Android恶意程序行为分析系统设计

提出了一种基于行为的Android恶意程序分析系统（nDroidAS）设计. nDroidAS加入客户端组件监控用户设备上的Android安装包（APK）安装操作，以及时分析待安装应用程序. 服务器端在虚拟环境中安装、运行应用程序，执行动态行为分析检出恶意程序；同时，抓取互联网中的APK程序包并提前分析，建立结果缓存，加快对用户分析请求的响应. 构建了简化的nDroidAS原型系统，分析了部分APK程序样本. 验证结果表明：nDroidAS能有效监控Android设备中的APK安装操作并及时响应客户端分析请求，是一种可行的恶意程序行为分析系统方案.

Design on Android Malware Behavior Analysis System

Consisting of nDroidC (client) and nDroidS(server), a behavior-based Android malware analysis system: nDroidAS is proposed. Application installation events on the Android device are monitored by nDroidC, which generates analysis requests while an application is to be installed. The target application is installed in nDroidS, by which dynamic feature vectors of the application are collected and analyzed to detect the malicious ones. Meanwhile, to pre-analyze applications, an Android package(APK) fetcher is designed in nDroidS to fetch APK samples from app markets. Some key technologies of the system such as feature vectors selection and interaction simulation are also discussed. A simplified prototype of nDroidAS is built, which is able to analyze Android malwares dynamically and fetch APK samples in the wild. Experiments show that the proposed system architecture is feasible.