Device, system, and method of detecting overlay malware
First Claim
1. A method comprising:
automatically detecting that an overlay malware module is active on an electronic device having a touch-screen, wherein the overlay malware module generates a malicious always-on-top masking layer that covers at least a portion of a content displayed by a victim application running on said electronic device;
wherein the detecting comprises:
(a) generating a protective always-on-top layer which is transparent and non-visible to a human user;
(b) automatically generating a non-human touch-event in a particular on-screen location of said touch-screen;
(c) detecting whether or not said non-human touch-event was actually received at said protective always-on-top layer within M milliseconds of performing step (b);
(d) if the detecting of step (c) indicates that said non-human touch-event was not received at said protective always-on-top layer within M milliseconds of performing step (b), then determining that said overlay malware module is active on the electronic device.
Abstract
Devices, systems, and methods to detect malware, particularly an overlay malware that generates a fake, always-on-top, masking layer or an overlay component that attempts to steal passwords or other user credentials. A defensive module protects a victim application, particularly of an electronic device having a touch-screen. The defensive module generates a transparent or invisible always-on-top layer of its own; and periodically injects automatically-generated non-human tap events or touch-gesture events, and checks whether the injected events are indeed received, in order to determine whether an overlay malware is active.
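The probe loop of steps (a) to (d), as an added Python simulation that is not code from the patent: a toy window stack stands in for the touch-screen, and it probes several points rather than the single location the claim recites. The layer names, screen geometry, the 50 ms value used for M, and the masking layer's consume-or-relay behaviour are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Layer:
    name: str
    rect: tuple                      # (left, top, right, bottom) in pixels
    z: int                           # higher z is drawn above lower z
    relay_ms: Optional[int] = None   # None: consume the touch; int: pass it down after this delay
    seen: dict = field(default_factory=dict)   # probe token -> simulated arrival time in ms

    def covers(self, x, y):
        left, top, right, bottom = self.rect
        return left <= x < right and top <= y < bottom

def dispatch(layers, x, y, token):
    """Toy window manager: deliver to the topmost covering layer, then follow relays downward."""
    clock = 0
    for layer in sorted(layers, key=lambda l: -l.z):
        if not layer.covers(x, y):
            continue
        layer.seen[token] = clock
        if layer.relay_ms is None:
            return
        clock += layer.relay_ms

def probe(layers, shield, points, m_ms):
    """Steps (b)-(d): inject a tagged synthetic touch per point; return points that missed the shield."""
    shield.seen.clear()
    missed = []
    for i, (x, y) in enumerate(points):
        token = f"probe-{i}"
        dispatch(layers, x, y, token)                 # step (b)
        arrival = shield.seen.get(token)              # step (c)
        if arrival is None or arrival > m_ms:         # step (d)
            missed.append((x, y))
    return missed

def demo():
    # Constructed 1080x1920 screen; every layer below is made up for the example.
    app = Layer("victim-app", (0, 0, 1080, 1920), z=0)
    shield = Layer("protective-layer", (0, 0, 1080, 1920), z=10, relay_ms=0)   # step (a)
    points = [(540, 300), (540, 1000), (540, 1700)]
    clean = probe([app, shield], shield, points, m_ms=50)
    swallow = Layer("masking-layer", (100, 800, 980, 1300), z=20)              # consumes touches
    hit = probe([app, shield, swallow], shield, points, m_ms=50)
    slow = Layer("masking-layer", (100, 800, 980, 1300), z=20, relay_ms=120)   # relays too late
    late = probe([app, shield, slow], shield, points, m_ms=50)
    return clean, hit, late
```

Only the probe point that falls inside the masking layer's rectangle is reported, which is why a partial overlay can be missed when the probe location lies outside the covered portion.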
20 Claims
20. A system comprising:
a defensive module configured to run on an electronic device having a touch-screen, wherein the defensive module automatically detects an overlay malware module that is active on said electronic device, wherein the overlay malware module generates a malicious always-on-top masking layer that covers at least a portion of a content displayed by a victim application running on said electronic device; wherein the defensive module is configured to:
(a) generate a protective always-on-top layer which is transparent and non-visible to a human user;
(b) automatically generate a non-human touch-event in a particular on-screen location of said touch-screen;
(c) detect whether or not said non-human touch-event was actually received at said protective always-on-top layer within M milliseconds of performing step (b); and
(d) if the detecting of step (c) indicates that said non-human touch-event was not received at said protective always-on-top layer within M milliseconds of performing step (b), then determine that said overlay malware module is active on the electronic device.
Specification