KR20110128632A - Method and device for detecting malicious action of application program for smartphone - Google Patents

Method and device for detecting malicious action of application program for smartphone Download PDF

Info

Publication number
KR20110128632A
KR20110128632A KR1020100048173A KR20100048173A KR20110128632A KR 20110128632 A KR20110128632 A KR 20110128632A KR 1020100048173 A KR1020100048173 A KR 1020100048173A KR 20100048173 A KR20100048173 A KR 20100048173A KR 20110128632 A KR20110128632 A KR 20110128632A
Authority
KR
South Korea
Prior art keywords
api
malicious behavior
application
malicious
information
Prior art date
Application number
KR1020100048173A
Other languages
Korean (ko)
Inventor
류재철
Original Assignee
충남대학교산학협력단
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 충남대학교산학협력단 filed Critical 충남대학교산학협력단
Priority to KR1020100048173A priority Critical patent/KR20110128632A/en
Publication of KR20110128632A publication Critical patent/KR20110128632A/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Telephonic Communication Services (AREA)

Abstract

PURPOSE: A bad action detection method of a smart phone application program and apparatus thereof are provided to inspect the bad action of an application program by analyzing API(Application Programming Interface) which uses the application program. CONSTITUTION: A database unit(41) stores pattern API information according to a bad action. An API usage information creation unit(33) creates API usage information by calling the application program. A bad action analysis unit(43) determines the bad action by comparing and analyzing the API usage information with the pattern API information. The bad action analysis unit includes an examination unit.

Description

Method and device for detecting malicious action of application program for smartphone}

The present invention relates to detection of malicious behavior of an application, and more particularly, to a method and apparatus for detecting malicious behavior of an application for a smartphone capable of installing an application according to various functions as well as telephone and communication.

Recently, due to the development of mobile communication technology as well as wired and wireless Internet, mobile phones having various functions such as wireless internet function as well as telephone call function are widely used. In particular, the smart phone (smartphone) has been spreading in recent years, it is possible to install a variety of applications such as multimedia playback function, users are using the smartphone for various purposes.

In general, a smartphone combines the advantages of a mobile phone and a personal digital assistant (PDA), and is defined as the integration of data communication functions such as schedule management, fax transmission and Internet access into a mobile phone. In general, a smart phone is equipped with a wireless communication module such as Wi-Fi, and can transmit and receive data through the Internet network. Also, it is possible to search for information on the Internet and to send and receive picture information such as directions by using an electronic pen on the liquid crystal display. .

Such smartphones have their own operating systems, and active development of applications that can be executed by the operating systems is being made. In the case of the iPhone released by Apple, the application listed in the App Store can be downloaded, installed and used. For example, various applications such as games, business card recognition programs, e-books, etc. are still being developed a number of times, and users can download and install applications that perform their desired functions at any time.

However, as many applications are being developed and provided, not only are they useful for smartphone users, but also those that perform malicious actions for other purposes, such as advertisements, are provided to smartphone users. There is a situation. For example, if there is an application for uploading the user's personal information stored in the smartphone to a specific server, the smartphone user who installed the application may be at risk of exposing his or her personal information.

Accordingly, the present invention has been made to solve the above-described problems, and to provide a method and apparatus for detecting malicious behavior of an application program installed in a smartphone.

Other objects of the present invention will become more apparent through the following preferred embodiments.

According to an aspect of the present invention, in a method for detecting malicious behavior of a smartphone application, generating API usage information sequentially listing one or more APIs called by an application to determine whether malicious behavior exists step; And analyzing the API usage information and comparing the malicious behavior pattern with a predetermined malicious behavior pattern to determine the existence of malicious behavior, and providing a recording medium recording a malicious behavior detection method of a smart phone application and a program executing the method. do.

Here, the presence or absence of the malicious activity may be determined using at least one of the number of calls of each API or the call time interval between APIs, together with the API type and calling order.

In addition, the malicious behavior pattern may include a pattern according to at least one of personal information leakage, billing induction, failure occurrence induction, communication company attack, remote control attack.

The malicious behavior pattern according to the leakage of personal information may be a case where a network transmission API is called after the personal information viewing API or a text message transmission API is called after the address book viewing API.

In addition, the malicious behavior pattern according to the billing induction may be a case of calling a dialing API to a telephone number according to a pre-registered adult or paid service, the malicious behavior pattern according to the induction of the failure, process generation API, At least one of a forced write API or a temporary file generation API for the configuration file may be called more than a preset number of times.

In addition, the malicious behavior pattern according to the carrier attack, the dialing API, and the call termination API may be repeated more than a predetermined number of times, the malicious behavior pattern according to the remote control attack, port binding API, text message reception The listener registration API and the network connection API to a specific port may be sequentially called.

The method may further include receiving the request for determining the malicious behavior of the application from the request terminal coupled through the communication network, and transmitting the malicious behavior information of the application according to the determination to the requesting terminal.

In addition, receiving the signature information of the application from the request terminal; And searching for having the same signature as the received signature information among the programs classified into the blacklist or the whitelist, which are held in advance, wherein the analysis using the API is performed only when the search fails. Can be done.

In addition, the source code of the application may be analyzed to extract and list the API, or the application may be executed in an emulator to extract and list the API.

According to another aspect of the invention, the analysis service server for detecting malicious behavior of the smart phone application, comprising: a database unit for storing pattern API information according to each malicious behavior; An API usage information generation unit for generating API usage information sequentially listing one or more APIs called by the input application program; And analyzing and analyzing the API usage information and the pattern API information stored in the database unit, thereby providing an analysis service server for detecting malicious behavior of the smart phone application program.

Here, the malicious behavior analysis unit may include a check unit for checking whether the application program is hidden or registered as a start program.

In addition, the malicious behavior analysis unit may determine whether the malicious behavior exists by using at least one of the number of calls of each API or the call time interval between APIs together with the type and calling order of the API.

In addition, the pattern API information may include an API pattern according to at least one of personal information leakage, billing induction, failure occurrence induction, carrier attack, remote control attack.

According to the present invention, by analyzing the API used by the application, it is possible to check whether the application performs a malicious action such as personal information leakage, billing induction, it is possible to prevent the disadvantage of the smartphone user due to the malicious action.

1 is a schematic diagram showing an overall system for detecting malicious behavior of a smartphone application according to an embodiment of the present invention.
Figure 2 is a whole flow diagram illustrating a malicious behavior detection service process of the smartphone application according to an embodiment of the present invention.
3 is a flowchart illustrating a schematic process of detecting malicious behavior of an application program using API usage information according to an embodiment of the present invention.
4 and 5 are exemplary diagrams for explaining a method of extracting API usage information of an application program according to each embodiment of the present invention.
6 to 11 are exemplary views illustrating a detection method for malicious behavior types of an application program according to each embodiment of the present invention.
12 is a block diagram showing a configuration of a service server according to an embodiment of the present invention.

As the invention allows for various changes and numerous embodiments, particular embodiments will be illustrated in the drawings and described in detail in the written description. However, this is not intended to limit the present invention to specific embodiments, it should be understood to include all modifications, equivalents, and substitutes included in the spirit and scope of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout the specification and claims. The description will be omitted.

1 is a block diagram schematically showing the entire system for detecting malicious behavior of a smart phone application according to an embodiment of the present invention.

Referring to FIG. 1, the entire system according to the present embodiment includes a request terminal 10 and an analysis service server 30.

The request terminal 10 is a user terminal for requesting the analysis service server 30 coupled to detect the malicious behavior of the held application program through a communication network. For example, the request terminal 10 may be a smart phone that can be used by installing any application program, but is not limited thereto, and all terminal devices having a communication function through a communication network may be equally applied. Hereinafter, for convenience of description, a smart phone that directly utilizes an application program as the request terminal 10 will be described as an example.

The analysis service server 30 determines whether the application program performs malicious behavior, and functions to provide the information about the request to the requesting terminal 10. That is, upon receiving a request for detection of malicious behavior for an application from the requesting terminal 10, the analysis service server 30 determines whether the corresponding application is a program for performing malicious behavior, and requests the information accordingly. 10) to provide.

Hereinafter, a process in which the analysis service server 30 detects malicious behavior of a specific application program requested from the request terminal 10 will be described.

2 is an overall flowchart illustrating a malicious behavior detection service process of an application for a smartphone according to an embodiment of the present invention.

Referring to FIG. 2, the request terminal 10 acquiring an arbitrary application program detects malicious behavior with the analysis service server 30 in order to know whether the corresponding application program has malicious code (that is, a program that performs malicious behavior). Request a service (S210).

In this case, the request terminal 10 does not need to transmit all data according to an application program, but may transmit only unique signature information for identifying the application program.

The analysis service server 30 maintains a black list, which is information about malicious codes that perform malicious actions, and a white list, which is information about normal applications that do not perform malicious actions.

Therefore, the analysis service server 30 determines whether the application belongs to the white list or the black list by using the received signature information (S215 and S225). That is, it is to search whether information about an application program having the same signature as the received signature information exists in a pre-stored whitelist or blacklist.

When the application program according to the received signature information belongs to any one of a white list or a black list, the analysis service server 30 may provide the corresponding information to the requesting terminal 10 to determine whether the application is malicious. Report the contents (S210, S220).

On the contrary, if it does not belong to any of the blacklist and the whitelist, since it does not own the information on the application, the analysis service server 30 directly analyzes the application to determine whether the malicious behavior and its type. do. Here, the analysis service server 30 may directly receive the data according to the application from the request terminal 10, or may obtain from a provider that provides the application to determine malicious behavior.

The analysis service server 30 analyzes one or more APIs (application programming interfaces) used by the application to determine whether the malicious activity and its type (S235), in a method for detecting malicious behavior by analyzing the APIs used by the application This will be described later in detail with reference to the related drawings (FIG. 3).

The analysis service server 30 provides a result to the requesting terminal 10 based on the content of the malicious activity of the application, which is determined (S240). The user of the request terminal 10 may check whether the corresponding application program is a malicious code that performs malicious behavior with reference to the received result, and determine whether to use the application.

According to the determination result, the analysis service server 30 determines whether the corresponding application performs a malicious action (S245), and if the malicious result exists, registers the corresponding application as a blacklist ( S250) or, if there is no malicious activity is registered in the white list (S255).

Hereinafter, the analysis service server 30 will be described in detail how to analyze the API of the application to detect malicious behavior.

3 is a flowchart illustrating a schematic process of detecting malicious behavior of an application program using API usage information according to an embodiment of the present invention.

Referring to FIG. 3, the malicious behavior detection process according to the present embodiment includes generating API usage information by listing calling APIs of an application program (S310) and analyzing API usage information to determine whether malicious behavior is present. (S320) and checking the process concealment and registration of the start program (S330).

Before describing each step of malicious behavior detection according to the present embodiment in detail, the API will be briefly described. An API is a language or message format used to communicate between an operating system and an application. It consists of a number of functions that allow you to do things like create windows and open files. In other words, an API consists of functions for communicating with an operating system mounted on a smartphone. In general, an API has a language or message format that is used when an application communicates with a system program such as an operating system or database management system. An API calls a function that provides a link to a specific subroutine for execution within the program. Is implemented. Thus, an API has several program modules or routines that must already exist or be linked in order to perform the work requested by the function call. Since the API will be apparent to those skilled in the art, a detailed description thereof will be omitted.

Hereinafter, for convenience of description, the request terminal 10, that is, an Android provided by Google as an operating system used by a smartphone will be described as an example. Of course, this is only one example, and other operating systems are equally applicable. It can be taken for granted.

Referring back to FIG. 3, in S310, API usage information listing APIs used by an application program for detecting malicious behavior is generated. That is, when the corresponding application is executed, it is possible to search and list which APIs are called in what order, at what time intervals, and how many times each API is called.

As an example for the sake of understanding, if application A uses APIs a, b, c, d in the order [a, b, a, c, d, b, a], You can search the number and order of usage and create them as API usage information. That is, it is recognized that a is used three times, b is used twice, c and d are used once, and each is used in the order as described above. In addition, as described above, a time interval between each API used may also be searched together. For example, if b is called 30 seconds after the first a is called, the time interval of 30 seconds can also be used as API usage information.

Hereinafter, a description will be given of a method of generating API usage information as described above by extracting information on APIs that are called by an arbitrary application.

4 and 5 are exemplary diagrams for explaining a method of extracting API usage information of an application program according to each embodiment of the present invention.

First, referring to FIG. 4, a part of source code of an application program is illustrated. According to this embodiment, the analysis service server 30 extracts API usage information from the source code of the application program. Source code can be obtained by decompiling an application program. That is, the analysis service server 30 obtains source code by decompiling an application program, extracts APIs called from the corresponding source code, and generates API usage information listing APIs.

[GetContentResolver (). Query] as shown in FIG. 4 is an API for accessing a database of a smartphone, and the analysis service server 30 extracts the corresponding API and uses it as API usage information.

According to another embodiment, the analysis service server 30 actually executes an application to extract APIs used by the application to generate API usage information. According to an embodiment, the analysis service server 30 generates an API usage information by executing an application program using an emulator. An emulator means an apparatus or a program for emulating a hardware or software function by another type of hardware or software, and it will be obvious to those skilled in the art, and thus detailed description thereof will be omitted.

FIG. 5 illustrates a protocol layer of Android, which is an operating system of a smartphone, and according to the present embodiment, the analysis service server 30 includes an application framework among source codes of an Android emulator. By modifying the source code of, the application program needs to access the API implemented in Content Providers in order to access the smartphone database.

Therefore, when an application program calls the corresponding API, it checks whether the call is made, the number of calls, and parameters, and monitors which data (SMS, address book, etc.) is accessed to generate API usage information.

In summary, the analysis service server 30 extracts APIs from the source code of the application or extracts APIs that access the database by actually executing the application using an emulator to generate API usage information used by the application. will be.

Referring back to FIG. 3, the analysis service server 30 determines whether the corresponding application program performs malicious behavior by using the API usage information generated as described above.

In this embodiment, malicious behavior of an application program is classified into personal information leakage, billing induction, failure occurrence induction, telecommunications company attack, and remote control attack.

The personal information leakage may be a case where the personal information of the smart phone user is accessed and leaked to the outside, and the personal information such as a contact may be leaked to the outside by accessing a message such as an address book or an SMS message.

In addition, billing induction may be the case that the application to make a call to a specific phone number (paid service, overseas, etc.).

In addition, there may be a case in which the failure induction causes the smartphone to fail by performing the same operation several times.

In addition, a carrier attack may include a denial of service attack (DoS) that causes a failure by adding data traffic to a carrier by immediately making a call and hanging up.

Finally, a remote control attack refers to an attack that causes a failure by controlling a smartphone remotely using an SMS message.

Hereinafter, a method of detecting malicious behavior of the application program as described above will be described.

6 to 11 are exemplary views illustrating a detection method for malicious behavior types of an application program according to each embodiment of the present invention.

6 and 7 illustrate a method of detecting malicious behavior of an application for the leakage of personal information.

According to Figure 6, when the network transfer API is called after the API for reading the personal information (name, phone number, email address, etc.) of the smart phone user, to perform a malicious action to leak the personal information to the outside To judge.

According to FIG. 7, if the number of calls of the API for transmitting a text message is repeated after the API for viewing the address book (and / or receiving a text message) is called, the malicious personal information such as a contact stored in the address book is leaked to the outside. It is judged to carry out an action. That is, if the text sending is repeated after reading the address book as shown in FIG. 6, it is recognized as a malicious act of reading the address book, extracting the personal information, and then transmitting the personal information to the specific phone number as a text message.

Referring to FIG. 8, when the dialing API is called, it is determined whether the phone number of the corresponding receiver is a phone number according to an adult / paid service registered in advance in the analysis service server 30, and the corresponding action is for inducing billing. It is to determine whether it is malicious. Of course, according to the present embodiment, the analysis service server 30 should store in advance information about a phone number according to a paid service for which billing is induced.

Referring to FIG. 9, which shows a method of detecting a failure induction, a method of checking whether at least one of a process generation API, a forced write API for a smartphone configuration file, and a temporary file generation API is repeatedly called is checked. Detects malicious behavior.

In other words, repeatedly creating multiple processes on a smartphone consumes system resources (memory, CPU, etc.), causing the system to slow down and, in some cases, to freeze the system. Therefore, the API that creates the process is called repeatedly. Is to check whether In addition, the reason for checking the forced write API for the configuration file is that the file used by the system may be replaced with another file or the contents may be changed to cause an error. Of course, the operating system itself may block access to files in the system area, so there is no need to check the forced write API for the configuration file.

Also, repeatedly creating multiple temporary files consumes system resources (storage), which can slow down your system and interfere with the operation of applications that use other temporary files. To check.

In summary, the detection of failure induction as shown in FIG. 9 is intended to detect behaviors that cause excessive system consumption (memory, CPU, storage, etc.) to slow down the system and cause malfunctions.

10 illustrates a malicious behavior detection method for a denial of service attack of a carrier. Referring to FIG. 10, the analysis service server 30 checks whether the act of calling the hangup API is repeatedly performed more than a predetermined number of times (for example, five times) after the call making API is called. To judge.

Referring to FIG. 11, which illustrates a method for detecting a remote control attack, the analysis service server 30 checks whether an application calls an API that calls a port binding API for creating a backdoor and registers a text message reception listener. The network connection API to the port is called to determine whether it is malicious.

In this case, the backdoor is a program that can be accessed through the network without the user's knowledge. Port binding refers to the act of creating a connection path (port) for network communication. For example, to access a webpage, Must bind to port 80 and wait for a connection.

In other words, the port binding API call for backdoor creation refers to calling the API to create a network connection path (port binding) to receive commands remotely (backdoor). In other words, it detects the act of creating a statement so that the person who created the malicious code can remotely access and issue commands.

When receiving a text message to a smartphone, the text message receiving listener registration delivers the received text message to an application that has registered a text message receiving listener in the system. For example, a text message program receives a text message from the system when the text message is received, and informs the user that the text message has been received and can be read. When a malicious code (program performing malicious activity) registers a text message receiving listener, it can monitor incoming text messages. It monitors incoming text messages and detects predefined strings (commands). You can perform an action. As an example, for convenience of understanding, an attacker can send a text message containing the string [@ ababc123 @] and the malware can detect the string and send personal information to a specific address. That is, the remote control attack detection method according to the present embodiment is a method for detecting an action for receiving a remote command through a text message.

For example, the detection of various malicious behaviors using the API usage information described above uses the type of API, its calling order, and the number of times. However, according to another exemplary embodiment, a time interval called between each API may be used together. Can be. For example, the malicious behavior pattern according to the leakage of personal information may be set to be determined to be malicious only when the network transmission API is called within 1 minute after the personal information viewing API call.

In addition, the method of detecting various malicious behaviors using the API usage information was described with reference to FIGS. 6 to 11, but this is only an example, and is not limited thereto. No wonder all the ways of judging behavior can be applied equally.

As described above, the S320 of FIG. 3 recognizes the malicious behavior of the application and its type using the API usage information. Since this step detects the malicious behavior of any application, determining whether the application is malicious code (a program that performs malicious behavior) may be terminated at this stage, but further improving the accuracy of detection of malicious code. In order to increase, in S330 it is further checked whether the process concealment and startup program registration.

A process concealment is a hidden state in which the user cannot know whether the process is running. The process concealment is performed so that the user does not appear even if the task manager is executed to terminate a process that is not needed. In general, malicious code operates as a hidden process so that users cannot terminate it in the usual way.

Startup program registration is to ensure that it always runs with booting even if the smartphone is restarted, when registered as a startup program, the application is executed even if the smartphone is shut down and turned on again. In general, malicious code operates as a hidden process to prevent termination by the user and registers as a startup program to always operate.

Since hiding a process or detecting whether it is registered in a startup program is a technique that is still widely used, it will be obvious to those skilled in the art, and thus a detailed description of the method will be omitted.

Hereinafter, the configuration of the analysis service server 30 will be described.

12 is a block diagram showing the configuration of a service server according to an embodiment of the present invention.

Referring to FIG. 12, the analysis service server 30 according to the present embodiment includes an input unit 31, an API usage information generation unit 33, a malicious behavior pattern database unit 41, a malicious behavior analysis unit 43, and a result. And an output unit 45.

The input unit 31 is for receiving an application program for determining the requested malicious behavior from the request terminal 10, and the API usage information generating unit 33 calls APIs that are input by the application program input through the input unit 31. To generate API usage information for.

API usage information generation unit 33 is a source code analysis unit 35 for extracting the API from the source code of the application program, an emulator execution unit for executing the application to extract the API called by executing the application program ( 37) and an API listing unit 39 for listing the extracted APIs in order and generating API usage information having the order, the number of calls, the call interval time, and the like. As described above, the API usage information generation unit 33 extracts the API called from the source code of the application program or recognizes the API called by executing it directly, thereby using the APIs listed for the APIs used by the application program. To generate information.

The malicious behavior pattern database unit 41 stores information about patterns of APIs according to malicious behaviors as shown in FIGS. 6 to 11. Therefore, the malicious behavior analysis unit 43 detects malicious behavior of an application to be analyzed by referring to each API pattern according to malicious behavior stored in the malicious behavior pattern database unit 41, and the application is concealed or started. It also checks if it is registered at.

As shown in the figure, the malicious behavior analysis unit 43 detects malicious behavior of an application program according to personal information leakage, billing induction, failure induction, telecommunications company DoS, remote control attack, and the like. Since the malicious behavior analysis unit 43 detects each of the malicious behaviors described above, duplicate description thereof will be omitted.

When the inspection for the malicious behavior is finished, the result output unit 45 outputs the inspection result, and it is natural that the output inspection result may be provided to the request terminal 10 coupled through the communication network.

The malicious behavior detection method of the smart phone application according to the present invention described above may be implemented as computer readable code on a computer readable recording medium. Computer-readable recording media include all kinds of recording media having data stored thereon that can be decrypted by a computer system. For example, there may be a read only memory (ROM), a random access memory (RAM), a magnetic tape, a magnetic disk, a flash memory, an optical data storage device, and the like. In addition, the computer-readable recording medium may be distributed and executed in a computer system connected to a computer network, and may be stored and executed as a code readable in a distributed manner.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention as defined in the appended claims. It will be understood that various modifications and changes may be made.

10: request terminal
30: Analysis service server
31: input unit
33: API usage information generation unit
41: malicious behavior pattern database
43: malicious behavior analysis unit
45: result output unit

Claims (16)

In the method of detecting malicious behavior of a smartphone application,
Generating API usage information sequentially listing one or more APIs called by an application program to determine whether malicious activity exists; And
Analyzing the API usage information and comparing the malicious behavior pattern with the predetermined malicious behaviors comprising the step of determining the presence of malicious behaviors smart phone application.
The method of claim 1,
The malicious behavior detection method of the smartphone application, characterized in that the presence or absence of the malicious behavior further using at least one of the number of calls and the interval between the API call, together with the API type and calling order. .
The method of claim 1,
The malicious behavior pattern is a malicious behavior detection method of a smart phone application, characterized in that it comprises a pattern according to at least one of personal information leakage, billing induction, failure occurrence induction, carrier attack, remote control attack.
The method of claim 3, wherein
The malicious behavior pattern according to the leakage of personal information is a method of detecting malicious behavior of a smart phone application, characterized in that when the network transmission API is called after the personal information viewing API or when the text message transmission API is called after the address book viewing API. .
The method of claim 3, wherein
The malicious behavior pattern according to the billing induction is a malicious behavior detection method of a smart phone application, characterized in that the call to the telephone number according to a pre-registered adult or paid service is called.
The method of claim 3, wherein
The malicious behavior pattern according to the induction of the failure occurs when at least one of a process creation API, a forced write API for a configuration file, or a temporary file creation API is called more than a predetermined number of times. Behavior detection method.
The method of claim 3, wherein
The malicious behavior pattern according to the telecommunications company attack is a method of detecting malicious behavior of a smart phone application, characterized in that when the call API and the call termination API is repeated a predetermined number of times.
The method of claim 3, wherein
The malicious behavior pattern according to the remote control attack is a case where a port binding API, a text message reception listener registration API, and a network connection API to a specific port are sequentially called.
The method of claim 1,
Prior to the step of receiving a request to determine the malicious behavior for the application from the request terminal coupled through the communication network,
Malicious behavior detection method of the smart phone application, characterized in that for transmitting the malicious behavior information of the application in accordance with the determination to the request terminal.
The method of claim 9,
Receiving signature information of the application program from the requesting terminal; And
Further comprising the step of retrieving one of the programs classified into a blacklist or a whitelist held in advance having the same signature as the received signature information,
Malicious behavior detection method of the smart phone application, characterized in that for performing the analysis using the API only when the search fails.
The method of claim 1,
Method of extracting and listing the API by analyzing the source code of the application, or extracting and listing the API by running the application in an emulator.
A recording medium on which a combination of instructions for performing the method of any one of claims 1 to 11 is tangibly embodied and in which a program readable by a digital information processing apparatus is recorded. In the analysis service server for detecting malicious behavior of smart phone application,
Database unit for storing the pattern API information according to each malicious behavior;
An API usage information generation unit for generating API usage information sequentially listing one or more APIs called by the input application program; And
Analysis service server for detecting malicious behavior of the smart phone application including a malicious behavior analysis unit for comparing the analysis of the API usage information and the pattern API information stored in the database unit to determine the existence of malicious behavior.
The method of claim 13,
The malicious behavior analysis unit detects malicious behavior of a smartphone application, characterized in that it comprises a check unit for checking whether the application is hidden or registered as a startup program.
The method of claim 13,
The malicious behavior analysis unit determines the presence of the malicious behavior by using at least one of the number of calls or intervals between API calls, together with the API type and calling order. Analysis service server to detect malicious behavior.
The method of claim 13,
The pattern API information, the analysis service server for detecting malicious behavior of the smartphone application, characterized in that it comprises an API pattern according to at least one of personal information leakage, billing induction, induction of failure, carrier attack, remote control attack .
KR1020100048173A 2010-05-24 2010-05-24 Method and device for detecting malicious action of application program for smartphone KR20110128632A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020100048173A KR20110128632A (en) 2010-05-24 2010-05-24 Method and device for detecting malicious action of application program for smartphone

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020100048173A KR20110128632A (en) 2010-05-24 2010-05-24 Method and device for detecting malicious action of application program for smartphone

Publications (1)

Publication Number Publication Date
KR20110128632A true KR20110128632A (en) 2011-11-30

Family

ID=45396783

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020100048173A KR20110128632A (en) 2010-05-24 2010-05-24 Method and device for detecting malicious action of application program for smartphone

Country Status (1)

Country Link
KR (1) KR20110128632A (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130066901A (en) * 2011-12-13 2013-06-21 삼성전자주식회사 Apparatus and method for analyzing malware in data analysis system
KR20130115045A (en) * 2012-04-10 2013-10-21 알서포트 주식회사 Data interception method for mobile telephone on the remote control
KR101324691B1 (en) * 2011-12-08 2013-11-04 한국인터넷진흥원 System and method for detecting malicious mobile applications
WO2014012441A1 (en) * 2012-07-16 2014-01-23 Tencent Technology (Shenzhen) Company Limited Method and apparatus for determining malicious program
US8661543B2 (en) 2012-02-16 2014-02-25 Electronics And Telecommunications Research Institute Mobile terminal having security diagnosis functionality and method of making diagnosis on security of mobile terminal
KR101414084B1 (en) * 2013-03-28 2014-07-04 한신대학교 산학협력단 System and for Malicious Application Detection on Mobile Device and Method thereof
WO2014116025A1 (en) * 2013-01-24 2014-07-31 (주)잉카인터넷 Behavior-based process inspection system and method
KR20150008033A (en) 2014-12-30 2015-01-21 주식회사 안랩 Method and apparatus for inspecting malicious code of a mobile terminal
US9448859B2 (en) 2013-09-17 2016-09-20 Qualcomm Incorporated Exploiting hot application programming interfaces (APIs) and action patterns for efficient storage of API logs on mobile devices for behavioral analysis
KR20170086926A (en) * 2016-01-19 2017-07-27 삼성전자주식회사 Apparatus for security vulnerabilities evaluation of application and control method of the same
KR20180082504A (en) * 2015-11-05 2018-07-18 알리바바 그룹 홀딩 리미티드 Methods and equipment for application information risk management
KR20210051669A (en) * 2019-10-31 2021-05-10 삼성에스디에스 주식회사 method for machine LEARNING of MALWARE DETECTING MODEL AND METHOD FOR detecting Malware USING THE SAME
CN113672902A (en) * 2021-08-31 2021-11-19 挂号网(杭州)科技有限公司 Application program detection method, device, equipment and storage medium
CN111191201B (en) * 2019-12-25 2024-02-09 中国平安财产保险股份有限公司 User identification method, device, equipment and storage medium based on data embedded point

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101324691B1 (en) * 2011-12-08 2013-11-04 한국인터넷진흥원 System and method for detecting malicious mobile applications
KR20130066901A (en) * 2011-12-13 2013-06-21 삼성전자주식회사 Apparatus and method for analyzing malware in data analysis system
US8661543B2 (en) 2012-02-16 2014-02-25 Electronics And Telecommunications Research Institute Mobile terminal having security diagnosis functionality and method of making diagnosis on security of mobile terminal
KR20130115045A (en) * 2012-04-10 2013-10-21 알서포트 주식회사 Data interception method for mobile telephone on the remote control
US9158918B2 (en) 2012-07-16 2015-10-13 Tencent Technology (Shenzhen) Company Limited Method and apparatus for determining malicious program
WO2014012441A1 (en) * 2012-07-16 2014-01-23 Tencent Technology (Shenzhen) Company Limited Method and apparatus for determining malicious program
WO2014116025A1 (en) * 2013-01-24 2014-07-31 (주)잉카인터넷 Behavior-based process inspection system and method
KR101414084B1 (en) * 2013-03-28 2014-07-04 한신대학교 산학협력단 System and for Malicious Application Detection on Mobile Device and Method thereof
US9448859B2 (en) 2013-09-17 2016-09-20 Qualcomm Incorporated Exploiting hot application programming interfaces (APIs) and action patterns for efficient storage of API logs on mobile devices for behavioral analysis
KR20150008033A (en) 2014-12-30 2015-01-21 주식회사 안랩 Method and apparatus for inspecting malicious code of a mobile terminal
KR20180082504A (en) * 2015-11-05 2018-07-18 알리바바 그룹 홀딩 리미티드 Methods and equipment for application information risk management
US10715550B2 (en) 2015-11-05 2020-07-14 Alibaba Group Holding Limited Method and device for application information risk management
KR20170086926A (en) * 2016-01-19 2017-07-27 삼성전자주식회사 Apparatus for security vulnerabilities evaluation of application and control method of the same
KR20210051669A (en) * 2019-10-31 2021-05-10 삼성에스디에스 주식회사 method for machine LEARNING of MALWARE DETECTING MODEL AND METHOD FOR detecting Malware USING THE SAME
US11475133B2 (en) 2019-10-31 2022-10-18 Samsung Sds Co., Ltd. Method for machine learning of malicious code detecting model and method for detecting malicious code using the same
CN111191201B (en) * 2019-12-25 2024-02-09 中国平安财产保险股份有限公司 User identification method, device, equipment and storage medium based on data embedded point
CN113672902A (en) * 2021-08-31 2021-11-19 挂号网(杭州)科技有限公司 Application program detection method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
KR20110128632A (en) Method and device for detecting malicious action of application program for smartphone
He et al. Dynamic privacy leakage analysis of Android third-party libraries
US8099472B2 (en) System and method for a mobile cross-platform software system
CN105956474B (en) Android platform software unusual checking system
US9158918B2 (en) Method and apparatus for determining malicious program
KR101373986B1 (en) Method and apparatus to vet an executable program using a model
US9280665B2 (en) Fast and accurate identification of message-based API calls in application binaries
US9747449B2 (en) Method and device for preventing application in an operating system from being uninstalled
US20160350525A1 (en) Application Program Management Method, Device, Terminal, and Computer Storage Medium
KR20140074252A (en) Secure execution of unsecured apps on a device
EP2769324A1 (en) System and method for whitelisting applications in a mobile network environment
US10754717B2 (en) Fast and accurate identification of message-based API calls in application binaries
KR20130066901A (en) Apparatus and method for analyzing malware in data analysis system
CN111596971A (en) Application cleaning method and device, storage medium and electronic equipment
KR20160031590A (en) Malicious app categorization apparatus and malicious app categorization method
CN108932199B (en) Automatic taint analysis system based on user interface analysis
WO2015037850A1 (en) Device and method for detecting url call
Wu et al. Pacs: Pemission abuse checking system for android applictions based on review mining
CN110348226A (en) A kind of scan method of project file, device, electronic equipment and storage medium
KR101493820B1 (en) Mobile Security System
JP5865180B2 (en) Portable communication terminal, data communication detection device, data communication detection method, and program
CN111666581A (en) Data protection method, device, equipment and medium
KR20160024719A (en) Method and device to defend against the phishing of short message service based on operating system
CN107567627B (en) Device with test execution environment
Khan et al. Differences in Inter-App Communication Between Android and iOS Systems

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application