of an Android Platform Malware Detection System", China Master's Theses Full-text Database, Information Science and Technology *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112084494A (en) * 2020-09-21 2020-12-15 百度在线网络技术(北京)有限公司 Sensitive information detection method, device, equipment and storage medium
CN114944992A (en) * 2022-07-26 2022-08-26 南京赛宁信息技术有限公司 Active defense gateway configuration detection method, device and system
CN114944992B (en) * 2022-07-26 2022-10-18 南京赛宁信息技术有限公司 Active defense gateway configuration detection method, device and system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200410