
An Implementation Of Malicious Software Behavior Monitoring And Active Defense Technology In Android

Posted on: 2016-09-11
Degree: Master
Type: Thesis
Country: China
Candidate: Y Ji
Full Text: PDF
GTID: 2308330503478046
Subject: IC Engineering

Abstract/Summary:
With the growing popularity of Android smartphones, the mobile Internet has deeply influenced all aspects of our lives. However, the amount of malicious software on the Android platform is also increasing. While people enjoy the convenience of the mobile Internet, they face increasingly serious privacy and security problems. To further enhance the security of the Android platform, this thesis proposes a malicious software behavior monitoring and active defense technology that involves both the Android application layer and the application framework layer.

After analyzing the working principles of the Android security mechanism, this thesis points out its potential vulnerabilities and risks. The main work of the thesis is divided into two parts. The first part modifies the application framework layer by inserting monitoring points into key system code and system APIs; these monitoring points switch the execution of malicious behaviors over to the security policy component designed in this thesis. This newly introduced mechanism monitors the malicious behaviors of applications and protects the system from them in real time. The second part is the design and implementation of an application named Guard_Droid, with which users can customize more specific security policies. Guard_Droid uses LocalSocket communication to receive data about sensitive behaviors from the monitoring points in the application framework layer, and then returns the result of processing that data under the security policy to the monitoring points. Users can also use the application to view and manage application permissions, the numbers in the blacklists and whitelists, and the logs that record interception information.

We performed functional testing and performance testing on the Nexus 4 platform, a mobile phone running Android 4.0.3. The test results show the following. In terms of functionality, the technology handles malicious software behaviors correctly according to the specific security policy the user has customized, achieving real-time monitoring and active interception of malicious software behavior. In terms of performance, when an application executes a sensitive behavior, the security policy review takes about 200 ms. Because the sensitive behaviors that the technology monitors, such as sending text messages, making phone calls and so on, are themselves time-consuming, a delay at the hundred-millisecond level is acceptable.
Keywords/Search Tags: Android, API, malicious behaviour monitoring, active defense, LocalSocket