Monitoring for fraudulent or harmful behavior in applications being installed on user devices
Abstract
Software applications to be installed on user devices are monitored. Authenticity of the applications is evaluated using a plurality of inputs to provide a result. The plurality of inputs may include trust factors. The trust factors may be used to generate a security evaluation. In response to the result, an action is performed such as providing a notification to a developer of a fraudulent version of an application or providing a security assessment for an application.
17 Claims
1. A system, comprising:
- a data repository storing known behaviors associated with known software code components of at least one application associated with at least one user device;
- at least one processor; and
- memory storing instructions configured to instruct the at least one processor to:
  - monitor at least one application, including a first application, for installation on user devices including a first user device;
  - evaluate authenticity of the first application to provide a result, the evaluating comprising:
    - determining a plurality of software code components of the first application, the components including a first component and a second component,
    - attributing a first behavior to the first component,
    - attributing a second behavior to the second component,
    - comparing, by accessing the data repository, behaviors associated with each of the software code components with the known behaviors, the comparing comprising comparing the first behavior to a first known behavior and comparing the second behavior to a second known behavior,
    - assessing a context of the first user device when a signing identifier used to sign the first application is observed, the context based on trust factors corresponding to a state of the first user device, wherein the trust factors comprise a first factor directed to whether the first user device is protected by an anti-malware software application, a second factor directed to identifying a third application being accessed by a web browser running on the first user device, and determining whether the third application being accessed by the web browser is a security threat, and a third factor related to a security feature of the first application,
    - determining a usage history of the signing identifier, the history comprising signing of a second application by the signing identifier, the second application installed on a second user device, and
    - comparing, by accessing the data repository, at least one behavior of the first application and a stored known behavior of the second application; and
  - in response to the result, sending a report to a computing device other than the first user device, the report including an identification of an undesired behavior of the first application based on the result from the evaluating.

Dependent claims: 2, 3, 4, 5, 16, 17
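
The evaluation steps recited in claim 1, sketched as an added example (not code from the patent or its assignee). All names, the sample data, the 0-to-3 trust count, and the rule that a behavior outside a component's known set is "undesired" are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed data repository: known behaviors per known code component.
KNOWN_BEHAVIORS = {
    "adsdk-1.2": {"show_ads", "read_device_id"},
    "analytics-3.0": {"send_usage_stats"},
}
# Constructed usage history: signing identifier -> apps it signed -> stored behaviors.
SIGNER_HISTORY = {
    "signer-A": {"com.example.game": {"show_ads", "read_device_id", "send_usage_stats"}},
}

@dataclass
class DeviceContext:                # state of the device that observed the signer
    has_anti_malware: bool          # first trust factor
    browser_target_is_threat: bool  # second trust factor

@dataclass
class App:
    package: str
    signer: str
    components: dict                # component name -> behaviors attributed to it
    has_security_feature: bool      # third trust factor

def context_trust(ctx, app):
    """Number of trust factors satisfied, 0 to 3 (assumed scoring)."""
    return sum([ctx.has_anti_malware, not ctx.browser_target_is_threat,
                app.has_security_feature])

def evaluate(app, ctx):
    """Build the report that goes to a party other than the device."""
    undesired = {}
    for comp, observed in app.components.items():
        extra = observed - KNOWN_BEHAVIORS.get(comp, set())
        if extra:                   # component does more than its known behaviors
            undesired[comp] = sorted(extra)
    history = SIGNER_HISTORY.get(app.signer, {})
    prior = set().union(*history.values())       # behaviors of apps this signer signed
    seen = set().union(*app.components.values())
    return {"package": app.package, "signer_seen_before": bool(history),
            "context_trust": context_trust(ctx, app), "undesired": undesired,
            "new_for_signer": sorted(seen - prior), "suspect": bool(undesired)}

# Constructed sample: a repackaged build whose ad component gained a behavior.
REPACKAGED = App("com.example.game", "signer-B",
                 {"adsdk-1.2": {"show_ads", "read_device_id", "send_premium_sms"},
                  "analytics-3.0": {"send_usage_stats"}}, False)
REPORT = evaluate(REPACKAGED, DeviceContext(False, False))
```
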

6. A method, comprising:
- storing, in a data repository, known behaviors associated with known software code components of at least one application associated with at least one user device;
- receiving, over a network, data pertaining to at least one application to be installed on a plurality of user devices;
- monitoring, by a first computing device, installation of the at least one application;
- evaluating, using the data pertaining to the at least one application, authenticity of the at least one application, the evaluating comprising:
  - determining a plurality of software code components of each application, the components including a first component and a second component,
  - attributing a first behavior to the first component,
  - attributing a second behavior to the second component,
  - comparing, by accessing the known behaviors in the data repository, the first behavior to a first known behavior and the second behavior to a second known behavior,
  - assessing a context of a first user device when a signing identifier used to sign a first application is received from the first user device, the context based on trust factors corresponding to a state of the first user device, wherein the trust factors comprise a first factor directed to whether the first user device is protected by an anti-malware software application, a second factor directed to identifying a third application being accessed by a web browser running on the first user device, and determining whether the third application being accessed by the web browser is a security threat, and a third factor related to a security feature of the first application, and
  - determining a usage history of the signing identifier, the history comprising signing of a second application by the signing identifier; and
- sending, over the network, a report to a second computing device, the report including an identification of an undesired behavior of the at least one application to be installed based on at least one result from the evaluating of the authenticity.

Dependent claims: 7, 8, 9, 10, 11

12. A system, comprising:
- a data repository storing known behaviors associated with known software code components of at least one application associated with at least one user device;
- at least one processor; and
- memory storing instructions configured to instruct the at least one processor to:
  - receive, over a network, data regarding applications to be installed on user devices, the applications comprising a new application to be installed on a first user device of the user devices;
  - check for harmful behavior of the new application;
  - determine a first set of the applications that is similar to a first application, the determining based at least in part on identified behavior for each of a plurality of software code components of the new application, the components including a first component and a second component, and the identified behavior comprising a first behavior associated with the first component, and a second behavior associated with the second component;
  - compare, by accessing the known behaviors stored in the data repository, the first behavior to a first known behavior and the second behavior to a second known behavior;
  - assess a context of the first user device when a signing identifier used to sign the new application is observed, the context based on trust factors corresponding to a state of the first user device, wherein the trust factors comprise a first factor directed to whether the first user device is protected by an anti-malware software application, and a second factor directed to identifying a second application being accessed by a web browser running on the first user device, and determining whether the second application being accessed by the web browser is a security threat, and a third factor related to a security feature of the new application; and
  - send, over the network, a notification to a computing device, the notification identifying the first set and an undesired behavior of the new application.

Dependent claims: 13, 14, 15

Specification