[go: up one dir, main page]

CN111092993B - Method and system for detecting hijacking behavior of apk file - Google Patents

Method and system for detecting hijacking behavior of apk file Download PDF

Info

Publication number
CN111092993B
CN111092993B CN202010198758.6A CN202010198758A CN111092993B CN 111092993 B CN111092993 B CN 111092993B CN 202010198758 A CN202010198758 A CN 202010198758A CN 111092993 B CN111092993 B CN 111092993B
Authority
CN
China
Prior art keywords
application
advertisement
activation
click
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010198758.6A
Other languages
Chinese (zh)
Other versions
CN111092993A (en
Inventor
谭鑫
白冬立
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Hot Cloud Technology Co ltd
Original Assignee
Beijing Hot Cloud Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Hot Cloud Technology Co ltd filed Critical Beijing Hot Cloud Technology Co ltd
Priority to CN202010198758.6A priority Critical patent/CN111092993B/en
Publication of CN111092993A publication Critical patent/CN111092993A/en
Application granted granted Critical
Publication of CN111092993B publication Critical patent/CN111092993B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M1/00Substation equipment, e.g. for use by subscribers
    • H04M1/72Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
    • H04M1/724User interfaces specially adapted for cordless or mobile telephones
    • H04M1/72403User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality
    • H04M1/72406User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality by software upgrading or downloading
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/128Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30Security of mobile devices; Security of mobile applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/68Gesture-dependent or behaviour-dependent

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Human Computer Interaction (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Animal Behavior & Ethology (AREA)
  • General Health & Medical Sciences (AREA)
  • Social Psychology (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention provides a method and a system for detecting hijack behavior of an apk file, wherein the method comprises the steps of recording information into a database, and further comprises the following steps: judging whether the apk file is hijacked or not by using a hijacking working module; outputting a judgment result; and graphically displaying the structured data to the UI interface. The method and the system for detecting the hijacking behavior of the apk file are attributed to the hijacking and the hijacked party, are associated with the advertisement putting activity information, detect and estimate the installation hijacking action in real time, automatically correct a judgment model and reduce the false killing rate.

Description

Method and system for detecting hijacking behavior of apk file
Technical Field
The invention relates to the technical field of text word feature extraction, in particular to a method and a system for detecting hijacking behavior of an apk file.
Background
With the popularization of smart phones, more and more software suppliers develop various software for downloading by mobile phones, and publicize in an advertisement mode to guide customers to download applications through browsers. However, when many users download the application through the browser and prepare for installation, the mobile phone pops up a dialog box to prompt that the source of the application is unknown, the application is not downloaded from an official channel, and viruses or unsafe factors are possible to suggest to download from the official channel; alternatively, after downloading, the system prompts for an advertising plug-in labeled "potentially risky". After seeing similar prompts, most users can go to the application market of the mobile phone to download the application according to the guidance. In the process, the mobile phone application store conducts drainage to the application store by using the convenience of the authority, the application downloading amount of the application store is increased, and the purposes of completing achievement and improving propaganda and popularization effects are achieved.
The method is introduced into a mobile internet advertisement promotion service, a user downloads an app from a browser, possibly by clicking an advertisement of relevant content, and the promotion of the advertisement is that an application developer, as an advertisement promotion demander (hereinafter referred to as an advertiser), entrusts a plurality of advertisement providers (hereinafter referred to as advertisement platforms) to distribute the advertisement to mobile phone terminals of the users, after the users watch the advertisement, if the users are interested in the advertisement and strongly intend to know the content expressed by the advertisement, the areas where the advertisement materials are located are clicked, and according to the logic of mobile internet advertisement distribution, the situation described at the beginning of an article will occur: the user downloads an application in a browser, and generally, an advertiser embeds a customized tag (channel _ id) in a terminal file (apk file) of the application before launching, and gives the apk package promoted to each advertisement platform, wherein the channel _ id is different and globally unique, that is to say, the advertiser can judge the effect of advertisement distribution by the advertisement platform by observing the download amount of the apk packages with different channel _ ids. However, the mobile phone app store will guide the user to the mobile phone app store to download the app through excessive reminding and distorted guidance, and the app in the app store belongs to the app on the shelf of the app store, and there is no channel _ id of the advertisement platform in the apk file, and after the user opens the app for the first time, the amount of downloading will be recorded as what the mobile phone app store brings. The behavior of inducing a user to download a non-target file (application) is called as android application store installation hijacking (hereinafter referred to as installation hijacking) in the industry, the behavior of inducing the user to download the non-target file (application) is maliciously interfered, the user is prevented from downloading and installing other application distribution software, the behavior of intercepting and guiding the software to a software store carried by the mobile phone can form illegal competition, a plurality of mobile phone equipment manufacturers are also proposed for lawsuits many times, and a judicial department brightens the attitude-a new illegal competition law starting to be implemented in 1 month and 1 day of 2019, so that illegal competition of the internet is increased for the first time, and an operator misleads the user by using a network technology, interferes with the normal operation of other operators and other behaviors, and is subjected to legal punishment and accountability. However, even if legal constraints exist, the actual situation is not optimistic, the problem of installation hijacking still exists, and the user experience and the advertisement effectiveness measurement of an advertiser are influenced.
Because the mobile phone application store belongs to the sub-application under the mobile phone equipment manufacturer system, the whole scene of hijacking action, and other external company products or plug-ins, including advertisers and third-party statistics monitoring companies, are not authorized to sense and detect, which also becomes a technical difficulty for solving the problem; due to technical barriers, the technical logic related to installation hijacking detection of other existing companies is not disclosed to the outside of every company, but the defects of lack of real-time performance, high false kill rate and necessary analysis dimension on the product function cause low working efficiency of the installation hijacking detection function.
The invention patent application with publication number CN109905390A discloses an APP hijacking detection method, an API package and a storage medium, wherein the method comprises the following steps: monitoring a view focus event in a global mode; calling a simulation click event API when the view loses focus; performing exception capture on the simulation click event API code; if capturing the abnormality, judging that the abnormality is hijacked; and if the abnormity is not captured, the safety is judged. The method has the disadvantages that 1, the patent is not embodied in the application in the mobile internet advertising industry, and attribution calculation and channel index analysis of the advertisements are not carried out; 2. the simulated click event is not the click event actually reported by the user, and the calculation precision and accuracy are greatly reduced; 3. the abnormal judgment rule is not dynamic, different apps of different customers use the product, and the effect has errors; 4. the lack of an early warning mechanism is detection only.
Disclosure of Invention
In order to solve the technical problems, the method and the system for detecting the hijacking behavior of the apk file, which are provided by the invention, attribute to the hijacking and the hijacked party, are associated with the advertisement putting activity information, detect and estimate the installation hijacking action in real time, automatically correct a judgment model and reduce the false kill rate.
The first purpose of the invention is to provide a method for detecting hijacking behavior of an apk file, which comprises the following steps of recording information into a database:
step 1: judging whether the apk file is hijacked or not by using a hijacking working module;
step 2: outputting a judgment result;
and step 3: graphically displaying the structured data to a UI interface;
the information includes advertisement click data and App activation data.
Preferably, the step 1 comprises the following sub-steps:
step 11: matching one click closest to the activation time with the input App activation data according to the equipment attribution and/or the fingerprint information attribution;
step 12: judging the time difference between the click time and the activation time;
step 13: and judging whether the download address of the advertisement promotion activity to which the click belongs is consistent with the download address to which the package _ name belongs in the activation data.
In any of the above aspects, preferably, the step 12 includes:
1) when determined from the device attribution, the time difference is less than a first time threshold T1;
2) when the determination is made based on the attribution of fingerprint information, the time difference is less than a second time threshold T2.
In any of the above schemes, preferably, the step 12 includes judging by using a self-correction mechanism and a prevention mechanism; the self-correction mechanism is that in the app promotion process within 7 days of cyclic observation according to normal distribution, the backtracking valid period T is equally divided into n sections within the activation backtracking valid period T set by an advertiser, the average value of activation time difference clicked in the section with the largest attribution data amount is taken, the backtracking valid period T is used as a refresh frequency, and the threshold value of the time difference is updated, wherein n is a natural number; the prevention mechanism is used for marking app with the hijack frequency larger than a frequency threshold value and an application market and prompting an advertiser to adjust an advertisement putting plan.
In any of the above schemes, preferably, the hijacking frequency determination method is that in advertisement promotion for 3 consecutive days, activation greater than or equal to the first proportional threshold is hijacked by an application market, and a platform greater than or equal to the second proportional threshold is affected by the activation.
In any of the above schemes, preferably, the step 13 includes marking the attribution result as packageType =1 when the inconsistency is determined, that is, determining that the app store is hijacked.
In any of the above schemes, preferably, the step 2 includes placing the attribution result marked as packageType =1 in a new table, generating structured data.
In any of the above schemes, preferably, the method for acquiring advertisement click data includes the steps of:
step a 1: the user browses the advertisement in the application A, the advertisement is displayed to the user in the application A by an advertiser A1 entrusted an advertisement platform A2, the user is interested in the content displayed by the advertisement, and corresponding advertisement materials are clicked;
step a 2: after the advertisement is clicked, sending a click URL from an application A client, wherein the click URL carries detailed information of the clicked advertisement, and a background receives click data;
step a 3: and attributing the click data, and extracting attribution data of the click end.
In any of the above schemes, preferably, the method for acquiring App activation data includes the following steps:
step b 1: clicking an advertisement by a user;
step b 2: skipping to the browser to prepare for downloading the application A;
step b 3: the application store changes the download address A1 of the application A to a download address B1, and the user downloads the application B from the download address B1 without perception;
step b 4: the user installs and opens application B for the first time;
step b 5: after the user opens the application B for the first time, the SDK completes the initialization of the SDK and collects the information of related equipment;
the application A and the application B are the same application, and the difference is that the download addresses stored in the application A and the application B are different.
The second purpose of the invention is to provide a system for detecting hijacking behavior of an apk file, which comprises a database for inputting information, and further comprises the following modules:
a hijacking working module: used for judging whether the apk file is hijacked or not;
an output module: used for outputting the judged result;
a display module: the system is used for graphically displaying the structured data to the UI interface;
the information comprises advertisement click data and App activation data;
the system detects the hijacking behavior of the apk file according to the method described in the first aim.
In any of the above schemes, preferably, the operation of the hijacking operation module includes the following sub-steps:
step 11: matching one click closest to the activation time with the input App activation data according to the equipment attribution and/or the fingerprint information attribution;
step 12: judging the time difference between the click time and the activation time;
step 13: and judging whether the download address of the advertisement promotion activity to which the click belongs is consistent with the download address to which the package _ name belongs in the activation data.
In any of the above aspects, it is preferable that the step 12 includes that the time difference is smaller than the first time threshold T1 when the judgment is made according to the device attribution.
In any of the above schemes, preferably, the step 12 further includes that the time difference is smaller than a second time threshold T2 when the judgment is made according to the attribution of the fingerprint information.
In any of the above embodiments, step 12 preferably includes determining using a self-correction mechanism and a prevention mechanism.
In any of the above schemes, preferably, the self-correction mechanism is that the active backtracking valid period T set by the advertiser is equally divided into n sections according to normal distribution, an average value of activation time differences clicked in one section with the largest attribution data amount is taken, and the threshold of the time differences is updated with the backtracking valid period T as a refresh frequency, where n is a natural number.
In any of the above schemes, preferably, the prevention mechanism is to mark apps and application markets, where the frequency of hijacking is greater than a frequency threshold, and prompt an advertiser to adjust an advertisement delivery plan.
In any of the above schemes, preferably, the hijacking frequency determination method is that in advertisement promotion for 3 consecutive days, activation greater than or equal to the first proportional threshold is hijacked by an application market, and a platform greater than or equal to the second proportional threshold is affected by the activation.
In any of the above schemes, preferably, the step 13 includes marking the attribution result as packageType =1 when the inconsistency is determined, that is, determining that the app store is hijacked.
In any of the above schemes, preferably, the step 2 includes placing the attribution result marked as packageType =1 in a new table, generating structured data.
In any of the above schemes, preferably, the method for acquiring advertisement click data includes the steps of:
step a 1: clicking an advertisement by a user;
step a 2: the background receives click data;
step a 3: and attributing the click data, and extracting attribution data of the click end.
In any of the above solutions, preferably, the step a1 includes the user browsing the advertisement in application a, and the advertiser a1 entrusts the advertising platform a2 to show the advertisement to the user in application a, and the user is interested in the content shown by the advertisement and clicks the corresponding advertisement material.
In any of the above solutions, preferably, the step a2 includes sending a click URL from the application a client after the advertisement is clicked, where the click URL carries details of the advertisement clicked this time.
In any of the above schemes, preferably, the method for acquiring App activation data includes the following steps:
step b 1: clicking an advertisement by a user;
step b 2: skipping to the browser to prepare for downloading the application A;
step b 3: the application store changes the download address A1 of the application A to a download address B1, and the user downloads the application B from the download address B1 without perception;
step b 4: the user installs and opens application B for the first time;
step b 5: after the user opens the application B for the first time, the SDK completes the initialization of the SDK and collects the information of related equipment;
the application A and the application B are the same application, and the difference is that the download addresses stored in the application A and the application B are different.
The invention provides a method and a system for detecting hijacking behaviors of an apk file, which can detect the amount of hijacking, but by observing the change trend of promotion and activation before and after an advertiser uses an installation hijacking function, the advertiser can recover, mark and prevent about 10-30% of advertisement promotion effect.
Apk is an abbreviation of Android package, i.e., an application software installation package of the Android system.
App refers to software installed on a smartphone.
The package _ name refers to an application entry integrated within the client SDK, which may be defined by the advertiser itself, and the apps that are on-shelf at different app stores, which may differ in value. For determining the source of activation (which application store, or channel).
The packagetType is an activation mark used for marking whether the activation is hijacking activation, 1 is hijacking activation, and 0 is normal activation. .
Drawings
FIG. 1 is a flow chart of a preferred embodiment of the method for detecting hijacking behavior of an apk file according to the present invention.
FIG. 2 is a flowchart of a preferred embodiment of a hijacking job module determining method of the method for detecting hijacking behavior of an apk file according to the present invention.
FIG. 3 is a flowchart of a preferred embodiment of the method for acquiring advertisement click data according to the method for detecting hijacking behavior of an apk file of the present invention.
Fig. 4 is a flowchart of a preferred embodiment of the method for acquiring App activation data of the method for detecting hijacking behavior of an apk file according to the present invention.
FIG. 5 is a block diagram of a preferred embodiment of a system for detecting hijacking of apk files in accordance with the present invention.
FIG. 6 is a flowchart of a preferred embodiment of the user interaction steps and technical process of the method for detecting hijacking behavior of an apk file according to the present invention.
FIG. 7 is a flowchart of a preferred embodiment of the hijacking module logic of the system for detecting the hijacking behavior of the apk file according to the present invention.
Detailed Description
The invention is further illustrated with reference to the figures and the specific examples.
Example one
As shown in fig. 1, step 100 is performed to enter information into a database. The information includes advertisement click data and App activation data. As shown in fig. 2, the method for acquiring advertisement click data includes the following steps: step 1a1 is executed, the user clicks on the advertisement; the user browses the advertisement in application a, and the advertiser a1 entrusts the advertisement platform a2 to present the advertisement to the user in application a, and the user is interested in the content presented by the advertisement and clicks the corresponding advertisement material. Step 1a2 is executed, and the background receives click data; and after the advertisement is clicked, sending a click URL from the application A client, wherein the click URL carries the detailed information of the clicked advertisement. And step 1a3 is executed, the click data is attributed, and attribution data of the click end is extracted. As shown in fig. 3, the method for acquiring App activation data includes the following steps: step 1b1, the user clicks on an advertisement. Step 1b2, jump to the browser to prepare for downloading application A. Step 1B3, the application store changes the download address A1 of the application A to the download address B1, and the user downloads the application B from the download address B1 without perception. Step 1B4, the user installs and opens application B for the first time. Step 1B5, after the user opens application B for the first time, the SDK completes the SDK initialization and collects the related device information. The application A and the application B are the same application, and the difference is that the download addresses stored in the application A and the application B are different.
Step 110 is executed, and the hijacking working module is used to determine whether the apk file is hijacked. In this step, the device attribution and/or fingerprint information attribution is used to match the one click closest to the activation time, respectively. As shown in fig. 4, when device attribution is adopted, step 111 is executed first, and the entered App activation data matches the one click closest to the activation time according to the device attribution. Step 113 is executed to determine whether the time difference between the click time and the activation time is smaller than a first time threshold T1 (in this embodiment, T1=30 minutes). The step adopts a self-correction mechanism and a prevention mechanism for judgment. The self-correction mechanism is that the backtracking effective period T is equally divided into n sections within the activation backtracking effective period T set by an advertiser according to normal distribution, the average value of the activation time difference clicked within the section with the most attributive data amount is taken, and the threshold value of the time difference is updated by taking the backtracking effective period T as the refresh frequency, wherein n is a natural number. In the present embodiment, the activation backtracking validity period T is set to 7 days, and the 7 days are equally divided into 336 sections, that is, each section has a duration of 30 minutes. Recording the number of attribution data flying within each thirty minutes, finding a time zone with the maximum number of attributions, extracting the time difference from clicking to activating in each attribution data, and averaging after accumulation to serve as a self-correction value. The prevention mechanism is to mark apps and application markets with hijacking frequencies greater than a frequency threshold value and prompt an advertiser to adjust an advertisement delivery plan, wherein the hijacking frequencies = hijacking activation number/total activation number, and the activation numbers can be subdivided according to dimensions of market quote and app promotion. The judgment method of the hijacking frequency is that in the advertisement promotion of 3 continuous days, the activation which is greater than or equal to the first proportional threshold is hijacked by the application market, and the platform which is greater than or equal to the second proportional threshold is influenced by the activation. If the time between the click time and the activation time is not less than the first time threshold T1, step 114 is executed, and the activation data is a normal activation. If the time of the click time and the activation time is less than the first time threshold T1, step 115 is executed to determine whether the download address of the advertisement promotion activity to which the click belongs is consistent with the download address to which the package _ name belongs in the activation data. If the download address of the advertisement promotion activity to which the click belongs is consistent with the download address to which the package _ name belongs in the activation data, step 116 is executed, and the attribution result is marked as packageType =0, that is, it is determined that the application store is not hijacked. If the download address of the advertisement promotion activity to which the click belongs is not consistent with the download address to which the package _ name belongs in the activation data, step 117 is executed, and the attribution result is marked as packageType =1, that is, it is determined that the application store is hijacked.
As shown in fig. 4, when device attribution is adopted, step 112 is executed first, and the entered App activation data matches the one click closest to the activation time according to the fingerprint information attribution. Step 113 is executed to determine whether the time between the click time and the activation time is less than a first time threshold T1 (in this embodiment, T1=30 minutes). The step adopts a self-correction mechanism and a prevention mechanism for judgment. The self-correction mechanism is that the backtracking effective period T is equally divided into n sections within the activation backtracking effective period T set by an advertiser according to normal distribution, the average value of the activation time difference clicked within the section with the most attributive data amount is taken, and the threshold value of the time difference is updated by taking the backtracking effective period T as the refresh frequency, wherein n is a natural number. In the present embodiment, the activation backtracking validity period T is set to 7 days, and the 7 days are equally divided into 336 sections, that is, each section has a duration of 30 minutes. Recording the number of attribution data flying within each thirty minutes, finding a time zone with the maximum number of attributions, extracting the time difference from clicking to activating in each attribution data, and averaging after accumulation to serve as a self-correction value. The prevention mechanism is to mark apps and application markets with hijacking frequencies greater than a frequency threshold value and prompt an advertiser to adjust an advertisement delivery plan. The judgment method of the hijacking frequency is that in the advertisement promotion of 3 continuous days, the activation which is greater than or equal to the first proportional threshold is hijacked by the application market, and the platform which is greater than or equal to the second proportional threshold is influenced by the activation. If the time between the click time and the activation time is not less than the first time threshold T1, step 114 is executed, and the activation data is a normal activation. If the time of the click time and the activation time is less than the first time threshold T1, step 115 is executed to determine whether the download address of the advertisement promotion activity to which the click belongs is consistent with the download address to which the package _ name belongs in the activation data. If the download address of the advertisement promotion activity to which the click belongs is consistent with the download address to which the package _ name belongs in the activation data, step 116 is executed, and the attribution result is marked as packageType =0, that is, it is determined that the application store is not hijacked. If the download address of the advertisement promotion activity to which the click belongs is not consistent with the download address to which the package _ name belongs in the activation data, step 117 is executed, and the attribution result is marked as packageType =1, that is, it is determined that the application store is hijacked.
Step 120 is executed to output the judgment result, and place the attribution result marked as packageType =1 in a new table to generate structured data.
Step 130 is executed to graphically display the structured data to the UI interface.
Example two
As shown in FIG. 5, a system for detecting hijacking behavior of an apk file comprises a database 200, a hijacking working module 210, an output module 220 and a presentation module 230.
The database 200: for entering information. The information includes advertisement click data and App activation data. The method for acquiring the advertisement click data comprises the following steps: step a 1: clicking an advertisement by a user; the user browses the advertisement in application a, and the advertiser a1 entrusts the advertisement platform a2 to present the advertisement to the user in application a, and the user is interested in the content presented by the advertisement and clicks the corresponding advertisement material. Step a 2: the background receives click data; and after the advertisement is clicked, sending a click URL from the application A client, wherein the click URL carries the detailed information of the clicked advertisement. Step a 3: and attributing the click data, and extracting attribution data of the click end. The method for acquiring the App activation data comprises the following steps: step b 1: clicking an advertisement by a user; step b 2: skipping to the browser to prepare for downloading the application A; step b 3: the application store changes the download address A1 of the application A to a download address B1, and the user downloads the application B from the download address B1 without perception; step b 4: the user installs and opens application B for the first time; step b 5: and after the user opens the application B for the first time, the SDK completes the initialization of the SDK and collects related equipment information. The application A and the application B are the same application, and the difference is that the download addresses stored in the application A and the application B are different.
Hijacking job module 210: for determining whether the apk file is hijacked. The operation of hijacking operation module 210 includes the following substeps: step 11: and matching the input App activation data with the one click closest to the activation time according to the equipment attribution and/or the fingerprint information attribution. Step 12: and judging the time difference between the click time and the activation time. When judged from the device attribution, the time difference is less than a first time threshold T1. When the determination is made based on the attribution of fingerprint information, the time difference is less than a second time threshold T2. In this step, a self-correction mechanism and a prevention mechanism are adopted for judgment. The self-correction mechanism is that the backtracking effective period T is equally divided into n sections within the activation backtracking effective period T set by an advertiser according to normal distribution, the average value of the activation time difference clicked within the section with the most attributive data amount is taken, and the threshold value of the time difference is updated by taking the backtracking effective period T as the refresh frequency, wherein n is a natural number. In the present embodiment, the activation backtracking validity period T is set to 7 days, and the 7 days are equally divided into 336 sections, that is, each section has a duration of 30 minutes. Recording the number of attribution data flying within each thirty minutes, finding a time zone with the maximum number of attributions, extracting the time difference from clicking to activating in each attribution data, and averaging after accumulation to serve as a self-correction value. The prevention mechanism is to mark apps and application markets with hijacking frequencies greater than a frequency threshold value and prompt an advertiser to adjust an advertisement delivery plan. The judgment method of the hijacking frequency is that in the advertisement promotion of 3 continuous days, the activation which is greater than or equal to the first proportional threshold is hijacked by the application market, and the platform which is greater than or equal to the second proportional threshold is influenced by the activation. Step 13: and judging whether the download address of the advertisement promotion activity to which the click belongs is consistent with the download address to which the package _ name belongs in the activation data. When it is determined to be inconsistent, the attribution result is marked as packageType =1, that is, it is determined to be hijacked by the application store.
The output module 220: for outputting the judgment result. The attribution result, labeled packageType =1, is placed in a new table, generating structured data.
The display module 230: the method is used for graphically showing the structured data to the UI interface.
EXAMPLE III
Because the mobile phone application store belongs to the sub-application under the mobile phone equipment manufacturer system, the whole scene of hijacking action, and other external company products or plug-ins, including advertisers and third-party statistics monitoring companies, are not authorized to sense and detect, which also becomes a technical difficulty for solving the problem; due to technical barriers, the technical logic related to installation hijacking detection of other existing companies is not disclosed to the outside of every company, but the defects of lack of real-time performance, high false kill rate and necessary analysis dimension on the product function cause low working efficiency of the installation hijacking detection function.
The application provides a method for detecting hijacking behavior of an apk file, and solves the following technical problems:
1. the attribution hijacking is associated with the hijacked party and with the advertisement delivery activity information.
In the products on the market, almost no one can identify the hijacked party and the hijacked party for single installation and associate information related to advertisement putting activities, such as an advertisement activity id, an advertisement material id, an advertisement click id, a device id and the like.
2. And detecting and predicting the installation hijacking action in real time.
In the prior art, the installation hijacking can be detected in real time (corresponding service results are returned within a very short time of the occurrence time of user behaviors or within a time range required by a service partner).
3. And the judgment model is automatically corrected, so that the false killing rate is reduced.
Because a mobile phone manufacturer cannot directly judge whether the installation is hijacked by an application store, products on the market have a certain proportion of false killings (namely judgment errors).
The technical scheme of the application is shown in figure 6.
1. The user clicks on the advertisement: the user browses the advertisement in the application A, the advertisement is sent to the advertisement platform A by the advertiser A, the advertisement is displayed for the user in the application A, the user is interested in the content displayed by the advertisement, and corresponding advertisement materials are clicked;
receiving click data: after the advertisement is clicked, a click URL is sent from the application A client side, and the click URL carries the detailed information of the clicked advertisement, wherein the information is shown in the table 1.
Figure 415549DEST_PATH_IMAGE001
TABLE 1
2b, jumping to the browser to prepare for downloading the application A: clicking URL to redirect to the downloading address A configured in the background by the advertiser A in advance;
extracting information required for advertisement attribution: 2a, the information is the information needed by advertising attribution;
inserting advertisement click data into a click database;
4. the application store changes the download address A1 of the application A to a download address B1, and the user downloads the application B from the download address B1 without perception;
5. the user installs and opens application B for the first time;
after the SDK opens application B for the first time, the SDK initialization is completed and related device information is collected, the main information being shown in table 2.
The application A and the application B are the same application, and the difference is that the download addresses stored in the application A and the application B are different.
Figure 159645DEST_PATH_IMAGE002
TABLE 2
6b, inserting the activation data reported by the SDK into an activation database;
7. and installing a hijack work module. Firstly, matching newly inserted activation data with the latest click away from activation time according to device _ id (attributed to equipment and highest priority), ip and ua (ip + ua information combination comparison, named as fingerprint information attribution and second priority); secondly, judging the time difference between the click time and the activation time, if the time difference is attributed to the equipment and is less than 30 minutes, listing the time difference into the next judgment condition of the module, and judging the threshold value of the hijacking time difference to be 15 minutes according to the data attributed to the fingerprint information; thirdly, judging whether the clicked download address of the advertisement promotion activity is consistent with the download address of the package _ name in the activation data or not, and according to the situation, the clicked download address A is different from the package _ name of the download address B; finally, marking the attribution result as packageType =1, namely judging that the attribution result is hijacked by the application store;
8. the hijacking record marked packageType =1 is put into a new table (database) which, as shown in table 3, contains the following fields:
Figure 241871DEST_PATH_IMAGE003
TABLE 3
9. And graphically displaying the structured data, wherein the advertisement platform A brings about the activation conversion of the application A for the advertiser A for a period of time, and the activation conversion is hijacked by the installation of an application store.
Because the hijacking of the android application store is a behavior occurring at the level of an android system, Only Equipment Manufacturers (OEMs) or related developers of the OEMs learn the actual real total hijacking amount, so that for a third-party detection company, when the total hijacking magnitude cannot be learned, how much hijacking amount can be detected, the change trend observation of promotion and activation can be carried out before and after the advertiser uses the installation hijacking function, about 10% -30% of advertisement promotion effects can be traced, marked and prevented for the advertiser, and the specific detectable ratio is different due to the conditions of the promotion channel, the promotion period, the promotion intensity and the specific situation of the advertiser.
Example four
The installation hijacking work module logic flow is shown in fig. 7:
and (I) inputting the click data and the activation data into an attribution module and outputting an attribution result.
(II) if the activation is not brought by the advertisement, the processing is not carried out; if the advertisement promotion is activated, the advertisement promotion is input into the installation hijack module.
1. The time difference from click to activation is calculated.
2. Determining attribution type
3. And self-corrects the threshold.
4. And judging a hijacking time difference threshold value.
5. And judging whether the time difference between the click and the activation is within a preset threshold range, wherein if the click and the activation are matched through device _ id, the time difference is 30 minutes, and if the click and the activation are matched through fingerprint information, the time difference is 15 minutes, because the matching accuracy of the fingerprint information is lower than the matching accuracy of the device _ id (equipment unique identification code). And calculating the expected time from the time when the user clicks the advertisement to the time when the user downloads the installation app based on the probability, and correcting the hijacking time difference threshold. If the current state is not within the hijacking time difference threshold range, no processing is carried out.
6. If the data is in the hijacking time difference threshold range, whether the data is the same as the activation source marked in the activation is judged by clicking the download address of the advertisement promotion activity to which the data belongs. If the sources are the same, no processing is done.
7. If the sources are not the same, the hijacking database is entered.
8. After the hijacking behavior reaches a certain magnitude or frequency, a punishment early warning mechanism is used for helping an advertiser to make a decision in the aspect of installation hijacking. And judging by adopting a self-correction mechanism and a prevention mechanism in the work of the hijack work module.
One, self-correction mechanism
Judging the time difference between the click time and the activation time in the hijack working module, wherein the threshold of the hijack time difference is set as follows by default: the hijacking time difference threshold attributed to the device ID is 30 minutes, and the hijacking time difference threshold attributed to the fingerprint information is 15 minutes. The factors influencing this time difference are:
1. network factor
App download duration
3. User behavior habits
Therefore, the default value is not necessarily applicable to all situations, so that the time difference section with the largest probability of occurrence of the time difference from clicking to activating in the app promotion process within 7 days of loop observation is averaged according to normal distribution, the threshold value of the time difference is updated by taking 7 days as a refresh frequency, and the previous 7 days are cold start stages, so that the previous 7 days are defaulted to be 30 minutes and 15 minutes, and the value is obtained by the algorithm according to the data released in the previous period.
The self-correction of the hijack activation time difference threshold is introduced, so that the misjudgment caused by the fact that the judgment standard is single and unchanged due to the diversification and differentiation of the example samples can be greatly reduced. The self-correction module can really calculate the correct judgment standard based on the practical popularization condition of each application and by combining the use habits of the user.
Second, prevention mechanism
The app with the hijack frequency larger than the frequency threshold value and the application market are marked to prompt an advertiser to adjust an account delivery plan as soon as possible, and the judgment method of the hijack frequency comprises the following steps:
1. in a 3-day continuous advertising campaign, 50% of the activations are hijacked by the application market and 80% of the platforms are affected by it
2. After the judgment condition is met, the app and the application market are marked to hijack the high-risk object, and the advertiser is notified in the form of a mail and an in-account notification.
The installation hijacking data magnitude is subjected to duty ratio early warning according to the app and the application market, judgment of an advertiser on the hijacking situation can be rapidly improved, action and adjustment are performed in advance, and larger loss is avoided.
EXAMPLE five
In the present market example, the database and related content are illustrated. The click database is shown in table 4, the link _ id corresponding relation library is shown in table 5, the package _ channle corresponding relation library is shown in table 6, the activation database is shown in table 7, and the installation hijacking database is shown in table 8.
Figure 277085DEST_PATH_IMAGE004
TABLE 4
Figure 659525DEST_PATH_IMAGE005
TABLE 5
Figure 417265DEST_PATH_IMAGE006
TABLE 6
Figure 957093DEST_PATH_IMAGE007
TABLE 7
Figure 294534DEST_PATH_IMAGE008
TABLE 8
The following noun explanations are included in this application:
1. and (4) attributing. After a newly added activation is put into a warehouse, firstly, device _ id, ip and ua information in an activation database is taken to be matched with click data in a click database, and it can be seen that the activation time is 2020-1-111: 05, the Click time of the Click (Last Click) closest to the activation time is 2020-1-111: 00, and the device _ id, ip, ua information match, we determine that activation with activation sequence number a is brought by click with click sequence number 2.
2. The click-to-activation time interval is calculated. Subtracting the click time from the activation time install time, the time interval between clicks to activation can be found as: mtti, which in this example is 5.
3. A determination is made as to the attribution type and whether it is within a hijacking time difference threshold. Since the click and activation are attributed through device _ id, the hijacking time difference threshold decision criterion is 30 minutes, while mtti in this example is 5, so the rule is hit.
4. And judging the downloading source. The method includes the steps that a package _ channle corresponding to a package _ name carried in a database is activated to be a view, cid corresponding to a click with a click serial number of 2 in click data is baidu, the click package _ name is default, and the activated package _ name is a VIVO app store. The instance will be determined to be installation hijacking.
5. And attributing the data. The activation data that matches a click is referred to as attribution data.
For a better understanding of the present invention, the foregoing detailed description has been given in conjunction with specific embodiments thereof, but not with the intention of limiting the invention thereto. Any simple modifications of the above embodiments according to the technical essence of the present invention still fall within the scope of the technical solution of the present invention. In the present specification, each embodiment is described with emphasis on differences from other embodiments, and the same or similar parts between the respective embodiments may be referred to each other. For the system embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.

Claims (8)

1. A method for detecting hijacking behavior of an apk file comprises the steps of inputting information into a database, wherein the information comprises advertisement click data and App activation data, and the method is characterized by further comprising the following steps:
step 1: judging whether the apk file is hijacked or not by using a hijacking working module; the step 1 comprises the following substeps:
step 11: matching one click closest to the activation time with the input App activation data according to the equipment attribution and/or the fingerprint information attribution;
step 12: judging the time difference between the click time and the activation time; judging by adopting a self-correction mechanism and a prevention mechanism; the self-correction mechanism is that the backtracking effective period T is equally divided into n sections within the activation backtracking effective period T set by an advertiser according to normal distribution, the average value of the activation time difference clicked within the section with the most attributive data amount is taken, and the threshold value of the time difference is updated by taking the backtracking effective period T as the refresh frequency, wherein n is a natural number; the prevention mechanism is used for marking app with the hijack frequency larger than a frequency threshold value and an application market and prompting an advertiser to adjust an advertisement putting plan;
step 13: judging whether the downloading address of the clicked advertisement promotion activity is consistent with the downloading address of the package _ name in the activation data;
step 2: outputting a judgment result;
and step 3: and graphically displaying the structured data to the UI interface.
2. The method for detecting hijacking behavior of an apk file as claimed in claim 1, wherein said step 12 comprises:
1) when determined from the device attribution, the time difference is less than a first time threshold T1;
2) when the determination is made based on the attribution of fingerprint information, the time difference is less than a second time threshold T2.
3. The method of claim 2, wherein the hijacking frequency is determined by that in 3 consecutive days of advertising promotion, activation greater than or equal to a first proportional threshold is hijacked by an application market, and platforms greater than or equal to a second proportional threshold are affected by the activation.
4. The method of detecting hijacking behavior of an apk file as claimed in claim 3, wherein said step 13 includes marking the attribution result as packageType =1, i.e. determined as being hijacked by the application store, when it is determined as inconsistent.
5. The method of detecting hijacking behavior of an apk file as claimed in claim 4, wherein said step 2 includes placing the attribution result marked as packageType =1 in a new table, generating structured data.
6. The method for detecting hijacking behavior of an apk file as claimed in claim 5, wherein said method for obtaining advertisement click data comprises the steps of:
step a 1: the user browses the advertisement in the application A, the advertisement is displayed to the user in the application A by an advertiser A1 entrusted an advertisement platform A2, the user is interested in the content displayed by the advertisement, and corresponding advertisement materials are clicked;
step a 2: after the advertisement is clicked, sending a click URL from an application A client, wherein the click URL carries detailed information of the clicked advertisement, and a background receives click data;
step a 3: and attributing the click data, and extracting attribution data of the click end.
7. The method for detecting the hijacking behavior of the apk file as claimed in claim 6, wherein the method for acquiring the App activation data comprises the following steps:
step b 1: clicking an advertisement by a user;
step b 2: skipping to the browser to prepare for downloading the application A;
step b 3: the application store changes the download address A1 of the application A to a download address B1, and the user downloads the application B from the download address B1 without perception;
step b 4: the user installs and opens application B for the first time;
step b 5: after the user opens the application B for the first time, the SDK completes the initialization of the SDK and collects the information of related equipment;
the application A and the application B are the same application, and the difference is that the download addresses stored in the application A and the application B are different.
8. A system for detecting hijacking behavior of an apk file comprises a database for inputting information, wherein the information comprises advertisement click data and App activation data, and is characterized by further comprising the following modules:
a hijacking working module: used for judging whether the apk file is hijacked or not; the work of the hijack work module comprises the following substeps:
step 11: matching one click closest to the activation time with the input App activation data according to the equipment attribution and/or the fingerprint information attribution;
step 12: judging the time difference between the click time and the activation time;
step 13: judging whether the downloading address of the clicked advertisement promotion activity is consistent with the downloading address of the package _ name in the activation data; judging by adopting a self-correction mechanism and a prevention mechanism; the self-correction mechanism is that the backtracking effective period T is equally divided into n sections within the activation backtracking effective period T set by an advertiser according to normal distribution, the average value of the activation time difference clicked within the section with the most attributive data amount is taken, and the threshold value of the time difference is updated by taking the backtracking effective period T as the refresh frequency, wherein n is a natural number; the prevention mechanism is used for marking app with the hijack frequency larger than a frequency threshold value and an application market and prompting an advertiser to adjust an advertisement putting plan;
an output module: used for outputting the judged result;
a display module: the system is used for graphically displaying the structured data to the UI interface;
the system performs detection of apk file hijacking behavior according to the method of claim 1.
CN202010198758.6A 2020-03-20 2020-03-20 Method and system for detecting hijacking behavior of apk file Active CN111092993B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010198758.6A CN111092993B (en) 2020-03-20 2020-03-20 Method and system for detecting hijacking behavior of apk file

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010198758.6A CN111092993B (en) 2020-03-20 2020-03-20 Method and system for detecting hijacking behavior of apk file

Publications (2)

Publication Number Publication Date
CN111092993A CN111092993A (en) 2020-05-01
CN111092993B true CN111092993B (en) 2020-06-30

Family

ID=70400586

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010198758.6A Active CN111092993B (en) 2020-03-20 2020-03-20 Method and system for detecting hijacking behavior of apk file

Country Status (1)

Country Link
CN (1) CN111092993B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111784380B (en) * 2020-06-05 2024-05-24 北京沃东天骏信息技术有限公司 Advertisement putting attribution method and device
CN112286736B (en) * 2020-12-25 2021-06-22 北京邮电大学 Method for recovering equipment infected by suspicious application and related equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108171547A (en) * 2017-12-27 2018-06-15 平安普惠企业管理有限公司 User behavior method for tracing, device, equipment and storage medium
WO2018133326A1 (en) * 2017-01-22 2018-07-26 华为技术有限公司 Method and device for application download monitoring
US10110618B1 (en) * 2016-01-28 2018-10-23 Symantec Corporation System and methods to detect mobile credential leaks during dynamic analysis
WO2019108919A1 (en) * 2017-12-01 2019-06-06 Seven Networks, Llc Detection and identification of potentially harmful applications based on detection and analysis of malware/spyware indicators
CN109905390A (en) * 2019-02-26 2019-06-18 北京智游网安科技有限公司 APP kidnaps detection method, API packet and storage medium
CN110071924A (en) * 2019-04-24 2019-07-30 广州知弘科技有限公司 Big data analysis method and system based on terminal
CN110149298A (en) * 2018-02-12 2019-08-20 北京京东尚科信息技术有限公司 A kind of method and apparatus for kidnapping detection

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10110618B1 (en) * 2016-01-28 2018-10-23 Symantec Corporation System and methods to detect mobile credential leaks during dynamic analysis
WO2018133326A1 (en) * 2017-01-22 2018-07-26 华为技术有限公司 Method and device for application download monitoring
WO2019108919A1 (en) * 2017-12-01 2019-06-06 Seven Networks, Llc Detection and identification of potentially harmful applications based on detection and analysis of malware/spyware indicators
CN108171547A (en) * 2017-12-27 2018-06-15 平安普惠企业管理有限公司 User behavior method for tracing, device, equipment and storage medium
CN110149298A (en) * 2018-02-12 2019-08-20 北京京东尚科信息技术有限公司 A kind of method and apparatus for kidnapping detection
CN109905390A (en) * 2019-02-26 2019-06-18 北京智游网安科技有限公司 APP kidnaps detection method, API packet and storage medium
CN110071924A (en) * 2019-04-24 2019-07-30 广州知弘科技有限公司 Big data analysis method and system based on terminal

Also Published As

Publication number Publication date
CN111092993A (en) 2020-05-01

Similar Documents

Publication Publication Date Title
CA2712325C (en) Web site trigger optimization system driving cross-channel operations
Cadariu et al. Tracking known security vulnerabilities in proprietary software systems
CN117852003B (en) Account monitoring early warning management method based on data analysis
US20160042388A1 (en) Tracking and analyzing mobile device activity related to mobile display campaigns
CN115292163B (en) Application detection methods, devices, and computer-readable storage media
US11948169B1 (en) Methods and systems for detecting fraudulent advertisements in pay-per-call advertising
CN109728969B (en) Abnormal user detection method of application software, monitoring server and storage medium
CN111092993B (en) Method and system for detecting hijacking behavior of apk file
CN109120428B (en) Method and system for wind control analysis
CN109544014B (en) Anti-fraud method and device based on historical data playback
CN108399565A (en) Financial product recommendation apparatus, method and computer readable storage medium
CN114840853B (en) Digital business analysis method based on big data and cloud server
CN113761519A (en) Detection method and device for Web application program and storage medium
CN113297609A (en) Method and device for monitoring privacy acquisition behaviors for small programs
CN109543409B (en) Method, device and equipment for detecting malicious application and training detection model
CN114022183A (en) Advertisement information attribution method, system, equipment and storage medium
CN111341072A (en) Accurate and rapid weather early warning analysis pushing reminding system and method
CN112507041B (en) Equipment model identification method and device, electronic equipment and storage medium
CN107729407B (en) User behavior analysis method and server
CN114238036A (en) Method and device for monitoring abnormity of SAAS (software as a service) platform in real time
CN119624543A (en) A method and system for optimizing precise advertising delivery
CN108257011B (en) Drop list processing method and device
CN113421104A (en) Method and device for identifying channel conflict behavior, electronic equipment and storage medium
CN117009202A (en) Buried data processing method, buried data processing device, buried data processing equipment and storage medium
CN116488842A (en) Abnormal user access behavior detection method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant