Method and device for identifying virus APK

US 10,152,594 B2
Filed: 02/23/2017
Issued: 12/11/2018
Est. Priority Date: 03/21/2012
Status: Active Grant

First Claim

Patent Images

1. A method for identifying virus Android application package file (APK), comprising:

presetting a virus database comprising virus characteristic codes, wherein the presetting the virus database further including;

scanning an executable file in a source APK,extracting specific data from the executable file in the source APK,determining whether the specific data contain virus information, wherein the specific data include header information of the executable file, constants in a constant pool of the executable file, or operation instructions in the executable file,in response to a determination that the specific data in the executable file contain virus information, generating the virus characteristic codes, wherein the generating the virus characteristic codes further comprises;

generating the virus characteristic codes using an instruction set in a classes.dex file and a JAR file in the source APK,generating the virus characteristic codes using a specific opcode in the classes.dex file and the JAR file in the source APK and a character string or wildcard of its operand, orgenerating the virus characteristic codes using the instruction set in the classes.dex file in the source APK, the specific opcode in the classes.dex file in the source APK and the character string or wildcard of its operand, andstoring the generated virus characteristic codes to the virus database;

detecting that a designated file in a target APK contains at least one of the generated virus characteristic codes; and

determining that the target APK is a virus APK.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are a method and a device for identifying a virus APK. The method comprises: presetting a virus database comprising virus characteristic codes; detecting that a designated file in a target Android installation package APK contains at least one of the virus characteristic codes; and determining that the target Android installation package APK is a virus APK. In the application, the virus APK and a variation thereof can be rapidly, accurately and effectively identified, thereby improving the security of an APK application.

Citations

15 Claims

1. A method for identifying virus Android application package file (APK), comprising:
- presetting a virus database comprising virus characteristic codes, wherein the presetting the virus database further including;
  
  scanning an executable file in a source APK,extracting specific data from the executable file in the source APK,determining whether the specific data contain virus information, wherein the specific data include header information of the executable file, constants in a constant pool of the executable file, or operation instructions in the executable file,in response to a determination that the specific data in the executable file contain virus information, generating the virus characteristic codes, wherein the generating the virus characteristic codes further comprises;
  
  generating the virus characteristic codes using an instruction set in a classes.dex file and a JAR file in the source APK,generating the virus characteristic codes using a specific opcode in the classes.dex file and the JAR file in the source APK and a character string or wildcard of its operand, orgenerating the virus characteristic codes using the instruction set in the classes.dex file in the source APK, the specific opcode in the classes.dex file in the source APK and the character string or wildcard of its operand, andstoring the generated virus characteristic codes to the virus database;
  
  detecting that a designated file in a target APK contains at least one of the generated virus characteristic codes; and
  
  determining that the target APK is a virus APK.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, wherein the executable file comprises Dex files, the Dex files comprise classes.dex files, files with an extension name .jar, and files in Dex format.
  - 3. The method according to claim 1, wherein the virus characteristic codes comprise:
    - header information characteristic code, constant characteristic code, operand characteristic code, instruction characteristic code, instruction characteristic code sequence, and class name function name characteristic code;
      
      the operation instructions in the executable file comprise two portions;
      
      opcode and operand;
      
      the header information characteristic code, constant characteristic code, operand characteristic code, and class name function name characteristic code are directly generated according to the header information, constant, operand, and class name function name including the virus information;
      
      the instruction characteristic code and the instruction characteristic code sequence are directly generated according to the operation instruction including the virus information, or generated according to the opcode and the character string or wildcard of the operand including the virus information;
      
      the storing the virus characteristic codes to the virus database comprises;
      
      storing the header information characteristic code, constant characteristic code, operand characteristic code, instruction characteristic code, instruction characteristic code sequence, class name function name characteristic code respectively in different storage areas of the database;
      
      orstoring the header information characteristic code, constant characteristic code, operand characteristic code, instruction characteristic code, instruction characteristic code sequence, class name function name characteristic code in the database, and marking a classification tag respectively.
  - 4. The method according to claim 3, wherein the detecting that a designated file in a target APK contains at least one of the generated virus characteristic codes comprises:
    - positioning header information of an executable file in the target APK, matching the head information with the header information characteristic code in the virus database, and judging the designated file in the target APK includes the virus characteristic code if they are matched; and
      
      /orpositioning a constant in the constant pool of the executable file in the APK, matching the constant with the constant characteristic code in the virus database, and judging the designated file in the target APK includes the virus characteristic code if they are matched; and
      
      /orpositioning an operand in the operation instruction of the executable file in the target APK, matching the operand with the operand characteristic code in the virus database, and judging the designated file in the target APK includes the virus characteristic code if they are matched; and
      
      /orpositioning an opcode in the operation instruction of the executable file in the target APK, matching the opcode with the instruction characteristic code in the virus database, and judging the designated file in the target APK includes the virus characteristic code if they are matched; and
      
      /orpositioning an opcode in the operation instruction of the executable file in the target APK, matching the opcode with the instruction characteristic code sequence in the virus database, and judging the designated file in the target APK includes the virus characteristic code if they are matched; and
      
      /orpositioning class name and/or function name invoked by the constant in the constant pool in the executable file and the operand in the operation instruction in the target APK, matching the class name and/or function name with the class name function name characteristic code in the virus database, and judging the designated file in the target APK includes the virus characteristic code if they are matched.
  - 5. The method according to claim 1, wherein the designated file comprises a text file, the presetting the virus database comprises:
    - extracting a Linux command in the text file and judging whether the command includes virus information;
      
      in response to a determination that the command includes virus information, generating a virus characteristic code according to the command.
  - 6. The method according to claim 5, wherein the virus characteristic codes further comprise a command characteristic code, and the detecting that a designated file in a target APK contains at least one of the virus characteristic codes further comprises:
    - positioning the text file in the target APK, matching the command in the text file with the command characteristic code in the virus database, and judging the designated file in the target APK includes the virus characteristic code if they are matched.
  - 7. The method according to claim 4, wherein constants in the constant pool in the executable file comprise constant in the character strings, types, fields and methods;
    - the header information of the executable file includes summary information checksum and/or signature information.

8. A device for identifying virus Android application package file (APK), comprising:
- a processor; and
  
  a memory communicatively coupled to the processor and storing instructions upon execution by the processor cause the device to;
  
  preset a virus database comprising a virus characteristic codes, wherein instructions upon execution by the processor cause the device to preset a virus database further comprises instructions that upon execution by the processor further cause the device to;
  
  scan an executable file in a source APK;
  
  extract specific data from the executable file in the source APK;
  
  determine whether the specific data contain virus information, wherein the specific data include header information of the executable file, constants in a constant pool of the executable file, or operation instructions in the executable file,in response to a determination that the specific data in the executable file contain virus information, generate the virus characteristic codes according to the specific data, wherein generating the virus characteristic codes further comprises;
  
  generating the virus characteristic codes using an instruction set in a classes.dex file and a JAR file in the source APK,generating the virus characteristic codes using a specific opcode in the classes.dex file and the JAR file in the source APK and a character string or wildcard of its operand, orgenerating the virus characteristic codes using the instruction set in the classes.dex file in the source APK, the specific opcode in the classes.dex file in the source APK and the character string or wildcard of its operand, andstore the generated virus characteristic codes to the virus database;
  
  detect whether a designated file in a target APK contains at least one of the generated virus characteristic codes; and
  
  determine that the target APK is a virus APK when the designated file in the target APK contains at least one of the virus characteristic code.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The device according to claim 8, wherein the executable file comprises Dex files, the Dex files comprise classes.dex files, files with an extension name .jar, and files in Dex format.
  - 10. The device according to claim 9, wherein the virus characteristic codes comprise:
    - header information characteristic code, constant characteristic code, operand characteristic code, instruction characteristic code, instruction characteristic code sequence, and class name function name characteristic code;
      
      the operation instructions in the executable file comprise two portions;
      
      opcode and operand;
      
      the header information characteristic code, constant characteristic code, operand characteristic code, and class name function name characteristic code are directly generated according to the header information, constant, operand, and class name function name including the virus information;
      
      the instruction characteristic code and the instruction characteristic code sequence are directly generated according to the operation instruction including the virus information, or generated according to the opcode and the character string or wildcard of the operand including the virus information;
      
      the storing the virus characteristic codes to the virus database further comprises;
      
      storing the header information characteristic code, constant characteristic code, operand characteristic code, instruction characteristic code, instruction characteristic code sequence, class name function name characteristic code respectively in different storage areas of the database;
      
      orstoring the header information characteristic code, constant characteristic code, operand characteristic code, instruction characteristic code, instruction characteristic code sequence, class name function name characteristic code in the database, and mark a classification tag respectively.
  - 11. The device according to claim 10, wherein the memory further storing instructions that upon execution by the processor cause the device to:
    - position header information of an executable file in the target APK, match the head information with the header information characteristic code in the virus database, and judge the designated file in the target APK includes the virus characteristic code if they are matched; and
      
      /or,position a constant in the constant pool of the executable file in the APK, match the constant with the constant characteristic code in the virus database, and judge the designated file in the target APK includes the virus characteristic code if they are matched; and
      
      /or,position an operand in the operation instruction of the executable file in the target APK, match the operand with the operand characteristic code in the virus database, and judge the designated file in the target APK includes the virus characteristic code if they are matched; and
      
      /or,position an opcode in the operation instruction of the executable file in the target APK, match the opcode with the instruction characteristic code in the virus database, and judge the designated file in the target APK includes the virus characteristic code if they are matched; and
      
      /or,position an opcode in the operation instruction of the executable file in the target APK, match the opcode with the instruction characteristic code sequence in the virus database, and judge the designated file in the target APK includes the virus characteristic code if they are matched; and
      
      /or,position class name and/or function name invoked by the constant in the constant pool in the executable file and the operand in the operation instruction in the target APK, match the class name and/or function name with the class name function name characteristic code in the virus database, and judge the designated file in the target APK includes the virus characteristic code if they are matched.
  - 12. The device according to claim 8, wherein the designated file comprises a text file, and the memory further storing instructions that upon execution by the processor cause the device to:
    - extract a command in the text file and judge whether the command includes virus information;
      
      generate a virus characteristic code according to the command when the command includes the virus information.
  - 13. The device according to claim 12, wherein the memory further storing instructions that upon execution by the processor cause the device to:
    - position the text file in the target APK, match the command in the text file with the command characteristic code in the virus database, and judge the designated file in the target APK includes the virus characteristic code if they are matched.
  - 14. The device according to claim 10, wherein constants in the constant pool in the executable file comprise constant in the character strings, types, fields and methods;
    - the header information of the executable file includes summary information checksum and/or signature information.

15. A non-transitory computer readable medium which stores the computer program comprising computer readable code, and running of said computer readable code on a computing device causes said device to carry out a method for identifying virus Android application package file (APK), said method comprising:
- presetting a virus database comprising virus characteristic codes, wherein the presetting the virus database further including;
  
  scanning an executable file in a source APK,extracting specific data from the executable file in the source APK,determining whether the specific data contain virus information, wherein the specific data include header information of the executable file, constants in a constant pool of the executable file, or operation instructions in the executable file,in response to a determination that the specific data in the executable file contain virus information, generating the virus characteristic codes, wherein the generating the virus characteristic codes further comprises;
  
  generating the virus characteristic codes using an instruction set in a classes.dex file and a JAR file in the source APK,generating the virus characteristic codes using a specific opcode in the classes.dex file and the JAR file in the source APK and a character string or wildcard of its operand, orgenerating the virus characteristic codes using the instruction set in the classes.dex file in the source APK, the specific opcode in the classes.dex file in the source APK and the character string or wildcard of its operand, andstoring the generated virus characteristic codes to the virus database;
  
  detecting that a designated file in a target APK contains at least one of the virus characteristic codes; and
  
  determining that the target APK is a virus APK.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Original Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Inventors
Wang, Xun, Zhang, Xu
Primary Examiner(s)
Armouche, Hadi S
Assistant Examiner(s)
Gao, Shu C

Application Number

US15/440,901
Publication Number

US 20170161496A1
Time in Patent Office

656 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/561   Virus type analysis

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 2221/033   Test or assess software

H04L 63/20   for managing network securi...

Method and device for identifying virus APK

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and device for identifying virus APK

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links