Behavioral scanning of mobile applications

US 10,412,115 B1
Filed: 02/12/2018
Issued: 09/10/2019
Est. Priority Date: 04/25/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining an application;

executing the application in an emulated environment, the emulated environment including a user interface exerciser configured to generate a stream of simulated events as inputs to the application;

analyzing behavior signals of the application responsive to the stream of simulated events;

calculating a likelihood of maliciousness for each of the signals;

calculating a combined likelihood of maliciousness for the application based on the likelihood of maliciousness for each of the signals; and

classifying the application as malicious or not malicious based on the combined likelihood of maliciousness.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Behavioral analysis of a mobile application is performed to determine whether the application is malicious. During analysis, various user interactions are simulated in an emulated environment to activate many possible resulting behaviors of an application. The behaviors are classified as hard or soft signals. A probability of the application being malicious is determined through combining soft signals, and the application is classified as malicious or non-malicious. Users of the application, the developer of the application, or a distributor of the application are notified of the application classification to enable responsive action.

31 Citations

View as Search Results

21 Claims

1. A method comprising:
- obtaining an application;
  
  executing the application in an emulated environment, the emulated environment including a user interface exerciser configured to generate a stream of simulated events as inputs to the application;
  
  analyzing behavior signals of the application responsive to the stream of simulated events;
  
  calculating a likelihood of maliciousness for each of the signals;
  
  calculating a combined likelihood of maliciousness for the application based on the likelihood of maliciousness for each of the signals; and
  
  classifying the application as malicious or not malicious based on the combined likelihood of maliciousness.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein a particular behavior signal indicating an action that is indicative of malicious activity in some instances is classified as a soft signal, and wherein such a soft signal is assigned a higher probability of maliciousness when similar applications are unlikely to perform a similar action.
  - 3. The method of claim 1, wherein a particular behavior signal is accessing an address book of a mobile device and wherein the probability that the signal indicates maliciousness is increased based on an amount of address book entries accessed or a pattern in which address book entries are accessed.
  - 4. The method of claim 1, wherein the likelihood of maliciousness for a particular behavior signal is calculated from a detection rate and a false positive rate for the signal, wherein the detection rate indicates a probability that the signal is observed when executing a malicious application and the false positive rate indicates a probability that the signal is observed when executing a legitimate application.
  - 5. The method of claim 1, wherein the simulated events include events generated in successive tests wherein the behavior signals from a prior test are used to modify the simulated events of a subsequent test.
  - 6. The method of claim 1, wherein the emulated environment is determined based on a static analysis of the application, wherein the static analysis of the application includes analyzing a manifest of the application to determine the events the application registers for when it will be executing.
  - 7. The method of claim 1, wherein two or more behavior signals are not independent such that calculating the likelihood that a particular signal is malicious varies depending on other signals that are observed during the analysis.

8. A system comprising:
- one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising;
  
  obtaining an application;
  
  executing the application in an emulated environment, the emulated environment including a user interface exerciser configured to generate a stream of simulated events as inputs to the application;
  
  analyzing behavior signals of the application responsive to the stream of simulated events;
  
  calculating a likelihood of maliciousness for each of the signals;
  
  calculating a combined likelihood of maliciousness for the application based on the likelihood of maliciousness for each of the signals; and
  
  classifying the application as malicious or not malicious based on the combined likelihood of maliciousness.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein a particular behavior signal indicating an action that is indicative of malicious activity in some instances is classified as a soft signal, and wherein such a soft signal is assigned a higher probability of maliciousness when similar applications are unlikely to perform a similar action.
  - 10. The system of claim 8, wherein a particular behavior signal is accessing an address book of a mobile device and wherein the probability that the signal indicates maliciousness is increased based on an amount of address book entries accessed or a pattern in which address book entries are accessed.
  - 11. The system of claim 8, wherein the likelihood of maliciousness for a particular behavior signal is calculated from a detection rate and a false positive rate for the signal, wherein the detection rate indicates a probability that the signal is observed when executing a malicious application and the false positive rate indicates a probability that the signal is observed when executing a legitimate application.
  - 12. The system of claim 8, wherein the simulated events include events generated in successive tests wherein the behavior signals from a prior test are used to modify the simulated events of a subsequent test.
  - 13. The system of claim 8, wherein the emulated environment is determined based on a static analysis of the application, wherein the static analysis of the application includes analyzing a manifest of the application to determine the events the application registers for when it will be executing.
  - 14. The system of claim 8, wherein two or more behavior signals are not independent such that calculating the likelihood that a particular signal is malicious varies depending on other signals that are observed during the analysis.

15. One or more non-transitory computer-readable storage media encoded with instructions that, when executed by one or more computers, cause the one or more computers to perform operations comprising:
- obtaining an application;
  
  executing the application in an emulated environment, the emulated environment including a user interface exerciser configured to generate a stream of simulated events as inputs to the application;
  
  analyzing behavior signals of the application responsive to the stream of simulated events;
  
  calculating a likelihood of maliciousness for each of the signals;
  
  calculating a combined likelihood of maliciousness for the application based on the likelihood of maliciousness for each of the signals; and
  
  classifying the application as malicious or not malicious based on the combined likelihood of maliciousness.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The one or more non-transitory computer-readable storage media of claim 15, wherein a particular behavior signal indicating an action that is indicative of malicious activity in some instances is classified as a soft signal, and wherein such a soft signal is assigned a higher probability of maliciousness when similar applications are unlikely to perform a similar action.
  - 17. The one or more non-transitory computer-readable storage media of claim 15, wherein a particular behavior signal is accessing an address book of a mobile device and wherein the probability that the signal indicates maliciousness is increased based on an amount of address book entries accessed or a pattern in which address book entries are accessed.
  - 18. The one or more non-transitory computer-readable storage media of claim 15, wherein the likelihood of maliciousness for a particular signal is calculated from a detection rate and a false positive rate for the signal, wherein the detection rate indicates a probability that the signal is observed when executing a malicious application and the false positive rate indicates a probability that the signal is observed when executing a legitimate application.
  - 19. The one or more non-transitory computer-readable storage media of claim 15, wherein the simulated events include events generated in successive tests wherein the behavior signals from a prior test are used to modify the simulated events of a subsequent test.
  - 20. The one or more non-transitory computer-readable storage media of claim 15, wherein the emulated environment is determined based on a static analysis of the application, wherein the static analysis of the application includes analyzing a manifest of the application to determine the events the application registers for when it will be executing.
  - 21. The one or more non-transitory computer-readable storage media of claim 15, wherein two or more behavior signals are not independent such that calculating the likelihood that a particular signal is malicious varies depending on other signals that are observed during the analysis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
X Corp. (f/k/a Twitter, Inc.) (X Holdings Corp.)
Original Assignee
X Corp. (f/k/a Twitter, Inc.) (X Holdings Corp.)
Inventors
Daswani, Neilkumar Murli, Ranadive, Ameet, Rizvi, Shariq, Gagnon, Michael, Demir, Tufan, Eisenhaur, Gerald E.
Primary Examiner(s)
Moorthy, Aravind K

Application Number

US15/894,638
Time in Patent Office

575 Days
Field of Search

726 23, 726 25, 713161, 713165, 713168, 713187, 713188
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 3/005   Input arrangements through ...

G06F 3/017   Gesture based interaction, ...

G06F 3/0304   Detection arrangements usin...

G06V 40/11   Hand-related biometrics; Ha...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04M 1/72403   with means for local suppor...

Behavioral scanning of mobile applications

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Behavioral scanning of mobile applications

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links