Android is an open source code operating system based on Linux and mainly used for mobile terminals such as mobile phones, and does not have a uniform Chinese equivalent term to date. An Android platform consists of an operating system, middleware, a user interface and application software.
APK is an abbreviation of Android application package file, namely, Android installation package, and it may also be understood as application software installed on the Android terminal. APK is in a file format similar to Symbian Sis or Sisx. The APK file may be installed by being directly delivered to an Android simulator or Android terminal and executed. Like sis, the apk file packages an android sdk compiling project into an installation program file in an apk format. The APK file is in fact in a zip format with an extension name being modified to apk, and it is decompressed by Unzip to get a Dex file. Dex represents Dalvik VM executes, namely, an Android Dalvik execution program, not a standard Java byte code but a Dalvik byte code. Upon running a program, Android first needs to decompress by using UnZip and then directly run it like Symbian, different from a PE file in Windows Mobile.
Specifically, the structure of the APK file is shown in the following table:
META-INF\Store files CERT.RSA, CERT.SF, andMANIFEST.MFres\Store APK-related source filesAndroidManifest.xmlAPK global configuration fileclasses.dexDalvik Executable (Dalvik virtual machineexecutable file)resources.arscBinary resource file after compilation
Upon specific application, APK may be imported into a mobile terminal via a data line or via wireless data transmission, or directly downloaded and installed through a market (tool software such as Android market) or webpages. As Android terminals get popularized and developed, various APK come into being and include virus APK, for example, some APK do harm to a user's rights and interests by malicious behaviors such as short message customization payment service, dialing charged telephone or backing up sensitive data in the user's mobile phone to a specific server.
Currently, there already occur some mobile terminal-specific security software (e.g., mobile phone antivirus software) for checking and killing these viruses APK. Methods for checking and killing the virus APK by these current security software mainly include the following two kinds:
The first kind is identifying the virus APK by means of HASH, signature, package name of the APK file on the principle of extracting a KEY for APK by using HASH algorithm, and then identifying virus APK according to the KEY, or identifying it through the virus APK maker's APK digital signature and package name.
However, the above current manner of identifying based on HASH of the APK file probably, by re-confusing or adding a new source file to the APK file or even modifying the code, causes the KEY extracted through HASH algorithm to change and thereby causes failure to identify; the above current signature-based identifying manner may be evaded by changing the signature; the above current package name-based identifying manner may be evaded by changing the package name. Furthermore, it is very easy for virus maker to change the confusion manner, modify APK file (adding or deleting resource, code or the like) or change the signature. Hence, the virus maker can very easily make a new virus variation and thereby evade the identification of the security software.
The second kind is identifying the virus APK through a class name in classes.dex in the APK file on the principle of identifying by analyzing classes in the classes.dex and then extracting names of several classes as virus characteristic codes, and then parsing the classes.dex file in the virus APK to see whether it contains specific class names.
However, this identifying manner by scanning class names might cause mis-reporting as only checking class names on the one hand, and on the other hand, it is very easily evaded by the virus maker by confusing or directly modifying the class name.
Hence, a technical problem to be solved by those skilled in the art currently is to provide a virus APK identifying mechanism to rapidly, accurately and effectively identify the virus APK and a variation thereof, thereby improving the security of an APK application.