
Research On Application Behavior Analysis Technology For Android Virtualization Framework

Posted on: 2024-08-29
Degree: Master
Type: Thesis
Country: China
Candidate: W N Zhang
GTID: 2568306932455624
Subject: Cyberspace security

Abstract/Summary:
Currently, Android applications have become an essential part of people's lives. To meet people's demand for multiple applications, technicians have designed Android applications based on the Android virtualization framework. Android application virtualization technology not only brings convenience to people's work and life, but also brings security risks. Since 2017, the number of repackaging attack samples based on Android virtualization technology has exceeded the number of traditional repackaging attack samples, and the gap between the two has gradually increased. The representative malware family, HummingBad, had already infected millions of Android devices before being taken off the Google market.

Recently, some researchers have proposed detection schemes for Android virtualization frameworks and for the malicious behaviors implemented on top of them. However, current Android virtualization framework detection solutions rely on observing open source frameworks and cannot accurately detect commercial Android virtualization programs on the market that are not open source. Meanwhile, when attackers use the Android virtualization framework for malicious behavior, existing detection schemes can only detect hidden loading and cannot accurately detect malicious behaviors such as information hijacking and advertising fraud. To address this issue, this thesis designs an Android virtualization program detection method based on heterogeneous information networks, which can accurately detect different types of Android virtualization programs on the market. Meanwhile, this thesis uses taint analysis technology and anomaly detection technology to accurately identify different malicious behaviors based on Android virtualization technology. The main work of this thesis is as follows:

1. Detection of Android virtualization programs based on heterogeneous information networks. This work designs an Android virtualization program detection method based on heterogeneous information networks and implements a prototype system called Aiplugin. Based on the characteristics of Android virtualization programs, four types of static program features (floating permissions, similar components, feature APIs, and feature methods) are extracted, and the program features are mapped onto a heterogeneous information network so that different programs are associated in the form of meta paths. To accurately represent the behavior information between programs and use it for classification, this work uses a heterogeneous graph attention network representation algorithm and the OC-SVM algorithm to integrate the semantic information of programs from different views, realizing the representation and classification of Android virtualization programs. Compared to the current representative static detection method VAHunt, this method can effectively detect more types of Android virtualization programs, including the commercial closed-source software Parallel Space. The prototype system Aiplugin achieved an accuracy of 92.43%, a precision of 98.46%, and a recall rate of 80.91%.

2. Detection of malicious Android virtualization programs based on taint analysis. This work systematically analyzes malicious software based on the Android virtualization framework, designs a detection method for malicious Android virtualization programs based on static taint analysis technology, and implements a prototype system, MalPlugDroid. This work systematically analyzes the context information with which malicious software triggers malicious plugins (i.e. external variables passed to trigger parameters and API information within trigger branches), and uses taint analysis for data flow analysis to obtain the program's trigger context information. Malicious Android virtualization programs are detected by collecting suspicious context information to characterize triggers. Compared to current work on detecting malicious Android virtualization programs, this method can effectively detect more malicious behavior beyond hidden loading. The prototype system MalPlugDroid achieved an accuracy of 93.17%, a precision of 92.81%, and a recall rate of 85.96%.

In summary, this thesis designs an Android virtualization program detection method based on heterogeneous information networks, which can detect multiple virtualization programs and provide support for downstream security personnel analyzing the security risks brought by Android virtualization technology. On the basis of the above work, this thesis further proposes a detection method for malicious Android virtualization programs based on taint analysis, which can effectively detect multiple types of malicious behavior.
Keywords/Search Tags: Android virtualization program, Heterogeneous information network, Privacy protection, Code detection