Device, system, and method of detecting overlay malware

US 10,397,262 B2
Filed: 07/20/2017
Issued: 08/27/2019
Est. Priority Date: 07/20/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

automatically detecting that an overlay malware module is active on an electronic device having a touch-screen,wherein the overlay malware module generates a malicious always-on-top masking layer that covers at least a portion of a content displayed by a victim application running on said electronic device;

wherein the detecting comprises;

(a) generating a protective always-on-top layer which is transparent and non-visible to a human user;

(b) automatically generating a non-human touch-event in a particular on-screen location of said touch-screen;

(c) detecting whether or not said non-human touch-event was actually received at said protective always-on-top layer within M milliseconds of performing step (b);

(d) if the detecting of step (c) indicates that said non-human touch-event was not received at said protective always-on-top layer within M milliseconds of performing step (b), then determining that said overlay malware module is active on the electronic device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices, systems, and methods to detect malware, particularly an overlay malware that generates a fake, always-on-top, masking layer or an overlay component that attempts to steal passwords or other user credentials. A defensive module protects a victim application, particularly of an electronic device having a touch-screen. The defensive module generates a transparent or invisible always-on-top layer of its own; and periodically injects automatically-generated non-human tap events or touch-gesture events, and checks whether the injected events are indeed received, in order to determine whether an overlay malware is active.

311 Citations

20 Claims

1. A method comprising:
- automatically detecting that an overlay malware module is active on an electronic device having a touch-screen,wherein the overlay malware module generates a malicious always-on-top masking layer that covers at least a portion of a content displayed by a victim application running on said electronic device;
  
  wherein the detecting comprises;
  
  (a) generating a protective always-on-top layer which is transparent and non-visible to a human user;
  
  (b) automatically generating a non-human touch-event in a particular on-screen location of said touch-screen;
  
  (c) detecting whether or not said non-human touch-event was actually received at said protective always-on-top layer within M milliseconds of performing step (b);
  
  (d) if the detecting of step (c) indicates that said non-human touch-event was not received at said protective always-on-top layer within M milliseconds of performing step (b), then determining that said overlay malware module is active on the electronic device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein step (d) further comprises:
    - based on a series of multiple non-human injections of touch-events at multiple, different, on-screen locations, determining an estimated on-screen size of the overlay malware module.
  - 3. The method of claim 1, wherein step (d) further comprises:
    - based on a series of multiple non-human injections of touch-events at multiple, different, on-screen locations, determining an estimated on-screen location of the overlay malware module.
  - 4. The method of claim 1, wherein step (d) further comprises:
    - based on a series of multiple non-human injections of touch-events at multiple, different, on-screen locations, determining which particular User Interface (UI) elements of the victim application, are actually masked by the overlay malware module.
  - 5. The method of claim 1, wherein step (d) further comprises:
    - based on a series of multiple non-human injections of touch-events at multiple, different, on-screen locations, determining that a first particular User Interface (UI) element of the victim application is actually masked by the overlay malware module, and further determining that a second, different, UI element of the victim application is concurrently non-masked by the overlay malware module.
  - 6. The method of claim 1, wherein step (d) further comprises:
    - based on a series of multiple non-human injections of touch-events at multiple, different, on-screen locations, determining whether (I) the overlay malware module is active and covers an entirety of the touch-screen of the electronic device, or (II) the overlay malware module is active and covers less than the entirety of the touch-screen of the electronic device.
  - 7. The method of claim 1, wherein step (d) comprises:
    - based on a series of multiple non-human injections of touch-events at multiple, different, on-screen locations, detecting and distinguishing between;
      
      (I) a first scenario in which the malware module is active and is masking at least a portion of the victim application in order to steal user credentials, and (II) a second scenario in which the victim application is masked by a non-malware always-on-top layer of an application which is not said malware module and is not said victim application.
  - 8. The method of claim 1, wherein step (d) comprises:
    - based on a series of multiple non-human injections of touch-events at multiple, different, on-screen locations, detecting and distinguishing between;
      
      (I) a first scenario in which the malware module is active and is masking at least a portion of the victim application in order to steal user credentials, and (II) a second scenario in which the victim application is masked by a non-malware always-on-top layer of an application which is not said malware module and is not said victim application; and
      
      (III) a third scenario in which it is determined that no malware module and no other application is currently masking a User Interface of the victim application.
  - 9. The method of claim 1, wherein step (d) comprises:
    - determining one or more attributes of the overlay malware module, based on a series of multiple non-human injections of touch-events at multiple, different, on-screen locations, at pseudo-random time intervals that are pseudo-randomly selected from a range of permissible time-interval values.
  - 10. The method of claim 1, wherein step (d) comprises:
    - determining one or more attributes of the overlay malware module, based on a series of multiple non-human injections of touch-events at multiple, different, on-screen locations, at pseudo-random time intervals that are non-pseudo-randomly selected from a pre-defined set of permissible time-interval values.
  - 11. The method of claim 1, wherein step (d) comprises:
    - determining one or more attributes of the overlay malware module, based on a series of multiple non-human injections of touch-events at multiple, different, on-screen locations, wherein the multiple on-screen locations have a particular pre-defined sequence that indicates in which order said injections are performed in particular on-screen locations.
  - 12. The method of claim 1, wherein step (d) comprises:
    - determining one or more attributes of the overlay malware module, based on a series of multiple non-human injections of touch-events at multiple, different, on-screen locations, wherein the multiple on-screen locations have a particular pre-defined sequence that indicates in which order said injections are performed in a central region of the touch-screen and in corner regions of the touch-screen.
  - 13. The method of claim 1, wherein all of steps (a), (b), (c) and (d) are performed on a non-rooted electronic device.
  - 14. The method of claim 1, wherein all of steps (a), (b), (c) and (d) are performed by a defensive module that does not have root access in said electronic device.
  - 15. The method of claim 1, wherein all of steps (a), (b), (c) and (d) are performed by a defensive module that does not have access to any system logs of the electronic device.
  - 16. The method of claim 1, wherein all of steps (a), (b), (c) and (d) are performed by a defensive module that is implemented as an integral component within said victim application.
  - 17. The method of claim 1, wherein all of steps (a), (b), (c) and (d) are performed by a defensive module that is implemented as an external component which resides in said electronic device and which runs on said electronic device but is a separate application from said victim application.
  - 18. The method of claim 1, wherein if it is determined in step (d) that the overlay malware module is active on the electronic device, then the method comprises activating a local fraud mitigation module that runs locally on said electronic device.
  - 19. The method of claim 1, wherein if it is determined in step (d) that the overlay malware module is active on the electronic device, then the method comprises automatically transmitting an account-locking signal from said electronic device to a remote server, wherein the account-locking signal indicates to said remote server to block access to a particular user-account on said remote server.

20. A system comprising:
- a defensive module configured to run on an electronic device having a touch-screen,wherein the defensive module automatically detects an overlay malware module that is active on said electronic device,wherein the overlay malware module generates a malicious always-on-top masking layer that covers at least a portion of a content displayed by a victim application running on said electronic device;
  
  wherein the defensive module is configured to;
  
  (a) generate a protective always-on-top layer which is transparent and non-visible to a human user;
  
  (b) automatically generate a non-human touch-event in a particular on-screen location of said touch-screen;
  
  (c) detect whether or not said non-human touch-event was actually received at said protective always-on-top layer within M milliseconds of performing step (b); and
  
  (d) if the detecting of step (c) indicates that said non-human touch-event was not received at said protective always-on-top layer within M milliseconds of performing step (b), then determine that said overlay malware module is active on the electronic device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Biocatch Ltd.
Original Assignee
Biocatch Ltd.
Inventors
Karabchevsky, Leonid, Turgeman, Avi
Primary Examiner(s)
Su, Sarah

Application Number

US15/654,731
Publication Number

US 20190028497A1
Time in Patent Office

768 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/032   Protect output to user by s...

G06F 3/0488   using a touch-screen or dig...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

H04W 12/12   Detection or prevention of ...

Device, system, and method of detecting overlay malware

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

311 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Device, system, and method of detecting overlay malware

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

311 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links