CN105320886B - Method and mobile terminal for detecting whether malware exists in a mobile terminal - Google Patents
- Publication number
- CN105320886B; CN201510609599.3A
- Authority
- CN
- China
- Prior art keywords
- mobile terminal
- information
- software
- timestamp
- file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/564—Static detection by virus signature recognition
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Telephone Function (AREA)
- Stored Programmes (AREA)
Abstract
The invention discloses a method for detecting whether malware exists in a mobile terminal, and a mobile terminal. The method includes: detecting whether a file recording the timestamp of the last information collection exists in the cache of the mobile terminal; collecting information on the software installed in the mobile terminal according to the detection result; and sending the collected information to a server for checking, wherein the server is preset with information on non-malicious software for comparison with the collected information. According to this method, the information of all non-malicious software that has passed certification or checking can be preset in the server, and by collecting the information of the software installed in the mobile terminal and sending it to the server for comparison, it can be determined whether all of the software installed in the mobile terminal is non-malicious.
Description
Technical field
The invention relates to mobile terminals, and in particular to a method for detecting whether malware exists in a mobile terminal, and to a mobile terminal.
Background
In recent years smartphones have become increasingly widespread and can perform more and more functions, making them an ever more indispensable part of people's lives. In daily life, people use smartphones not only to make calls and send messages, the basic functions of a mobile terminal, but also to browse the Internet, shop, listen to music, play games and so on. All of these functions are realized by installing various applications on the mobile terminal.
However, malware has emerged alongside the development of applications for mobile terminals. Some malware continually pushes advertisements to the user through the mobile terminal. Other malware misleads the user into erroneous operations, so that services or functions are bound to the user's account without the user understanding why. Still other malware even steals passwords that the user enters on the mobile terminal, such as bank card passwords, exposing the user to significant financial risk.
Malware thus brings great inconvenience and risk to users of mobile terminals, and how to detect whether malware exists in a mobile terminal has become a problem in urgent need of a solution.
Summary of the invention
In view of this, the present invention proposes a method for detecting whether malware exists in a mobile terminal, and a mobile terminal.
According to one aspect of the invention, a method for detecting whether malware exists in a mobile terminal is provided, comprising: detecting whether a file recording the timestamp of the last information collection exists in the cache of the mobile terminal; collecting information on the software installed in the mobile terminal according to the detection result; and sending the collected information to a server for checking, wherein the server is preset with information on non-malicious software for comparison with the collected information.
According to one embodiment, if no file recording the timestamp of the last information collection exists in the cache, a full scan of all installed software in the mobile terminal is performed to collect information; and if such a file exists in the cache, information on the installed software is collected according to the last full-scan timestamp and the last incremental-scan timestamp recorded in the file in the cache, together with the current timestamp.
According to one embodiment, collecting information on the installed software according to the last full-scan timestamp and the last incremental-scan timestamp recorded in the file in the cache and the current timestamp comprises: comparing the last full-scan timestamp recorded in the file in the cache with the current timestamp; and collecting information on the installed software in the mobile terminal according to the comparison result.
According to one embodiment, collecting information on the installed software according to the comparison result comprises: if the current timestamp is later than the last full-scan timestamp recorded in the file in the cache by more than a predetermined first threshold, scanning all installed software in the mobile terminal to collect information; and if the current timestamp is later than the last full-scan timestamp recorded in the file in the cache by no more than the predetermined first threshold, collecting information on the installed software according to the last incremental-scan timestamp recorded in the file in the cache and the current timestamp.
According to one embodiment, collecting information on the installed software according to the last incremental-scan timestamp recorded in the file in the cache and the current timestamp comprises: if the current timestamp is later than the last incremental-scan timestamp recorded in the file in the cache by more than a predetermined second threshold, performing an incremental scan of the information on the installed software in the mobile terminal to collect information.
According to one embodiment, performing an incremental scan of the information on the installed software to collect information comprises: comparing the timestamps of all installed software in the mobile terminal with the last incremental-scan timestamp recorded in the file in the cache; and collecting information on the installed software whose timestamp is later than the last incremental-scan timestamp recorded in the file in the cache.
According to one embodiment, the information on each installed software item comprises a five-tuple of information about the software.
According to one embodiment, the five-tuple comprises: the app package name, the app version number, the app version name, the SHA1 value of META-INF/CERT.RSA in the app file, and the SHA1 value of AndroidManifest.xml in the app file.
According to one embodiment, collecting information on the installed software according to the detection result comprises: obtaining the app package names of the software installed in the mobile terminal; determining, from the app package name, the storage path of the installation file of the installed software; obtaining and decompressing the installation file of the installed software from that storage path; and obtaining, from the decompressed files, the app version number, the app version name, the SHA1 value of META-INF/CERT.RSA in the app file, and the SHA1 value of AndroidManifest.xml in the app file.
According to another aspect of the invention, a mobile terminal is provided, comprising: a detection unit for detecting whether a file recording the timestamp of the last information collection exists in the cache of the mobile terminal; a collection unit for collecting information on the software installed in the mobile terminal according to the detection result of the detection unit; and a sending unit for sending the collected information to a server for checking, wherein the server is preset with information on non-malicious software for comparison with the collected information.
According to one embodiment, if the detection unit detects that no file recording the timestamp of the last information collection exists in the cache, the collection unit performs a full scan of all installed software in the mobile terminal to collect information; and if the detection unit detects that such a file exists in the cache, the collection unit collects information on the installed software according to the last full-scan timestamp and the last incremental-scan timestamp recorded in the file in the cache, together with the current timestamp.
According to one embodiment, the collection unit comprises: a comparison subunit for comparing the last full-scan timestamp recorded in the file in the cache with the current timestamp; and a collection subunit for collecting information on the installed software in the mobile terminal according to the comparison result of the comparison subunit.
According to one embodiment, if the comparison subunit finds that the current timestamp is later than the last full-scan timestamp recorded in the file in the cache by more than a predetermined first threshold, the collection subunit scans all installed software in the mobile terminal to collect information; and if the comparison subunit finds that the current timestamp is later than the last full-scan timestamp recorded in the file in the cache by no more than the predetermined first threshold, the collection subunit collects information on the installed software according to the last incremental-scan timestamp recorded in the file in the cache and the current timestamp.
According to one embodiment, if the comparison subunit finds that the current timestamp is later than the last incremental-scan timestamp recorded in the file in the cache by more than a predetermined second threshold, the collection subunit performs an incremental scan of the information on the installed software in the mobile terminal to collect information.
According to one embodiment, the comparison subunit is further used to compare the timestamps of all installed software in the mobile terminal with the last incremental-scan timestamp recorded in the file in the cache, and the collection subunit is further used to collect information on the installed software whose timestamp is later than the last incremental-scan timestamp recorded in the file in the cache.
According to one embodiment, the information on each installed software item collected by the collection unit comprises a five-tuple of information about the software.
According to one embodiment, the five-tuple comprises: the app package name, the app version number, the app version name, the SHA1 value of META-INF/CERT.RSA in the app file, and the SHA1 value of AndroidManifest.xml in the app file.
According to one embodiment, the collection unit comprises: an obtaining subunit for obtaining the app package names of the software installed in the mobile terminal; a determining subunit for determining the storage path of the installation file of the installed software from the app package name obtained by the obtaining subunit; and a decompression subunit for obtaining and decompressing the installation file of the installed software from the storage path determined by the determining subunit, wherein the obtaining subunit obtains, from the files decompressed by the decompression subunit, the app version number, the app version name, the SHA1 value of META-INF/CERT.RSA in the app file, and the SHA1 value of AndroidManifest.xml in the app file.
According to the technical solution provided by the invention, the information of all non-malicious software that has passed certification or checking can be preset in the server, and by collecting the information of the software installed in the mobile terminal and sending it to the server for comparison, it can be determined whether all of the software installed in the mobile terminal is non-malicious. If the information of a software item matches none of the information preset in the server, that software installed in the mobile terminal is very likely malware, and the user can be reminded to deal with it accordingly, ensuring that the mobile terminal is used safely.
Description of drawings
Other features and advantages of the invention will be more easily understood by reading its embodiments with reference to the accompanying drawings. The drawings described here serve only to illustrate embodiments of the invention schematically, do not show all possible implementations, and are not intended to limit the scope of the invention. In the drawings:
Fig. 1 shows a flowchart of a method for detecting whether malware exists in a mobile terminal according to an exemplary embodiment of the invention;
Fig. 2 shows a flowchart of collecting information on the software installed in a mobile terminal according to the last full-scan timestamp and the last incremental-scan timestamp recorded in the file in the cache and the current timestamp, according to an exemplary embodiment of the invention;
Fig. 3 shows a flowchart of an incremental scan of the information on the software installed in a mobile terminal according to an exemplary embodiment of the invention;
Fig. 4 shows a flowchart of collecting information on the software installed in a mobile terminal according to an exemplary embodiment of the invention;
Fig. 5 shows a block diagram of a mobile terminal according to an exemplary embodiment of the invention;
Fig. 6 shows a block diagram of a collection unit according to an exemplary embodiment of the invention; and
Fig. 7 shows a block diagram of a collection unit according to another exemplary embodiment of the invention.
Detailed description
Embodiments of the invention will now be described in detail with reference to the accompanying drawings. Note that the following description is only exemplary and is not intended to limit the invention, and that, for brevity, detailed descriptions of components that are the same as in the prior art are omitted. In the following description, the same reference numerals denote the same or similar components in different drawings. Different features of the different embodiments described below can be combined with one another to form other embodiments within the scope of the invention.
Fig. 1 shows a flowchart of a method for detecting whether malware exists in a mobile terminal according to an exemplary embodiment of the invention. As shown in Fig. 1, the method 1000 may include steps S1100 to S1300. In step S1100, it is detected whether a file recording the timestamp of the last information collection exists in the cache of the mobile terminal. In step S1200, information on the software installed in the mobile terminal is collected according to the detection result. Then, in step S1300, the collected information is sent to a server for checking. The server is preset with information on non-malicious software for comparison with the collected information.
According to this embodiment, the information of all non-malicious software that has passed certification or checking can be preset in the server, and by collecting the information of the software installed in the mobile terminal and sending it to the server for comparison, it can be determined whether all of the software installed in the mobile terminal is non-malicious. If the information of a software item matches none of the information preset in the server, that software installed in the mobile terminal is very likely malware, and the user can be reminded to deal with it accordingly, ensuring that the mobile terminal is used safely.
For example, according to this embodiment, four security levels can be listed: safe, dangerous, caution and Trojan. They are defined as follows.
Safe: the application is a normal application and shows no behavior that threatens the security of the user's phone.
Dangerous: the application poses a security risk. The application may itself be malware, or it may be normal software released by a legitimate company that contains a security vulnerability which threatens the user's privacy and the security of the phone.
Caution: the application is a normal application but has some problems, for example it may cause the user to be charged inadvertently, or it has drawn complaints about unfriendly advertisements. When such an application is found, the user is prompted to use it with caution and is told what the application may do, but the user decides whether to remove it.
Trojan: the application is a virus, a Trojan or other malware. These are collectively called Trojans here for simplicity, which does not mean that the application is only a Trojan.
For example, for an Android application detected at the "Trojan" level, if malicious behavior = 3, which is 11 in binary, then bit 1 = 1 and bit 2 = 1, and the malicious behavior indicated is that the application both downloads covertly in the background and sends SMS messages without authorization. As another example, for an Android application detected at the "caution" level, if behavior description = 4, which is 100 in binary, then bit 1 = 0, bit 2 = 0 and bit 3 = 1, and the behavior indicated is that the application contains advertisements. Since the advertisements may or may not be ones the user allows, the user is prompted to use the application with caution and decides whether to remove it.
Software description information: usually expressed as a string, it describes the Android application, for example its publisher and release time. Timestamp information: indicates when the feature information of the Android application (such as normal features or Trojan features) was entered into the database. In practice, when the client user interface displays the security check result, it can first pop up the security level information and, if the user clicks the "View details" button, then show the behavior description information, the software description information and the timestamp information.
In addition, the present application can scan the objects to be monitored in combination with a machine learning engine, a cloud antivirus engine, a local antivirus engine and the like at the same time, and can also run in combination with active defense and other security detection modules.
此外,根据本实施方式,在每次收集移动终端中已安装软件的信息时,均在缓存中记录当前的时间戳。如果在子步骤S1100中检测到缓存中不存在记录上次收集信息的时间戳的文件,则说明移动终端在开机后还未对已安装软件进行过扫描,因此需对移动终端中所有已安装软件进行全量扫描(即,对所有已安装软件全部进行扫描)以收集信息。反之,如果在子步骤S1100中检测到缓存中存在记录上次收集信息的时间戳的文件,则说明曾对移动终端中已安装软件进行过扫描,因此可根据缓存中的文件记录的上次全量扫描时间戳和上次增量扫描时间戳与当前时间戳来确定如何收集移动终端中已安装软件的信息。In addition, according to this embodiment, each time the information of installed software in the mobile terminal is collected, the current time stamp is recorded in the cache. If it is detected in the sub-step S1100 that there is no file recording the time stamp of the last collected information in the cache, it means that the mobile terminal has not yet scanned the installed software after starting up, so it is necessary to scan all the installed software in the mobile terminal. Do a full scan (that is, scan all installed software) to gather information. On the contrary, if it is detected in the sub-step S1100 that there is a file recording the time stamp of the last collected information in the cache, it means that the installed software in the mobile terminal has been scanned, so the last full amount recorded according to the file in the cache can be The scan timestamp and the last incremental scan timestamp and the current timestamp determine how to collect information about installed software in the mobile terminal.
根据上述实施方式,可根据移动终端在开机后是否对已安装软件进行过扫描而区别地进行处理。According to the above implementation manners, the mobile terminal can be processed differently according to whether the installed software is overscanned after the mobile terminal is turned on.
图2示出了根据本发明一个示例性实施方式根据缓存中文件记录的上次全量扫描时间戳和上次增量扫描时间戳与当前时间戳收集移动终端中已安装软件的信息的流程图。如图2所示,当在在子步骤S1100中检测到缓存中存在记录上次收集信息的时间戳的文件时,上述子步骤S1200可包括子步骤S1210和S1220。在子步骤S1210中,比较缓存中的文件记录的上次全量扫描时间戳与当前时间戳。随后,在子步骤S1220中,可根据子步骤S1210的比较结果收集移动终端中已安装软件的信息。FIG. 2 shows a flow chart of collecting installed software information in a mobile terminal according to the last full scan time stamp, last incremental scan time stamp and current time stamp of file records in the cache according to an exemplary embodiment of the present invention. As shown in FIG. 2 , when it is detected in substep S1100 that there is a file recording the time stamp of last collected information in the cache, the above substep S1200 may include substeps S1210 and S1220. In sub-step S1210, the last full scan time stamp of the file records in the cache is compared with the current time stamp. Subsequently, in sub-step S1220, information of installed software in the mobile terminal may be collected according to the comparison result of sub-step S1210.
具体地,如果在子步骤S1210的比较结果是当前时间戳晚于缓存中文件记录的上次全量扫描时间戳已超过了预定的第一阈值,则说明移动终端已有太长时间未进行全量扫描,因此此时需要对移动终端中所有已安装软件进行扫描以收集信息。例如,可将预定的第一阈值设定为1个月,那么如果当前时间戳晚于缓存中文件记录的上次全量扫描时间戳已超过1个月,则说明移动终端已有太长时间未进行全量扫描。Specifically, if the comparison result in sub-step S1210 is that the current timestamp is later than the last full scan timestamp of the file record in the cache and exceeds the predetermined first threshold, it means that the mobile terminal has not performed a full scan for too long , so it is necessary to scan all installed software in the mobile terminal to collect information at this time. For example, the predetermined first threshold can be set to 1 month. If the current timestamp is more than 1 month later than the last full scan timestamp of the file record in the cache, it means that the mobile terminal has not been used for too long. Do a full scan.
Conversely, if the comparison in sub-step S1210 shows that the current timestamp is later than the last full-scan timestamp recorded in the cached file by no more than the predetermined first threshold, the last incremental-scan timestamp recorded in the cached file and the current timestamp can be used to determine how to collect information about the software installed on the mobile terminal. Specifically, if the current timestamp is later than the last incremental-scan timestamp recorded in the cached file by more than a predetermined second threshold, the software installed on the mobile terminal has not been incrementally scanned for a relatively long time (an incremental scan being a scan of the software installed or updated after the last scan), so an incremental scan of the installed-software information is needed to collect the information. For example, the predetermined second threshold can be set to 1 day; if the current timestamp is then more than 1 day later than the last incremental-scan timestamp recorded in the cached file, the mobile terminal has not performed an incremental scan for a relatively long time.
According to the above embodiments, by presetting the first threshold and the second threshold, the software installed on the mobile terminal can be given a full scan or an incremental scan according to the timestamps. This keeps scanning timely without occupying system resources too frequently.
Fig. 3 shows a flowchart of an incremental scan of the installed-software information on a mobile terminal according to an exemplary embodiment of the present invention. As shown in Fig. 3, the incremental scan may include sub-steps S1221 and S1222. In sub-step S1221, the timestamps of all software installed on the mobile terminal are compared with the last incremental-scan timestamp recorded in the cached file. Then, in sub-step S1222, information is collected for the installed software whose timestamp is later than the last incremental-scan timestamp recorded in the cached file.
A timestamp later than the last incremental-scan timestamp recorded in the cached file means that the software was installed or updated after the last incremental scan. This process therefore collects information about the software installed or updated since the last incremental scan. Note also that a timestamp is recorded whenever software is installed or updated on the mobile terminal.
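The threshold logic and sub-steps S1221/S1222 described above, as an added example that is not code from the patent. The 7-day first threshold, the "none" result when neither threshold is exceeded, the handling of cached timestamps that lie in the future, and all class and function names are assumptions; the 1-day second threshold is the value given in the text.

```python
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 60 * 60
FIRST_THRESHOLD = 7 * DAY   # assumption: this section gives no value for the first threshold
SECOND_THRESHOLD = 1 * DAY  # the example value the text gives for the second threshold


@dataclass
class ScanCache:
    """Timestamps (Unix seconds) recorded by the cached file."""
    last_full_scan: int
    last_incremental_scan: int


@dataclass
class InstalledApp:
    package_name: str
    last_update_time: int  # timestamp recorded when the app was installed or updated


def plan_scan(cache: Optional[ScanCache], now: int) -> str:
    """Return 'full', 'incremental' or 'none' for the current run."""
    if cache is None:
        return "full"  # no timestamp file in the cache: scan everything
    # Assumption: a cached timestamp in the future means the clock or the
    # cache file was changed, so the cache is not trusted.
    if cache.last_full_scan > now or cache.last_incremental_scan > now:
        return "full"
    if now - cache.last_full_scan > FIRST_THRESHOLD:
        return "full"
    if now - cache.last_incremental_scan > SECOND_THRESHOLD:
        return "incremental"
    return "none"  # assumption: neither threshold exceeded, nothing to collect


def select_apps(apps, cache, now):
    """Return the scan mode and the package names whose information is collected."""
    mode = plan_scan(cache, now)
    if mode == "full":
        return mode, [a.package_name for a in apps]
    if mode == "incremental":
        # S1221/S1222: keep only apps installed or updated after the last incremental scan.
        cutoff = cache.last_incremental_scan
        return mode, [a.package_name for a in apps if a.last_update_time > cutoff]
    return mode, []


# Constructed sample data.
NOW = 1_700_000_000
APPS = [
    InstalledApp("com.example.old", NOW - 30 * DAY),
    InstalledApp("com.example.updated", NOW - 3600),
]
```
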
According to an embodiment of the present invention, the information for each installed piece of software includes the software's five-tuple information. The five-tuple may include: the app package name, the app version number, the app version name, the SHA1 value of META-INF/CERT.RSA in the app file, and the SHA1 value of AndroidManifest.xml in the app file. This five-tuple information is sufficient to determine whether a piece of software installed on the mobile terminal is malware.
For example, feature one: packageName=com.wbs; feature two: none; feature three: MD5(signature[0])=294f08ae04307a649322524713318543; feature one + feature three: the security level is "Trojan". When the detection flow reaches the step "Is there a Trojan containing feature one and feature three?", the record is found and the result "Trojan" is returned.
As another example, a predefined security identification library can be set up on the mobile terminal device or on a cloud server and consulted to determine whether the five-tuple information contains abnormal information. The predefined security identification library may contain an application whitelist, an application blacklist, and application feature data. The whitelist may contain the names of known trusted applications (including the application's UID (unique identifier) and the package name of the application's installation package), the blacklist may contain the names of known malicious applications (including the application's UID (unique identifier) and the package name of the application's installation package), and the application feature data may contain data on known malicious features (for example, copycat application features).
The five-tuple above is only one representative example of the software information to be checked, and the present application is not limited to it. For example, the following information may also be collected and checked to determine whether software is malware: 1) the Android installation package name: packageName; 2) the Android installation package version number: versionCode; 3) the MD5 of the Android installation package's digital signature: signature[0]; 4) the Android component receiver; 5) the instructions in classes.dex; 6) the strings in ELF files; 7) the MD5 of each file under directories such as assets, res and lib; 8) the Android components service and activity.
Fig. 4 shows a flowchart of collecting information about the software installed on a mobile terminal according to an exemplary embodiment of the present invention. As shown in Fig. 4, step S1200 above may include sub-steps S1250 to S1280. In sub-step S1250, the app package name of the software installed on the mobile terminal is obtained. Of the five-tuple fields, only the app package name can be obtained directly. Then, in sub-step S1260, the storage path of the installed software's installation file is determined from the app package name. In sub-step S1270, the installation file of the installed software is obtained and decompressed according to that storage path. Then, in sub-step S1280, the app version number, the app version name, the SHA1 value of META-INF/CERT.RSA in the app file and the SHA1 value of AndroidManifest.xml in the app file are obtained from the decompressed files, completing the five-tuple.
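The five-tuple collection of sub-step S1280 and a comparison against preset records, as an added example that is not code from the patent. It hashes the two archive entries in memory instead of extracting the installation file to disk; the version fields are supplied by the caller rather than parsed from the binary manifest, and the function names, the result labels and the "mismatch" rule are assumptions.

```python
import hashlib
import io
import zipfile
from typing import NamedTuple, Optional


class FiveTuple(NamedTuple):
    package_name: str
    version_code: int
    version_name: str
    cert_sha1: Optional[str]      # SHA1 of META-INF/CERT.RSA, None if absent
    manifest_sha1: Optional[str]  # SHA1 of AndroidManifest.xml, None if absent


def sha1_of_entry(apk: zipfile.ZipFile, name: str) -> Optional[str]:
    """Hash one archive entry in memory; nothing is extracted to disk."""
    try:
        with apk.open(name) as entry:
            digest = hashlib.sha1()
            for chunk in iter(lambda: entry.read(65536), b""):
                digest.update(chunk)
            return digest.hexdigest()
    except KeyError:  # entry not present in the archive
        return None


def collect_five_tuple(apk_bytes, package_name, version_code, version_name):
    """Build the five-tuple; name and version fields come from the caller (assumption)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return FiveTuple(
            package_name, version_code, version_name,
            sha1_of_entry(apk, "META-INF/CERT.RSA"),
            sha1_of_entry(apk, "AndroidManifest.xml"),
        )


def classify(record, known_good, known_bad):
    """Compare one five-tuple with preset records (sets of FiveTuple)."""
    if record.cert_sha1 is None or record.manifest_sha1 is None:
        return "incomplete"  # a hashed entry is missing, so the tuple cannot be matched
    if record in known_bad:
        return "malicious"
    if record in known_good:
        return "known"
    # Assumption: same package name and version number as a known-good record
    # but different hashes is reported separately from a never-seen app.
    same_release = any(
        g.package_name == record.package_name and g.version_code == record.version_code
        for g in known_good
    )
    return "mismatch" if same_release else "unknown"


def build_sample_apk(manifest: bytes, cert: Optional[bytes]) -> bytes:
    """Constructed stand-in for an installation file: a ZIP with the two hashed entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        if cert is not None:
            z.writestr("META-INF/CERT.RSA", cert)
    return buf.getvalue()
```

The "incomplete" branch matters in practice because the signature block in META-INF is not guaranteed to be named CERT.RSA, so a collector that hashes only that path has to report the gap rather than send an empty field.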
Fig. 5 shows a block diagram of a mobile terminal according to an exemplary embodiment of the present invention. As shown in Fig. 5, the mobile terminal 5000 may include a detection unit 5100, a collection unit 5200 and a sending unit 5300. The detection unit 5100 may detect whether the cache of the mobile terminal 5000 contains a file recording the timestamp of the last information collection. The collection unit 5200 may collect information about the software installed on the mobile terminal 5000 according to the detection result of the detection unit 5100. The sending unit 5300 may send the collected information to a server for checking. The server may be preset with information about non-malicious software for comparison with the collected information.
According to one embodiment, if the detection unit 5100 detects that the cache of the mobile terminal 5000 contains no file recording the timestamp of the last information collection, the collection unit 5200 performs a full scan of all software installed on the mobile terminal 5000 to collect information. Conversely, if the detection unit 5100 detects that the cache of the mobile terminal 5000 does contain a file recording the timestamp of the last information collection, the collection unit 5200 collects information about the software installed on the mobile terminal 5000 according to the last full-scan timestamp and the last incremental-scan timestamp recorded in the cached file and the current timestamp.
Fig. 6 shows a block diagram of a collection unit according to an exemplary embodiment of the present invention. As shown in Fig. 6, the collection unit 5200 may include a comparison subunit 5210 and a collection subunit 5220. The comparison subunit 5210 may compare the last full-scan timestamp recorded in the file in the cache of the mobile terminal 5000 with the current timestamp. The collection subunit 5220 may collect information about the software installed on the mobile terminal 5000 according to the comparison result of the comparison subunit 5210.
According to one embodiment, if the comparison subunit 5210 finds that the current timestamp is later than the last full-scan timestamp recorded in the cached file by more than the predetermined first threshold, the collection subunit 5220 scans all software installed on the mobile terminal 5000 to collect information.
Conversely, if the comparison subunit 5210 finds that the current timestamp is later than the last full-scan timestamp recorded in the cached file by no more than the predetermined first threshold, the collection subunit 5220 collects information about the software installed on the mobile terminal 5000 according to the last incremental-scan timestamp recorded in the cached file and the current timestamp.
Specifically, if the comparison subunit 5210 finds that the current timestamp is later than the last incremental-scan timestamp recorded in the cached file by more than the predetermined second threshold, the collection subunit 5220 performs an incremental scan of the installed-software information on the mobile terminal 5000 to collect information.
According to one embodiment, the comparison subunit 5210 may also compare the timestamps of all software installed on the mobile terminal 5000 with the last incremental-scan timestamp recorded in the cached file. The collection subunit 5220 may collect information about the installed software on the mobile terminal 5000 whose timestamp is later than the last incremental-scan timestamp recorded in the cached file.
According to one embodiment, the information collected by the collection unit 5200 for each installed piece of software includes the software's five-tuple information. Specifically, the five-tuple may include: the app package name, the app version number, the app version name, the SHA1 value of META-INF/CERT.RSA in the app file, and the SHA1 value of AndroidManifest.xml in the app file.
Fig. 7 shows a block diagram of a collection unit according to another exemplary embodiment of the present invention. As shown in Fig. 7, the collection unit 5200 may include an acquisition subunit 5250, a determination subunit 5260 and a decompression subunit 5270. The acquisition subunit 5250 may obtain the app package name of the software installed on the mobile terminal 5000. The determination subunit 5260 may determine the storage path of the installed software's installation file from the app package name obtained by the acquisition subunit 5250. The decompression subunit 5270 may obtain and decompress the installation file of the installed software according to the storage path determined by the determination subunit 5260. The acquisition subunit 5250 may also obtain, from the files decompressed by the decompression subunit 5270, the app version number, the app version name, the SHA1 value of META-INF/CERT.RSA in the app file and the SHA1 value of AndroidManifest.xml in the app file.
The above descriptions of the embodiments of the present invention are provided for a better understanding of the invention; they are merely exemplary and are not intended to limit the invention. It should be noted that, in the above description, features described and/or illustrated for one embodiment may be used in the same or a similar manner in one or more other embodiments, combined with features of other embodiments, or substituted for features of other embodiments. Those skilled in the art will understand that various changes and modifications made to the embodiments described above without departing from the concept of the present invention all fall within the scope of the present invention.
Claims (16)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510609599.3A CN105320886B (en) | 2015-09-22 | 2015-09-22 | Detect the method and mobile terminal that whether there is Malware in mobile terminal |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105320886A (en) | 2016-02-10 |
| CN105320886B (en) | 2018-04-06 |
Family
ID=55248251
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510609599.3A Active CN105320886B (en) | 2015-09-22 | 2015-09-22 | Detect the method and mobile terminal that whether there is Malware in mobile terminal |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105320886B (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105763554A (en) * | 2016-03-28 | 2016-07-13 | 努比亚技术有限公司 | Network detection method, client, and network detection system |
| CN105787373B (en) * | 2016-05-17 | 2018-08-21 | 武汉大学 | Android terminal data leakage prevention method in a kind of mobile office system |
| CN106407799A (en) * | 2016-10-26 | 2017-02-15 | 北京金山安全软件有限公司 | Malicious file installation detection method and device, terminal and server |
| CN106850590B (en) * | 2017-01-13 | 2020-10-23 | 北京神州泰岳信息安全技术有限公司 | Software white list management method and system |
| CN108595956B (en) * | 2018-04-26 | 2023-02-17 | 腾讯科技(深圳)有限公司 | Method and device for identifying embezzlement of digital signature, electronic equipment and storage medium |
| CN113934625B (en) * | 2021-09-18 | 2024-09-13 | 深圳市富匙科技有限公司 | Software detection method, device and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101002156A (en) * | 2004-07-20 | 2007-07-18 | 联想(新加坡)私人有限公司 | Method and apparatus for speeding scan to undesirable or malicious code |
| CN101227379A (en) * | 2008-01-25 | 2008-07-23 | 中兴通讯股份有限公司 | Method and system for implementation of data synchronization |
| CN102541940A (en) * | 2010-12-31 | 2012-07-04 | 上海可鲁系统软件有限公司 | Method for controlling data integrity of industrial database |
| US8607345B1 (en) * | 2008-12-16 | 2013-12-10 | Trend Micro Incorporated | Method and apparatus for generic malware downloader detection and prevention |
| CN104081408A (en) * | 2011-11-09 | 2014-10-01 | 凯普瑞克安全公司 | System and method for bidirectional trust between downloaded applications and mobile devices including a secure charger and malware scanner |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105320886A (en) | 2016-02-10 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220712 Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015 Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park) Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Qizhi software (Beijing) Co., Ltd |