Behavioral scanning of mobile applications
Abstract
Behavioral analysis of a mobile application is performed to determine whether the application is malicious. During analysis, various user interactions are simulated in an emulated environment to activate many possible resulting behaviors of an application. The behaviors are classified as hard or soft signals. A probability of the application being malicious is determined through combining soft signals, and the application is classified as malicious or non-malicious. Users of the application, the developer of the application, or a distributor of the application are notified of the application classification to enable responsive action.
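A sketch of the scoring flow the abstract describes, as an added example that is not taken from the patent. The noisy-OR combination rule, the 0.5 threshold, the treatment of a hard signal as decisive on its own, and all signal names and likelihood values are assumptions, since the page does not specify them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signal:
    name: str          # constructed behavior label, not from the patent
    hard: bool         # True = hard signal, False = soft signal
    likelihood: float  # per-signal likelihood of maliciousness in [0, 1]

def combine_soft(signals):
    """Assumed rule (noisy-OR): 1 - prod(1 - p_i) over the soft signals only."""
    p_benign = 1.0
    for s in signals:
        if s.hard:
            continue
        if not 0.0 <= s.likelihood <= 1.0:
            raise ValueError(f"{s.name}: likelihood outside [0, 1]")
        p_benign *= 1.0 - s.likelihood
    return 1.0 - p_benign

def classify(signals, threshold=0.5):
    """Return (verdict, combined likelihood, names of contributing signals)."""
    hard = [s.name for s in signals if s.hard]
    if hard:  # assumption: one hard signal settles the verdict by itself
        return "malicious", 1.0, hard
    combined = combine_soft(signals)
    ranked = sorted(signals, key=lambda s: s.likelihood, reverse=True)
    verdict = "malicious" if combined >= threshold else "not malicious"
    return verdict, combined, [s.name for s in ranked]

# Constructed emulator results: each list is what one run might have recorded.
QUIET_APP = [Signal("reads_device_id", False, 0.10),
             Signal("opens_network_socket", False, 0.05)]
# No single soft signal reaches the threshold, but together they do.
NOISY_APP = [Signal("reads_contacts", False, 0.20),
             Signal("uploads_after_contacts_read", False, 0.30),
             Signal("loads_code_at_runtime", False, 0.40)]
FLAGGED_APP = QUIET_APP + [Signal("matches_known_bad_behavior", True, 1.0)]

if __name__ == "__main__":
    for label, run in [("quiet", QUIET_APP), ("noisy", NOISY_APP),
                       ("flagged", FLAGGED_APP)]:
        verdict, score, names = classify(run)
        print(f"{label}: {verdict} ({score:.3f}) via {', '.join(names)}")
```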
21 Claims
1. A method comprising:
- obtaining an application;
- executing the application in an emulated environment, the emulated environment including a user interface exerciser configured to generate a stream of simulated events as inputs to the application;
- analyzing behavior signals of the application responsive to the stream of simulated events;
- calculating a likelihood of maliciousness for each of the signals;
- calculating a combined likelihood of maliciousness for the application based on the likelihood of maliciousness for each of the signals; and
- classifying the application as malicious or not malicious based on the combined likelihood of maliciousness.

Dependent claims: 2, 3, 4, 5, 6, 7.

8. A system comprising:
one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising:
- obtaining an application;
- executing the application in an emulated environment, the emulated environment including a user interface exerciser configured to generate a stream of simulated events as inputs to the application;
- analyzing behavior signals of the application responsive to the stream of simulated events;
- calculating a likelihood of maliciousness for each of the signals;
- calculating a combined likelihood of maliciousness for the application based on the likelihood of maliciousness for each of the signals; and
- classifying the application as malicious or not malicious based on the combined likelihood of maliciousness.

Dependent claims: 9, 10, 11, 12, 13, 14.

15. One or more non-transitory computer-readable storage media encoded with instructions that, when executed by one or more computers, cause the one or more computers to perform operations comprising:
- obtaining an application;
- executing the application in an emulated environment, the emulated environment including a user interface exerciser configured to generate a stream of simulated events as inputs to the application;
- analyzing behavior signals of the application responsive to the stream of simulated events;
- calculating a likelihood of maliciousness for each of the signals;
- calculating a combined likelihood of maliciousness for the application based on the likelihood of maliciousness for each of the signals; and
- classifying the application as malicious or not malicious based on the combined likelihood of maliciousness.

Dependent claims: 16, 17, 18, 19, 20, 21.

Specification