Detection of Android Interface Hijacking Attacks
Published: 2018-09-19 08:52
[Abstract]: Android interface hijacking is an attack that steals users' private information by hijacking the input stream of the interface the user is interacting with. This paper first verifies experimentally that the attack works on multiple Android versions, then analyzes the four essential characteristics of malicious applications that contain interface hijacking attacks, and proposes AHDetector (activity hijacking detector), a static detection method based on code features and multi-component data-flow tracking. AHDetector has four steps: (1) analyze the manifest configuration file to determine whether the application under test requests sensitive permissions for sending data off the device; (2) use code features to determine whether the application contains all three functional components that an interface hijacking attack requires: a background scanning component, a hijacking interface component, and a privacy exfiltration component; (3) analyze the call relationships between components to determine whether a call relationship exists between the components with scanning functionality and the components that accept interface input; (4) perform inter-component data-flow analysis to determine whether private data is passed between the hijacking interface component and the privacy exfiltration component. From these results it decides whether the application under test contains an interface hijacking attack. To evaluate AHDetector, the paper designs and implements 18 samples covering all logical paths of the interface hijacking functional components to test the method's effectiveness, and uses 4 app-lock samples to test for false positives. The results show that AHDetector detects all interface hijacking behavior in the applications with no false positives, whereas six common online malware detection platforms (Andrubis, VirusTotal, VisualThreat, Anquan Guanjia online detection, Tencent Security Lab online detection, and NetQin Security) cannot detect interface hijacking attacks.
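[Author affiliation]: School of Information Science and Engineering, Central South University;
[Funding]: National Natural Science Foundation of China (61672543); Changsha Mobile Internet Industry Project (2015)
[Classification]: TP316; TP309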
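The four-step decision described in the abstract can be sketched as follows. This is an added example, not AHDetector's code: the permission set, the role labels, the requirement that steps 3 and 4 hold for the same interface component, and the pre-extracted call and data-flow edges are all assumptions, and the sample app is constructed.

```python
import xml.etree.ElementTree as ET
from collections import deque

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: permissions treated as "can send data off the device".
EXFIL_PERMISSIONS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}

def requested_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def reachable(edges, start, goal):
    """Breadth-first search over directed (src, dst) edges."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return True
        for src, dst in edges:
            if src == node and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return False

def detect_hijacking(manifest_xml, roles, call_edges, flow_edges):
    """roles maps component name -> 'scanner' | 'hijack_ui' | 'exfil'
    (hypothetical labels standing in for the code-feature step)."""
    # Step 1: does the app request a permission that lets data leave the device?
    if not requested_permissions(manifest_xml) & EXFIL_PERMISSIONS:
        return False
    by_role = {r: [c for c, role in roles.items() if role == r]
               for r in ("scanner", "hijack_ui", "exfil")}
    # Step 2: all three functional components must be present.
    if not all(by_role.values()):
        return False
    for ui in by_role["hijack_ui"]:
        # Step 3: a scanning component calls (directly or not) the input UI.
        launched = any(reachable(call_edges, s, ui) for s in by_role["scanner"])
        # Step 4: data entered in that UI flows to an exfiltration component.
        leaked = any(reachable(flow_edges, ui, x) for x in by_role["exfil"])
        if launched and leaked:
            return True
    return False

# Constructed sample: an app whose scanner raises an input screen.
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            '<uses-permission android:name="android.permission.INTERNET"/>'
            '</manifest>')
ROLES = {"ScanService": "scanner", "PromptActivity": "hijack_ui",
         "UploadService": "exfil"}
CALLS = [("ScanService", "PromptActivity")]
LEAK_FLOWS = [("PromptActivity", "UploadService")]  # input reaches the uploader
```

With `LEAK_FLOWS` the sample is flagged; with an empty flow list, as in an app lock whose input screen never feeds a network component, it is not, which is the false-positive case the 4 app-lock samples exercise.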
Article ID: 2249649
Article link: https://www.wllwen.com/kejilunwen/ruanjiangongchenglunwen/2249649.html