
Journal of University of Chinese Academy of Sciences, 2015, Vol. 32, Issue 5: 689-694. DOI: 10.7523/j.issn.2095-6134.2015.05.016

• Column: Electronic Authentication •

An easy-to-deploy dynamic behavior monitoring method for Android apps

WANG Xueqiang 1,2,3, LEI Lingguang 1,2, WANG Yuewu 1,2

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;
  2. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing 100093, China;
  3. University of Chinese Academy of Sciences, Beijing 100049, China
  • Received: 2014-08-20 Revised: 2014-11-27 Published: 2015-09-15
  • Corresponding author: LEI Lingguang
  • Funding: Supported by the Secrecy Research Project of the National Administration of State Secrets Protection (BMKY2013B12-2)

An easy-to-deploy behavior monitoring scheme for Android applications

WANG Xueqiang1,2,3, LEI Lingguang1,2, WANG Yuewu1,2   

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;
  2. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing 100093, China;
  3. University of Chinese Academy of Sciences, Beijing 100049, China
  • Received: 2014-08-20 Revised: 2014-11-27 Published: 2015-09-15

Abstract:

The Android platform has become the primary target of malicious code attacks: more than 90% of Android malicious code is loaded onto user devices in the form of apps. Monitoring app behavior has therefore become an important means of countering Android malware. However, existing monitoring approaches rely on modifying the low-level code of the Android system. Because OEM vendors customize Android heavily, direct changes to the low-level code of commercial Android systems are hard for third parties to deploy on user devices. Based on an analysis of the Android process model and its code-execution characteristics, this paper proposes a program behavior monitoring scheme implemented at the application layer: by dynamically hijacking the Android virtual machine interpreter, it achieves comprehensive monitoring of application code execution. Since it makes no changes to the Android system source code, the scheme can be deployed flexibly and quickly on Android mobile devices of different models and versions. Implementation and testing of a prototype system show that it is easy to deploy, monitors comprehensively, and incurs low performance overhead.

Keywords: Android app, behavior monitoring, Dalvik hijacking, dynamic injection

Abstract:

Malicious applications pose tremendous threats to the Android platform. More than 90% of malicious code is introduced in the form of Android apps. Hence, behavior monitoring schemes for Android applications are required to address this problem. However, most existing schemes are based on system customization and are hard to deploy on devices because of Android's fragmentation. In this paper, an easy-to-deploy Android application monitoring method based on process hijacking is proposed after an analysis of the Android process model and code-execution details. The method depends on the Dalvik interpreter entry point and system call interception. The authors created a fully usable prototype of the system, and the evaluation results show that the system is easy to deploy, provides whole-scale behavior monitoring of Android applications, and incurs little performance overhead.

Key words: Android APP, behavior monitoring, Dalvik hijacking, dynamic instrumentation
