The Study Of Malicious Code Detection Technology On Android Platform

Posted on: 2016-11-04
Degree: Master
Type: Thesis
Country: China
Candidate: W Q Wang
GTID: 2298330467991923
Subject: Computer technology

Abstract/Summary:
In recent years, the use of intelligent devices has expanded steadily along with the rapid development of 3G/4G communication technology. Among these devices, mobile terminals running the Android system hold the largest share of the market. Today, mobile terminals not only serve consumers' cultural and entertainment needs; extended functions such as mobile office work, mobile payment and mobile finance are also becoming more mature, and a growing amount of added value is attached to the use of mobile devices. At the same time, the value of the information brought by the rapid development of the Android system has increased the amount of malicious code. In the early stages of the Android system, most malicious code harmed consumers by maliciously running up their charges or draining their data traffic. More recent malicious code, however, seeks illegal profit through malicious extensions, bundled plug-ins, and theft of private data (e.g. the address book). From this we can see that the information security issues of Android systems need to be solved without delay.

Today, the main detection methods for malicious code are scanning for static features and matching file signatures. These static detection methods have defects: they produce too many false alarms, while new types of malicious code are easily missed. In this thesis, the author proposes a design that combines the advantages of both static and dynamic detection systems.

The design takes the data flow graphs and data charts produced by static analysis and feeds them back to the dynamic analysis sandbox, in order to provide more accurate function hook points and the paths taken by all program branches. In this way, the system is able to obtain complete data on the software's characteristics and the paths of sensitive data.

The main work is as follows:

(1) Building upon the traditional static analysis module, we added a graph generator that can generate the data flow graph, class graph, API call graph and component call graph. These graphs can accurately reflect runtime behavior information of the malware being analyzed.

(2) Building upon the traditional sandbox module, we added a kernel mode code instrumentation module that dynamically generates Java instrumentation code, which can record detailed runtime information of the malware being analyzed.

(3) To construct a solid analysis system, we selected several major malware categories such as root exploit, RAT, and password stealer. We then extracted their runtime behavior and performed a detailed analysis of the runtime data flow of sensitive data.

(4) We built a web system that makes the malicious code detection system available to users as an online web service.
Keywords/Search Tags: Android, Malicious code detection, Static, Dynamic