System and method for detecting malware in mobile device software applications

US 10,586,045 B2
Filed: 08/11/2016
Issued: 03/10/2020
Est. Priority Date: 08/11/2016
Status: Active Grant

First Claim

Patent Images

1. A method for testing a mobile device software application, the method comprising:

receiving a list of one or more system calls of interest;

initiating one or more tests on the mobile device software application, wherein the one or more tests include extracting a manifest from the mobile device software application and parsing the extracted manifest to extract information regarding one or more intents and one or more permissions associated with the mobile device software application, wherein the one or more intents are messaging objects used to request an action from one or more components of the mobile device software application;

receiving a system call generated by the mobile device software application in response to the one or more tests;

determining if the received system call matches one or more of the system calls on the received list of system calls of interest; and

if the received system call matches one or more of the system calls of interest on the received list;

hooking the one or more system calls generated by the mobile device software application in response to the one or more initiated tests, wherein hooking the one or more system calls includes recording one or more inputs of the system calls in a log file, calling the one or more system calls, and recording one or more return values of the one or more system calls in the log file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for test a mobile device software application is provided. In one example, a mobile application can interface with an emulation environment or mobile device that has been loaded with a kernel module that is configured to intercept certain system calls made by the mobile application, log the system calls, and generate a report based on the logged system calls. A user of the test environment can interface with the environment via a web browser that can also be used to load one or more tests that can be applied to the mobile device software application.

Citations

24 Claims

1. A method for testing a mobile device software application, the method comprising:
- receiving a list of one or more system calls of interest;
  
  initiating one or more tests on the mobile device software application, wherein the one or more tests include extracting a manifest from the mobile device software application and parsing the extracted manifest to extract information regarding one or more intents and one or more permissions associated with the mobile device software application, wherein the one or more intents are messaging objects used to request an action from one or more components of the mobile device software application;
  
  receiving a system call generated by the mobile device software application in response to the one or more tests;
  
  determining if the received system call matches one or more of the system calls on the received list of system calls of interest; and
  
  if the received system call matches one or more of the system calls of interest on the received list;
  
  hooking the one or more system calls generated by the mobile device software application in response to the one or more initiated tests, wherein hooking the one or more system calls includes recording one or more inputs of the system calls in a log file, calling the one or more system calls, and recording one or more return values of the one or more system calls in the log file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein initiating one or more tests upon the mobile device software application comprises:
    - emulating one or more touch events on the mobile device in response to the mobile device software application requesting a user input.
  - 3. The method of claim 1, wherein conducting one or more tests upon the mobile device software application comprises:
    - receiving a list, wherein the list includes one or more events and one or more pre-defined responses corresponding to each event;
      
      determining if an event generated by the mobile device software application matches one or more of the events on the received list; and
      
      if the event generated by the mobile device software application matches one or more of the events on the received list;
      
      initiating one or more responses to the event generated by the mobile device based on the one or more responses corresponding to the matched event.
  - 4. The method of claim 1, wherein hooking the one or more system calls generated by the mobile device software application comprises:
    - recording one or more call parameters of the system call generated by the mobile device software application; and
      
      executing the one or more system calls generated by the mobile device software application.
  - 5. The method of claim 1 further comprising:
    - transmitting the log of the received system call to one or more external computers.
  - 6. The method of claim 1, wherein the receiving the system call generated by the mobile device software application and the determining if the received system call matches one or more of the system calls on the received list of system calls of interest is implemented on a kernel module of a mobile device emulation environment operating system.
  - 7. The method of claim 1, the method further comprising:
    - generating a report based on the generated log of the system call.
  - 8. The method of claim 7, wherein generating a report based on the generated log of the system call includes determining whether the system call is of a type file system, network, process, or binder.

9. A testing system comprising:
- a memory;
  
  one or more processors;
  
  one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs when executed by the one or more processors cause the processor to;
  
  receive a list of one or more system calls of interest;
  
  initiate one or more tests upon the mobile device software application, wherein the one or more tests include extracting a manifest from the mobile device software application and parsing the extracted manifest to extract information regarding one or more intents and one or more permissions associated with the mobile device software application, wherein the one or more intents are messaging objects used to request an action from one or more components of the mobile device software application;
  
  receive a system call generated by the mobile device software application in response to the one or more initiated tests;
  
  determine if the received system call matches one or more of the system calls of interest on the received list;
  
  if the received system call matches one or more of the system calls of interest on the received list;
  
  hook the one or more system calls generated by the mobile device software application in response to the one or more initiated tests, wherein hooking the one or more system calls includes recording one or more inputs of the system calls in a log file, calling the one or more system calls, and recording one or more return values of the one or more system calls in the log file.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein initiating one or more tests upon the mobile device software application comprises:
    - emulating one or more touch events on the mobile device in response to the mobile device software application requesting a user input.
  - 11. The system of claim 9, wherein conducting one or more tests upon the mobile device software application comprises:
    - receiving a list, wherein the list includes one or more events and one or more responses corresponding to each event;
      
      determining if an event generated by the mobile device software application matches one or more of the events on the received list; and
      
      if the event generated by the mobile device software application matches one or more of the events on the received list;
      
      initiating one or more responses to the event generated by the mobile device based on the one or more responses corresponding to the matched pre-defined event.
  - 12. The system of claim 9, wherein hooking the one or more system calls generated by the mobile device software application comprises:
    - recording one or more call parameters of the system call generated by the mobile device software application; and
      
      executing the one or more system calls generated by the mobile device software application.
  - 13. The system of claim 9, wherein the one or more processors are further configured to:
    - transmit the log of the received system call to one or more external computers.
  - 14. The system of claim 9, wherein the receiving the system call generated by the mobile device software application and the determining if the received system call matches one or more of the system calls on the received list of system calls of interest kernel module of a mobile device operating system.
  - 15. The system of claim 9, wherein the one or more processors are further configured to:
    - generate a report based on the generated log of the system call.
  - 16. The system of claim 15, wherein generating a report based on the generated log of the system call includes determining whether the system call is of a type file system, network, process, or binder.

17. A non-transitory computer readable storage medium having stored thereon a set of instructions for testing a mobile device software application that when executed by a computing device, cause the computing device to:
- receive a list of one or more system calls of interest;
  
  conduct one or more tests on the mobile device software application, wherein the one or more tests include extracting a manifest from the mobile device software application and parsing the extracted manifest to extract information regarding one or more intents and one or more permissions associated with the mobile device software application, wherein the one or more intents are messaging objects used to request an action from one or more components of the mobile device software application;
  
  receive a system call generated by the mobile device software application in response to the one or more tests;
  
  determine if the received system call matches one or more of the system calls on the received list of system calls of interest;
  
  if the received system call matches one or more of the system calls of interest on the received list;
  
  hook the one or more system calls generated by the mobile device software application in response to the one or more initiated tests, wherein hooking the one or more system calls includes recording one or more inputs of the system calls in a log file, calling the one or more system calls, and recording one or more return values of the one or more system calls in the log file.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory computer readable storage medium of claim 17, wherein initiating one or more tests upon the mobile device software application comprises:
    - emulating one or more touch events on the mobile device in response to the mobile device software application requesting a user input.
  - 19. The non-transitory computer readable storage medium of claim 17, wherein conducting one or more tests upon the mobile device software application comprises:
    - receiving a list, wherein the list includes one or more events and one or more pre-defined responses corresponding to each event;
      
      determining if an event generated by the mobile device software application matches one or more of the events on the received list; and
      
      if the event generated by the mobile device software application matches one or more of the events on the received list;
      
      initiating one or more responses to the event generated by the mobile device based on the one or more responses corresponding to the matched event.
  - 20. The non-transitory computer readable storage medium of claim 17, wherein hooking the one or more system calls generated by the mobile device software application comprises:
    - recording one or more call parameters of the system call generated by the mobile device software application; and
      
      executing the one or more system calls generated by the mobile device software application.
  - 21. The non-transitory computer readable storage medium of claim 17, wherein the computing device is further caused to:
    - transmit the log of the received system call to one or more external computers.
  - 22. The non-transitory computer readable storage medium of claim 17, wherein the receiving the system call generated by the mobile device software application and the determining if the received system call matches one or more of the system calls on the received list of system calls of interest is implemented on a kernel module of a mobile device emulation environment operating system.
  - 23. The non-transitory computer readable storage medium of claim 17, wherein the computing device is further caused to:
    - generate a report based on the generated log of the system call.
  - 24. The non-transitory computer readable storage medium of claim 23, wherein generating a report based on the generated log of the system call includes determining whether the system call is of a type file system, network, process, or binder.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitre Corporation
Original Assignee
Mitre Corporation
Inventors
Pyles, Andrew J., Buttner, Jonathan E., Van Balen, Nicolas
Primary Examiner(s)
King, John B

Application Number

US15/234,328
Publication Number

US 20180046802A1
Time in Patent Office

1,307 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04W 12/128   Anti-malware arrangements, ...

H04W 88/02   Terminal devices

System and method for detecting malware in mobile device software applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting malware in mobile device software applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links