Recently, with the advancement of mobile communication technologies and of the wired/wireless Internet, cellular phones that support not only a simple call function but also various other functions, such as wireless Internet access, have become prevalent. In particular, smartphones, which are now widespread, allow installation of various application programs (hereinafter abbreviated as “applications”) that run on a mobile operating system, and users therefore use smartphones for various purposes.
A mobile operating system such as Android, iOS, or Windows Mobile is installed on these smartphones, and applications executable on the various mobile operating systems have been actively developed.
Among such mobile operating systems, the Android platform is an open-source platform released by the Open Handset Alliance (OHA) led by Google Inc. It is a software package that includes a Linux kernel, a virtual machine (VM), a framework, and applications.
Recently, users' rising expectations of the Android platform and the enthusiastic response of terminal manufacturers and mobile carriers have promoted the use of the Android platform in portable terminals such as smartphones, invigorating the Android application market and increasing the demand for high-quality Android applications.
Meanwhile, as smartphones equipped with the Android platform have come into wider use, malicious code targeting the Android operating system has also increased. Creators of Android malicious code have developed Android malicious applications based on various techniques acquired in the conventional PC environment, and at a faster rate than was seen on PCs.
FIG. 1 is a tree structure diagram illustrating an example of an Android package (APK) file, the executable file used to install and run an application on the Android platform.
As illustrated in FIG. 1, the Android package file includes a plurality of folders and files in its root. Among these, a META-INF folder 20, an AndroidManifest.xml file 10, a classes.dex file 30, and a resources.arsc file 40 are essential components. If any one of these essential components is missing, the application cannot be installed or executed normally. The META-INF folder 20 in turn must contain an RSA file 21, an SF file 22, and a MANIFEST.MF file 23.
Meanwhile, the typically known method for creating an Android malicious application is to modify the AndroidManifest.xml file 10 or the classes.dex file 30.
Thus, to diagnose a malicious application in a mobile operating system environment according to the related art, hash values of the AndroidManifest.xml file 10 and the classes.dex file 30 that have been determined to be malicious are stored in a signature database in advance. Hash values of the AndroidManifest.xml file 10 and the classes.dex file 30 extracted from an application to be diagnosed are then compared with the signature database to determine whether the application is malicious.
According to the related art, a single malicious file may be accurately diagnosed, but it cannot be determined whether the many variant files created by using an automation tool or the like are malicious.
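The related-art check and its limitation can be reproduced with the following added example, which is not part of the original document. The packages are constructed in memory, and the digest algorithm (SHA-256), the per-file database layout, the CERT.SF/CERT.RSA file names, and all function names are assumptions made for illustration.

```python
import hashlib, io, zipfile

HASHED = ("AndroidManifest.xml", "classes.dex")   # files the related art hashes
REQUIRED = HASHED + ("resources.arsc", "META-INF/MANIFEST.MF")

def build_apk(manifest, dex, skip=()):
    """Constructed stand-in for an APK: a ZIP holding the essential entries of FIG. 1."""
    entries = {"AndroidManifest.xml": manifest, "classes.dex": dex,
               "resources.arsc": b"constructed", "META-INF/MANIFEST.MF": b"constructed",
               "META-INF/CERT.SF": b"constructed", "META-INF/CERT.RSA": b"constructed"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            if name not in skip:
                z.writestr(name, data)
    return buf.getvalue()

def missing_components(apk):
    """List the essential components that are absent from the package."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
    missing = [n for n in REQUIRED if n not in names]
    for ext in (".RSA", ".SF"):
        if not any(n.startswith("META-INF/") and n.endswith(ext) for n in names):
            missing.append("META-INF/*" + ext)
    return missing

def file_hashes(apk):
    """SHA-256 per hashed file (the digest algorithm is an assumption)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in HASHED}

def matched_files(apk, signature_db):
    """Names of hashed files whose digest is stored in the signature database."""
    return [n for n, h in file_hashes(apk).items() if h in signature_db]

# Constructed samples: one package already judged malicious, plus two variants
# of the kind an automation tool emits (same behaviour, slightly different bytes).
known = build_apk(b"<manifest package='a.b'/>", b"dex\n035\0 body-1")
variant_dex = build_apk(b"<manifest package='a.b'/>", b"dex\n035\0 body-2")
variant_both = build_apk(b"<manifest package='a.c'/>", b"dex\n035\0 body-2")
signature_db = set(file_hashes(known).values())

if __name__ == "__main__":
    for label, apk in (("known", known), ("variant_dex", variant_dex),
                       ("variant_both", variant_both)):
        print(label, "->", matched_files(apk, signature_db) or "no match")
```

The known sample matches on both files, the variant with an altered classes.dex matches only on its manifest, and the variant with both files altered matches nothing, even though each difference is a single byte.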