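Research on a Function Call Graph-Based Method for Detecting Repackaged Android Applications
Published: 2018-03-28 09:01
Topic: Android system  Focus: repackaging  Source: Beijing Jiaotong University, master's thesis, 2017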
[Abstract]: In recent years, the openness and good user experience of the Android platform have driven rapid growth in the number of Android applications. This has also attracted the attention of a growing number of malicious developers. Malicious developers modify applications in the market, for example by replacing ad libraries, modifying code, or inserting malicious code, and then repackage the modified applications and publish them to the market for profit. Such repackaging not only infringes the rights of legitimate developers but also creates serious security risks for users, so detecting repackaged applications in the market is very important. At present, applications are mainly analyzed by static analysis and dynamic analysis. In response to the growing number of repackaged applications in third-party markets, and building on a study of existing methods, this thesis proposes a new function call graph-based method for detecting repackaged Android applications, which mainly uses the similarity of function call graphs to determine the similarity of two applications. The main work of this thesis is as follows: (1) By studying and summarizing the static and dynamic analysis methods commonly used for detecting repackaged Android applications, as well as existing detection techniques in China and abroad, a function call graph-based detection method for repackaged applications is proposed. First, the application is decompiled and its Smali code is extracted and analyzed to generate a function call graph; when the graph is generated, the opcodes in each function are used as the attributes of the corresponding node. Next, the function call graph is processed to filter out third-party libraries, such as system libraries and ad libraries, after which the UI-related APIs are retained. Finally, the function call graph is represented by structural subgraphs from the Motifs pattern, and the similarity of the applications is determined from the similarity of the subgraphs, which decides whether an application is repackaged. (2) Using the detection method designed in this thesis, 5500 applications from Android markets and 1500 malicious applications were tested. A total of 385 repackaged applications were detected in the Android markets, with a detection rate of 96.5%; among the 1500 malicious applications, 672 repackaged applications were detected, a repackaging rate of 44.8%. The experimental results show that the detection method has high accuracy and good scalability.
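A simplified sketch of the pipeline the abstract describes, added here as an example and not the thesis's own code: it parses Smali text into a call graph with opcode lists as node attributes, drops methods under an assumed list of library prefixes, and compares two apps by Jaccard similarity over name-independent call-edge features. That edge comparison is a stand-in for the thesis's Motifs subgraph matching, the UI-API retention step is omitted, and all function names, the prefix list and the sample Smali are constructed for illustration.

```python
from collections import Counter
LIB_PREFIXES = ("Landroid/", "Ljava/", "Lcom/google/ads/")  # illustrative list

def build_call_graph(smali_files):
    """Return ({method: [opcodes]}, {(caller, callee)}) parsed from smali."""
    nodes, edges = {}, set()
    for text in smali_files:
        cls = current = None
        for line in map(str.strip, text.splitlines()):
            if line.startswith(".class"):
                cls = line.split()[-1]
            elif line.startswith(".method"):
                current = f"{cls}->{line.split()[-1]}"
                nodes[current] = []
            elif line == ".end method":
                current = None
            elif current and line and line[0] not in ".#:":
                nodes[current].append(line.split()[0])  # opcode = node attribute
                if line.startswith("invoke-"):
                    edges.add((current, line.split()[-1]))
    return nodes, edges

def edge_features(smali_files):  # (caller opcodes, callee opcodes) per app edge
    nodes, edges = build_call_graph(smali_files)
    sig = {m: tuple(sorted(Counter(ops).items()))
           for m, ops in nodes.items() if not m.startswith(LIB_PREFIXES)}
    return Counter((sig[a], sig[b]) for a, b in edges if a in sig and b in sig)

def similarity(app_a, app_b):  # Jaccard index over edge-feature multisets
    fa, fb = edge_features(app_a), edge_features(app_b)
    return sum((fa & fb).values()) / max(1, sum((fa | fb).values()))

# Constructed sample (not from the thesis): an app and a renamed copy + ad class.
ORIGINAL = [""".class public Lcom/shop/Main;
.method public onCreate()V
    invoke-direct {p0}, Lcom/shop/Main;->load()V
    invoke-static {}, Landroid/util/Log;->d()V
    return-void
.end method
.method private load()V
    invoke-direct {p0}, Lcom/shop/Main;->parse()V
    return-void
.end method
.method private parse()V
    return-void
.end method"""]
REPACKED = [ORIGINAL[0].replace("shop/Main", "x/A").replace("load", "a"),
            ".class Lcom/google/ads/Ad;\n.method show()V\n"
            "invoke-static {}, Lcom/google/ads/Ad;->show()V\n.end method"]
```

Because the features ignore identifiers, renaming classes and methods or adding a filtered ad library leaves the score at 1.0, while code injected into an app method changes that method's opcode signature and lowers the score.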
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP316;TP309
Article ID: 1675644
Article link: https://www.wllwen.com/wenyilunwen/guanggaoshejilunwen/1675644.html