Netinfo Security, 2020, Vol. 20, Issue (6): 17-25. doi: 10.3969/j.issn.1671-1122.2020.06.003

• Technical Research •

Android Malware Detection Based on SM3 and Multi-feature

ZHENG Dong, ZHAO Yue

  1. National Engineering Laboratory for Wireless Security, Xi'an University of Posts and Telecommunications, Xi'an 710121, China
  • Received: 2019-10-15 Online: 2020-06-10 Published: 2020-10-21
  • Contact: ZHAO Yue E-mail: 1354381563@qq.com
  • About the authors: ZHENG Dong (born 1964), male, from Shanxi, professor, Ph.D., main research interests: cryptography and cloud storage security | ZHAO Yue (born 1994), female, from Shandong, master's student, main research interest: mobile device security
  • Funding:
    National Natural Science Foundation of China (61772418)

Abstract:

The scheme uses the MessageDigest utility class provided by the Android system with the SM3 hash algorithm to compute an integrity hash of the APK, then compares the result with the correct hash value stored on the server. If the two hash values differ, the APK has been tampered with and can be uninstalled. The paper also designs a static permission analysis and a multi-feature malware detection model: decompiling the application yields AndroidManifest.xml and the smali files, from which permission features and API method call features are extracted. Static permission analysis calculates a dangerous-permission score from permission weight scores to judge how dangerous the application is. Multi-feature malware detection uses the Jaccard distance to compute the similarity of permission features and of API method call features, distinguishing benign software from malware. Experimental results show that SM3 integrity computation runs at about 3 times the speed of the MD5 and SHA-1 algorithms, and that the detection model can effectively identify malware and classify it, thereby protecting users' private data and preventing malware from stealing user privacy.

Key words: Android, SM3, malware, permission detection
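The multi-feature comparison described in the abstract, sketched as an added Python example that is not code from the paper: it extracts permission and API-call feature sets from a decoded manifest and smali text and scores them against reference profiles with the Jaccard distance. The smali regex, the equal weighting of the two distances, the nearest-profile decision and the reference profiles are assumptions of this example, and all sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Target of a smali invoke-* instruction, e.g. Landroid/telephony/SmsManager;->sendTextMessage
INVOKE_RE = re.compile(r"invoke-[\w/]+ \{[^}]*\}, (L[\w/$]+;->[\w<>$]+)\(")

def permissions(manifest_xml):
    """Permission names declared by <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")} - {None}

def api_calls(smali_text):
    """Framework API methods invoked in smali code (android/ and java/ classes only)."""
    return {m for m in INVOKE_RE.findall(smali_text)
            if m.startswith(("Landroid/", "Ljava/"))}

def jaccard_distance(a, b):
    """1 - |A & B| / |A | B|; two empty sets count as identical."""
    union = a | b
    return 0.0 if not union else 1.0 - len(a & b) / len(union)

def classify(perms, apis, profiles, w_perm=0.5):
    """Return (label, distance) of the nearest profile. Equal weighting is an assumption."""
    scored = {label: w_perm * jaccard_distance(perms, p)
                     + (1 - w_perm) * jaccard_distance(apis, a)
              for label, (p, a) in profiles.items()}
    best = min(scored, key=scored.get)
    return best, scored[best]

# Constructed sample inputs (not taken from the paper's data set).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SMALI = """
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;)V
    invoke-virtual {p0}, Lcom/example/sample/Main;->helper()V
"""
PROFILES = {  # hypothetical reference profiles: (permission set, API-call set)
    "benign": ({"android.permission.INTERNET"}, {"Ljava/net/URL;->openConnection"}),
    "sms-fraud": ({"android.permission.SEND_SMS", "android.permission.INTERNET"},
                  {"Landroid/telephony/SmsManager;->getDefault",
                   "Landroid/telephony/SmsManager;->sendTextMessage"}),
}

if __name__ == "__main__":
    print(classify(permissions(MANIFEST), api_calls(SMALI), PROFILES))
```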

CLC Number: