MALWARE DETECTION METHOD AND MOBILE TERMINAL REALIZING THE SAME

US 20120222120A1
Filed: 05/03/2011
Published: 08/30/2012
Est. Priority Date: 02/24/2011
Status: Abandoned Application

First Claim

Patent Images

1. A malware detection method for a mobile terminal, the method comprising:

extracting, when a platform Application Programming Interface (API) is called by an application, an action of the application from the platform API;

determining, when the extracted action comprises a preset trigger action, whether the application comprises a malware program by comparing the extracted action with a malware pattern file; and

outputting, when the application comprises a malware program, an alert message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware detection method and a mobile terminal realizing the same are provided. The method monitors execution of applications on the mobile terminal, notifies a user of perceived malicious behavior and guides handling of a detected malicious application. The malware detection method includes extracting, when a platform Application Programming Interface (API) is called by an application, an action of the application from the platform API, determining, when the extracted action is a preset trigger action, whether the application is a malware program by comparing the extracted action with a malware pattern file, and outputting, when the application is a malware program, an alert message.

175 Citations

20 Claims

1. A malware detection method for a mobile terminal, the method comprising:
- extracting, when a platform Application Programming Interface (API) is called by an application, an action of the application from the platform API;
  
  determining, when the extracted action comprises a preset trigger action, whether the application comprises a malware program by comparing the extracted action with a malware pattern file; and
  
  outputting, when the application comprises a malware program, an alert message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the extracting of the action of the application comprises:
    - identifying, when the platform API is called by the application, a called API routine; and
      
      extracting an application action, an object used by the application action and a method used by the application action from the identified API routine, and classifying the extracted action, object and method.
  - 3. The method of claim 2, wherein the determining of whether the application comprises the malware program comprises:
    - determining whether the application is present in a malware program list;
      
      determining, when the application is not present in the malware program list, whether the extracted action comprises a preset trigger action;
      
      determining, when the extracted action comprises the trigger action, whether the object used by the action is present in a whitelist; and
      
      comparing, when the object used by the extracted action is not present in the whitelist, the extracted action with the malware pattern file.
  - 4. The method of claim 3, wherein the determining of whether the extracted action comprises the preset trigger action comprises determining the extracted action to comprise the trigger action when the extracted action corresponds to one of object disclosure, object creation, object movement, object deletion, object reading, object setting, object modification, object downloading, service subscription, object execution, inducing payment, inducing spamming, phishing, advertisement, sound recording, video recording and spreading.
  - 5. The method of claim 3, wherein the determining of whether the application comprises the malware program further comprises creating, when the application is determined to comprise the malware program, a log file to be sent to an analysis server, andwherein the log file contains the extracted action and the object and method used by the action.
  - 6. The method of claim 5, wherein the outputting of the alert message comprises:
    - displaying, when the application comprises the malware program, the alert message; and
      
      sending the log file to the analysis server.
  - 7. The method of claim 6, wherein the outputting of the alert message further comprises uninstalling the application when a delete command is entered from an input unit after displaying the alert message.
  - 8. The method of claim 6, wherein the sending of the log file to the analysis server comprises transmitting, in response to a transmit command from an input unit, the log file to the analysis server.
  - 9. The method of claim 6, wherein the sending of the log file to the analysis server comprises transmitting, after Wireless-Fidelity (Wi-Fi) connection setup, the log file to the analysis server through the Wi-Fi connection.

10. A mobile terminal comprising:
- an extraction part for extracting, when a platform Application Programming Interface (API) is called by an application, an action of the application from the API;
  
  a collection part for collecting the application action extracted by the extraction part;
  
  a monitoring part for receiving the application action from the collection part, for determining whether the application action comprises a preset trigger action, for reading, when the application action comprises the trigger action, a malware pattern file from a storage unit, and for determining whether the application comprises a malware program by comparing the application action with the malware pattern file; and
  
  a security User Interface (UI) part for outputting, when an alert signal is received from the monitoring part, an alert message about the application.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The mobile terminal of claim 10, wherein, in a hierarchy of layers including a hardware layer, an operating system layer, a platform layer and an application layer, the extraction part, the collection part and the monitoring part belong to the platform layer.
  - 12. The mobile terminal of claim 11, wherein the extraction part identifies, when the platform API is called by the application, a called API routine, extracts an application action, an object used by the action and a method used by the action from the identified API routine, and classifies the extracted action, object and method.
  - 13. The mobile terminal of claim 12, wherein the monitoring part determines whether the application comprises the malware program by:
    - determining whether the application is present in a malware program list;
      
      determining, when the application is not present in the malware program list, whether the extracted action comprises a preset trigger action;
      
      determining, when the extracted action comprises a trigger action, whether the object used by the action is present in a whitelist; and
      
      comparing, when the object used by the extracted action is not present in the whitelist, the extracted action with the malware pattern file.
  - 14. The mobile terminal of claim 13, wherein the monitoring part determines the extracted action to comprise the trigger action when the extracted action corresponds to one of object disclosure, object creation, object movement, object deletion, object reading, object setting, object modification, object downloading, service subscription, object execution, inducing payment, inducing spamming, phishing, advertisement, sound recording, video recording and spreading.
  - 15. The mobile terminal of claim 13, wherein the monitoring part stores the malware program list and the malware pattern file received from an analysis server in the storage unit.
  - 16. The mobile terminal of claim 13, wherein the monitoring part creates, when the application is determined to comprise the malware program, a log file to be sent to an analysis server, andwherein the log file contains the extracted action and the object and method used by the action.
  - 17. The mobile terminal of claim 16, wherein the security UI part controls, in response to a transmit command from an input unit, a wireless communication unit to transmit the log file to the analysis server.
  - 18. The mobile terminal of claim 16, wherein the security UI part controls, after Wireless-Fidelity (Wi-Fi) connection setup, a wireless communication unit to transmit the log file to the analysis server through the Wi-Fi connection.
  - 19. The mobile terminal of claim 10, wherein the security UI part controls, when an alert signal is received from the monitoring part, a display unit to display the alert message about the application.
  - 20. The mobile terminal of claim 19, wherein the security UI part uninstalls the application when a delete command is entered from an input unit after displaying the alert message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
RIM, Heung Soon, LEE, Kyung Hee, JUNG, Hyung Chul, LEE, Ji Hyun, CHO, Sung Kyu

Application Number

US13/099,705
Publication Number

US 20120222120A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

MALWARE DETECTION METHOD AND MOBILE TERMINAL REALIZING THE SAME

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

175 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MALWARE DETECTION METHOD AND MOBILE TERMINAL REALIZING THE SAME

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

175 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links