Systems and methods for detecting malware on mobile platforms

US 8,782,792 B1
Filed: 10/27/2011
Issued: 07/15/2014
Est. Priority Date: 10/27/2011
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:

receive an application;

receive a request from a mobile computing platform to evaluate the application for malware, wherein the mobile computing platform places a limitation on an ability of third-party software to inspect application behavior;

receive emulation information from the mobile computing platform, the emulation information relating to emulating the mobile computing platform, the emulation information comprising an emulation credential;

look up the emulation credential in a database to retrieve hardware and/or software details of the mobile computing platform;

evaluate the application for malware by;

executing the application within an emulation of the mobile computing platform based on the hardware and/or software details of the mobile computing platform retrieved from the database by looking up the emulation credential received from the mobile computing platform in the database;

circumventing the limitation on the ability of third-party software to inspect application behavior by performing a behavioral analysis on the application executing within the emulation of the mobile computing platform;

transmit a result of evaluating the application for malware to the mobile computing platform.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for detecting malware on mobile platforms may include (1) identifying an application on a mobile computing platform subject to a malware evaluation, (2) transmitting the application to a security server, (3) providing emulation information to the security server, the emulation information relating to emulating the mobile computing platform, (4) receiving a result of the malware evaluation as performed by the security server, the malware evaluation including the security server using the emulation information to execute the application within an emulation of the mobile computing platform, and (5) performing a security action based on the result of the malware evaluation. Various other methods, systems, and computer-readable media are also disclosed.

248 Citations

20 Claims

1. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- receive an application;
  
  receive a request from a mobile computing platform to evaluate the application for malware, wherein the mobile computing platform places a limitation on an ability of third-party software to inspect application behavior;
  
  receive emulation information from the mobile computing platform, the emulation information relating to emulating the mobile computing platform, the emulation information comprising an emulation credential;
  
  look up the emulation credential in a database to retrieve hardware and/or software details of the mobile computing platform;
  
  evaluate the application for malware by;
  
  executing the application within an emulation of the mobile computing platform based on the hardware and/or software details of the mobile computing platform retrieved from the database by looking up the emulation credential received from the mobile computing platform in the database;
  
  circumventing the limitation on the ability of third-party software to inspect application behavior by performing a behavioral analysis on the application executing within the emulation of the mobile computing platform;
  
  transmit a result of evaluating the application for malware to the mobile computing platform.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The non-transitory computer-readable-storage medium of claim 1, wherein receiving the emulation information comprises receiving information that identifies the mobile computing platform.
  - 3. The non-transitory computer-readable-storage medium of claim 1, wherein evaluating the application comprises performing a behavioral analysis on the application executing within the emulation of the mobile computing platform.
  - 4. The non-transitory computer-readable-storage medium of claim 1, wherein the emulation of the mobile computing platform comprises an emulation of a computing platform with sufficient similarity to the mobile computing platform to detect a malicious behavior in the application when executed in the emulation of the mobile computing platform.
  - 5. The non-transitory computer-readable-storage medium of claim 1, wherein the one or more computer-executable instructions, when executed by at least one processor of a computing device, further cause the computing device to select an emulator compatible with the application by selecting an emulator providing cross-platform compatibility with the mobile computing platform.

6. A computer-implemented method for detecting malware on mobile platforms, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- receiving an application;
  
  receiving a request from a mobile computing platform to evaluate the application for malware, wherein the mobile computing platform places a limitation on an ability of third-party software to inspect application behavior;
  
  receiving emulation information from the mobile computing platform, the emulation information relating to emulating the mobile computing platform, the emulation information comprising an emulation credential;
  
  looking up the emulation credential in a database to retrieve hardware and/or software details of the mobile computing platform;
  
  evaluating the application for malware by;
  
  executing the application within an emulation of the mobile computing platform based on the hardware and/or software details of the mobile computing platform retrieved from the database by looking up the emulation credential received from the mobile computing platform in the database;
  
  circumventing the limitation on the ability of third-party software to inspect application behavior by performing a behavioral analysis on the application executing within the emulation of the mobile computing platform;
  
  transmitting a result of evaluating the application for malware to the mobile computing platform.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The computer-implemented method of claim 6, wherein receiving the emulation information comprises receiving information that identifies the mobile computing platform.
  - 8. The computer-implemented method of claim 6, wherein evaluating the application comprises performing a behavioral analysis on the application executing within the emulation of the mobile computing platform.
  - 9. The computer-implemented method of claim 6, wherein the emulation of the mobile computing platform comprises an emulation of a computing platform with sufficient similarity to the mobile computing platform to detect a malicious behavior in the application when executed in the emulation of the mobile computing platform.
  - 10. The computer-implemented method of claim 6, further comprising selecting an emulator compatible with the application by selecting an emulator providing cross-platform compatibility with the mobile computing platform.
  - 11. The computer-implemented method of claim 6, wherein the evaluating the application for malware further comprises at least one of:
    - scanning the application for at least one malware signature;
      
      checking the application against a malware blacklist;
      
      checking the application against a malware whitelist.

12. A system for detecting malware on mobile platforms, the system comprising:
- a receiving module programmed to;
  
  receive an application;
  
  receive a request from a mobile computing platform to evaluate the application for malware, wherein the mobile computing platform places a limitation on an ability of third-party software to inspect application behavior;
  
  receive emulation information from the mobile computing platform, the emulation information relating to emulating the mobile computing platform, the emulation information comprising an emulation credential;
  
  look up the emulation credential in a database to retrieve hardware and/or software details of the mobile computing platform;
  
  an evaluation module programmed to evaluate the application for malware by;
  
  executing the application within an emulation of the mobile computing platform based on the hardware and/or software details of the mobile computing platform retrieved from the database by looking up the emulation credential received from the mobile computing platform in the database;
  
  circumventing the limitation on the ability of third-party software to inspect application behavior by performing a behavioral analysis on the application executing within the emulation of the mobile computing platform;
  
  a transmission module programmed to transmit a result of evaluating the application for malware to the mobile computing platform;
  
  at least one processor configured to execute the receiving module, the evaluation module, and the transmission module.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein the receiving module is programmed to receive the application from the mobile computing platform.
  - 14. The system of claim 12, wherein the receiving module is programmed to:
    - receive information that identifies a source of the application from the mobile computing platform, where the mobile computing platform had previously received the application from the source;
      
      receive the application from the source using the information that identifies the source.
  - 15. The system of claim 12, wherein the receiving module is programmed to receive an identifier of the application from the mobile computing platform.
  - 16. The system of claim 12, wherein the receiving module is programmed to receive the emulation information by receiving information that identifies the mobile computing platform.
  - 17. The system of claim 12, wherein the evaluation module is programmed to evaluate the application by performing a behavioral analysis on the application executing within the emulation of the mobile computing platform.
  - 18. The system of claim 12, wherein the emulation has sufficient similarity to the mobile computing platform for the evaluation module to detect a malicious behavior in the application when executed in the emulation of the mobile computing platform.
  - 19. The system of claim 12, wherein the evaluation module is further programmed to select an emulator compatible with the application by selecting an emulator providing cross-platform compatibility with the mobile computing platform.
  - 20. The system of claim 12, wherein the evaluation module is further programmed to evaluate the application for malware by at least one of:
    - scanning the application for at least one malware signature;
      
      checking the application against a malware blacklist;
      
      checking the application against a malware whitelist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bodke, Anand
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
CHANG, KENNETH W

Application Number

US13/282,709
Time in Patent Office

992 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

G06F 21/53   by executing in a restricte...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1441   Countermeasures against mal...

H04W 12/128   Anti-malware arrangements, ...

Systems and methods for detecting malware on mobile platforms

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

248 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting malware on mobile platforms

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

248 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links