KR20110128632A - Method and device for detecting malicious action of application program for smartphone - Google Patents
Method and device for detecting malicious action of application program for smartphone Download PDFInfo
- Publication number
- KR20110128632A KR20110128632A KR1020100048173A KR20100048173A KR20110128632A KR 20110128632 A KR20110128632 A KR 20110128632A KR 1020100048173 A KR1020100048173 A KR 1020100048173A KR 20100048173 A KR20100048173 A KR 20100048173A KR 20110128632 A KR20110128632 A KR 20110128632A
- Authority
- KR
- South Korea
- Prior art keywords
- api
- malicious behavior
- application
- malicious
- information
- Prior art date
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Telephonic Communication Services (AREA)
Abstract
Description
The present invention relates to detection of malicious behavior of an application, and more particularly, to a method and apparatus for detecting malicious behavior of an application for a smartphone capable of installing an application according to various functions as well as telephone and communication.
Recently, due to the development of mobile communication technology as well as wired and wireless Internet, mobile phones having various functions such as wireless internet function as well as telephone call function are widely used. In particular, the smart phone (smartphone) has been spreading in recent years, it is possible to install a variety of applications such as multimedia playback function, users are using the smartphone for various purposes.
In general, a smartphone combines the advantages of a mobile phone and a personal digital assistant (PDA), and is defined as the integration of data communication functions such as schedule management, fax transmission and Internet access into a mobile phone. In general, a smart phone is equipped with a wireless communication module such as Wi-Fi, and can transmit and receive data through the Internet network. Also, it is possible to search for information on the Internet and to send and receive picture information such as directions by using an electronic pen on the liquid crystal display. .
Such smartphones have their own operating systems, and active development of applications that can be executed by the operating systems is being made. In the case of the iPhone released by Apple, the application listed in the App Store can be downloaded, installed and used. For example, various applications such as games, business card recognition programs, e-books, etc. are still being developed a number of times, and users can download and install applications that perform their desired functions at any time.
However, as many applications are being developed and provided, not only are they useful for smartphone users, but also those that perform malicious actions for other purposes, such as advertisements, are provided to smartphone users. There is a situation. For example, if there is an application for uploading the user's personal information stored in the smartphone to a specific server, the smartphone user who installed the application may be at risk of exposing his or her personal information.
Accordingly, the present invention has been made to solve the above-described problems, and to provide a method and apparatus for detecting malicious behavior of an application program installed in a smartphone.
Other objects of the present invention will become more apparent through the following preferred embodiments.
According to an aspect of the present invention, in a method for detecting malicious behavior of a smartphone application, generating API usage information sequentially listing one or more APIs called by an application to determine whether malicious behavior exists step; And analyzing the API usage information and comparing the malicious behavior pattern with a predetermined malicious behavior pattern to determine the existence of malicious behavior, and providing a recording medium recording a malicious behavior detection method of a smart phone application and a program executing the method. do.
Here, the presence or absence of the malicious activity may be determined using at least one of the number of calls of each API or the call time interval between APIs, together with the API type and calling order.
In addition, the malicious behavior pattern may include a pattern according to at least one of personal information leakage, billing induction, failure occurrence induction, communication company attack, remote control attack.
The malicious behavior pattern according to the leakage of personal information may be a case where a network transmission API is called after the personal information viewing API or a text message transmission API is called after the address book viewing API.
In addition, the malicious behavior pattern according to the billing induction may be a case of calling a dialing API to a telephone number according to a pre-registered adult or paid service, the malicious behavior pattern according to the induction of the failure, process generation API, At least one of a forced write API or a temporary file generation API for the configuration file may be called more than a preset number of times.
In addition, the malicious behavior pattern according to the carrier attack, the dialing API, and the call termination API may be repeated more than a predetermined number of times, the malicious behavior pattern according to the remote control attack, port binding API, text message reception The listener registration API and the network connection API to a specific port may be sequentially called.
The method may further include receiving the request for determining the malicious behavior of the application from the request terminal coupled through the communication network, and transmitting the malicious behavior information of the application according to the determination to the requesting terminal.
In addition, receiving the signature information of the application from the request terminal; And searching for having the same signature as the received signature information among the programs classified into the blacklist or the whitelist, which are held in advance, wherein the analysis using the API is performed only when the search fails. Can be done.
In addition, the source code of the application may be analyzed to extract and list the API, or the application may be executed in an emulator to extract and list the API.
According to another aspect of the invention, the analysis service server for detecting malicious behavior of the smart phone application, comprising: a database unit for storing pattern API information according to each malicious behavior; An API usage information generation unit for generating API usage information sequentially listing one or more APIs called by the input application program; And analyzing and analyzing the API usage information and the pattern API information stored in the database unit, thereby providing an analysis service server for detecting malicious behavior of the smart phone application program.
Here, the malicious behavior analysis unit may include a check unit for checking whether the application program is hidden or registered as a start program.
In addition, the malicious behavior analysis unit may determine whether the malicious behavior exists by using at least one of the number of calls of each API or the call time interval between APIs together with the type and calling order of the API.
In addition, the pattern API information may include an API pattern according to at least one of personal information leakage, billing induction, failure occurrence induction, carrier attack, remote control attack.
According to the present invention, by analyzing the API used by the application, it is possible to check whether the application performs a malicious action such as personal information leakage, billing induction, it is possible to prevent the disadvantage of the smartphone user due to the malicious action.
1 is a schematic diagram showing an overall system for detecting malicious behavior of a smartphone application according to an embodiment of the present invention.
Figure 2 is a whole flow diagram illustrating a malicious behavior detection service process of the smartphone application according to an embodiment of the present invention.
3 is a flowchart illustrating a schematic process of detecting malicious behavior of an application program using API usage information according to an embodiment of the present invention.
4 and 5 are exemplary diagrams for explaining a method of extracting API usage information of an application program according to each embodiment of the present invention.
6 to 11 are exemplary views illustrating a detection method for malicious behavior types of an application program according to each embodiment of the present invention.
12 is a block diagram showing a configuration of a service server according to an embodiment of the present invention.
As the invention allows for various changes and numerous embodiments, particular embodiments will be illustrated in the drawings and described in detail in the written description. However, this is not intended to limit the present invention to specific embodiments, it should be understood to include all modifications, equivalents, and substitutes included in the spirit and scope of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout the specification and claims. The description will be omitted.
1 is a block diagram schematically showing the entire system for detecting malicious behavior of a smart phone application according to an embodiment of the present invention.
Referring to FIG. 1, the entire system according to the present embodiment includes a
The
The
Hereinafter, a process in which the
2 is an overall flowchart illustrating a malicious behavior detection service process of an application for a smartphone according to an embodiment of the present invention.
Referring to FIG. 2, the
In this case, the
The
Therefore, the
When the application program according to the received signature information belongs to any one of a white list or a black list, the
On the contrary, if it does not belong to any of the blacklist and the whitelist, since it does not own the information on the application, the
The
The
According to the determination result, the
Hereinafter, the
3 is a flowchart illustrating a schematic process of detecting malicious behavior of an application program using API usage information according to an embodiment of the present invention.
Referring to FIG. 3, the malicious behavior detection process according to the present embodiment includes generating API usage information by listing calling APIs of an application program (S310) and analyzing API usage information to determine whether malicious behavior is present. (S320) and checking the process concealment and registration of the start program (S330).
Before describing each step of malicious behavior detection according to the present embodiment in detail, the API will be briefly described. An API is a language or message format used to communicate between an operating system and an application. It consists of a number of functions that allow you to do things like create windows and open files. In other words, an API consists of functions for communicating with an operating system mounted on a smartphone. In general, an API has a language or message format that is used when an application communicates with a system program such as an operating system or database management system. An API calls a function that provides a link to a specific subroutine for execution within the program. Is implemented. Thus, an API has several program modules or routines that must already exist or be linked in order to perform the work requested by the function call. Since the API will be apparent to those skilled in the art, a detailed description thereof will be omitted.
Hereinafter, for convenience of description, the
Referring back to FIG. 3, in S310, API usage information listing APIs used by an application program for detecting malicious behavior is generated. That is, when the corresponding application is executed, it is possible to search and list which APIs are called in what order, at what time intervals, and how many times each API is called.
As an example for the sake of understanding, if application A uses APIs a, b, c, d in the order [a, b, a, c, d, b, a], You can search the number and order of usage and create them as API usage information. That is, it is recognized that a is used three times, b is used twice, c and d are used once, and each is used in the order as described above. In addition, as described above, a time interval between each API used may also be searched together. For example, if b is called 30 seconds after the first a is called, the time interval of 30 seconds can also be used as API usage information.
Hereinafter, a description will be given of a method of generating API usage information as described above by extracting information on APIs that are called by an arbitrary application.
4 and 5 are exemplary diagrams for explaining a method of extracting API usage information of an application program according to each embodiment of the present invention.
First, referring to FIG. 4, a part of source code of an application program is illustrated. According to this embodiment, the
[GetContentResolver (). Query] as shown in FIG. 4 is an API for accessing a database of a smartphone, and the
According to another embodiment, the
FIG. 5 illustrates a protocol layer of Android, which is an operating system of a smartphone, and according to the present embodiment, the
Therefore, when an application program calls the corresponding API, it checks whether the call is made, the number of calls, and parameters, and monitors which data (SMS, address book, etc.) is accessed to generate API usage information.
In summary, the
Referring back to FIG. 3, the
In this embodiment, malicious behavior of an application program is classified into personal information leakage, billing induction, failure occurrence induction, telecommunications company attack, and remote control attack.
The personal information leakage may be a case where the personal information of the smart phone user is accessed and leaked to the outside, and the personal information such as a contact may be leaked to the outside by accessing a message such as an address book or an SMS message.
In addition, billing induction may be the case that the application to make a call to a specific phone number (paid service, overseas, etc.).
In addition, there may be a case in which the failure induction causes the smartphone to fail by performing the same operation several times.
In addition, a carrier attack may include a denial of service attack (DoS) that causes a failure by adding data traffic to a carrier by immediately making a call and hanging up.
Finally, a remote control attack refers to an attack that causes a failure by controlling a smartphone remotely using an SMS message.
Hereinafter, a method of detecting malicious behavior of the application program as described above will be described.
6 to 11 are exemplary views illustrating a detection method for malicious behavior types of an application program according to each embodiment of the present invention.
6 and 7 illustrate a method of detecting malicious behavior of an application for the leakage of personal information.
According to Figure 6, when the network transfer API is called after the API for reading the personal information (name, phone number, email address, etc.) of the smart phone user, to perform a malicious action to leak the personal information to the outside To judge.
According to FIG. 7, if the number of calls of the API for transmitting a text message is repeated after the API for viewing the address book (and / or receiving a text message) is called, the malicious personal information such as a contact stored in the address book is leaked to the outside. It is judged to carry out an action. That is, if the text sending is repeated after reading the address book as shown in FIG. 6, it is recognized as a malicious act of reading the address book, extracting the personal information, and then transmitting the personal information to the specific phone number as a text message.
Referring to FIG. 8, when the dialing API is called, it is determined whether the phone number of the corresponding receiver is a phone number according to an adult / paid service registered in advance in the
Referring to FIG. 9, which shows a method of detecting a failure induction, a method of checking whether at least one of a process generation API, a forced write API for a smartphone configuration file, and a temporary file generation API is repeatedly called is checked. Detects malicious behavior.
In other words, repeatedly creating multiple processes on a smartphone consumes system resources (memory, CPU, etc.), causing the system to slow down and, in some cases, to freeze the system. Therefore, the API that creates the process is called repeatedly. Is to check whether In addition, the reason for checking the forced write API for the configuration file is that the file used by the system may be replaced with another file or the contents may be changed to cause an error. Of course, the operating system itself may block access to files in the system area, so there is no need to check the forced write API for the configuration file.
Also, repeatedly creating multiple temporary files consumes system resources (storage), which can slow down your system and interfere with the operation of applications that use other temporary files. To check.
In summary, the detection of failure induction as shown in FIG. 9 is intended to detect behaviors that cause excessive system consumption (memory, CPU, storage, etc.) to slow down the system and cause malfunctions.
10 illustrates a malicious behavior detection method for a denial of service attack of a carrier. Referring to FIG. 10, the
Referring to FIG. 11, which illustrates a method for detecting a remote control attack, the
In this case, the backdoor is a program that can be accessed through the network without the user's knowledge. Port binding refers to the act of creating a connection path (port) for network communication. For example, to access a webpage, Must bind to port 80 and wait for a connection.
In other words, the port binding API call for backdoor creation refers to calling the API to create a network connection path (port binding) to receive commands remotely (backdoor). In other words, it detects the act of creating a statement so that the person who created the malicious code can remotely access and issue commands.
When receiving a text message to a smartphone, the text message receiving listener registration delivers the received text message to an application that has registered a text message receiving listener in the system. For example, a text message program receives a text message from the system when the text message is received, and informs the user that the text message has been received and can be read. When a malicious code (program performing malicious activity) registers a text message receiving listener, it can monitor incoming text messages. It monitors incoming text messages and detects predefined strings (commands). You can perform an action. As an example, for convenience of understanding, an attacker can send a text message containing the string [@ ababc123 @] and the malware can detect the string and send personal information to a specific address. That is, the remote control attack detection method according to the present embodiment is a method for detecting an action for receiving a remote command through a text message.
For example, the detection of various malicious behaviors using the API usage information described above uses the type of API, its calling order, and the number of times. However, according to another exemplary embodiment, a time interval called between each API may be used together. Can be. For example, the malicious behavior pattern according to the leakage of personal information may be set to be determined to be malicious only when the network transmission API is called within 1 minute after the personal information viewing API call.
In addition, the method of detecting various malicious behaviors using the API usage information was described with reference to FIGS. 6 to 11, but this is only an example, and is not limited thereto. No wonder all the ways of judging behavior can be applied equally.
As described above, the S320 of FIG. 3 recognizes the malicious behavior of the application and its type using the API usage information. Since this step detects the malicious behavior of any application, determining whether the application is malicious code (a program that performs malicious behavior) may be terminated at this stage, but further improving the accuracy of detection of malicious code. In order to increase, in S330 it is further checked whether the process concealment and startup program registration.
A process concealment is a hidden state in which the user cannot know whether the process is running. The process concealment is performed so that the user does not appear even if the task manager is executed to terminate a process that is not needed. In general, malicious code operates as a hidden process so that users cannot terminate it in the usual way.
Startup program registration is to ensure that it always runs with booting even if the smartphone is restarted, when registered as a startup program, the application is executed even if the smartphone is shut down and turned on again. In general, malicious code operates as a hidden process to prevent termination by the user and registers as a startup program to always operate.
Since hiding a process or detecting whether it is registered in a startup program is a technique that is still widely used, it will be obvious to those skilled in the art, and thus a detailed description of the method will be omitted.
Hereinafter, the configuration of the
12 is a block diagram showing the configuration of a service server according to an embodiment of the present invention.
Referring to FIG. 12, the
The
API usage
The malicious behavior
As shown in the figure, the malicious
When the inspection for the malicious behavior is finished, the
The malicious behavior detection method of the smart phone application according to the present invention described above may be implemented as computer readable code on a computer readable recording medium. Computer-readable recording media include all kinds of recording media having data stored thereon that can be decrypted by a computer system. For example, there may be a read only memory (ROM), a random access memory (RAM), a magnetic tape, a magnetic disk, a flash memory, an optical data storage device, and the like. In addition, the computer-readable recording medium may be distributed and executed in a computer system connected to a computer network, and may be stored and executed as a code readable in a distributed manner.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention as defined in the appended claims. It will be understood that various modifications and changes may be made.
10: request terminal
30: Analysis service server
31: input unit
33: API usage information generation unit
41: malicious behavior pattern database
43: malicious behavior analysis unit
45: result output unit
Claims (16)
Generating API usage information sequentially listing one or more APIs called by an application program to determine whether malicious activity exists; And
Analyzing the API usage information and comparing the malicious behavior pattern with the predetermined malicious behaviors comprising the step of determining the presence of malicious behaviors smart phone application.
The malicious behavior detection method of the smartphone application, characterized in that the presence or absence of the malicious behavior further using at least one of the number of calls and the interval between the API call, together with the API type and calling order. .
The malicious behavior pattern is a malicious behavior detection method of a smart phone application, characterized in that it comprises a pattern according to at least one of personal information leakage, billing induction, failure occurrence induction, carrier attack, remote control attack.
The malicious behavior pattern according to the leakage of personal information is a method of detecting malicious behavior of a smart phone application, characterized in that when the network transmission API is called after the personal information viewing API or when the text message transmission API is called after the address book viewing API. .
The malicious behavior pattern according to the billing induction is a malicious behavior detection method of a smart phone application, characterized in that the call to the telephone number according to a pre-registered adult or paid service is called.
The malicious behavior pattern according to the induction of the failure occurs when at least one of a process creation API, a forced write API for a configuration file, or a temporary file creation API is called more than a predetermined number of times. Behavior detection method.
The malicious behavior pattern according to the telecommunications company attack is a method of detecting malicious behavior of a smart phone application, characterized in that when the call API and the call termination API is repeated a predetermined number of times.
The malicious behavior pattern according to the remote control attack is a case where a port binding API, a text message reception listener registration API, and a network connection API to a specific port are sequentially called.
Prior to the step of receiving a request to determine the malicious behavior for the application from the request terminal coupled through the communication network,
Malicious behavior detection method of the smart phone application, characterized in that for transmitting the malicious behavior information of the application in accordance with the determination to the request terminal.
Receiving signature information of the application program from the requesting terminal; And
Further comprising the step of retrieving one of the programs classified into a blacklist or a whitelist held in advance having the same signature as the received signature information,
Malicious behavior detection method of the smart phone application, characterized in that for performing the analysis using the API only when the search fails.
Method of extracting and listing the API by analyzing the source code of the application, or extracting and listing the API by running the application in an emulator.
Database unit for storing the pattern API information according to each malicious behavior;
An API usage information generation unit for generating API usage information sequentially listing one or more APIs called by the input application program; And
Analysis service server for detecting malicious behavior of the smart phone application including a malicious behavior analysis unit for comparing the analysis of the API usage information and the pattern API information stored in the database unit to determine the existence of malicious behavior.
The malicious behavior analysis unit detects malicious behavior of a smartphone application, characterized in that it comprises a check unit for checking whether the application is hidden or registered as a startup program.
The malicious behavior analysis unit determines the presence of the malicious behavior by using at least one of the number of calls or intervals between API calls, together with the API type and calling order. Analysis service server to detect malicious behavior.
The pattern API information, the analysis service server for detecting malicious behavior of the smartphone application, characterized in that it comprises an API pattern according to at least one of personal information leakage, billing induction, induction of failure, carrier attack, remote control attack .
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020100048173A KR20110128632A (en) | 2010-05-24 | 2010-05-24 | Method and device for detecting malicious action of application program for smartphone |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020100048173A KR20110128632A (en) | 2010-05-24 | 2010-05-24 | Method and device for detecting malicious action of application program for smartphone |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20110128632A true KR20110128632A (en) | 2011-11-30 |
Family
ID=45396783
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020100048173A KR20110128632A (en) | 2010-05-24 | 2010-05-24 | Method and device for detecting malicious action of application program for smartphone |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20110128632A (en) |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20130066901A (en) * | 2011-12-13 | 2013-06-21 | 삼성전자주식회사 | Apparatus and method for analyzing malware in data analysis system |
KR20130115045A (en) * | 2012-04-10 | 2013-10-21 | 알서포트 주식회사 | Data interception method for mobile telephone on the remote control |
KR101324691B1 (en) * | 2011-12-08 | 2013-11-04 | 한국인터넷진흥원 | System and method for detecting malicious mobile applications |
WO2014012441A1 (en) * | 2012-07-16 | 2014-01-23 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for determining malicious program |
US8661543B2 (en) | 2012-02-16 | 2014-02-25 | Electronics And Telecommunications Research Institute | Mobile terminal having security diagnosis functionality and method of making diagnosis on security of mobile terminal |
KR101414084B1 (en) * | 2013-03-28 | 2014-07-04 | 한신대학교 산학협력단 | System and for Malicious Application Detection on Mobile Device and Method thereof |
WO2014116025A1 (en) * | 2013-01-24 | 2014-07-31 | (주)잉카인터넷 | Behavior-based process inspection system and method |
KR20150008033A (en) | 2014-12-30 | 2015-01-21 | 주식회사 안랩 | Method and apparatus for inspecting malicious code of a mobile terminal |
US9448859B2 (en) | 2013-09-17 | 2016-09-20 | Qualcomm Incorporated | Exploiting hot application programming interfaces (APIs) and action patterns for efficient storage of API logs on mobile devices for behavioral analysis |
KR20170086926A (en) * | 2016-01-19 | 2017-07-27 | 삼성전자주식회사 | Apparatus for security vulnerabilities evaluation of application and control method of the same |
KR20180082504A (en) * | 2015-11-05 | 2018-07-18 | 알리바바 그룹 홀딩 리미티드 | Methods and equipment for application information risk management |
KR20210051669A (en) * | 2019-10-31 | 2021-05-10 | 삼성에스디에스 주식회사 | method for machine LEARNING of MALWARE DETECTING MODEL AND METHOD FOR detecting Malware USING THE SAME |
CN113672902A (en) * | 2021-08-31 | 2021-11-19 | 挂号网(杭州)科技有限公司 | Application program detection method, device, equipment and storage medium |
CN111191201B (en) * | 2019-12-25 | 2024-02-09 | 中国平安财产保险股份有限公司 | User identification method, device, equipment and storage medium based on data embedded point |
-
2010
- 2010-05-24 KR KR1020100048173A patent/KR20110128632A/en not_active Application Discontinuation
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101324691B1 (en) * | 2011-12-08 | 2013-11-04 | 한국인터넷진흥원 | System and method for detecting malicious mobile applications |
KR20130066901A (en) * | 2011-12-13 | 2013-06-21 | 삼성전자주식회사 | Apparatus and method for analyzing malware in data analysis system |
US8661543B2 (en) | 2012-02-16 | 2014-02-25 | Electronics And Telecommunications Research Institute | Mobile terminal having security diagnosis functionality and method of making diagnosis on security of mobile terminal |
KR20130115045A (en) * | 2012-04-10 | 2013-10-21 | 알서포트 주식회사 | Data interception method for mobile telephone on the remote control |
US9158918B2 (en) | 2012-07-16 | 2015-10-13 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for determining malicious program |
WO2014012441A1 (en) * | 2012-07-16 | 2014-01-23 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for determining malicious program |
WO2014116025A1 (en) * | 2013-01-24 | 2014-07-31 | (주)잉카인터넷 | Behavior-based process inspection system and method |
KR101414084B1 (en) * | 2013-03-28 | 2014-07-04 | 한신대학교 산학협력단 | System and for Malicious Application Detection on Mobile Device and Method thereof |
US9448859B2 (en) | 2013-09-17 | 2016-09-20 | Qualcomm Incorporated | Exploiting hot application programming interfaces (APIs) and action patterns for efficient storage of API logs on mobile devices for behavioral analysis |
KR20150008033A (en) | 2014-12-30 | 2015-01-21 | 주식회사 안랩 | Method and apparatus for inspecting malicious code of a mobile terminal |
KR20180082504A (en) * | 2015-11-05 | 2018-07-18 | 알리바바 그룹 홀딩 리미티드 | Methods and equipment for application information risk management |
US10715550B2 (en) | 2015-11-05 | 2020-07-14 | Alibaba Group Holding Limited | Method and device for application information risk management |
KR20170086926A (en) * | 2016-01-19 | 2017-07-27 | 삼성전자주식회사 | Apparatus for security vulnerabilities evaluation of application and control method of the same |
KR20210051669A (en) * | 2019-10-31 | 2021-05-10 | 삼성에스디에스 주식회사 | method for machine LEARNING of MALWARE DETECTING MODEL AND METHOD FOR detecting Malware USING THE SAME |
US11475133B2 (en) | 2019-10-31 | 2022-10-18 | Samsung Sds Co., Ltd. | Method for machine learning of malicious code detecting model and method for detecting malicious code using the same |
CN111191201B (en) * | 2019-12-25 | 2024-02-09 | 中国平安财产保险股份有限公司 | User identification method, device, equipment and storage medium based on data embedded point |
CN113672902A (en) * | 2021-08-31 | 2021-11-19 | 挂号网(杭州)科技有限公司 | Application program detection method, device, equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR20110128632A (en) | Method and device for detecting malicious action of application program for smartphone | |
He et al. | Dynamic privacy leakage analysis of Android third-party libraries | |
US8099472B2 (en) | System and method for a mobile cross-platform software system | |
CN105956474B (en) | Android platform software unusual checking system | |
US9158918B2 (en) | Method and apparatus for determining malicious program | |
KR101373986B1 (en) | Method and apparatus to vet an executable program using a model | |
US9280665B2 (en) | Fast and accurate identification of message-based API calls in application binaries | |
US9747449B2 (en) | Method and device for preventing application in an operating system from being uninstalled | |
US20160350525A1 (en) | Application Program Management Method, Device, Terminal, and Computer Storage Medium | |
KR20140074252A (en) | Secure execution of unsecured apps on a device | |
EP2769324A1 (en) | System and method for whitelisting applications in a mobile network environment | |
US10754717B2 (en) | Fast and accurate identification of message-based API calls in application binaries | |
KR20130066901A (en) | Apparatus and method for analyzing malware in data analysis system | |
CN111596971A (en) | Application cleaning method and device, storage medium and electronic equipment | |
KR20160031590A (en) | Malicious app categorization apparatus and malicious app categorization method | |
CN108932199B (en) | Automatic taint analysis system based on user interface analysis | |
WO2015037850A1 (en) | Device and method for detecting url call | |
Wu et al. | Pacs: Pemission abuse checking system for android applictions based on review mining | |
CN110348226A (en) | A kind of scan method of project file, device, electronic equipment and storage medium | |
KR101493820B1 (en) | Mobile Security System | |
JP5865180B2 (en) | Portable communication terminal, data communication detection device, data communication detection method, and program | |
CN111666581A (en) | Data protection method, device, equipment and medium | |
KR20160024719A (en) | Method and device to defend against the phishing of short message service based on operating system | |
CN107567627B (en) | Device with test execution environment | |
Khan et al. | Differences in Inter-App Communication Between Android and iOS Systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E601 | Decision to refuse application |