DETECTION AND PREVENTION OF INSTALLATION OF MALICIOUS MOBILE APPLICATIONS

US 20130283377A1
Filed: 04/18/2012
Published: 10/24/2013
Est. Priority Date: 04/18/2012
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium comprising computer executable instructions stored thereon to cause a processor to:

intercept a request to install an application on a mobile device;

generate a key that uniquely identifies the application;

send the key over a network connection to a server application;

receive a response over the network connection indicating a status of the application; and

block an installation of the application on the mobile device when the status indicates the application is malicious.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A combination of shim and back-end server applications may be used to identify and block the installation of malicious applications on mobile devices. In practice, a shim application registers with a mobile device'"'"'s operating system to intercept application installation operations. Upon intercepting an attempted installation operation, the shim application identifies the application seeking to be installed, generates a key uniquely identifying the application, and transmits the key over a network connection to a back-end server. The back-end server may be configured to crawl the Internet to identify malicious applications and compile and maintain a database of such applications. Upon receiving a key from the shim application, the back-end server can search its database to locate a matching application and, if found, respond to the mobile device with the application'"'"'s status (e.g., malicious or not). The shim application can utilize this information to allow or block installation of the application.

95 Citations

View as Search Results

20 Claims

1. A non-transitory computer readable medium comprising computer executable instructions stored thereon to cause a processor to:
- intercept a request to install an application on a mobile device;
  
  generate a key that uniquely identifies the application;
  
  send the key over a network connection to a server application;
  
  receive a response over the network connection indicating a status of the application; and
  
  block an installation of the application on the mobile device when the status indicates the application is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the processor to intercept a request to install an application on a mobile device comprise instructions to cause the processor to register a shim application as a background service on the mobile device.
  - 3. The non-transitory computer readable medium of claim 2, wherein the instructions to cause the processor to register the shim application as the background service on the mobile device comprise instructions to register the shim application to intercept an invocation of an application programming interface that is utilized to initiate an installation of the application on the mobile device.
  - 4. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the processor to generate a key that uniquely identifies the application comprise instructions to cause the processor to apply a hash algorithm to an application setup file that initiates an installation of the application.
  - 5. The non-transitory computer readable medium of claim 1, further comprising instructions to cause the processor to encrypt the key before the key is sent over the network to the server application.
  - 6. The non-transitory computer readable medium of claim 1, further comprising instructions to cause the processor to compile metadata associated with the application.
  - 7. The non-transitory computer readable medium of claim 6, wherein the metadata associated with the application comprises at least one of a publisher of the application, a source of the application, and a digital signature used to sign the application.
  - 8. The non-transitory computer readable medium of claim 6, further comprising instructions to cause the processor to send the metadata, with the key, over the network connection to the server application.
  - 9. The non-transitory computer readable medium of claim 1, further comprising instructions to cause the processor to determine a communication protocol to utilize to send the key over the network connection to the server application.
  - 10. The non-transitory computer readable medium of claim 9, wherein the instructions to cause the processor to determine a communication protocol comprise instructions to cause the processor to identify a communication protocol from a priority list that is configurable by a user of the mobile device.
  - 11. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the processor to send the key over a network connection comprise instructions to cause the processor to communicate the key over a telephony specific communications channel.
  - 12. The non-transitory computer readable medium of claim 11, wherein the instructions to cause the processor to send the key over a telephony specific communications channel comprise instructions to cause the processor to send the key as a short message service (SMS) message to a predefined telephone number.

13. A method, comprising:
- intercepting, utilizing a processor in a mobile device, a request to install an application on the mobile device;
  
  generating, utilizing the processor, a key that uniquely identifies the application;
  
  sending, utilizing the processor, the key over a network connection to a server application;
  
  receiving, utilizing the processor, a response over the network connection indicating a status of the application; and
  
  blocking, utilizing the processor, an installation of the application when the status indicates that the application is malicious.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13, wherein the act of intercepting a request to install an application on the mobile device comprises registering a shim application as a background service on the mobile device.
  - 15. The method of claim 14, wherein the act of registering the shim application as a background service on the mobile device comprises registering the shim application to intercept an invocation of an application programming interface that is utilized to initiate an installation of the application on the mobile device.

16. A mobile device, comprising:
- a memory;
  
  a network interface; and
  
  a processor operatively coupled to the memory and the network interface, the processor adapted to execute program code stored in the memory to;
  
  intercept a request to install a mobile application on the mobile device;
  
  generate a key that uniquely identifies the mobile application;
  
  send the key, utilizing the network interface, to a server application;
  
  receive a response, utilizing the network interface, indicating a status of the mobile application; and
  
  block an installation of the mobile application on the mobile device when the status indicates that the mobile application is malicious.

17. A method to identify a status of an application, comprising:
- receiving, at a server application executing on a back-end server processor, an application identifier from a mobile device over a network connection;
  
  utilizing, by the server application, the application identifier to determine a status of the application from a database of records including a plurality of analyzed applications;
  
  sending, by the server application, the status of the application to the mobile device over the network connection.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the application identifier comprises a key that uniquely identifies the application and metadata associated with the application.
  - 19. The method of claim 18, wherein the act of utilizing the application identifier to determine the status of the application comprises searching the database to determine if a record matching the key exists in the database.
  - 20. The method of claim 19, wherein the act of utilizing the application identifier to determine the status of the application comprises utilizing the metadata to imply the status of the application from the records in the database when it is determined that no record matching the key exists in the database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Das, Sudeep, Divakarla, Jayasankar, Sharma, Pramod

Granted Patent

US 9,152,784 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 16/955   using information identifie...

G06F 21/51   at application loading time...

G06F 2221/033   Test or assess software

H04L 63/1441   Countermeasures against mal...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

DETECTION AND PREVENTION OF INSTALLATION OF MALICIOUS MOBILE APPLICATIONS

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTION AND PREVENTION OF INSTALLATION OF MALICIOUS MOBILE APPLICATIONS

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links