Detection and prevention of installation of malicious mobile applications

US 9,152,784 B2
Filed: 04/18/2012
Issued: 10/06/2015
Est. Priority Date: 04/18/2012
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium comprising computer executable instructions stored thereon that, when executed, cause a processor to:

intercept a request to install an application on a mobile device, the request initiated by a first portion of a mobile application setup file on the mobile device, wherein the mobile application setup file includes a second portion including program code of the application to be installed;

generate a key based on at least a portion of the second portion of the mobile application setup file, wherein the key uniquely identifies the application;

send the key over a network connection to a server application;

receive a response over the network connection from the server application before the application is installed on the mobile device, the response to include a status of the application that indicates whether the application is malicious; and

block the first portion of the mobile application setup file from executing to install the application on the mobile device when the status indicates the application is malicious.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A combination of shim and back-end server applications may be used to identify and block the installation of malicious applications on mobile devices. In practice, a shim application registers with a mobile device'"'"'s operating system to intercept application installation operations. Upon intercepting an attempted installation operation, the shim application identifies the application seeking to be installed, generates a key uniquely identifying the application, and transmits the key over a network connection to a back-end server. The back-end server may be configured to crawl the Internet to identify malicious applications and compile and maintain a database of such applications. Upon receiving a key from the shim application, the back-end server can search its database to locate a matching application and, if found, respond to the mobile device with the application'"'"'s status (e.g., malicious or not). The shim application can utilize this information to allow or block installation of the application.

52 Citations

View as Search Results

20 Claims

1. A non-transitory computer readable medium comprising computer executable instructions stored thereon that, when executed, cause a processor to:
- intercept a request to install an application on a mobile device, the request initiated by a first portion of a mobile application setup file on the mobile device, wherein the mobile application setup file includes a second portion including program code of the application to be installed;
  
  generate a key based on at least a portion of the second portion of the mobile application setup file, wherein the key uniquely identifies the application;
  
  send the key over a network connection to a server application;
  
  receive a response over the network connection from the server application before the application is installed on the mobile device, the response to include a status of the application that indicates whether the application is malicious; and
  
  block the first portion of the mobile application setup file from executing to install the application on the mobile device when the status indicates the application is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 18)
- - 2. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the processor to intercept the request to install the application on the mobile device comprise instructions to cause the processor to register a shim application as a background service on the mobile device.
  - 3. The non-transitory computer readable medium of claim 2, wherein the shim application is to intercept an invocation of an application programming interface that is utilized by the mobile application setup file to initiate an installation of the application on the mobile device.
  - 4. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the processor to generate the key based on at least a portion of the mobile application setup file comprise instructions to cause the processor to apply a hash algorithm to the at least a portion of the second portion of the mobile application setup file.
  - 5. The non-transitory computer readable medium of claim 1, further comprising instructions to cause the processor to encrypt the key before the key is sent over the network to the server application.
  - 6. The non-transitory computer readable medium of claim 1, further comprising instructions to cause the processor to compile metadata associated with the application.
  - 7. The non-transitory computer readable medium of claim 6, wherein the metadata associated with the application comprises at least one of a publisher of the application, a source of the application, and a digital signature used to sign the application.
  - 8. The non-transitory computer readable medium of claim 6, further comprising instructions to cause the processor to send the metadata, with the key, over the network connection to the server application.
  - 9. The at least one non-transitory computer readable medium of claim 1, further comprising instructions to cause the processor to:
    - select a communication protocol to send the key over the network connection to the server application, wherein the communication protocol is to be selected based on a priority list of communication protocols and on a current availability of the communication protocols identified in the priority list.
  - 10. The non-transitory computer readable medium of claim 1, wherein the instructions to cause the processor to send the key over the network connection comprise instructions to cause the processor to communicate the key over a telephony specific communications channel.
  - 11. The non-transitory computer readable medium of claim 10, wherein the instructions to cause the processor to send the key over the telephony specific communications channel comprise instructions to cause the processor to send the key as a short message service (SMS) message to a predefined telephone number.
  - 18. The non-transitory computer readable medium of claim 9, wherein the priority list is configurable by a user of the mobile device.

12. A method, comprising:
- intercepting, utilizing a processor in a mobile device, a request to install an application on the mobile device, the request initiated by a first portion of a mobile application setup file on the mobile device, wherein the mobile application setup file includes a second portion including program code of the application to be installed;
  
  generating, utilizing the processor, a key based on at least a portion of the second portion of the mobile application setup file, wherein the key uniquely identifies the application;
  
  sending, utilizing the processor, the key over a network connection to a server application;
  
  receiving, utilizing the processor, a response over the network connection from the server application before the application is installed on the mobile device, the response to include a status of the application that indicates whether the application is malicious; and
  
  blocking, utilizing the processor, the first portion of the mobile application setup file from executing to install the application when the status indicates that the application is malicious.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12, wherein the act of intercepting the request to install an application on the mobile device comprises registering a shim application as a background service on the mobile device.
  - 14. The method of claim 13, wherein the shim application is to intercept an invocation of an application programming interface that is utilized by the mobile application setup file to initiate an installation of the application on the mobile device.

15. A mobile device, comprising:
- a memory including instructions;
  
  a network interface; and
  
  a processor operatively coupled to the memory and the network interface, the processor adapted to execute the instructions stored in the memory to;
  
  intercept a request to install an application on the mobile device, the request initiated by a first portion of a mobile application setup file on the mobile device, wherein the mobile application setup file includes a second portion including program code of the application to be installed;
  
  generate a key based on at least a portion of the second portion of the mobile application setup file, wherein the key uniquely identifies the mobile application;
  
  send the key, utilizing the network interface, to a server application;
  
  receive a response, utilizing the network interface, from the server application before the application is installed on the mobile device, the response to include a status of the application that indicates whether the application is malicious; and
  
  block the first portion of the mobile application setup file from executing to install the mobile application on the mobile device when the status indicates that the mobile application is malicious.
- View Dependent Claims (16, 17, 19, 20)
- - 16. The mobile device of claim 15, wherein the processor is adapted to execute the instructions stored in the memory to:
    - register a shim application.
  - 17. The mobile device of claim 15, wherein the processor is adapted to execute the instructions stored in the memory to send the key over a telephony specific communications channel.
  - 19. The mobile device of claim 15, wherein the processor is adapted to execute the instructions stored in the memory to compile metadata associated with the application, wherein the metadata is included in the mobile application setup file.
  - 20. The mobile device of claim 16, wherein the shim application is to intercept an invocation of an application programming interface that is utilized by the mobile application setup file to initiate an installation of the application on the mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Das, Sudeep, Divakarla, Jayasankar, Sharma, Pramod
Primary Examiner(s)
RAHIM, MONJUR

Application Number

US13/449,751
Publication Number

US 20130283377A1
Time in Patent Office

1,266 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 16/955   using information identifie...

G06F 21/51   at application loading time...

G06F 2221/033   Test or assess software

H04L 63/1441   Countermeasures against mal...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Detection and prevention of installation of malicious mobile applications

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection and prevention of installation of malicious mobile applications

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links