Malware detection for SMS/MMS based attacks

US 9,064,112 B2
Filed: 12/09/2010
Issued: 06/23/2015
Est. Priority Date: 12/09/2010
Status: Active Grant

First Claim

Patent Images

1. A mobile device comprising:

a processor; and

a memory storing a lightweight agent logic, the lightweight agent logic comprising instructions which, when executed by the processor, cause the processor to perform operations comprisinginserting a lightweight agent into a plurality of contacts stored on the memory to create a contact list, the lightweight agent comprising an address of an agent server on a network, wherein the lightweight agent is disguised as one of the plurality of contacts so that a malware on-board the mobile device recognizes the lightweight agent as one of the plurality of contacts,receiving a request for a contact,determining whether the request for the contact was received via a contacts interface,in response to determining that the request was not received via the contacts interface, providing the contact list with the lightweight agent of the contact list provided in a manner that is not distinguishable from the plurality of contacts of the contact list to enable the lightweight agent to be selected by the malware on board the mobile device, wherein the malware sends a message to the agent server, the message being aimed at spreading the malware, andin response to determining that the request was received via the contacts interface, providing the contact list with the lightweight agent of the contact list displayed differently from the plurality of contacts of the contact list so that the lightweight agent is distinguishable from the plurality of contacts.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices, systems, and methods are disclosed which utilize lightweight agents on a mobile device to detect message-based attacks. In exemplary configurations, the lightweight agents are included as contacts on the mobile device addressed to an agent server on a network. A malware onboard the mobile device, intending to propagate, unknowingly addresses the lightweight agents, sending messages to the agent server. The agent server analyzes the messages received from the mobile device of the deployed lightweight agents. The agent server then generates attack signatures for the malware. Using malware propagation models, the system estimates how many active mobile devices are infected as well as the total number of infected mobile devices in the network. By understanding the malware propagation, the service provider can decide how to deploy a mitigation plan on crucial locations. In further configurations, the mechanism may be used to detect message and email attacks on other devices.

15 Citations

View as Search Results

20 Claims

1. A mobile device comprising:
- a processor; and
  
  a memory storing a lightweight agent logic, the lightweight agent logic comprising instructions which, when executed by the processor, cause the processor to perform operations comprisinginserting a lightweight agent into a plurality of contacts stored on the memory to create a contact list, the lightweight agent comprising an address of an agent server on a network, wherein the lightweight agent is disguised as one of the plurality of contacts so that a malware on-board the mobile device recognizes the lightweight agent as one of the plurality of contacts,receiving a request for a contact,determining whether the request for the contact was received via a contacts interface,in response to determining that the request was not received via the contacts interface, providing the contact list with the lightweight agent of the contact list provided in a manner that is not distinguishable from the plurality of contacts of the contact list to enable the lightweight agent to be selected by the malware on board the mobile device, wherein the malware sends a message to the agent server, the message being aimed at spreading the malware, andin response to determining that the request was received via the contacts interface, providing the contact list with the lightweight agent of the contact list displayed differently from the plurality of contacts of the contact list so that the lightweight agent is distinguishable from the plurality of contacts.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The mobile device of claim 1, wherein the agent server receives the message from the mobile device and alerts a service provider, and wherein the agent server determines a signature of the malware, the signature of the malware comprising at least one of a content of the message or a sender of the message.
  - 3. The mobile device of claim 1, wherein the message is at least one of a short message service message or a multimedia messaging service message.
  - 4. The mobile device of claim 1, wherein the lightweight agent is loaded on the memory in response to a user input.
  - 5. The mobile device of claim 1, wherein the lightweight agent is loaded on the memory by a manufacturer of the mobile device.
  - 6. The mobile device of claim 1, wherein providing the contact list with the lightweight agent of the contact list displayed differently from the plurality of contacts of the contact list so that the lightweight agent is distinguishable from the plurality of contacts comprises one of providing the contact list with the lightweight agent of the contact list displayed in a first color different from a second color used to display the plurality of contacts of the contact list or providing the contact list with the lightweight agent of the contact list displayed in a first contrast different from a second contrast used to display the plurality of contacts of the contact list.

7. A memory storing a lightweight agent logic comprising instructions that, when executed by a processor of a mobile device, cause the processor to perform operations comprising:
- inserting a lightweight agent into a plurality of contacts stored on the memory to create a contact list, the lightweight agent comprising an address of an agent server on a network, wherein the lightweight agent is disguised as one of the plurality of contacts so that a malware on-board the mobile device recognizes the lightweight agent as one of the plurality of contacts;
  
  receiving a request for a contact;
  
  determining whether the request for the contact was received via a contacts interface;
  
  in response to determining that the request for the contact was not received via the contacts interface, providing the contact list with the lightweight agent of the contact list provided in a manner that is not distinguishable from the plurality of contacts of the contact list to enable the lightweight agent to be selected by the malware on board the mobile device, wherein the malware sends a message, the message being aimed at spreading the malware; and
  
  in response to determining that the request was received via the contacts interface, providing the contact list with the lightweight agent of the contact list displayed differently from the plurality of contacts of the contact list so that the lightweight agent is distinguishable from the plurality of contacts.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The memory of claim 7, wherein providing the contact list with the lightweight agent of the contact list displayed differently from the plurality of contacts of the contact list so that the lightweight agent is distinguishable from the plurality of contacts comprises one of providing the contact list with the lightweight agent of the contact list displayed in a first color different from a second color used to display the plurality of contacts of the contact list or providing the contact list with the lightweight agent of the contact list displayed in a first contrast different from a second contrast used to display the plurality of contacts of the contact list.
  - 9. The memory of claim 7, wherein the agent server alerts a service provider.
  - 10. The memory of claim 7, wherein the agent server receives the message from the malware and determines a signature of the malware, the signature of the malware comprising at least one of a content of the message or a sender of the message, and wherein the agent server compares the signature of the message with previous signatures.
  - 11. The memory of claim 10, wherein the previous signatures are stored in an agent database.
  - 12. The memory of claim 7, wherein the message is at least one of a short message service message or a multimedia messaging service message.

13. A method comprising:
- inserting a lightweight agent, using a lightweight agent logic executing on a mobile device, into a plurality of contacts stored on a memory of the mobile device to create a contact list, the lightweight agent comprising an address of an agent server on a network, wherein the lightweight agent is disguised as one of the plurality of contacts so that a malware on-board the mobile device recognizes the lightweight agent as one of the plurality of contacts;
  
  receiving, at the mobile device, a request for a contact;
  
  determining, using the lightweight agent logic executing on the mobile device, whether the request for the contact was received via a contacts interface;
  
  in response to determining that the request for the contact was not received via the contacts interface, providing, by the mobile device, the contact list with the lightweight agent of the contact list provided in a manner that is not distinguishable from the plurality of contacts of the contact list to enable the lightweight agent to be selected by the malware on board the mobile device, wherein the malware sends a message to the agent server, the message being aimed at spreading the malware; and
  
  in response to determining that the request was received via the contacts interface, providing, by the mobile device, the contact list with the lightweight agent of the contact list displayed differently from the plurality of contacts of the contact list so that the lightweight agent is distinguishable from the plurality of contacts.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein the agent server receives the message from the malware and determines a signature of the malware, the signature of the malware comprising at least one of a content of the message or a sender of the message, and wherein the method further comprises comparing the signature to a previous signature of a previously received message.
  - 15. The method of claim 14, further comprising storing the signature of the malware.
  - 16. The method of claim 14, wherein the previous signature of the previously received message is stored in an agent database.
  - 17. The method of claim 13, further comprising alerting a service provider upon receiving the message at the agent server.
  - 18. The method of claim 17, further comprising alerting the service provider of a state of propagation of the malware.
  - 19. The method of claim 13, wherein providing the contact list with the lightweight agent of the contact list displayed differently from the plurality of contacts of the contact list so that the lightweight agent is distinguishable from the plurality of contacts comprises one of providing the contact list with the lightweight agent of the contact list displayed in a first color different from a second color used to display the plurality of contacts of the contact list or providing the contact list with the lightweight agent of the contact list displayed in a first contrast different from a second contrast used to display the plurality of contacts of the contact list.
  - 20. The method of claim 13, wherein inserting the lightweight agent, using the lightweight agent logic executing on the mobile device, into the plurality of contacts stored on the memory of the mobile device comprises inserting the lightweight agent, using the lightweight agent logic executing on the mobile device, into the plurality of contacts stored on the memory of the mobile device in response to a manufacturer input.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Wang, Wei, Xu, Gang
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
MEJIA, FELICIANO S

Application Number

US12/964,015
Publication Number

US 20120151588A1
Time in Patent Office

1,657 Days
Field of Search

726 22- 25, 709/220, 709/224, 709/229, 455/466, 455/412.1
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 2221/2123   Dummy operation

H04L 51/212   using filtering or selectiv...

H04L 51/58   Message adaptation for wire...

H04L 63/1491   using deception as counterm...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Malware detection for SMS/MMS based attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection for SMS/MMS based attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links