
Research On Android Malware Static Detection System

Posted on: 2016-11-25
Degree: Master
Type: Thesis
Country: China
Candidate: Z X Wu
Full Text: PDF
GTID: 2308330473465478
Subject: Software engineering

Abstract/Summary:
In recent years, with the rise of the mobile Internet and the growing popularity of smartphones, the mobile phone has become an indispensable part of people's daily lives. Among smartphone operating systems, Android, which is free and open source, has the highest market share. As Android phones have gained popularity, malicious software on the platform has increased as well, exposing users to a high risk of economic loss and privacy disclosure. How to detect Android malware effectively has therefore become a focus of current Android security research.

First, the thesis studies the Android system architecture and security mechanisms, introduces the classification of Android malware in detail, and analyzes the key technologies of Android software.

Second, based on the characteristics of the Android system and of malware, the thesis proposes an Android malware detection scheme that detects malware from the perspectives of repackaging, static analysis and machine learning. Repackaged applications are detected by building a database of official application signatures and matching an application's package name and the MD5 value of its signature against it. The scheme improves on traditional signature-based detection by extracting classes and functions related to malicious behavior from malware, adding them to a feature library, and using these features as the basis for judging whether software is malicious. As a result, it can detect variants of known malware. The scheme also uses data flow analysis to detect privacy disclosure. Using machine learning, the scheme selects features by mutual information, based on the connections between application permissions, API call information and malicious behaviors, and then uses naive Bayes classification to determine whether an application is malicious.

Finally, using malware collected from the Internet as test data, the thesis verifies and evaluates the scheme. The experimental results show that the scheme has good detection ability and can detect unknown malware.
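The machine-learning stage described in the abstract (mutual-information feature selection followed by naive Bayes classification) can be sketched as follows. This is an added example, not code from the thesis: the sample apps and labels are constructed, and the Bernoulli model with Laplace smoothing and the function names are assumptions, since the abstract says only "naive Bayes".

```python
import math
from collections import Counter

# Constructed training set: (requested permissions, label), 1 = malicious.
SAMPLES = [
    ({"SEND_SMS", "READ_CONTACTS", "INTERNET"}, 1),
    ({"SEND_SMS", "READ_PHONE_STATE", "INTERNET"}, 1),
    ({"SEND_SMS", "READ_CONTACTS", "READ_PHONE_STATE"}, 1),
    ({"SEND_SMS", "READ_CONTACTS", "INTERNET"}, 1),
    ({"INTERNET", "CAMERA"}, 0),
    ({"INTERNET", "ACCESS_FINE_LOCATION"}, 0),
    ({"INTERNET", "CAMERA", "READ_CONTACTS"}, 0),
    ({"INTERNET"}, 0),
]

def mutual_information(feature, samples):
    """I(F;C) in bits between presence of a feature and the class label."""
    n = len(samples)
    joint = Counter((feature in feats, label) for feats, label in samples)
    pf = Counter(feature in feats for feats, _ in samples)
    pc = Counter(label for _, label in samples)
    # Cells with zero count are absent from `joint`, so log(0) never occurs.
    return sum((cnt / n) * math.log2((cnt / n) / ((pf[f] / n) * (pc[c] / n)))
               for (f, c), cnt in joint.items())

def select_features(samples, k):
    """Keep the k features that carry the most information about the label."""
    vocab = sorted({f for feats, _ in samples for f in feats})
    return sorted(vocab, key=lambda f: (-mutual_information(f, samples), f))[:k]

def train(samples, features):
    """Bernoulli naive Bayes with Laplace smoothing (assumed variant)."""
    model = {}
    for c in (0, 1):
        rows = [feats for feats, label in samples if label == c]
        cond = {f: (sum(f in r for r in rows) + 1) / (len(rows) + 2)
                for f in features}
        model[c] = (len(rows) / len(samples), cond)
    return model

def classify(model, feats):
    """Return the class with the highest log-posterior for an app's features."""
    scores = {}
    for c, (prior, cond) in model.items():
        scores[c] = math.log(prior) + sum(
            math.log(p if f in feats else 1 - p) for f, p in cond.items())
    return max(scores, key=scores.get)
```

On this constructed data, `INTERNET` is requested by almost every app and scores low, so it is dropped at selection; an absent selected feature still contributes evidence through the `1 - p` term.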
Keywords/Search Tags:Android, malware, static detection, repackage, machine learning