Method and device for extracting characteristic code of APK virus

US 9,600,668 B2
Filed: 03/12/2013
Issued: 03/21/2017
Est. Priority Date: 03/21/2012
Status: Active Grant

First Claim

Patent Images

1. A method for extracting a characteristic code of APK virus, comprising:

scanning a designated file in an Android installation package APK;

extracting an operation instruction in the designated file, and determining whether the operation instruction contains virus information; and

generating a virus characteristic code according to the operation instruction when the operation instruction contains virus information;

wherein, the designated file comprises an executable file, and the method further comprises;

extracting a constant in a constant pool of the executable file, and determining whether the constant contains virus information;

generating the virus characteristic code according to the constant when the constant contains virus information;

extracting header information of the executable file, and determining whether the header information contains virus information; and

generating the virus characteristic code according to the header information when the header information contains virus information,wherein the header information of the executable file includes summary information checksum and signature information Signature, and the determining whether the header information includes the virus information includes;

determining whether the summary information checksum and/or signature information Signature include a pre-defined illegal character string; and

generating the virus characteristic code according to the header information comprises generating the summary information checksum and/or signature information Signature as the virus characteristic code.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are a method and a device for extracting a characteristic code of an APK virus. The method comprises: scanning a designated file in an Android installation package APK; extracting an operation instruction in the designated file, and judging whether the operation instruction contains virus information; and if yes, generating a characteristic code of the virus according to the operation instruction. In the application, the characteristic code of the virus APK can be accurately and effectively extracted, so as to facilitate improvement of efficiency and accuracy of identification of the virus APK and a variation thereof, thereby improving the security of an APK application.

12 Citations

15 Claims

1. A method for extracting a characteristic code of APK virus, comprising:
- scanning a designated file in an Android installation package APK;
  
  extracting an operation instruction in the designated file, and determining whether the operation instruction contains virus information; and
  
  generating a virus characteristic code according to the operation instruction when the operation instruction contains virus information;
  
  wherein, the designated file comprises an executable file, and the method further comprises;
  
  extracting a constant in a constant pool of the executable file, and determining whether the constant contains virus information;
  
  generating the virus characteristic code according to the constant when the constant contains virus information;
  
  extracting header information of the executable file, and determining whether the header information contains virus information; and
  
  generating the virus characteristic code according to the header information when the header information contains virus information,wherein the header information of the executable file includes summary information checksum and signature information Signature, and the determining whether the header information includes the virus information includes;
  
  determining whether the summary information checksum and/or signature information Signature include a pre-defined illegal character string; and
  
  generating the virus characteristic code according to the header information comprises generating the summary information checksum and/or signature information Signature as the virus characteristic code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein the executable file comprises a Dex file, the Dex file comprises a classes.dex file, a file with an extension name .jar, and a file in Dex format.
  - 3. The method according to claim 1, wherein the operation instruction comprises opcode and operand, and the determining whether the operation instruction contains virus information comprises:
    - determining whether the operand includes a pre-defined illegal operand;
      
      and/ordetermining whether the combination of the opcode and operand complies with a predefined illegal combination rule.
  - 4. The method according to claim 3, wherein the generating the virus characteristic code according to the operation instruction comprises:
    - regarding the operation instruction itself as the virus characteristic code;
      
      and/orregarding the opcode of the operation instruction and a character string or wildcard of the operand as the virus characteristic code.
  - 5. The method according to claim 1, wherein the constants in the constant pool in the executable file include constants in character strings, types, fields and methods, and the determining whether constants contain virus information comprises:
    - determining whether constants in the character strings contain pre-defined malicious web address information, malicious file names or malicious number information;
      
      and/ordetermining whether constants in the types, fields, and methods invoke a self-defined class name, a self-defined function name, an Android system SDK class name, or an Android system function name; and
      
      generating the virus characteristic code according to the constant is regarding the virus information in the constant as the virus characteristic code.
  - 6. The method according to claim 1, wherein the designated file further comprises a text file, and the operation instruction is a linux command,the determining whether the operation instruction includes the virus information is determining whether the linux command complies with a preset malicious linux command;
    - andthe generating the virus characteristic code according to the operation instruction is regarding the linux command as the virus characteristic code.
  - 7. The method according to claim 1, wherein the method further comprises:
    - storing the virus characteristic code in a database.
  - 8. The method according to claim 7, wherein the virus characteristic code comprises:
    - header information characteristic code, constant characteristic code, operand characteristic code, instruction characteristic code, instruction characteristic code sequence, and class name function name characteristic code;
      
      the storing the virus characteristic code in the database comprising;
      
      storing the header information characteristic code, constant characteristic code, operand characteristic code, instruction characteristic code, instruction characteristic code sequence, and class name function name characteristic code respectively in different storage areas of the database;
      
      orstoring the header information characteristic code, constant characteristic code, operand characteristic code, instruction characteristic code, instruction characteristic code sequence, and class name function name characteristic code in the database, and marking a classification tag respectively.

9. A device for extracting a characteristic code of APK virus, comprising:
- a memory having instructions stored thereon;
  
  a processor to execute the instructions to perform operations for extracting a characteristic code of APK virus, the operations comprising;
  
  scanning a designated file in an Android installation package APK;
  
  extracting an operation instruction in the designated file;
  
  determining whether the operation instruction contains virus information; and
  
  generating a virus characteristic code according to the operation instruction if the operation instruction contains the virus information;
  
  wherein, the designated file comprises an executable file, the operations further comprising;
  
  extracting a constant in a constant pool of the executable file;
  
  determining whether the constant includes virus information; and
  
  generating the virus characteristic code according to the constant if the constant contains the virus information;
  
  extracting header information in the executable file;
  
  determining whether the header information includes virus information; and
  
  generating the virus characteristic code according to the header information if the header information contains the virus information,wherein the header information of the executable file includes summary information checksum and signature information Signature, and the determining whether the header information includes the virus information includes;
  
  determining whether the summary information checksum and/or signature information Signature include a pre-defined illegal character string; and
  
  generating the virus characteristic code according to the header information comprises generating the summary information checksum and/or signature information Signature as the virus characteristic code.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The device according to claim 9, wherein the executable file comprises a Dex file, the Dex file comprises a classes.dex file, a file with an extension name .jar, and a file in Dex format.
  - 11. The device according to claim 9, wherein the operation instruction comprises opcode and operand, and the operation for determining whether the operation instruction contains virus information further comprises:
    - determining whether the operand includes a pre-defined illegal operand;
      
      and/ordetermining whether the combination of the opcode and operand complies with a predefined illegal combination rule.
  - 12. The device according to claim 11, wherein the operation for generating the virus characteristic code according to the operation instruction further comprises:
    - regarding the operation instruction itself as the virus characteristic code;
      
      and/orregarding the opcode of the operation instruction and a character string or wildcard of the operand as the virus characteristic code.
  - 13. The device according to claim 9, wherein the constants in the constant pool in the executable file include constants in character strings, types, fields, and methods, and the operation for determining whether the constant includes virus information further comprises:
    - determining whether constants in the character strings contain pre-defined malicious web address information, malicious file names or malicious number information;
      
      and/ordetermining whether constants in the types, fields, and methods invoke a self-defined class name, a self-defined function name, an Android system SDK class name, or an Android system function name.
  - 14. The device according to claim 9, wherein the designated file further comprises a text file, and the operation instruction is a linux command, and the operation for determining whether the operation instruction contains virus information further comprises:
    - determining whether the linux command complies with a preset malicious linux command.

15. A non-transitory computer readable medium having instructions stored thereon that, when executed by a computing device cause the device to perform operations for extracting a characteristic code of APK virus, the operations comprising:
- scanning a designated file in an Android installation package APK;
  
  extracting an operation instruction in the designated file, and determining whether the operation instruction contains virus information; and
  
  generating a virus characteristic code according to the operation instruction when the operation instruction contains virus information;
  
  wherein, the designated file comprises an executable file, the operations further comprising;
  
  extracting a constant in a constant pool of the executable file, and determining whether the constant contains virus information;
  
  generating the virus characteristic code according to the constant when the constant contains virus information;
  
  extracting header information of the executable file, and determining whether the header information contains virus information; and
  
  generating the virus characteristic code according to the header information when the header information contains virus information,wherein the header information of the executable file includes summary information checksum and signature information Signature, and the determining whether the header information includes the virus information includes;
  
  determining whether the summary information checksum and/or signature information Signature include a pre-defined illegal character string; and
  
  generating the virus characteristic code according to the header information comprises generating the summary information checksum and/or signature information Signature as the virus characteristic code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Original Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Inventors
Wang, Xun, Zhang, Xu
Primary Examiner(s)
JHAVERI, JAYESH M

Application Number

US14/386,567
Publication Number

US 20150052611A1
Time in Patent Office

1,470 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/561   Virus type analysis

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

H04L 63/1416   Event detection, e.g. attac...

Method and device for extracting characteristic code of APK virus

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and device for extracting characteristic code of APK virus

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links