Online application stores are the hub of mobile application distribution and play an important role in malware detection. Because the applications that developers submit to application stores are newly developed and unknown to the public, the detection methods that stores commonly adopt, antivirus software and human analysis, face serious effectiveness and efficiency problems. In this proposal, we study key technologies for malware detection in application stores, mainly using dynamic analysis based on a virtualized environment. Our research includes the following parts: a) Methods for building high-fidelity virtualized smart devices and analysis environments; we try to reduce the differences between virtualized and physical devices, which are a common drawback of previous work. b) Methods for identifying execution paths that represent sensitive behaviors and for analyzing execution path constraints; we try to decrease the number of execution paths that need to be analyzed in dynamic analysis and so improve analysis efficiency. c) Dynamic analysis approaches for interactive behaviors; by solving the problem of actively triggering conditionally triggered dynamic behaviors, we can obtain a more complete analysis result than before. d) Methods for behavioral semantic inference and behavior legitimacy judgment; we try to make it easier to distinguish authorized behaviors from unauthorized ones. We expect this research to effectively improve the analysis efficiency and detection accuracy for mobile malware, and to help improve the security of smart devices and the mobile internet.
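As the distribution center for mobile device applications, the application store is a key link in detecting malware. Because application stores deal with brand-new, unknown applications submitted by developers, current schemes based on antivirus software and manual analysis cannot meet the stores' needs in detection rate or analysis efficiency. This project therefore proposes research on malware detection technology for application stores, with virtualization-based dynamic analysis at its core. It includes: research on techniques for building high-fidelity virtual analysis environments for mobile smart devices, to address the low fidelity of the software and hardware environments in existing schemes; research on sensitive behavior path identification and path constraint analysis, to reduce the path space that dynamic analysis must cover and to improve analysis efficiency and focus; research on dynamic analysis of interactive behaviors, to solve the problem of triggering dynamic behaviors that depend on specific conditions and to improve analysis coverage; and research on behavioral semantic inference and behavior legitimacy judgment, to solve the difficulty of distinguishing authorized behaviors from unauthorized ones. The project is expected to effectively improve the ability to analyze smart device malware and the accuracy of detecting it, and is of significant value for improving smart device security and the security of the mobile internet.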
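To improve the security of mobile smart devices and to better detect and analyze malware, this project carried out research on mobile smart device malware detection based on virtualization-based dynamic analysis. Using a hardware emulator and a combination of virtual hardware with physical boards, it built a high-fidelity virtual analysis environment for mobile smart devices, addressing the low fidelity of the software and hardware environments in existing schemes. It proposed a semantics-aware UI operation method and designed a dynamic analysis scheme that neither modifies nor repackages the target application, improving the dynamic behavior trigger rate and the adaptability of the analysis scheme. It proposed sensitive behavior path identification and path constraint analysis techniques, reducing the path space that dynamic analysis must cover and improving analysis efficiency and focus. It proposed a dynamic analysis technique for interactive behaviors, solving the problem of triggering dynamic behaviors that depend on specific conditions and improving analysis coverage. It proposed behavioral semantic inference and behavior legitimacy judgment techniques, solving the difficulty of distinguishing authorized behaviors from unauthorized ones. The project produced 19 research results, including 8 papers and monographs and 6 invention patents; it found 5 major classes of system and software security flaws, namely an Android floating-window DoS vulnerability, a JGRE exhaustion vulnerability, a permission bypass vulnerability, software Setting security issues, and ADB debugging security issues; and it developed 1 prototype system.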
Data last updated: 2023-05-31