The Research Of Android Malware Static Detection Technology Based On Characteristic Tree

Posted on: 2016-05-02
Degree: Master
Type: Thesis
Country: China
Candidate: Q Li
GTID: 2308330476454977
Subject: Computer Science and Technology

Abstract/Summary:
With the rapid development of mobile internet technology and the popularization of smart devices (smartphones, pads, etc.), an increasing number of people use smart devices for entertainment, work, learning and socializing, and more and more enterprises are extending or even moving their business platforms to the mobile internet. A great deal of sensitive user information is involved when people use smart devices to access the mobile internet. At the same time, the mobile application market contains a large number of malicious applications. The security of applications on smart devices has therefore drawn more and more attention. So far, the Android operating system holds the majority share of the smartphone operating system market. Compared with other operating systems, Android has many distinctive advantages: it is easy to use, highly extensible and open source, it uses Java as its development language, and reverse-engineering techniques for it are mature. These features have not only won the support of many mobile device manufacturers' research and development efforts, but have also attracted a large number of software developers. However, they have also made Android an important target of malicious software. Consequently, it is necessary and urgent to find an effective method for detecting whether an application is malicious, in order to protect the information security of Android smartphone users.

At present, Android application detection methods can be divided into three main categories: static detection, dynamic detection and cloud detection. Because static detection is easy to implement and can be processed in parallel, it is worth further research. Currently popular static analysis of Android application packages (APKs) mainly relies on characteristics such as MD5 hashes, permissions, data flows and API (Application Programming Interface) calls. However, such methods do not consider the organization and hierarchy of the APK code, and thus they may be ineffective in detecting and predicting an APK's behavior and maliciousness.

Building on existing research on the hierarchy of API calls, a modified detection method based on a characteristic tree is implemented, and it detects the API's maliciousness by describing the characteristics of the API sample. The method works as follows: first, extract the distribution of API calls at the class-method level in the APK file; then combine it with the access permission information in AndroidManifest.xml; finally, express all of this information in a four-layer tree structure of permission-class-method-API. In the experiments, similarity is calculated by comparing the characteristic trees of different malicious applications layer by layer, and it is used to reveal how the API-call characteristics of repackaged malicious applications differ by type and family. A new, effective approach is thus provided for the static detection of Android applications. To verify the method's correctness, real-world Android malware samples and normal, legitimate samples are collected; a detection method within the sample set and a detection method for new samples are designed; and these are used to verify the correctness of the detection method and the effectiveness of the system implementation. Finally, the method's detection capability is analyzed at different levels and in different detection environments, and future research directions are discussed.
Keywords/Search Tags: Android malware, detection, static-analysis, dex, APK, characteristic-tree
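The layer-by-layer comparison of permission-class-method-API trees described in the abstract, as an added example that is not code from the thesis. Assumptions: each API call is grouped under the permission it requires, similarity per layer is the Jaccard index over root-to-node paths, the family score in `closest_family` is the unweighted mean of the four layers, and all sample trees are constructed.

```python
# Added illustration; tree layout, Jaccard measure and sample data are assumptions.
from typing import Dict, List, Set, Tuple

# permission -> class -> method -> set of API calls (four layers)
Tree = Dict[str, Dict[str, Dict[str, Set[str]]]]

def layer_paths(tree: Tree) -> List[Set[Tuple[str, ...]]]:
    """Return one set of root-to-node paths per layer of the tree."""
    layers: List[Set[Tuple[str, ...]]] = [set(), set(), set(), set()]
    for perm, classes in tree.items():
        layers[0].add((perm,))
        for cls, methods in classes.items():
            layers[1].add((perm, cls))
            for method, apis in methods.items():
                layers[2].add((perm, cls, method))
                layers[3].update((perm, cls, method, api) for api in apis)
    return layers

def jaccard(a: set, b: set) -> float:
    """|a & b| / |a | b|; two empty layers count as identical."""
    return 1.0 if not (a or b) else len(a & b) / len(a | b)

def layer_similarity(t1: Tree, t2: Tree) -> List[float]:
    """Similarity at each layer, from permission (top) down to API (bottom)."""
    return [jaccard(a, b) for a, b in zip(layer_paths(t1), layer_paths(t2))]

def closest_family(sample: Tree, references: Dict[str, Tree]) -> Tuple[str, float]:
    """Label of the reference tree with the highest mean layer similarity."""
    scores = {name: sum(layer_similarity(sample, ref)) / 4
              for name, ref in references.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]

# Constructed sample trees (not real malware data).
SMS, RPS, NET = ("android.permission.SEND_SMS",
                 "android.permission.READ_PHONE_STATE",
                 "android.permission.INTERNET")
SMS_A: Tree = {
    SMS: {"com.example.pay.Sender": {"run": {"SmsManager.sendTextMessage"}}},
    RPS: {"com.example.pay.Info": {"collect": {"TelephonyManager.getDeviceId",
                                               "TelephonyManager.getSubscriberId"}}},
}
SMS_B: Tree = {  # constructed repackaged variant of SMS_A with an extra network subtree
    SMS: {"com.example.pay.Sender": {"run": {"SmsManager.sendTextMessage"}}},
    RPS: {"com.example.pay.Info": {"collect": {"TelephonyManager.getDeviceId"}}},
    NET: {"com.example.pay.Net": {"post": {"HttpURLConnection.connect"}}},
}
BENIGN: Tree = {NET: {"com.example.app.Api": {"fetch": {"HttpURLConnection.connect"}}}}
```

Because paths are matched by name, renamed classes or methods lower the class, method and API layer scores even when the permission layer still matches.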