Malware detection for SMS/MMS based attacks
Abstract
Devices, systems, and methods are disclosed which utilize lightweight agents on a mobile device to detect message-based attacks. In exemplary configurations, the lightweight agents are included as contacts on the mobile device addressed to an agent server on a network. A malware onboard the mobile device, intending to propagate, unknowingly addresses the lightweight agents, sending messages to the agent server. The agent server analyzes the messages received from the mobile device of the deployed lightweight agents. The agent server then generates attack signatures for the malware. Using malware propagation models, the system estimates how many active mobile devices are infected as well as the total number of infected mobile devices in the network. By understanding the malware propagation, the service provider can decide how to deploy a mitigation plan on crucial locations. In further configurations, the mechanism may be used to detect message and email attacks on other devices.
20 Claims
1. A mobile device comprising:
- a processor; and
- a memory storing a lightweight agent logic, the lightweight agent logic comprising instructions which, when executed by the processor, cause the processor to perform operations comprising
  - inserting a lightweight agent into a plurality of contacts stored on the memory to create a contact list, the lightweight agent comprising an address of an agent server on a network, wherein the lightweight agent is disguised as one of the plurality of contacts so that a malware on-board the mobile device recognizes the lightweight agent as one of the plurality of contacts,
  - receiving a request for a contact,
  - determining whether the request for the contact was received via a contacts interface,
  - in response to determining that the request was not received via the contacts interface, providing the contact list with the lightweight agent of the contact list provided in a manner that is not distinguishable from the plurality of contacts of the contact list to enable the lightweight agent to be selected by the malware on board the mobile device, wherein the malware sends a message to the agent server, the message being aimed at spreading the malware, and
  - in response to determining that the request was received via the contacts interface, providing the contact list with the lightweight agent of the contact list displayed differently from the plurality of contacts of the contact list so that the lightweight agent is distinguishable from the plurality of contacts.

Dependent claims: 2, 3, 4, 5, 6

7. A memory storing a lightweight agent logic comprising instructions that, when executed by a processor of a mobile device, cause the processor to perform operations comprising:
- inserting a lightweight agent into a plurality of contacts stored on the memory to create a contact list, the lightweight agent comprising an address of an agent server on a network, wherein the lightweight agent is disguised as one of the plurality of contacts so that a malware on-board the mobile device recognizes the lightweight agent as one of the plurality of contacts;
- receiving a request for a contact;
- determining whether the request for the contact was received via a contacts interface;
- in response to determining that the request for the contact was not received via the contacts interface, providing the contact list with the lightweight agent of the contact list provided in a manner that is not distinguishable from the plurality of contacts of the contact list to enable the lightweight agent to be selected by the malware on board the mobile device, wherein the malware sends a message, the message being aimed at spreading the malware; and
- in response to determining that the request was received via the contacts interface, providing the contact list with the lightweight agent of the contact list displayed differently from the plurality of contacts of the contact list so that the lightweight agent is distinguishable from the plurality of contacts.

Dependent claims: 8, 9, 10, 11, 12

13. A method comprising:
- inserting a lightweight agent, using a lightweight agent logic executing on a mobile device, into a plurality of contacts stored on a memory of the mobile device to create a contact list, the lightweight agent comprising an address of an agent server on a network, wherein the lightweight agent is disguised as one of the plurality of contacts so that a malware on-board the mobile device recognizes the lightweight agent as one of the plurality of contacts;
- receiving, at the mobile device, a request for a contact;
- determining, using the lightweight agent logic executing on the mobile device, whether the request for the contact was received via a contacts interface;
- in response to determining that the request for the contact was not received via the contacts interface, providing, by the mobile device, the contact list with the lightweight agent of the contact list provided in a manner that is not distinguishable from the plurality of contacts of the contact list to enable the lightweight agent to be selected by the malware on board the mobile device, wherein the malware sends a message to the agent server, the message being aimed at spreading the malware; and
- in response to determining that the request was received via the contacts interface, providing, by the mobile device, the contact list with the lightweight agent of the contact list displayed differently from the plurality of contacts of the contact list so that the lightweight agent is distinguishable from the plurality of contacts.

Dependent claims: 14, 15, 16, 17, 18, 19, 20

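The mechanism described in the abstract and the independent claims, as an added sketch that is not code from the patent: a contact store that marks the decoy contact only for the contacts interface, and an agent server that groups messages addressed to the decoy. The class and function names, the truncated SHA-256 body hash standing in for a "signature", and every name and number below are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

AGENT_ADDRESS = "+15550100"  # constructed decoy number, assumed routed to the agent server


@dataclass(frozen=True)
class Contact:
    name: str
    number: str
    is_agent: bool = False  # internal flag, never exposed on the programmatic path


class ContactStore:
    def __init__(self, contacts):
        # Insert the decoy under an ordinary-looking (constructed) name.
        self._contacts = list(contacts) + [Contact("Alex Morgan", AGENT_ADDRESS, True)]
        self._contacts.sort(key=lambda c: c.name)

    def get_contacts(self, via_contacts_interface):
        if via_contacts_interface:
            # User-facing path: the decoy is marked so the user can tell it apart.
            return [{"name": c.name, "number": c.number, "decoy": c.is_agent}
                    for c in self._contacts]
        # Any other caller: identical fields for every entry, decoy not distinguishable.
        return [{"name": c.name, "number": c.number} for c in self._contacts]


class AgentServer:
    def __init__(self):
        self.senders_by_signature = {}

    def receive(self, sender, recipient, body):
        if recipient != AGENT_ADDRESS:
            return None  # only traffic addressed to the decoy reaches the agent server
        # Assumed signature scheme: hash of the message body (the page names none).
        sig = hashlib.sha256(body.encode()).hexdigest()[:16]
        self.senders_by_signature.setdefault(sig, set()).add(sender)
        return sig

    def infected_senders(self, sig):
        return sorted(self.senders_by_signature.get(sig, ()))


def simulate_mass_send(device_number, store, server, body):
    """Harmless stand-in for a self-propagating sender: one message per listed contact."""
    sigs = {server.receive(device_number, c["number"], body)
            for c in store.get_contacts(via_contacts_interface=False)}
    sigs.discard(None)
    return sigs
```

Because no legitimate user action should ever message the decoy, each sender recorded under a signature is a candidate infected device, which is the count the abstract feeds into its propagation estimate.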
Specification