Authors: 孟昭逸 MENG Zhao-yi [1]; 黄文超 HUANG Wen-chao [2]; 张威楠 ZHANG Wei-nan [1]; 熊焰 XIONG Yan [2]
Affiliations: [1] School of Computer Science and Technology, Anhui University, Hefei, Anhui 230601, China; [2] School of Computer Science and Technology, University of Science and Technology of China, Hefei, Anhui 230026, China
Source: Acta Electronica Sinica (电子学报), 2024, No. 11, pp. 3669-3683 (15 pages)
Funding: National Natural Science Foundation of China (No. 62102385); Natural Science Foundation of Anhui Province (No. 2108085QF262)
Abstract: Android virtualization applications act as host programs that dynamically load the functional modules a user needs in the form of plugins. Malicious developers can exploit this property to hide their real attack intent in the execution of the plugin programs, evading detection aimed at the host application. Plugins, however, are numerous and hard to obtain and analyze, and existing pattern-based detection schemes for malicious Android virtualization applications can only detect a limited range of application types. This paper proposes a conditional-context-sensitive method for detecting malicious Android virtualization applications and implements a prototype tool, MVFinder. The method takes as its entry point the context of the conditional statements in the host application's code that trigger plugin loading or invocation, and mines the hidden maliciousness from that context; this avoids spending large resources on trying to fetch the different kinds of plugins at run time or on parsing each plugin's loading and execution pattern one by one. At the same time, the method uses anomaly detection to find samples whose conditional contexts differ markedly from those of most benign applications, and thereby identifies the target malware without the limitations of detection based on predefined rules. Experimental results show that the method outperforms the representative academic schemes VAHunt, Drebin and Difuzer in both accuracy and F1 score for detecting malicious Android virtualization applications. In addition, compared with VAHunt, MVFinder can identify variants of the HummingBad and PluginPhantom malware families.
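The abstract's two-stage idea (treat the conditions guarding plugin-loading calls as the unit of analysis, then flag apps whose conditional contexts are unusual relative to a benign baseline) can be illustrated with a small self-contained Python example. This is an added illustration, not MVFinder's code or the paper's actual feature set: the plugin-loading API list, the indentation-based search for enclosing `if` statements, the bag-of-dotted-API features, the smoothed-frequency surprise score and the two-sigma cutoff are all assumptions chosen for the example, and the decompiled "app sources" are constructed.

```python
"""Toy conditional-context anomaly detector for plugin-loading Android apps.

Added example, not MVFinder. Everything below (API list, context extraction,
feature encoding, scoring rule, threshold) is an assumption for illustration.
"""
import math
import re
from collections import Counter

# Assumption: calls whose presence marks a plugin-loading site in the host app.
PLUGIN_LOAD_APIS = ("DexClassLoader", "PathClassLoader", "loadClass", "loadDex")

IF_RE = re.compile(r"\s*if\s*\((.*)\)")
# Dotted references such as Build.FINGERPRINT.contains or pluginFile.exists
DOTTED_REF_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)+")


def conditional_contexts(source_lines):
    """Return the `if` conditions that enclose each plugin-loading call.

    Simplification: a preceding `if` line with smaller indentation is treated
    as an enclosing guard; real tools would walk the control-flow graph.
    """
    contexts = []
    for i, line in enumerate(source_lines):
        if not any(api in line for api in PLUGIN_LOAD_APIS):
            continue
        indent = len(line) - len(line.lstrip())
        for prev in reversed(source_lines[:i]):
            prev_indent = len(prev) - len(prev.lstrip())
            if prev_indent < indent and prev.lstrip().startswith("if"):
                match = IF_RE.match(prev)
                if match:
                    contexts.append(match.group(1))
                indent = prev_indent
    return contexts


def features(source_lines):
    """Bag of dotted API references used inside the guarding conditions."""
    bag = Counter()
    for cond in conditional_contexts(source_lines):
        bag.update(DOTTED_REF_RE.findall(cond))
    return bag


class ConditionalContextModel:
    """Unsupervised baseline: how surprising is an app's set of guard APIs
    given the document frequency of each API across benign apps?"""

    def __init__(self, benign_feature_sets, sigmas=2.0):
        n = len(benign_feature_sets)
        doc_freq = Counter()
        for feats in benign_feature_sets:
            doc_freq.update(set(feats))
        # Laplace smoothing so unseen APIs get a small but finite probability.
        self.prob = {tok: (cnt + 1) / (n + 2) for tok, cnt in doc_freq.items()}
        self.unseen = 1.0 / (n + 2)
        scores = [self.score(f) for f in benign_feature_sets]
        mean = sum(scores) / n
        std = math.sqrt(sum((s - mean) ** 2 for s in scores) / n)
        self.threshold = mean + sigmas * std  # assumption: two-sigma cutoff

    def score(self, feats):
        return sum(-math.log(self.prob.get(tok, self.unseen)) for tok in set(feats))

    def is_anomalous(self, feats):
        return self.score(feats) > self.threshold


# Constructed decompiled snippets (not real apps). Benign hosts gate plugin
# loading on file/preference/signature checks.
BENIGN_APPS = [
    ["void load(File pluginFile) {",
     "    if (pluginFile.exists() && pluginFile.canRead()) {",
     "        new DexClassLoader(pluginFile.getPath(), cache, null, parent);",
     "    }", "}"],
    ["void load(File pluginFile) {",
     "    if (prefs.getBoolean(\"plugin_enabled\", false)) {",
     "        if (pluginFile.exists()) {",
     "            new DexClassLoader(pluginFile.getPath(), cache, null, parent);",
     "        }", "    }", "}"],
    ["void load(File pluginFile) {",
     "    if (pluginFile.exists() && Signature.verify(pluginFile)) {",
     "        loader.loadClass(entryClass);",
     "    }", "}"],
    ["void load(File pluginFile) {",
     "    if (pluginFile.canRead()) {",
     "        new PathClassLoader(pluginFile.getPath(), parent);",
     "    }", "}"],
]
# Constructed suspicious host: loads the plugin only when not in an emulator,
# not being debugged, and after a delay since install (evasion-style guards).
SUSPICIOUS_APP = [
    "void load(File pluginFile) {",
    "    if (!Build.FINGERPRINT.contains(\"generic\") && !Debug.isDebuggerConnected()) {",
    "        if (System.currentTimeMillis() - installTime > DELAY) {",
    "            new DexClassLoader(pluginFile.getPath(), cache, null, parent);",
    "        }", "    }", "}",
]


def demo():
    """Train on the benign hosts, then score every sample."""
    model = ConditionalContextModel([features(app) for app in BENIGN_APPS])
    benign_flags = [model.is_anomalous(features(app)) for app in BENIGN_APPS]
    suspicious_flag = model.is_anomalous(features(SUSPICIOUS_APP))
    return benign_flags, suspicious_flag


if __name__ == "__main__":
    print(demo())
```

The guards of the suspicious sample (emulator check, debugger check, time delay) never occur in the benign baseline, so every token is maximally surprising and the sample lands well above the cutoff, while the benign hosts stay below it; the point is that nothing about the plugin itself had to be fetched or parsed.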
Keywords: mobile security; Android virtualization application; malicious code; context information; static analysis; anomaly detection
Classification code: TP309.5 [Automation and Computer Technology: Computer System Architecture]