Detecting malware on mobile devices

US 9,202,049 B1
Filed: 06/20/2011
Issued: 12/01/2015
Est. Priority Date: 06/21/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a mobile device, data for an application including a set of application permissions describing elements of the mobile device to which the application will have access upon installation of the application;

determining, by the mobile device, a type for the application, wherein the type for the application corresponds to a set of expected elements of the mobile device to which applications of that type have access upon installation; and

based on a comparison of the set of application permissions for the application and the set of expected elements of the mobile device to which the type for the application corresponds, determining, by the mobile device, whether the application includes malware.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one example, a mobile device includes a network interface configured to receive data for an application including a set of application permissions describing elements of the mobile device to which the application will have access upon installation of the application, and a processing unit configured to determine a type for the application and, based on an analysis of the set of application permissions and the type for the application, determine whether the application includes malware.

181 Citations

35 Claims

1. A method comprising:
- receiving, by a mobile device, data for an application including a set of application permissions describing elements of the mobile device to which the application will have access upon installation of the application;
  
  determining, by the mobile device, a type for the application, wherein the type for the application corresponds to a set of expected elements of the mobile device to which applications of that type have access upon installation; and
  
  based on a comparison of the set of application permissions for the application and the set of expected elements of the mobile device to which the type for the application corresponds, determining, by the mobile device, whether the application includes malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein determining whether the received application includes malware comprises executing a malware detection application by a processor of the mobile device, the method further comprising:
    - storing instructions for the received application in a region on a storage medium of the mobile device to which other applications, including the malware detection application, do not have read access,wherein determining whether the received application includes malware comprises determining whether the received application includes malware without inspecting the stored instructions for the received application.
  - 3. The method of claim 1, further comprising, after determining that the application includes malware, mitigating the malware.
  - 4. The method of claim 3, wherein mitigating the malware comprises at least one of removing the application and quarantining the application.
  - 5. The method of claim 3, wherein mitigating the malware comprises presenting a user with an alert that the application is suspected of including malware and requesting that the user remove the application.
  - 6. The method of claim 1, wherein determining whether the application includes malware comprises:
    - comparing each of the set of application permissions to a set of concerning permissions associated with the type for the application; and
      
      determining that the application includes malware when at least one of the set of application permissions is included in the set of concerning permissions associated with the type for the application.
  - 7. The method of claim 6, wherein the set of concerning permissions includes one or more permissions that will at least one of allow the application to access a coarse location of the mobile device, allow the application to access a fine location of the mobile device, allow the application to disable the mobile device, allow the application to initiate a phone call without presenting a dialer user interface by which the mobile device receives confirmation of the call to be placed from a user, allow interaction with or notification of user driven events, allow the application to call any phone number without presenting the dialer user interface, allow the application to access a list of accounts in an accounts service, allow the application to open network sockets, allow the application to monitor, modify, or abort outgoing calls, allow the application to read calendar data of the mobile device, allow the application to read contacts data of the mobile device, allow the application to read data associated with an owner of the mobile device, allow the application to read short message service (SMS) messages, allow the application to monitor incoming multimedia message service (MMS) messages, allow the application to process SMS and MMS messages, allow the application to record audio, allow the application to send SMS messages, allow the application to request authentication tokens from an account manager, allow the application to write to external storage, allow the application to write browsing history data for the mobile device, allow the application to write bookmark data for the mobile device, and allow the application to write to the data associated with the owner for the mobile device.
  - 8. The method of claim 1, further comprising:
    - receiving a set of allowed permissions associated with the type for the application from a management console; and
      
      preventing execution of the application when a comparison of the set of application permissions and the set of allowed permissions indicates that the application is not allowed.
  - 9. The method of claim 1, wherein determining whether the application includes malware comprises:
    - comparing a set of normal permissions for the type for the application and the set of application permissions to determine whether there exists a subset of the application permissions that is not included in the set of normal permissions;
      
      when the subset exists;
      
      determining for each permission in the subset whether the permission is concerning; and
      
      determining that the application includes malware when at least one of the permissions in the subset is concerning.
  - 10. The method of claim 1, wherein receiving the data comprises receiving the data prior to installation of the application, and wherein determining comprises determining whether the application includes malware prior to installation of the application.
  - 11. The method of claim 10, further comprising, in response to determining that the application includes malware, preventing installation of the application.
  - 12. The method of claim 1, wherein the comparison includes a comparison of the set of application permissions describing the elements of the mobile device to which the application will have access upon installation of the application to the set of expected elements of the mobile device to which applications of that type have access upon installation, and wherein determining comprises determining that the received application includes malware when at least one of the set of application permissions describes an element of the mobile device that is not included in the set of expected elements of the mobile device to which applications of that type have access upon installation.

13. A mobile device comprising:
- a network interface configured to receive data for an application including a set of application permissions describing elements of the mobile device to which the application will have access upon installation of the application, wherein the type for the application corresponds to a set of expected elements of the mobile device to which applications of that type have access upon installation; and
  
  a processing unit configured to determine a type for the application and, based on a comparison of the set of application permissions for the application and the set of expected elements of the mobile device to which the type for the application corresponds, determine whether the application includes malware.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The mobile device of claim 13, further comprising a storage medium comprising a region for storing data for applications, wherein the mobile device prevents access to data stored in the region by the applications, and wherein the region comprises instructions for a malware detection application, wherein the processing unit is configured to store the data for the received application in the region, and wherein the processing unit is configured to execute the instructions for the malware detection application to determine whether the received application includes malware without inspecting the stored instructions for the application.
  - 15. The mobile device of claim 13, wherein the processing unit is configured to, after determining that the application includes malware, mitigate the malware.
  - 16. The mobile device of claim 15, wherein to mitigate the malware, the processing unit is configured to at least one of remove the application and quarantine the application.
  - 17. The mobile device of claim 15, wherein to mitigate the malware, the processing unit is configured to present a user with an alert that the application is suspected of including malware and request that the user remove the application.
  - 18. The mobile device of claim 13, wherein to determine whether the application includes malware, the processing unit is configured to compare each of the set of application permissions to a set of concerning permissions associated with the type for the application, and determine that the application includes malware when at least one of the set of application permissions is included in the set of concerning permissions associated with the type for the application.
  - 19. The mobile device of claim 13, wherein the network interface is configured to receive a set of allowed permissions associated with the type for the application from a management console, and wherein the processing unit is configured to prevent execution of the application when a comparison of the set of application permissions and the set of allowed permissions indicates that the application is not allowed.
  - 20. The mobile device of claim 13, wherein to determine whether the application includes malware, the processing unit is configured to compare a set of normal permissions for the type for the application and the set of application permissions to determine whether there exists a subset of the application permissions that is not included in the set of normal permissions, and when the subset exists, to determine for each permission in the subset whether the permission is concerning, and to determine that the application includes malware when at least one of the permissions in the subset is concerning.
  - 21. The mobile device of claim 13, wherein the comparison includes a comparison of the set of application permissions describing the elements of the mobile device to which the application will have access upon installation of the application to the set of expected elements of the mobile device to which applications of that type have access upon installation, and wherein the processing unit is configured to determine that the received application includes malware when at least one of the set of application permissions describes an element of the mobile device that is not included in the set of expected elements of the mobile device to which applications of that type have access upon installation.

22. A system comprising:
- a plurality of mobile devices; and
  
  a threat management center configured to determine sets of permissions associated with various types of applications and to distribute the determined sets of permissions to the plurality of mobile devices,wherein each of the plurality of mobile devices is configured to receive data for an application including a set of application permissions describing elements of the mobile device to which the application will have access upon installation of the application, to determine a type for the application, wherein the type for the application corresponds to a set of expected elements of the mobile device to which applications of that type have access upon installation, and, based on a comparison of the set of application permissions for the application and the set of expected elements of the mobile device to which the type for the application corresponds, determine whether the application includes malware.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The system of claim 22, wherein the sets of permissions comprise sets of normal permissions for the various types of applications, and wherein the mobile devices are configured to compare the set of normal permissions for the type for the application and the set of application permissions to determine whether there exists a subset of the application permissions that is not included in the set of normal permissions, and when the subset exists, to determine for each permission in the subset whether the permission is concerning, and to determine that the application includes malware when at least one of the permissions in the subset is concerning.
  - 24. The system of claim 22, wherein the sets of permissions comprise a set of allowed permissions associated with the type for the application, and wherein the mobile devices are configured to prevent execution of the application when a comparison of the set of application permissions and the set of allowed permissions indicates that the application is not allowed.
  - 25. The system of claim 22, wherein the sets of permissions comprise sets of concerning permissions, and wherein to determine whether the application comprises malware, the mobile devices are configured to compare each of the set of application permissions to the set of concerning permissions associated with the type for the application, and determine that the application includes malware when at least one of the set of application permissions is included in the set of concerning permissions associated with the type for the application.
  - 26. The system of claim 22, further comprising a management console configured to establish sets of allowed permissions associated with the various types of the applications and to distribute the sets of allowed permissions to the plurality of mobile devices, wherein each of the plurality of mobile devices is configured to prevent execution of an application when a comparison of a set of application permissions and the sets of allowed permissions indicate that the application is not allowed.
  - 27. The system of claim 22, wherein the comparison includes a comparison of the set of application permissions describing the elements of the mobile device to which the application will have access upon installation of the application to the set of expected elements of the mobile device to which applications of that type have access upon installation, and wherein each of the mobile devices is configured to determine that the received application includes malware when at least one of the set of application permissions describes an element of the mobile device that is not included in the set of expected elements of the mobile device to which applications of that type have access upon installation.

28. A non-transitory computer-readable storage medium comprising instructions that, when executed, cause a processor of a mobile device to:
- receive data for an application including a set of application permissions describing elements of the mobile device to which the application will have access upon installation of the application;
  
  determine a type for the application, wherein the type for the application corresponds to a set of expected elements of the mobile device to which applications of that type have access upon installation; and
  
  based on a comparison of the set of application permissions for the application and the set of expected elements of the mobile device to which the type for the application corresponds, determine whether the application includes malware.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35)
- - 29. The non-transitory computer-readable storage medium of claim 28, wherein the instructions that cause the processor to determine whether the received application includes malware comprise instructions for malware detection application;
    - wherein the instructions that cause the processor to receive the data for the application comprise instructions that cause the processor to store instructions for the received application in a region on a storage medium of the mobile device to which other applications, including the malware detection application, do not have read access, andwherein the instructions for the malware detection application comprise instructions that cause the processor to determine whether the received application include malware without inspecting the stored instructions for the received application.
  - 30. The non-transitory computer-readable storage medium of claim 28, further comprising instructions that cause the processor to, after determining that the application includes malware, at least one of remove the application and quarantine the application.
  - 31. The non-transitory computer-readable storage medium of claim 28, further comprising instructions that cause the processor to present a user with an alert that the application is suspected of including malware and request that the user remove the application.
  - 32. The non-transitory computer-readable storage medium of claim 28, further comprising instructions that cause the processor to determine whether the application includes malware comprise instructions that cause the processor to:
    - compare each of the set of application permissions to a set of concerning permissions associated with the type for the application; and
      
      determine that the application includes malware when at least one of the set of application permissions is included in the set of concerning permissions associated with the type for the application.
  - 33. The non-transitory computer-readable storage medium of claim 28, further comprising instructions that cause the processor to:
    - receive a set of allowed permissions associated with the type for the application from a management console; and
      
      prevent execution of the application when a comparison of the set of application permissions and the set of allowed permissions indicates that the application is not allowed.
  - 34. The non-transitory computer-readable storage medium of claim 28, further comprising instructions that cause the processor to determine whether the application includes malware comprise instructions that cause the processor to:
    - compare a set of normal permissions for the type for the application and the set of application permissions to determine whether there exists a subset of the application permissions that is not included in the set of normal permissions;
      
      when the subset exists;
      
      determine for each permission in the subset whether the permission is concerning; and
      
      determine that the application includes malware when at least one of the permissions in the subset is concerning.
  - 35. The non-transitory computer-readable storage medium of claim 28, wherein the comparison includes a comparison of the set of application permissions describing the elements of the mobile device to which the application will have access upon installation of the application to the set of expected elements of the mobile device to which applications of that type have access upon installation, and wherein the instructions that cause the processor to determine comprise instructions that cause the processor to determine that the received application includes malware when at least one of the set of application permissions describes an element of the mobile device that is not included in the set of expected elements of the mobile device to which applications of that type have access upon installation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Inventors
Book, Neil, Hoffman, Daniel V.
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US13/164,627
Time in Patent Office

1,625 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/57   Certifying or maintaining t...

G06F 2221/033   Test or assess software

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04W 12/128   Anti-malware arrangements, ...

Detecting malware on mobile devices

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

181 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malware on mobile devices

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

181 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links