Design And Implementation Of Android Detection System Based On Object Reference Graph

Android system based smart mobile devices are becoming more and more popular, however, the openness of the Android system make it a major disaster area of malicious software, which seriously threatens the development of the Android system and Android users. For the security situation of the Android system, this paper proposes a two-step malware detection algorithm combining with the existing research. First, use the Android application permissions and system class to filter and classify the application, and then employ the object reference graph detecting algorithm based on VF2 to conduct the subgraph isomorphism matching, finally determine whether a program to be detected as one type of malicious programs or not.This article first introduces the frame structure of the Android system, including the program structure, the security mechanism and insufficiency of the security mechanism. There is a detailed analysis about the behavior characteristics and attack methods of malware on Android platform. In addition, the graph isomorphism mode and graph isomorphism algorithm are presented. Combined with the actual situation of this system, it is decided to adopt the object reference graph detecting algorithm based on VF2 to solve the problem of subgraph isomorphism testing. Meanwhile, the permission and system class are employed to reduce the times of subgraph isomorphism matching. At last, this paper gives a clear explanation of the design and implementation of system, and proves the validity and usability of malware detection test through the experimental validation.The experimental results show that filter and classification of the application by the use of Android application permissions and system class can effectively reduce the times of subgraph isomorphism matching, so it is helpful to improve the efficiency of the system. The improved VF2 algorithm can efficiently detect the subgraph isomorphism between object references graphs. Overall detection system can achieve a relatively low false positives rate and false negative rate. Since the average detecting time is quite short, it is possible to meet the demand for actual use. Moreover, the system can effectively resist obfuscated attacks and detect the variants of known malware.