
Design And Implement Of An Malware Auto-analysis System On Android Platform

Posted on: 2018-08-27
Degree: Master
Type: Thesis
Country: China
Candidate: L Wang
GTID: 2428330590477760
Subject: Computer Science and Technology
Abstract/Summary:
The number of malicious applications on the Android platform has been increasing rapidly, so the demand for efficient identification of malicious applications is becoming more and more urgent. Static analysis has the advantages of high speed and accuracy when examining a single application, but it costs too much time to detect malware among a large number of applications, and it does little when it encounters obfuscation, code encryption and other application protection approaches. Dynamic detection can bypass some common anti-static-analysis methods such as code obfuscation, but its results are not ideal because of limited code coverage, so static analysis is usually needed to supplement them. In order to evaluate application security more comprehensively and effectively, this paper proposes and designs an integrated dynamic detection system that combines multiple detection methods.

The system is divided into two functional modules: an API monitoring module and a data instruction recording module. The API monitoring module monitors sensitive system API calls while the application runs, detects malicious behavior based on a behavior model of current malware, and improves code coverage in the form of a honeypot. In order to evaluate application security through its implementation principles and execution details, this paper also designs a data instruction recording module. This module records the trace of sensitive data and its related instructions by combining taint tracking and instruction monitoring. The recorded data is then analyzed to supplement the results of API monitoring.

The system can resist some common protective approaches against static analysis, and by recording sensitive data changes and related instructions, it locates malicious logic significantly more efficiently than working from statically decompiled code. In the implementation, the honeypot model is based on a customized emulator that uses API hooking and anti-anti-emulator techniques. The sensitive data tracking and instruction monitoring modules are based on TaintDroid and Indroid respectively, merging their functions. Moreover, because these functions are organized as modules, the system is easy to maintain and expand.
Keywords/Search Tags:Android, Dynamic analysis, Malware