
Design And Implementation Of Unpacking System For Android Malicious Code Detection

Posted on: 2018-07-08
Degree: Master
Type: Thesis
Country: China
Candidate: C Huang
GTID: 2518305963492684
Subject: Computer technology
Abstract/Summary:
Android is currently one of the most popular operating systems for smart mobile terminals. However, because of its openness, fragmentation and other factors, malicious software on the platform is characterized by wide coverage, rapid iteration and diversified threats. Malicious code detection on the Android platform has therefore become an important branch of current security research. At present, research on Android malicious code is generally divided into static detection and dynamic detection. The former detects malicious code through signature matching, semantic analysis and similarity detection, while the latter relies on model analysis and behavior analysis. However, as obfuscation, reinforcement, junk code and code encryption techniques have grown stronger and the categories of assembly languages have become more complicated in recent years, traditional static detection now faces many dilemmas and low-efficiency problems. This paper first discusses the current state of malicious code detection and the mainstream analysis methods. To address the current bottleneck of static detection, it proposes a full-coverage unpacking system covering both the application layer and the native layer. With the two layers working together, the system can handle most of the techniques that malicious code adopts, such as reinforcement protection and code encryption, with good results. Second, to facilitate large-scale, industrial-level deployment, a hook framework module has been built. On top of it, the system introduces an anti-anti-emulator module that conceals the special files and properties of the emulator and responds to emulator detection. Finally, by optimizing the system framework, an unpacking architecture that can be deployed at large scale and is parallel, efficient and stable has been realized. Experiments show that the system can effectively and quickly unpack encrypted code in the application and native layers and improve the accuracy and efficiency of static detection. The system thus plays a good supporting role for traditional static detection technology.
Keywords/Search Tags:malicious code detection, static analysis, unpacking, reinforcement