Search

CN-121997324-A - Counterfeit application detection method, equipment and medium

CN121997324ACN 121997324 ACN121997324 ACN 121997324ACN-121997324-A

Abstract

The embodiment of the invention provides a counterfeit application detection method, equipment and medium. The method comprises the steps of carrying out icon similarity analysis on the application program to be detected and a white sample in a sample library, obtaining peak signal-to-noise ratio and structure similarity results, obtaining key signature information and keyhash values of the application program to be detected based on the peak signal-to-noise ratio and the structure similarity results, comparing the key signature information and keyhash values with key signature information and keyhash values of the white sample, and if the comparison results are inconsistent, comparing the authority of the application program to be detected and the authority of the white sample, and if the authority of the application program to be detected is inconsistent, judging that the application program to be detected is counterfeit. The embodiment of the invention can be applied to the rapid detection of large-scale counterfeit application and has the characteristics of large scale, comprehensiveness, accuracy and high efficiency.

Inventors

  • PAN XUANCHEN
  • XU LIBIN
  • ZHAO XING

Assignees

  • 武汉安天信息技术有限责任公司

Dates

Publication Date
20260508
Application Date
20260119

Claims (8)

  1. 1. A counterfeit application detection method, comprising: Icon similarity analysis is carried out on the application program to be detected and the white sample in the sample library, and peak signal-to-noise ratio and structure similarity results are obtained; Based on the peak signal-to-noise ratio and the structure similarity result, acquiring key signature information and keyhash values of the application program to be detected, and comparing the key signature information and keyhash values with key signature information and keyhash values of a white sample; And if the comparison result is inconsistent, comparing the authority of the application program to be detected with that of the white sample, and if the application program to be detected has the authority which is inconsistent, judging that the application program to be detected is a counterfeit application.
  2. 2. The method for detecting counterfeit applications according to claim 1, wherein the performing icon similarity analysis on the application to be detected and the white samples in the sample library to obtain peak signal-to-noise ratio and structure similarity results comprises: Carrying out standardized processing on icons of the application program to be detected, and obtaining icon images with uniform size, color and brightness; Respectively obtaining PSNR peak signal-to-noise ratios of the application program icon to be detected and each white sample icon in a sample library, and obtaining N white samples with PSNR peak signal-to-noise values from high to low, wherein N is an integer, and N is greater than or equal to 1; And respectively calculating SSIM structure similarity values of the application program icon to be detected and the N white sample icons to obtain N PSNR peak signal-to-noise values and N SSIM structure similarity values.
  3. 3. The method for detecting a counterfeit application according to claim 2, wherein the obtaining key signature information and keyhash values of the application to be detected based on the peak signal-to-noise ratio and the structure similarity result, and comparing the key signature information and keyhash values with key signature information and keyhash values of a white sample, comprises: Based on the N PSNR peak signal-to-noise values and the N SSIM structure similarity values, M white samples of which the PSNR peak signal-to-noise values and the SSIM structure similarity values are in a preset range are obtained, wherein M is an integer; if M is greater than 0, acquiring a certificate signature of the application program to be detected, extracting key signature information in the certificate signature, and calculating keyhash values of the application program to be detected based on the certificate signature; And comparing the key signature information and keyhash values of the application program to be detected with the key signature information and keyhash values of the M white samples.
  4. 4. A counterfeit application detection method according to claim 3, wherein said calculating keyhash values of said application to be detected based on said certificate signature comprises: analyzing public key bytes in the certificate signature; carrying out hash operation on the public key bytes through a standard encryption hash algorithm to obtain a hash value with fixed length; And performing Base64 coding on the hash value with the fixed length to generate keyhash character strings of the application program to be detected.
  5. 5. The method for detecting a counterfeit application according to claim 3 or 4, wherein if the comparison result is inconsistent, comparing the authority of the application to be detected with that of the white sample, and if the comparison result is inconsistent, determining that the application to be detected is a counterfeit application, comprises: if the certificate signature and keyhash values of the application program to be detected are inconsistent with the comparison result of at least one white sample in the M white samples, extracting all right declarations of the application program to be detected, and recording an API calling event and a right requesting event during operation; Comparing all right claims of the application program to be detected with the right list of the at least one white sample one by one; And if the permission comparison result is not met and/or the API call event and the permission request event are not met with the permission statement of the application program to be detected, judging that the application program to be detected is a counterfeit application.
  6. 6. The method for detecting counterfeit applications according to claim 5, wherein said performing icon similarity analysis on the application to be detected and the white samples in the sample library further comprises: acquiring a preset number of legal application icons and certificate signatures, and carrying out standardized processing on all icons; Acquiring key signature information in a certificate signature of the legal application program, wherein the key signature information comprises a certificate fingerprint and developer identity information; calculating keyhash values of the legal application program based on the certificate signature of the legal application program; And storing the icons, the key signature information and keyhash values of the legal application programs with the preset number and the standardized icons, the key signature information and the keyhash values of the standardized icons into a sample library.
  7. 7. An electronic device, comprising: At least one processor, and At least one memory communicatively coupled to the processor, wherein: The memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any of claims 1-6.
  8. 8. A non-transitory computer readable storage medium storing computer instructions that cause the computer to perform the method of any one of claims 1 to 6.

Description

Counterfeit application detection method, equipment and medium Technical Field The embodiment of the invention relates to the technical field of computer application, in particular to a counterfeit application detection method, equipment and medium. Background With the rapid growth of the mobile internet we are witnessing the unprecedented explosive growth in the number and types of mobile applications. Today, applications (apps) released in mobile application stores are very diverse, ranging from basic communication tools to sophisticated online education, telemedicine, e-commerce, etc., and mobile internet applications have been deep into every corner of people's life, greatly enriching the user's function selection and service experience. However, the prosperous side is that some bad developers use familiarity and trust of users on the trending App, and the users download and use are misled by the carefully designed imitation App, so that the behavior may not only bring property loss and information leakage to the users, but also may cause wider security threat. For example, the counterfeit App may pose a serious threat to the privacy and security of the user by implanting malicious codes, excessively collecting personal information, obtaining mobile phone rights by rule violating, and the like. The village App is not always put on shelf in a regular application store, and the security compliance audit is avoided, so that the user is at risk of being stolen personal information, online banking, payment passwords and the like under the condition of blindness. At present, various detection methods of counterfeit applications are concentrated on static behavior detection, dynamic behavior detection, image detection and the like, and various problems exist, so that the detection methods of the counterfeit applications are further enhanced. Disclosure of Invention Aiming at the problems existing in the prior art, the embodiment of the invention provides a counterfeit application detection method, equipment and medium. In a first aspect, an embodiment of the present invention provides a method for detecting a counterfeit application, including: Icon similarity analysis is carried out on the application program to be detected and the white sample in the sample library, and peak signal-to-noise ratio and structure similarity results are obtained; Based on the peak signal-to-noise ratio and the structure similarity result, acquiring key signature information and keyhash values of the application program to be detected, and comparing the key signature information and keyhash values with key signature information and keyhash values of a white sample; And if the comparison result is inconsistent, comparing the authority of the application program to be detected with that of the white sample, and if the application program to be detected has the authority which is inconsistent, judging that the application program to be detected is a counterfeit application. In a second aspect, an embodiment of the present invention provides an electronic device, including: At least one processor, and At least one memory communicatively coupled to the processor, wherein: the memory stores program instructions executable by the processor, and the processor invokes the program instructions to perform the method for detecting a counterfeit application according to the first aspect of the embodiment of the present invention and the method according to any of the alternative embodiments thereof. In a third aspect, embodiments of the present invention provide a non-transitory computer readable storage medium storing computer instructions for performing the method for detecting a counterfeit application of the first aspect of embodiments of the present invention and the method of any of the alternative embodiments thereof. The counterfeit application detection method provided by the embodiment of the invention comprises the steps of firstly carrying out icon similarity analysis on an application program to be detected and a white sample in a sample library to obtain peak signal-to-noise ratio and structure similarity results, further comparing key signature information and keyhash values of the suspicious counterfeit application similar to the icons with key signature information and keyhash values of the white sample, judging that the application program to be detected is highly counterfeit application if the key signature information and/or keyhash values are inconsistent, further carrying out authority analysis comparison on the application program to be detected and the white sample, and judging that the application program to be detected is counterfeit application if authorities which are inconsistent with the authority of the white sample exist. The embodiment of the invention avoids the possible misjudgment and missed judgment problems of single analysis judgment through multidimensional imitation analysis such as icon similarity ana