Research On The Method Of Malicious Behavior Detection For Android Platform Application

Posted on: 2015-07-08
Degree: Master
Type: Thesis
Country: China
Candidate: Z C He
GTID: 2348330518970619
Subject: Engineering

Abstract/Summary:
In recent years, along with the rapid development of the Android platform, there has been a sharp increase in malicious Android applications. Malicious applications spread mainly through third-party application markets and downloads, yet there is no effective means of checking uploaded applications for malicious behavior, and existing malware detection methods have many problems in areas such as one-sided behavior triggering, behavior monitoring and test results.

To solve these problems, this paper presents AMBDS, a malicious behavior testing framework. To extract runtime behavior information comprehensively, the AMBDS framework modifies the Android source code and uses the compiled Android emulator to monitor Java calls, local method calls and network behavior, capturing application runtime behavior at multiple levels. To identify malicious behavior more accurately and to help users find misstatements or omissions, the AMBDS framework extracts features and parameters from behavior logs and identifies malicious behavior by feature matching. At the same time, it provides behavior detection reports at multiple levels of detail, making it easy for users to find omitted or misstated malicious behavior and then correct the behavior characteristics library, which improves the malicious behavior recognition accuracy of the AMBDS framework. To deal with the problem of poor behavior triggering, this paper designs the DroidRunner behavior trigger model, which uses a multi-combine equilibrium traversal algorithm and a special event trigger library to raise the coverage of an application's inner routes and sensitive behavior, thereby triggering malicious behavior effectively.

To test and verify the correctness and feasibility of the AMBDS framework, this paper implements the AMBDS malicious behavior testing framework in Python and Java. Results show that the modified emulator increased the demand on CPU and memory but achieved the expected effect of application behavior monitoring. Compared with Monkey and Monkeyrunner, DroidRunner improved the coverage of applications' inner runtime behavior and was more sensitive to malicious behavior. Finally, detection of self-written malicious samples and malicious samples from the network showed that the AMBDS framework can identify the malicious behavior of applications more efficiently and accurately.
Keywords/Search Tags:Android, multilayer behavior monitoring, malicious behavior, automatically trigger