US009800609B2

(10) Patent No.: US 9,800,609 B2
(45) Date of Patent: Oct. 24, 2017

(54) METHOD, DEVICE AND SYSTEM FOR DETECTING MALWARE IN A MOBILE TERMINAL
(71) Applicant: Tencent Technology (Shenzhen) Co., Ltd., Shenzhen, Guangdong (CN)
(72) Inventor: Chongliang Liao, Guangdong (CN)
(73) Assignee: Tencent Technology (Shenzhen) Company Limited, Shenzhen, P.R. (CN)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 8 days.
(21) Appl. No.: 14/622,074
(22) Filed: Feb. 13, 2015
(65) Prior Publication Data: US 2015/0163232 A1, Jun. 11, 2015

Related U.S. Application Data
(63) Continuation of application PCT/CN2014/080793, filed on Jun. 26, 2014.

(30) Foreign Application Priority Data
Jul. 30, 2013 (CN) ........ 2013 1 03261916

(51) Int. Cl.
H04L 29/06 (2006.01)
G06F 21/56 (2013.01)
G06F 9/445 (2006.01)
(52) U.S. Cl.
CPC ........ H04L 63/145 (2013.01); G06F 8/61 (2013.01); G06F 21/563 (2013.01); G06F 21/567 (2013.01); G06F 2221/2115 (2013.01)
(58) Field of Classification Search
CPC ........ G06F 8/61; G06F 21/56-21/568; G06F 2221/2115; H04L 63/1416; H04L 63/1441-63/145
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
8,281,399 B1 10/2012 Chen et al.
2009/0282483 A1 * 11/2009 Bennett ........ H04L 63/1416 726/23
(Continued)

FOREIGN PATENT DOCUMENTS
CN 102123396 A 7/2011
CN 102663281 A 9/2012
(Continued)

OTHER PUBLICATIONS
Yajin Zhou, Zhi Wang, Wu Zhou, and Xuxian Jiang (Zhou et al.), "Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets", 19th Annual Symposium on Network and Distributed System Security (NDSS Symposium 2012). <http://www.internetsociety.org/sites/default/files/07_5.pdf>. Published: Feb. 7, 2012. *
(Continued)

Primary Examiner — Kevin Bechtel
(74) Attorney, Agent, or Firm — Brinks Gilson & Lione

(57) ABSTRACT

A method, device and system for detecting malware in a mobile terminal are disclosed. The method includes at least the following operations: obtaining an installation package of a software which is to be checked; decompressing the installation package to obtain a decompressed installation package; detecting the decompressed installation package to obtain a first detection result; sending the decompressed installation package to a cloud system; receiving a second detection result returned from the cloud system based upon the cloud performing a malware check on the decompressed installation package; determining that the software being checked is a malware, if one or both of the following is found: the first detection result and the second detection result each indicates that the decompressed installation package is abnormal.

15 Claims, 4 Drawing Sheets
`
[Abstract drawing: the Figure 1 flowchart, steps 101 to 106; reproduced on Sheet 1 of 4 below.]
`ironSource Exhibit 1014
`
`
`
Page 2

(56) References Cited

U.S. PATENT DOCUMENTS
2010/0333203 A1 * 12/2010 Tsviatkou ........ G06F 21/566 726/23
2011/0145920 A1 6/2011 Mahaffey et al.
2012/0330801 A1 * 12/2012 McDougal ........ G06F 21/577 705/32
2013/0263266 A1 * 10/2013 Bojaxhi ........ H04L 63/145 726/23

FOREIGN PATENT DOCUMENTS
CN 102663286 A 9/2012
CN 102779257 A 11/2012
CN 103400076 A 11/2013

OTHER PUBLICATIONS
International Preliminary Report on Patentability and Written Opinion received in PCT Application No. PCT/CN2014/080793 dated Feb. 2, 2016.
International Search Report received in PCT Application No. PCT/CN2014/080793 dated Sep. 26, 2014.
Fang, "Malware Implementation and Detection on Android," Thesis Submitted to Nanjing University of Posts and Telecommunications for the Degree of Master of Engineering, Jun. 15, 2013.
Wenjun et al., "A Detection Method and System Implementation for Android Malware," Journal of Xi'an Jiaotong University, vol. 47:10, Oct. 2013.
First Office Action received in Chinese Application No. 201310326191.6 dated Jul. 1, 2015.
* cited by examiner
`
`
`
Sheet 1 of 4

Figure 1 (flowchart of the method; reference numerals 101 to 106):
101: obtaining an installation package of a software which is to be checked
102: decompressing the installation package to obtain a decompressed installation package
103: detecting the decompressed installation package to obtain a first detection result
104: sending the decompressed installation package to a cloud system
105: receiving a second detection result returned from the cloud system based upon the cloud performing a malware check on the decompressed installation package
106: determining that the software being checked is a malware, if one or both of the following is found: the first detection result and the second detection result each indicates that the decompressed installation package is abnormal
`
`
`
Sheet 2 of 4

Figure 2a (system diagram 200): a cloud system (222) made up of servers (222a to 222d) connected by Ethernet; a base station (226); and mobile terminals (224) communicating through the base station.

Figure 2b (end system and cloud system): the end system (mobile terminal side, 224) performs decompressing (2241), heuristic scanning (2242), binary scanning (2243) and authority limits file scanning (2244); the cloud system (222) performs secondary analysis of xml (2221), similarity comparison (2222), dex file analysis (2223) and dynamic execution (2224).
`
`
`
Sheet 3 of 4

Figure 2c (flowchart; reference numerals 201 to 207):
201: The mobile terminal obtains an APK to be checked
202: The mobile terminal decompresses the obtained APK, and obtains a decompressed APK
203: The mobile terminal checks the obtained decompressed APK and obtains a first check result
204: The mobile terminal sends the decompressed APK to the cloud system
205: The cloud system performs a malware check on the decompressed APK and obtains a second check result
206: The mobile terminal returns a second check result returned by the cloud system
207: The mobile terminal determines that the software to be checked is malware if the first check result and/or the second check result indicates that the decompressed installation package is abnormal
`
`
`
Sheet 4 of 4

Figure 3 (device 300): acquisition unit (301), decompressing unit (302), detecting unit (303), sending unit (304), receiving unit (305), determining unit (306), processor circuitry (307) and memory (308).

Figure 4 (mobile terminal 400): RF circuit, memory, input unit, display unit, sensor, audio circuit, WiFi module (407), processor and power supply (reference numerals 401 to 409).
`
`
`
METHOD, DEVICE AND SYSTEM FOR DETECTING MALWARE IN A MOBILE TERMINAL

CROSS-REFERENCE TO RELATED APPLICATIONS

The application is a continuation of PCT Application No. PCT/CN2014/080793, filed on Jun. 26, 2014, which claims priority to Chinese Patent Application No. 2013103261916, filed on Jul. 30, 2013, which may be incorporated by reference in their entireties.

FIELD OF THE TECHNOLOGY

The present disclosure relates to a method, device and system for detecting malware in a mobile terminal in the field of communication technology.

BACKGROUND

With the rapid development of communication technologies, mobile terminals such as smartphones and tablet PCs are increasingly popular. It seems that mobile terminals have become an integral part of people's daily life. While enriching people's life and bringing great conveniences to people, such hi-tech products increasingly need to confront information security problems.

For example, providers of illegal software may spread malware over the Internet to infect mobile devices and computers. If a user browses certain malicious websites or downloads certain information, such malware may run in the user's ... In some cases, malware may harass people personally; in more serious cases, malware may hunt for and transmit people's personal data (for example, account passwords) to the malware providers, thus compromising people's privacy and financial security. Therefore, dealing with and detecting malware effectively is an urgent issue.

Due to the limited processing capacity of a mobile terminal's CPU, a mobile terminal usually adopts simple malware detection methods, such as performing simple binary scanning only on feature codes of a software application in order to determine whether a certain software application is indeed malware. However, malware usually encrypts its sensitive fields, thus rendering existing malware detection methods inadequate for accurately and directly detecting malware.

SUMMARY

The embodiments of the present disclosure provide a method, device and system for detecting malware in a mobile terminal accurately.

In an embodiment, a method for detecting malware in a mobile terminal is disclosed. The method includes at least the following operations: obtaining an installation package of a software which is to be checked; decompressing the installation package to obtain a decompressed installation package; detecting the decompressed installation package to obtain a first detection result; sending the decompressed installation package to a cloud system; receiving a second detection result returned from the cloud system based upon the cloud performing a malware check on the decompressed installation package; determining that the software being checked is a malware, if one or both of the following is found: the first detection result and the second detection result each indicates that the decompressed installation package is abnormal.

In another embodiment, a device for detecting malware in a mobile terminal is disclosed. The device operates in conjunction with at least a processor with circuitry and at least a memory which stores instruction codes operable as a plurality of units, wherein the plurality of units include: an acquisition unit, which obtains an installation package of a software which is to be checked; a decompressing unit, which decompresses the installation package to obtain a decompressed installation package; a detecting unit, which detects the decompressed installation package to obtain a first detection result; a sending unit, which sends the decompressed installation package to a cloud system; a receiving unit, which receives a second detection result returned from the cloud system based upon the cloud performing a malware check on the decompressed installation package; a determining unit, which determines that the software being checked is a malware, if one or both of the following is found: the first detection result and the second detection result each indicates that the decompressed installation package is abnormal.

In another embodiment, a communication system is disclosed. The communication system may include at least a device for detecting malware in a mobile terminal, wherein the mobile device may be in communication with another communication device and a cloud server through a network, wherein the device operates in conjunction with at least a processor with circuitry and at least a memory which stores instruction codes operable as a plurality of units. The plurality of units may include: an acquisition unit, which obtains an installation package of a software which is to be checked; a decompressing unit, which decompresses the installation package to obtain a decompressed installation package; a detecting unit, which detects the decompressed installation package to obtain a first detection result; a sending unit, which sends the decompressed installation package to a cloud system; a receiving unit, which receives a second detection result returned from the cloud system based upon the cloud performing a malware check on the decompressed installation package; a determining unit, which determines that the software being checked is a malware, if one or both of the following is found: the first detection result and the second detection result each indicates that the decompressed installation package is abnormal.

Yet in another embodiment, a non-transitory computer readable storage medium is disclosed, wherein the computer readable storage medium stores a program which comprises codes or instructions to cause a processor circuitry to execute operations for detecting malware in a mobile terminal. The operations may include: decompressing the installation package to obtain a decompressed installation package; detecting the decompressed installation package to obtain a first detection result; sending the decompressed installation package to a cloud system; receiving a second detection result returned from the cloud system based upon the cloud performing a malware check on the decompressed installation package; determining that the software being checked is a malware, if one or both of the following is found: the first detection result and the second detection result each indicates that the decompressed installation package is abnormal.

The various embodiments of the present disclosure enable the mobile terminal not only to detect malware
`
`
`
locally, but also to have malware detected more accurately by a powerful cloud system with more processing resources.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a flowchart which illustrates an exemplary method for detecting malware in a mobile terminal, according to an embodiment of the disclosure.

FIG. 2a illustrates an exemplary system diagram implementing a method for detecting malware in a mobile terminal, according to an embodiment of the disclosure.

FIG. 2b is an exemplary system diagram depicting an end system and a cloud system, according to an embodiment of the disclosure.

FIG. 2c shows another flowchart which illustrates an exemplary method for detecting malware in a mobile terminal, according to another embodiment of the disclosure.

FIG. 3 shows a simplified structure diagram of a mobile terminal which detects malware, according to an embodiment of the disclosure.

FIG. 4 shows an exemplary functional structure diagram of a mobile terminal which detects malware, according to an embodiment of the disclosure.

DETAILED DESCRIPTION OF THE EMBODIMENTS

The various embodiments of the present disclosure are further described in detail in combination with the attached drawings and embodiments below. It should be understood that the specific embodiments described here are used only to explain the present disclosure, and are not used to limit the present disclosure. In addition, for the sake of keeping the description brief and concise, the newly added features, or features that are different from those previously described, in each new embodiment will be described in detail. Similar features may be referenced back to the prior descriptions in a prior numbered drawing or referenced ahead to a higher numbered drawing.

The embodiments of the present disclosure provide a method, a device and a system for detecting malware in a mobile terminal, which may be applied to an Android system. Each of the following embodiments illustrates an exemplary implementation.

Embodiment 1 relates to a device which may be integrated into a mobile terminal for detecting malware in the mobile terminal. The mobile terminal may be a smartphone, a tablet PC, an e-book reader, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a laptop computer, a desktop computer or any electronic device which runs applications and is capable of connecting to a network.

FIG. 1 shows a flowchart which illustrates an exemplary method for detecting malware in a mobile terminal, according to an embodiment of the disclosure. The exemplary operations may include at least the following steps:

Step 101: Obtaining an installation package of software which is to be checked. For example, the installation package of the software may be an Android Package (APK).

Step 102: Decompressing the installation package of software to obtain a decompressed installation package, such as a decompressed APK in the above example.

Step 103: Detecting the decompressed installation package to obtain a first detection result. The operation may further include the following: (1) performing a heuristic scanning of the decompressed installation package (for example, a decompressed APK), and obtaining a first scanning result; (2) performing a binary scanning of feature codes contained in the decompressed installation package to obtain a second scanning result; (3) performing an authority limits file scanning on the decompressed installation package to obtain a third scanning result; and (4) indicating in the first detection result that the decompressed installation package is abnormal, if any one of the following is found: the first scanning result, the second scanning result, and the third scanning result each indicates that the decompressed installation package is abnormal.

The heuristic scanning to obtain the first scanning result may include scanning (A) an installation root directory, (B) resource files, and (C) a basic dependent library of the decompressed installation package (such as a decompressed APK) respectively. More specifically, each of the scans in step 103 may further be described as follows:

(A) The performing of the scanning of each of the installation root directory, resource files and basic dependent library of the decompressed installation package, respectively, to obtain the first detection result may include scanning the installation root directory of the decompressed installation package and indicating in the first scanning result that the decompressed installation package is abnormal, if any one of the following takes place: a preset conventional file is not found under the installation root directory, or an abnormal file is found under the installation root directory, wherein the abnormal file is an executable (portable) file, i.e., the abnormal file is not an Executable and Linkable Format (ELF) file or Shell file.

The preset conventional file may be set according to actual needs; for example, the preset conventional file may be an assets file, a res file, a layout file, a dex file, or an Extensible Markup Language (xml) file.

(B) Scanning the resource files contained in the decompressed installation package, and indicating in the first scanning result that the decompressed installation package is abnormal, if other types of files exist in addition to the preset file type. The preset file type may be set according to actual needs; for example, resource files may include XML files, PNG files, and MP3 files, so the first scanning result may indicate that the decompressed installation package is abnormal if other types of files exist.

(C) Scanning the basic dependent library (for example, a lib file) contained in the decompressed installation package, and indicating in the first scanning result that the decompressed installation package is abnormal, if there exist other types of files in addition to the preset file type or if a file format does not comply with the preset rules.

In other words, the first scanning result indicates that the decompressed installation package is abnormal if any one or more of the above circumstances exists, wherein the preset file type and preset rules may be set according to actual needs. An example of the basic dependent library may be a lib folder; a lib folder generally may contain three file directories including armeabi, armeabiv7, and x86, and the file format must comply with the ELF rules; the first scanning result indicates that the decompressed installation package is abnormal if there exist other types of files.

The performing of binary scanning on feature codes contained in the decompressed installation package (for example, a decompressed APK) may obtain a second scanning result. For example, performing a binary scanning on feature codes (for example, phone numbers and C&C websites) contained in the decompressed installation package, and the second scanning result may indicate that the decompressed installation package is abnormal, if there exist feature codes similar to a preset virus sample.

The performing of an authority limits file scanning on the decompressed installation package (for example, a decompressed APK) may obtain a third scanning result. The performing of the authority limits file scanning on the decompressed installation package may indicate in the third scanning result that the decompressed installation package is abnormal, if there exists a dangerous authority limits combination. The authority limits file may specifically be an AndroidManifest.xml file, which may contain such information as the package name, Activity and Service names, monitored broadcast type, receiver name, and required authorities.

The first detection result may indicate that the decompressed installation package is abnormal, if any one of the following is found: the first scanning result, second scanning result, and/or third scanning result each indicates that the decompressed installation package is abnormal.

In other words, the first detection result may indicate that the decompressed installation package is abnormal, if any one or more of the following takes place: the first scanning result, second scanning result, and third scanning result each indicates that the decompressed installation package is abnormal.

Step 104: Sending the decompressed installation package (for example, a decompressed APK) to a cloud system, based upon the cloud system performing a malware detection on the decompressed installation package; for the convenience of description, the result obtained by the cloud system after performing malware detection is called the second detection result.

Step 104 may further include the following operations:

(1) The cloud system analyzing the authority limits file contained in the decompressed installation package, and obtaining an analysis result. For example, the cloud system may indicate in the analysis result that the decompressed installation package may be abnormal, if a name of a data package in the authority limits file contained in the decompressed installation package is the same as or similar to a name of a virus package in a preset database. The cloud system may indicate in the analysis result that the decompressed installation package is abnormal, if a combination of authority limits quantity requested by the decompressed installation package exceeds the combination of authority limits quantity provided by the type of software which is to be checked. The cloud system may indicate in the analysis result that the decompressed installation package is abnormal, if a signature in the authority limits file contained in the decompressed installation package is the same as or similar to a signature of a virus in a preset database.

(2) The cloud system performing similarity comparison between the codes in executable files contained in the decompressed installation package and codes in a preset sample file, in order to obtain a first comparison result. For example, opening a reverse classes.dex file, clustering and eliminating similar codes, and comparing the similarity between the codes in a sample and the target codes, wherein the similarity may specifically be indicated by a value in a range from 0 to 1.

(3) The cloud system performing similarity comparison between the Application Programming Interface (API) call tree of executable files contained in the decompressed installation package and the API call tree in a preset sample file, in order to obtain a second comparison result.

(4) The cloud system indicating in the second detection result that the decompressed installation package is abnormal, if any one of the following takes place: the analysis result, the first comparison result and the second comparison result each indicates that the decompressed installation package is abnormal.

Accordingly, the cloud system may indicate in the second detection result that the decompressed installation package is abnormal, if any one or more of the following takes place: the analysis result, the first comparison result and the second comparison result each indicates that the decompressed installation package is abnormal.

Furthermore, the cloud system may recompile the Dalvik VMware (a Java VMware) in the Android 2.2 source codes, log the parameters of some APIs in the sensitive framework layer by using the Hook technology, and run the target decompressed installation package (an APK) by using the recompiled Dalvik VMware to obtain related information, so as to determine whether the decompressed installation package is abnormal.

Step 105: Receiving the second detection result returned from the cloud system based upon the cloud performing a malware check on the decompressed installation package.

Step 106: Determining that the software being checked is malware, if one or both of the following is found: the first detection result and the second detection result each indicate that the decompressed installation package is abnormal. Otherwise, determining that the software to be checked is not malware if neither the first detection result nor the second detection result indicates that the decompressed installation package is abnormal.

FIG. 2a illustrates an exemplary system diagram (200) implementing a method for detecting malware in a mobile terminal (224), according to an embodiment of the disclosure. In an embodiment, the device may be integrated into the mobile terminal (224), wherein the mobile terminal may run on an Android system, and the software installation package may be an APK.

As shown in FIG. 2a, the mobile terminal may transfer a decompressed installation package to a cloud system (222) via a base station (226). The cloud system (222) may include multiple servers (222a to 222d), which communicate with each other via an Ethernet and process the decompressed installation package cooperatively. In other words, malware detection may include at least two parts: one part may be implemented within the mobile terminal (224) (also known as an end system), and the other part is implemented in a cloud system (200).

FIG. 2b is an exemplary system diagram depicting an end system and a cloud system, according to an embodiment of the disclosure. As shown in FIG. 2b, the end system (224) (i.e., the mobile terminal) may mainly perform functions such as: decompression (2241), heuristic scanning (2242), binary scanning (2243), and authority limits file scanning (2244). The cloud system (200) may mainly perform functions such as: secondary analysis (2221) of an authority limits file (for example, an xml file), similarity comparison (2222) of the codes contained in the executable files, an analysis of the dex file (2223), and dynamic execution (2224).

FIG. 2c shows another flowchart which illustrates an exemplary method for detecting malware in a mobile terminal (224), according to another embodiment of the disclosure. The method may include at least the following operations:

Step 201: The mobile terminal (224) may obtain an APK to be checked.

Step 202: The mobile terminal decompresses the obtained APK to obtain a decompressed APK. For example, the
`
`
`
mobile terminal (224) may decompress the APK in a ZIP format, and this step therefore may not consume excessive CPU resources because the APK installation process is only a decompression process.

Step 203: The mobile terminal checks the decompressed APK to obtain a first detection result. For example, step 203 may further include the following scanning operations:

(1) Performing a heuristic scanning (2242) of the decompressed APK and obtaining a first scanning result, such as scanning the installation root directory, resource files, and basic dependent library of the decompressed APK respectively, and obtaining a first scanning result.

More specifically, scanning the APK root directory contained in the decompressed APK may detect whether there exist any conventional files (including assets files, res files, layout files, dex files, and xml files) under the APK root directory. If yes, indicate in the first scanning result that the decompressed installation package is abnormal; if there exist some abnormal files (files other than the conventional files) under the APK root directory, determine or judge whether the abnormal files are executable files (portable), for example, determining whether the abnormal files are ELF files or Shell files, and afterwards, indicate in the first scanning result that the decompressed installation package may be abnormal if the abnormal files are executable files.

[...]

broadcast types, receiver name, and required authorities, to name a few. On the mobile terminal side, the scanning may mainly be checking whether the AndroidManifest.xml file may contain any dangerous authority limits combination, such as virus sample learning, which shows that some viruses may monitor short messages and network status. In this regard, the analysis of the AndroidManifest.xml file may be mainly to check the combination of short message and network authorities. If a dangerous authority limits combination is detected, indicate in the third scanning result that the decompressed installation package may be abnormal.

(4) The detecting and checking of the decompressed files may also include indicating in the first detection result that the decompressed APK may be abnormal, if any one of the following takes place: the first scanning result, second scanning result, and third scanning result each indicates that the decompressed installation package is abnormal.

Accordingly, the first detection result may indicate that the decompressed APK is abnormal if any one or more of the following takes place: the first scanning result, second scanning result, and third scanning result each indicates that the decompressed APK is abnormal.

Step 204: The mobile terminal (224) sends the decompressed APK to the cloud system (222).

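The following Python is an added illustration of the end-system side of the procedure described in Steps 103 and 203 (heuristic scanning of the root directory, resource files and lib directory; binary scanning for feature codes; authority limits file scanning of the manifest) and of the Step 106 combination rule. It is not code from the patent or from Tencent. A decompressed APK is modelled as a dictionary from relative path to file bytes, the two sample packages, the feature-code list and the C&C host name are constructed for this example, and the cloud's second detection result is taken as a plain input rather than computed, since the cloud-side similarity comparison is not modelled here.

```python
import re

# Added example, not the patent's or Tencent's code: an offline model of the
# end-system checks described for Step 103 / Step 203. A decompressed APK is a
# dict {relative path: file bytes}; every sample below is constructed.

ELF_MAGIC = b"\x7fELF"   # header of an Executable and Linkable Format file
SHEBANG = b"#!"          # first bytes of a shell script

# Preset conventional root entries. The text names assets, res, layout, dex and
# xml; layout files live under res/ in a real APK, so they are not a root entry.
CONVENTIONAL_ROOT = {"AndroidManifest.xml", "classes.dex", "assets", "res"}
RESOURCE_TYPES = {".xml", ".png", ".mp3"}      # preset resource file types from the text
LIB_DIRS = {"armeabi", "armeabiv7", "x86"}     # preset lib sub-directories from the text
# Constructed stand-ins for a preset virus sample's feature codes (fake values).
FEATURE_CODES = [b"+10000000000", b"cc.example.invalid"]
# The dangerous authority-limits combination the text singles out: short message
# plus network access (real Android permission names).
DANGEROUS_COMBINATION = {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"}


def is_executable(data: bytes) -> bool:
    """Executable (portable) file test used by the root-directory scan."""
    return data.startswith(ELF_MAGIC) or data.startswith(SHEBANG)


def scan_root(pkg: dict) -> bool:
    """(A) Root directory: abnormal if a conventional entry is missing or a stray
    executable sits directly under the root."""
    top_level = {path.split("/", 1)[0] for path in pkg}
    if not CONVENTIONAL_ROOT <= top_level:
        return True
    return any("/" not in path and path not in CONVENTIONAL_ROOT and is_executable(data)
               for path, data in pkg.items())


def scan_resources(pkg: dict) -> bool:
    """(B) res/: abnormal if a file type outside the preset resource types is present."""
    for path in pkg:
        if path.startswith("res/"):
            name = path.rsplit("/", 1)[-1]
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in RESOURCE_TYPES:
                return True
    return False


def scan_lib(pkg: dict) -> bool:
    """(C) lib/: abnormal if a file is outside the preset ABI directories or not ELF."""
    for path, data in pkg.items():
        if path.startswith("lib/"):
            parts = path.split("/")
            if len(parts) != 3 or parts[1] not in LIB_DIRS or not data.startswith(ELF_MAGIC):
                return True
    return False


def heuristic_scan(pkg: dict) -> bool:
    """First scanning result: any of (A), (B), (C) flags the package."""
    return scan_root(pkg) or scan_resources(pkg) or scan_lib(pkg)


def binary_scan(pkg: dict) -> bool:
    """Second scanning result: a preset feature code occurs in any file."""
    return any(code in data for data in pkg.values() for code in FEATURE_CODES)


def permissions(manifest_xml: bytes) -> set:
    """Requested authorities from <uses-permission android:name="..."/> entries."""
    found = re.findall(rb'<uses-permission[^>]*android:name="([^"]+)"', manifest_xml)
    return {p.decode() for p in found}


def authority_scan(pkg: dict) -> bool:
    """Third scanning result: the manifest requests the dangerous combination."""
    return DANGEROUS_COMBINATION <= permissions(pkg.get("AndroidManifest.xml", b""))


def first_detection_result(pkg: dict) -> bool:
    """Step 103 (4): abnormal if any of the three scanning results is abnormal."""
    return heuristic_scan(pkg) or binary_scan(pkg) or authority_scan(pkg)


def is_malware(pkg: dict, second_detection_result: bool) -> bool:
    """Step 106: malware if the local result or the cloud result flags the package."""
    return first_detection_result(pkg) or second_detection_result


def manifest(*perms: str) -> bytes:
    """Build a minimal constructed AndroidManifest.xml requesting the given permissions."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return f'<manifest package="com.example.demo">{uses}</manifest>'.encode()


# Constructed sample packages (not real apps).
BENIGN_APK = {
    "AndroidManifest.xml": manifest("android.permission.INTERNET"),
    "classes.dex": b"dex\n035\x00demo",
    "assets/data.bin": b"\x00\x01\x02",
    "res/layout/main.xml": b"<LinearLayout/>",
    "res/drawable/icon.png": b"\x89PNG",
    "lib/armeabi/libnative.so": ELF_MAGIC + b"\x01\x01\x01",
}
SUSPICIOUS_APK = dict(BENIGN_APK)
SUSPICIOUS_APK["AndroidManifest.xml"] = manifest(
    "android.permission.INTERNET", "android.permission.RECEIVE_SMS")
SUSPICIOUS_APK["update.sh"] = b"#!/system/bin/sh\n"                 # stray executable at root
SUSPICIOUS_APK["assets/config.dat"] = b"server=cc.example.invalid"  # feature code hit

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN_APK), ("suspicious", SUSPICIOUS_APK)):
        print(label, "first detection result:", first_detection_result(pkg),
              "| verdict with no cloud hit:", is_malware(pkg, False))
```

Each scanning function returns a boolean "abnormal" flag, mirroring the text's rule that any single abnormal scanning result makes the first detection result abnormal, and that either detection result alone is enough for the final malware verdict; the benign package passes every local check but is still classified as malware when the cloud result is abnormal.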