Please use this identifier to cite or link to this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/55882

| Title: | Android系統上程序自修改的偵測與保護 (Self-modifying Code Detection and Protection on Android System) |
| Authors: | Yen-Chien Pan 潘彥謙 |
| Advisor: | 洪士灝(Shih-Hao Hung) |
| Keyword: | Android, Security, Malware, Self-modifying Code, Automatic Testing, Smartphone |
| Publication Year: | 2014 |
| Degree: | Master's |
| Abstract: | The numbers of Android mobile devices and applications have both increased dramatically in recent years, but unfortunately, so has malware. While there are many anti-virus applications on Android systems, malware usually uses various tricks to avoid being detected. Self-modification is a novel technique on the Android system which allows applications to hide their actual code. In this paper, we propose a detection method to help detect this type of malware, and based on the detection result, we further developed a mechanism to protect users from the risk of executing modified code. We evaluate 73,754 applications downloaded from Google Play and 44,315 known malware samples with our detection mechanism. In the result, about 0.07% of applications have self-modification behavior, and the most suspicious ones are identified as adware. Although we haven't encountered any self-modifying malware yet, hopefully this work serves to help detect new types of self-modifying malware in the future. |
| URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/55882 |
| Fulltext Rights: | Paid license |
| Appears in Collections: | Department of Computer Science and Information Engineering |
Files in This Item:
| File | Size | Format | |
|---|---|---|---|
| ntu-103-1.pdf (Restricted Access) | 2.3 MB | Adobe PDF | |
