
Study On Detection Of Malware Based-on Android Memory Image

Posted on: 2017-02-14
Degree: Master
Type: Thesis
Country: China
Candidate: F Cao
Full Text: PDF
GTID: 2348330503965647
Subject: Computer software and theory

Abstract/Summary:
Android systems are more exposed to attack than closed systems such as iOS because of the platform's open nature, and the huge market also attracts attackers' attention. As a result, malicious software has overrun the Android system, and malware detection on Android is a subject worthy of study. At this stage, however, most research focuses on detecting malicious software before infection, which cannot effectively detect malicious software on Android devices that have already been infected.

This thesis studies the problem of detecting malicious software on infected Android devices. By analyzing the memory image of the Android device, we can find the malicious code. The malware might be system-level malware that hides its process, or an Android application with malicious behavior.

For system-level malware that hides its process, we propose a method that detects the hidden process by comparing lists of process numbers. By analyzing the memory image, we obtain the process lists from different views, and then find the hidden process by comparing their differences. For detecting Android applications with malicious behavior, we suggest obtaining the network connections and the loaded private dynamic link libraries from the memory image and combining them with the Android permission mechanism. We classify these suspicious applications based on API calls: the classification method extracts the sensitive API calls from an application's executable file and treats them as behavioral characteristics. Finally, we use a bagging-integrated probabilistic neural network (Bagging_PNN) to classify the suspicious applications.

Some malicious applications use packers, encryption and other methods to prevent reverse analysis, which renders static detection ineffective. To solve this problem, combining with the specific testing environment, this thesis proposes a method to search for the .dex file in the process dump file. We can then use the Bagging_PNN to identify the truly malicious applications by the sensitive API calls extracted from the dex file scanned out of the suspicious process.

Finally, extensive experiments were performed to verify the methods presented above. The experimental results clearly indicate that: the hidden process detection method based on process-list comparison can find all hidden processes that are not implemented by the DKOM method, and all hidden processes in the ready state; the method of searching for dex files can obtain all the files of the suspicious applications and successfully extract sensitive API calls from them; and 87.5% of malicious applications are correctly detected by the Bagging_PNN classifier. It can be seen that the method proposed in this thesis can correctly detect malware on Android devices that have been infected. With targeted killing of the malware, the device can then avoid continued attack in time.
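As an added illustration of two analysis steps the abstract describes, cross-view process-list comparison and carving .dex files out of a process dump, the following Python is not from the thesis; the view names, PIDs and dump bytes are constructed, and only the DEX magic and the file_size header field are real format details.

```python
import struct

DEX_MAGIC = b"dex\n035\0"   # DEX header magic for format version 035
FILE_SIZE_OFFSET = 32        # header field file_size (uint32, little-endian)

def hidden_pids(full_views, partial_views):
    """Cross-view comparison. Each full view should list every live process
    (e.g. the task list and the PID hash table); partial views list only a
    subset (e.g. the run queue of ready processes). A PID missing from any
    full view is reported together with the views that still contain it."""
    union = set().union(*full_views.values(), *partial_views.values())
    hidden = {}
    for pid in sorted(union):
        if any(pid not in pids for pids in full_views.values()):
            all_views = {**full_views, **partial_views}
            hidden[pid] = [name for name, pids in all_views.items() if pid in pids]
    return hidden

def carve_dex(dump):
    """Scan a raw process dump for DEX headers and carve each file using the
    header's own file_size field. Returns (offset, bytes) pairs."""
    found, start = [], 0
    while (i := dump.find(DEX_MAGIC, start)) != -1:
        if i + FILE_SIZE_OFFSET + 4 > len(dump):
            break                                    # header cut off by the dump edge
        size = struct.unpack_from("<I", dump, i + FILE_SIZE_OFFSET)[0]
        found.append((i, dump[i:i + size]))          # may be short if the dump is truncated
        start = i + len(DEX_MAGIC)
    return found

def fake_dex(size):
    """Constructed stand-in for a DEX file: only magic and file_size are set."""
    body = bytearray(size)
    body[:8] = DEX_MAGIC
    struct.pack_into("<I", body, FILE_SIZE_OFFSET, size)
    return bytes(body)

# Constructed views of one memory image (not real data).
FULL_VIEWS = {"task_list": {1, 2, 3, 50}, "pid_hash": {1, 2, 3, 50, 777}}
PARTIAL_VIEWS = {"run_queue": {3, 888}}
# 777 was unlinked from the task list only; 888 was unlinked from both full
# lists (DKOM) but is still in the ready state, so the run queue exposes it.
# A process unlinked from every walked structure and not runnable stays
# invisible to this method, which is the limitation the abstract states.
SAMPLE_DUMP = b"\x00" * 16 + fake_dex(64) + b"\xff" * 5 + fake_dex(48)

if __name__ == "__main__":
    print(hidden_pids(FULL_VIEWS, PARTIAL_VIEWS))                 # {777: ['pid_hash'], 888: ['run_queue']}
    print([(off, len(b)) for off, b in carve_dex(SAMPLE_DUMP)])   # [(16, 64), (85, 48)]
```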
Keywords: Android OS, Memory Image, Detection of Malware, Hidden Process, Suspicious Applications