A Dynamic Code Loading Oriented Android Malware Detection Method Based On Hybrid Analysis

Posted on: 2019-04-17
Degree: Master
Type: Thesis
Country: China
Candidate: F Guo
Full Text: PDF
GTID: 2428330596467156
Subject: Software engineering
Abstract/Summary:
As app stores apply more and more malware detection technologies, spreading malware through app stores is becoming increasingly difficult. However, dynamic code loading (DCL) can help malware developers bypass app store detection, and existing malware detection tools do not respond well to this situation, so they need a corresponding improvement. This paper studies a large body of domestic and foreign literature and analyzes the advantages and disadvantages of existing malware detection technology. On this basis, to address the malicious use of dynamic code loading, we improve the existing control flow graph extension method and put forward a malware detection method that uses hybrid analysis to generate the control flow graph for taint analysis. The method uses a client to intercept the external code that is dynamically loaded by a third-party application. The two control flow graphs generated from the external code and from the application are merged on the server side, the missing edges are added by dynamic analysis, and taint analysis is then carried out to detect malicious behavior in the dynamically loaded external code. In addition, the method combines a blacklist and whitelist mechanism to implement protection for the user's device. In this paper, an Android malware detection method based on hybrid analysis is proposed, and a prototype system is designed and implemented according to the method. The experiments show that the prototype system produces taint analysis results similar to FlowDroid's on the data set that uses dynamic code loading, and that the taint analysis precision of the system on the improved DroidBench is up to 87%. Moreover, the system can protect the user's device from the dynamic loading of malicious code; the precision of the behaviors performed by the system is 90%. Therefore, the proposed method and the prototype system can be used in the actual monitoring of Android malware, which gives them some theoretical and practical application value.
Keywords/Search Tags:Android, Malware detection, Dynamic code loading, Hybrid analysis, Taint analysis