A Sandbox-Based Dynamic Analysis Scheme for Android Malware

Journal: 《信息网络安全》

Abstract

The popularity of smartphones has greatly stimulated the spread of malicious software, and because of its huge market share and open-source nature, the Android platform has become the preferred target of attackers. Traditional signature-based antivirus software can detect only known malware and is powerless against unknown malware. To address this shortcoming, this paper proposes a sandbox-based dynamic analysis scheme for Android malware that can effectively analyze the behavior of unknown malware. The scheme implements the Android sandbox by installing an Android x86 virtual machine in the virtualization software Oracle VM VirtualBox, and uses the command-line tool provided by VirtualBox to control the sandbox. An Android application carries out each of its actions by calling the corresponding system API, so the scheme determines an application's behavioral characteristics by monitoring the system APIs it calls; the monitoring is done by inserting API monitoring code into the application package. A script sends different user event streams to the Android sandbox to simulate a real user's operations on the application, which drives the application to run automatically in the sandbox. Experiments show that the proposed scheme is feasible.
