System and method for server-coupled malware prevention

US 8,347,386 B2
Filed: 08/25/2010
Issued: 01/01/2013
Est. Priority Date: 10/21/2008
Status: Active Grant

First Claim

Patent Images

1. A method for assessing a data object present on a mobile communication device, the assessment provided by a server computer, the method comprising:

before receiving data identifying at least a portion of the data object present on the mobile communication device at the server computer, determining if previously stored definition information stored in a local store at the mobile communication device corresponds to the data identifying at least a portion of the data object present on the mobile communication device, the local store storing a corresponding assessment for the previously stored definition information;

if the previously stored definition information in the local store at the mobile communication device does not correspond to the data identifying at least a portion of the data object present on the mobile communication device, then at the server computer, receiving data identifying at least a portion of the data object present on the mobile communication device;

at the server, determining if previously stored definition information for a data object corresponds to the received data, the definition information stored in a data store accessible by the server, the data store storing a corresponding assessment for the definition information;

if the previously stored definition information corresponds to the received data from the mobile communication device, then at the server, providing the assessment of the data object present on the mobile communication device corresponding to the previously stored definition information.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure is directed to a system and method for preventing malware, spyware and other undesirable applications from affecting mobile communication devices (e.g., smartphones, netbooks, and tablets). A mobile communication device uses a server to assist in identifying and removing undesirable applications. When scanning an application, a device transmits information about the application to a server for analysis. The server receives the information, produces an assessment for the application, and transmits the assessment to the device. By performing analysis on a server, the invention allows a device to reduce the battery and performance cost of protecting against undesirable applications. The servers transmits notifications to devices that have installed applications that are discovered to be undesirable. The server receives data about applications from many devices, using the combined data to minimize false positives and provide comprehensive protection against known and unknown threats.

Citations

38 Claims

1. A method for assessing a data object present on a mobile communication device, the assessment provided by a server computer, the method comprising:
- before receiving data identifying at least a portion of the data object present on the mobile communication device at the server computer, determining if previously stored definition information stored in a local store at the mobile communication device corresponds to the data identifying at least a portion of the data object present on the mobile communication device, the local store storing a corresponding assessment for the previously stored definition information;
  
  if the previously stored definition information in the local store at the mobile communication device does not correspond to the data identifying at least a portion of the data object present on the mobile communication device, then at the server computer, receiving data identifying at least a portion of the data object present on the mobile communication device;
  
  at the server, determining if previously stored definition information for a data object corresponds to the received data, the definition information stored in a data store accessible by the server, the data store storing a corresponding assessment for the definition information;
  
  if the previously stored definition information corresponds to the received data from the mobile communication device, then at the server, providing the assessment of the data object present on the mobile communication device corresponding to the previously stored definition information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the data identifying at least a portion of the data object present on the mobile communication device is application data for the data object present on the mobile communication device.
  - 3. The method of claim 1, wherein the data identifying at least a portion of the data object present on the mobile communication device is behavioral data for the data object present on the mobile communication device.
  - 4. The method of claim 1, wherein the data identifying at least a portion of the data object present on the mobile communication device is metadata for the data object present on the mobile communication device.
  - 5. The method of claim 1, wherein the data identifying at least a portion of the data object present on the mobile communication device includes at least a portion of the data object present on the mobile communication device.
  - 6. The method of claim 1, wherein the previously stored definition information includes a hash identifier for the data object present on the mobile communication device.
  - 7. The method of claim 1, wherein the previously stored definition information includes a package name for the data object present on the mobile communication device.
  - 8. The method of claim 1, wherein the previously stored definition information includes at least a portion of the data object present on the mobile communication device.
  - 9. The method of claim 1, wherein the previously stored definition information includes an identifier for the data object present on the mobile communication device.
  - 10. The method of claim 1, further comprising:
    - if the data identifying at least a portion of the data object present on the mobile communication device does not correspond to previously stored definition information stored in the data store accessible to the server, then analyzing, by the server, at least a portion of the data identifying at least a portion of the data object present on the mobile communication device to determine an assessment corresponding to the data identifying at least a portion of the data object present on the mobile communication device; and
      
      ,storing the assessment corresponding to the data identifying at least a portion of the data object present on the mobile communication device in the data store accessible to the server.
  - 11. The method of claim 10, wherein analyzing at least a portion of the data identifying at least a portion of the data object present on the mobile communication device comprises analyzing by a decision component accessible by the server.
  - 12. The method of claim 1, further comprising:
    - if the data identifying at least a portion of the data object present on the mobile communication device does not correspond to definition information stored in the data store accessible to the server, then analyzing, by the server, at least a portion of the data identifying at least a portion of the data object present on the mobile communication device to determine an assessment corresponding to the data identifying at least a portion of the data object present on the mobile communication device;
      
      requesting, by the server, additional data pertaining to the data object present on the mobile communication device;
      
      analyzing, by the server, at least a portion of the additional data pertaining to the data object present on the mobile communication device to determine an assessment corresponding to the data object present on the mobile communication device; and
      
      storing the determined assessment in the data store accessible to the server.
  - 13. The method of claim 1, further comprising, after the step of providing the assessment, if the assessment indicates that the data object present on the mobile communication device is undesirable, then at the server, transmitting instructions to the mobile communication device to prevent the mobile communication device from accessing the data object present on the mobile communication device.
  - 14. The method of claim 1, further comprising, after the step of providing the assessment, if the assessment indicates that the data object present on the mobile communication device is undesirable, then at the server, transmitting a notification to the mobile communication device.
  - 15. The method of claim 14, wherein the notification is a warning.
  - 16. The method of claim 14, wherein the notification is an instruction to uninstall the data object.

17. A method for assessing a data object present on a mobile communication device by a server computer comprising:
- receiving data from the mobile communication device by the server computer, the received data identifying the data object present on the mobile communication device;
  
  at the server computer, analyzing the received data by a known good component resident on the server computer to provide an assessment of the data object present on the mobile communication device;
  
  if the analysis of the received data by the known good component on the server computer results in an assessment that the data object is allowed, then at the server computer, transmitting instructions to the mobile communication device allowing the mobile communication device to access the assessed data object present on the mobile communication device;
  
  if, at the server computer, the analysis of the received data by the known good component on the server computer does not result in an assessment that the data object is allowed, then, at the server computer, analyzing the received data by a known bad component resident on the server computer to provide an assessment of the data object present on the mobile communication device; and
  
  if, at the server computer, the analysis of the received data by the known bad component on the server computer results in an assessment that the data object is undesirable, then, at the server computer, transmitting instructions to the mobile communication device preventing the mobile communication device from accessing the data object present on the mobile communication device.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 18. The method of claim 17, wherein the received data identifying the data object present on the mobile communication device is application data for the data object present on the mobile communication device.
  - 19. The method of claim 17, wherein the received data identifying the data object present on the mobile communication device is behavioral data for the data object present on the mobile communication device.
  - 20. The method of claim 17, wherein the received data identifying the data object present on the mobile communication device is metadata for the data object present on the mobile communication device.
  - 21. The method of claim 17, wherein the received data identifying at least a portion of the data object present on the mobile communication device includes at least a portion of the data object present on the mobile communication device.
  - 22. The method of claim 17, further comprising:
    - prior to receiving data identifying the data object present on the mobile communication device by the server computer, at the mobile communication device, analyzing the data identifying the data object present on the mobile communication device by a known good component resident on the mobile communication device to provide an assessment of the data object present on the mobile communication device; and
      
      ,prior to receiving data identifying the data object present on the mobile communication device, if the analysis of the data identifying the data object present on the mobile communication device by the known good component on the mobile communication device does not result in an assessment that the data object is allowed, then, at the mobile communication device, transmitting metadata for the data identifying the data object present on the mobile communication device to the server computer, and, at the server computer, proceeding with analyzing the received metadata by the known good component on the server computer.
  - 23. The method of claim 17, further comprising:
    - prior to receiving data identifying the data object present on the mobile communication device by the server computer, at the mobile communication device, analyzing the data identifying the data object present on the mobile communication device by a known bad component resident on the mobile communication device to provide an assessment of the data object present on the mobile communication device; and
      
      ,if the analysis of the data identifying the data object present on the mobile communication device by the known bad component on the mobile communication device does not result in an assessment that the data object is undesirable, then, at the mobile communication device transmitting metadata for the data identifying the data object present on the mobile communication device to the server, and proceeding with analyzing the metadata to provide an assessment of the data object present on the mobile communication device.
  - 24. The method of claim 17, further comprising:
    - prior to receiving data identifying the data object present on the mobile communication device by the server computer, at the mobile communication device, analyzing the data identifying the data object present on the mobile communication device by a known good component resident on the mobile communication device to provide an assessment of the data object present on the mobile communication device;
      
      if the analysis of the data identifying the data object present on the mobile communication device by the known good component on the mobile communication device does not result in an assessment that the data object is allowed, then analyzing the data identifying the data object present on the mobile communication device by a known bad component resident on the mobile communication device to provide an assessment of the data object present on the mobile communication device; and
      
      ,if the analysis of the data identifying the data object present on the mobile communication device by the known bad component on the mobile communication device does not result in assessment that the data object is undesirable, then transmitting at least a portion of the data identifying the data object present on the mobile communication device to the server, and at the server, proceeding with analyzing the received data to provide an assessment of the data object present on the mobile communication device.
  - 25. The method of claim 17, further comprising:
    - prior to receiving data identifying the data object present on the mobile communication device by the server computer, at the mobile communication device, analyzing the data identifying the data object present on the mobile communication device by a known bad component resident on the mobile communication device to provide an assessment of the data object present on the mobile communication device;
      
      if the analysis of the data identifying the data object present on the mobile communication device by the known bad component on the mobile communication device does not result in an assessment that the data object is undesirable, then analyzing the data by a known good component resident on the mobile communication device to provide an assessment of the data object present on the mobile communication device; and
      
      ,if the analysis of the data identifying the data object present on the mobile communication device by the known good component on the mobile communication device does not result in an assessment that the data object is allowed, then transmitting at least a portion of the data identifying the data object present on the mobile communication device to the server, and at the server, proceeding with analyzing the received data to provide an assessment of the data object present on the mobile communication device.
  - 26. The method of claim 17, further comprising:
    - if the assessment of the data identifying the data object present on the mobile communication device by the known good component resident on the mobile communication device does not result in a positive assessment that the data object is allowed, and if the analysis of the data identifying the data object present on the mobile communication device by the known bad component resident on the mobile communication device does not result in assessment that the data object is undesirable, thenanalyzing the data identifying the data object present on the mobile communication device by the server to provide an assessment identifying the data object present on the mobile communication device; and
      
      ,storing the assessment of the data identifying the data object present on the mobile communication device on a data store accessible by the server.

27. A method for assessing a data object present on a mobile communication device, the assessment provided by a server computer, the method comprising:
- at the mobile communication device, determining, by the mobile communication device, if previously stored definition information in a local store corresponds to the data object present on the mobile communication device;
  
  if the determination at the mobile communication device shows that the previously stored definition information in the local store does not correspond to the data object present on the mobile communication device, then, at a server computer, receiving data identifying at least a portion of the data object present on the mobile communication device;
  
  determining, by the server computer, if previously stored definition information for a data object corresponds to the received data, the definition information stored in a data store accessible to the server, the data store storing a corresponding assessment for the definition information;
  
  if the previously stored definition information corresponds to the received data, then, at the server, providing the assessment corresponding to the previously stored definition information; and
  
  ,if the previously stored definition information in the data store accessible to the server does not correspond to the received data, then analyzing, by the server, at least a portion of the received data identifying at least a portion of the data object present on the mobile communication device to determine an assessment corresponding to the data object present on the mobile communication device.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 28. The method of claim 27, wherein the data identifying at least a portion of the data object present on the mobile communication device is application data for the data object present on the mobile communication device.
  - 29. The method of claim 27, wherein the data identifying at least a portion of the data object present on the mobile communication device is behavioral data for the data object present on the mobile communication device.
  - 30. The method of claim 27, wherein the data identifying at least a portion of the data object present on the mobile communication device is metadata for the data object present on the mobile communication device.
  - 31. The method of claim 27, wherein the data identifying at least a portion of the data object present on the mobile communication device includes at least a portion of the data object present on the mobile communication device.
  - 32. The method of claim 27, wherein analyzing at least a portion of the received data identifying at least a portion of the data object present on the mobile communication device, by the server, to determine the assessment comprises analyzing the data by a decision component accessible by the server.
  - 33. The method of claim 27, further comprising:
    - requesting, by the server, additional data pertaining to the data object present on the mobile communication device; and
      
      ,analyzing the additional data to determine an assessment corresponding to the data object present on the mobile communication device.
  - 34. The method of claim 27, further comprising, after the step of providing the assessment, if the assessment indicates that the data object present on the mobile communication device is undesirable, then at the server, transmitting instructions to the mobile communication device to prevent the mobile communication device from accessing the data object present on the mobile communication device.
  - 35. The method of claim 27, further comprising, after the step of providing the assessment, if the assessment indicates that the data object on the mobile communication device is undesirable, then at the server, transmitting a notification to the mobile communication device.
  - 36. The method of claim 27, wherein the notification is a warning.
  - 37. The method of claim 27, wherein the notification is an instruction to uninstall the data object.
  - 38. The method of claim 27, wherein the notification is an instruction preventing the mobile communication device from accessing the data object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick, Burgess, James David, Golombek, David, Wyatt, Timothy Micheal, Lineberry, Anthony McKay, Barton, Kyle, Evans, Daniel Lee, Richardson, David Luke, Salomon, Ariel
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US12/868,669
Publication Number

US 20110047620A1
Time in Patent Office

860 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/57   Certifying or maintaining t...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

System and method for server-coupled malware prevention

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for server-coupled malware prevention

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links