
The Research On The Android Malware Detection Methods Resilient To Packer Techniques

Posted on: 2021-02-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C J Sun
GTID: 1368330605981205
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of the mobile Internet, smart mobile terminals have risen quickly in the consumer market and become an indispensable part of daily life. As an operating system for such terminals, Android has displaced other mobile phone systems since 2011 and has dominated the global mobile operating system market for many years; as of May 2020 its market share exceeded 70%, and it has entered almost every household and changed how people live. At the same time, because of weaknesses in Android's system security policy and in app store management, Android security incidents such as malicious fee deduction, privacy theft, tariff consumption and system damage are frequently reported. These threaten the privacy and property of Android users and raise the bar for Android malware detection techniques.

While analyzing Android malware, we noticed that a considerable number of samples use obfuscation, encryption, packing and anti-debugging techniques to evade anti-virus engines. To some extent these techniques prevent the malware from being reverse-engineered and therefore from being detected. Among them, packing is one of the most effective countermeasures: a packer usually encrypts the original code of the app and restores it only by dynamic loading at runtime. Conventional malware detection methods do not account for packers and therefore have difficulty achieving good detection results.

In this thesis we study the key techniques needed to detect packed Android malware, namely Android packer recognition, Android unpacking and Android malware detection, and propose a solution for each problem. The specific work and contributions of this thesis are as follows:

(1) Android packers interfere with the automated static analysis of apps at scale, and existing packer detection frameworks have low accuracy. We propose an Android packer detection method based on weighted entropy, which improves the accuracy of packer detection. Because identifier obfuscation can significantly change the information entropy of an app, the method also uses several features that are independent of information entropy so that the detection results remain stable. Model selection and hyper-parameter optimization are used to obtain the best classifier. Experiments show that weighted entropy significantly improves the packer recognition rate, and comparison shows that the proposed method clearly outperforms similar methods.

(2) Android packers employ a variety of defense techniques, existing unpacking frameworks are complex to develop, and their effectiveness is unsatisfactory. We therefore propose an Android unpacking method based on a two-tier architecture that defeats the defenses of Android packers and allows rapid development and deployment. The two-tier design reduces the coupling between the unpacker's modules: researchers do not need to recompile the Android kernel, or even restart the system, to update the unpacking logic. The design also keeps the unpacker compatible with different Android versions and lets it adapt to the latest packing techniques through quick upgrades. To evaluate unpacking performance systematically, we propose the first unpacking performance metric, IRR (Item Recovery Ratio). Experiments show that the method outperforms related schemes and supports the mainstream packers on the market. In practice, the method can be applied to Android malware detection, Android vulnerability mining and related research.

(3) Android malware uses packing to hide malicious code, so existing detection methods based on static analysis suffer from low code coverage and low accuracy. We propose an automated Android malware detection method that is resilient to packing. It combines packer recognition, dynamic unpacking and static-analysis-based malware detection to analyze packed Android malware automatically. Static analysis keeps large-scale detection efficient; packer recognition filters out the packed apps, and dynamic unpacking restores their original code (the encrypted dex, not source code), which raises the code coverage available to the detection system. The final classification model is chosen by feature selection, model selection and hyper-parameter optimization. Experiments verify that unpacking improves the accuracy of the detection system, and comparison shows that the method outperforms similar schemes.
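As an added illustration of the packer-recognition idea in contribution (1), not code from the thesis: a standard-library Python sketch that computes a size-weighted entropy over an APK's zip entries and pairs it with two features that do not depend on entropy. The weighting (size-weighted mean of per-entry Shannon entropy), the choice of entropy-independent features (the class count read from the main dex header and the number of native libraries), the thresholds in the decision rule and both sample APKs are assumptions constructed for this example; the thesis's own feature set and trained classifier are not given on this page.

```python
"""Weighted-entropy packer indicator for APK files, standard library only.

Added illustration of the packer-recognition idea in contribution (1).
Assumptions, not the thesis's design: "weighted entropy" is the size-weighted
mean of per-entry Shannon entropy; the entropy-independent features are the
class count of the main dex and the number of native libs; the thresholds are
illustrative; both APKs are constructed in memory.
"""
import io
import math
import random
import struct
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n035\0"       # dex file magic, version 035
DEX_HEADER_SIZE = 0x70           # fixed dex header size
CLASS_DEFS_SIZE_OFF = 0x60       # offset of class_defs_size in the dex header


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_features(apk_bytes: bytes) -> dict:
    """Size-weighted entropy over all zip entries plus entropy-independent features."""
    weighted_sum, total_size, max_entry_entropy = 0.0, 0, 0.0
    native_libs, class_defs = 0, None
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            data = apk.read(info.filename)          # uncompressed entry content
            h = shannon_entropy(data)
            weighted_sum += h * len(data)
            total_size += len(data)
            max_entry_entropy = max(max_entry_entropy, h)
            if info.filename.startswith("lib/") and info.filename.endswith(".so"):
                native_libs += 1
            if (info.filename == "classes.dex" and data[:8] == DEX_MAGIC
                    and len(data) >= DEX_HEADER_SIZE):
                # A packer's shell dex usually defines only a loader stub, so a tiny
                # class count is a signal that identifier obfuscation does not change.
                class_defs = struct.unpack_from("<I", data, CLASS_DEFS_SIZE_OFF)[0]
    return {
        "weighted_entropy": weighted_sum / total_size if total_size else 0.0,
        "max_entry_entropy": max_entry_entropy,
        "native_libs": native_libs,
        "main_dex_class_defs": class_defs,
    }


def is_probably_packed(features: dict) -> bool:
    """Illustrative rule with assumed thresholds, standing in for a trained classifier."""
    high_entropy = features["weighted_entropy"] > 7.0
    stub_dex = features["main_dex_class_defs"] is not None and features["main_dex_class_defs"] < 5
    encrypted_blob = features["max_entry_entropy"] > 7.5
    return high_entropy or (stub_dex and features["native_libs"] > 0 and encrypted_blob)


def _fake_dex(class_defs: int, body: bytes) -> bytes:
    """Constructed dex-shaped blob: valid magic and header layout, arbitrary body."""
    header = bytearray(DEX_HEADER_SIZE)
    header[:8] = DEX_MAGIC
    struct.pack_into("<I", header, 0x20, DEX_HEADER_SIZE + len(body))  # file_size
    struct.pack_into("<I", header, 0x24, DEX_HEADER_SIZE)              # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)                   # endian_tag
    struct.pack_into("<I", header, CLASS_DEFS_SIZE_OFF, class_defs)
    return bytes(header) + body


def _build_apk(entries: dict) -> bytes:
    """Zip the given name -> bytes entries into an in-memory APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        for name, data in entries.items():
            apk.writestr(name, data)
    return buf.getvalue()


def sample_apks() -> dict:
    """Two constructed APKs: a plain app and a packer-shaped one (random bytes stand in for ciphertext)."""
    rng = random.Random(1234)

    def rand(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    manifest = b'<manifest package="example.app"/>'   # placeholder, not real binary XML
    plain = _build_apk({
        "AndroidManifest.xml": manifest,
        "classes.dex": _fake_dex(120, bytes(range(16)) * 1024),  # repetitive, bytecode-like filler
    })
    packed = _build_apk({
        "AndroidManifest.xml": manifest,
        "classes.dex": _fake_dex(2, bytes(range(16)) * 16),      # shell dex with a loader stub only
        "assets/payload.bin": rand(16384),                        # "encrypted" original dex
        "lib/arm64-v8a/libstub.so": rand(8192),                   # packer's native stub
    })
    return {"plain": plain, "packed": packed}


if __name__ == "__main__":
    for label, apk in sample_apks().items():
        feats = extract_features(apk)
        print(label, {k: (round(v, 3) if isinstance(v, float) else v) for k, v in feats.items()},
              "-> packed" if is_probably_packed(feats) else "-> plain")
```

The point of the two extra features follows the abstract's own caveat: renaming identifiers reshuffles the bytes of classes.dex and so shifts its entropy, but it does not change how many classes the shell dex defines or how many native stubs the package ships, so those signals stay stable. In a real pipeline the hand-written rule would be replaced by the classifier selected through model selection and hyper-parameter optimization.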
Keywords/Search Tags: Android Malware Detection, Android Unpacking, Android Packer Detection, Android App Security