Application malware filtering for advertising networks

US 9,374,386 B2
Filed: 03/31/2015
Issued: 06/21/2016
Est. Priority Date: 08/22/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A system for application (“

app”

) malware filtering for advertising (“

ad”

) networks, comprising;

a hardware processor of a cloud service for ad network providers for automatically detecting malware apps being distributed through an ad network, the hardware processor configured to;

receive ad content;

generate a hash of the ad content;

determine whether the ad content has been previously analyzed by the cloud service based on a match of the hash of the ad content;

if the ad content has not been previously analyzed by the cloud service, then process the ad content, comprising;

determine whether the ad content includes a link to an app; and

in the event that the ad content includes the link to the app, scan the app, comprising;

determine an attribute of the app, wherein the attribute includes at least one of a behavior, a feature, or a category;

determine whether the ad content is associated with a malicious app based on the processing of the ad content and based on a policy, comprising to;

perform a dynamic analysis of the ad content to determine whether the ad content is associated with the malicious app, comprising to;

monitor internal and external app application program interface (API) calls performed by the app during execution to monitor at least one behavior of the app; and

determine whether the at least one monitored behavior exceeds or is outside scope of authorization of the app; and

perform an action based on the policy; and

a memory coupled to the hardware processor and configured to provide the hardware processor with instructions.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Application malware filtering for advertising networks is disclosed. For example, techniques for providing a system and process for detecting malicious ad content (e.g., or other undesirable ad content) distributed by advertising (ad) networks are disclosed. In some embodiments, application (“app”) malware filtering for advertising networks includes receiving ad content; processing the ad content; and automatically determining whether the ad content is associated with a malicious app.

Citations

21 Claims

1. A system for application (“
- app”
  
  ) malware filtering for advertising (“
  
  ad”
  
  ) networks, comprising;
  
  a hardware processor of a cloud service for ad network providers for automatically detecting malware apps being distributed through an ad network, the hardware processor configured to;
  
  receive ad content;
  
  generate a hash of the ad content;
  
  determine whether the ad content has been previously analyzed by the cloud service based on a match of the hash of the ad content;
  
  if the ad content has not been previously analyzed by the cloud service, then process the ad content, comprising;
  
  determine whether the ad content includes a link to an app; and
  
  in the event that the ad content includes the link to the app, scan the app, comprising;
  
  determine an attribute of the app, wherein the attribute includes at least one of a behavior, a feature, or a category;
  
  determine whether the ad content is associated with a malicious app based on the processing of the ad content and based on a policy, comprising to;
  
  perform a dynamic analysis of the ad content to determine whether the ad content is associated with the malicious app, comprising to;
  
  monitor internal and external app application program interface (API) calls performed by the app during execution to monitor at least one behavior of the app; and
  
  determine whether the at least one monitored behavior exceeds or is outside scope of authorization of the app; and
  
  perform an action based on the policy; and
  
  a memory coupled to the hardware processor and configured to provide the hardware processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 21)
- - 2. The system recited in claim 1, wherein the hardware processor is further configured to:
    - if the ad content has been previously analyzed by the cloud service, then determine a previous result of the analysis of the ad content previously performed by the cloud service.
  - 3. The system recited in claim 2, wherein the hardware processor is further configured to:
    - if the ad content has been previously analyzed by the cloud service, then determine whether to process the ad content to generate an updated result or to return a previous result of the analysis of the ad content previously performed by the cloud service.
  - 4. The system recited in claim 1, wherein the hardware processor is further configured to:
    - determine whether the app is unsafe or on a blacklist based on the policy.
  - 5. The system recited in claim 1, wherein determine whether the ad content is associated with a malicious app based on the processing of the ad content, further comprises:
    - assign a probability score to the ad content based on the attribute of the app;
      
      determine whether the probability score exceeds a threshold value; and
      
      in the event that the probability score exceeds the threshold value, determine the ad content is associated with the malicious app.
  - 6. The system recited in claim 1, wherein the hardware processor is further configured to:
    - determine that the ad content is associated with an in-app purchase that is associated with the malicious app, the in-app purchase relating to a purchase made within the malicious app.
  - 7. The system recited in claim 1, wherein the policy comprises an enterprise policy configured for an entity, and wherein the hardware processor is further configured to:
    - determine that the ad content is associated with malicious or undesirable content based on the enterprise policy, wherein the enterprise policy comprises a plurality of rules for apps based on one or more allowable features or behaviors of apps.
  - 8. The system recited in claim 1, wherein the hardware processor is further configured to:
    - perform a static analysis of the ad content.
  - 9. The system recited in claim 1, wherein perform a dynamic analysis of the ad content further comprises identify any linked to apps associated with a Uniform Resource Locator (URL) embedded in the ad content, wherein the URL is a dynamically resolved URL.
  - 10. The system recited in claim 1, wherein perform a dynamic analysis of the ad content further comprises identify any linked to apps associated with a Uniform Resource Locator (URL) embedded in the ad content.
  - 11. The system recited in claim 1, wherein the hardware processor is further configured to:
    - determine whether the malicious app attempts to thwart malware app detection by using the ad network for app distribution.
  - 12. The system recited in claim 1, wherein the hardware processor is further configured to:
    - receive the ad content from a mobile device, wherein the mobile device is associated with an enterprise that is subscribed to the cloud service.
  - 13. The system recited in claim 1, wherein the hardware processor is further configured to:
    - receive the ad content from an ad network provider.
  - 14. The system recited in claim 1, wherein the hardware processor is further configured to:
    - receive the ad content from an ad network provider, wherein the ad content comprises a plurality of ads for analysis by the cloud service to perform batch processing of the ad content.
  - 15. The system recited in claim 1, wherein the feature includes app origin/source information, comments associated with the source, executable code, script or source code, an included file, a HyperText Markup Language (HTML) file, a text file, an image file, a video file, an audio file, an embedded file, a compressed archive, a certificate/signed file, an advertising identifier, a software development kit (SDK) used in the app, an authentication server identifier, or a graphical user interface (GUI)/screen shot of the app during execution.
  - 16. The system recited in claim 1, wherein the behavior includes toll fraud, wherein toll fraud comprises sending one or more SMS messages to premium telephone numbers without consent or permission of an end user of a mobile device.
  - 17. The system recited in claim 1, wherein the behavior includes at least one of location tracking, recording, access to content, or toll fraud.
  - 18. The system recited in claim 1, wherein the action comprises blocking or filtering the ad content based on a violation of the policy.
  - 19. The system recited in claim 1, wherein the action comprises tagging the ad content for further analysis by the cloud service.
  - 21. The system recited in claim 1, wherein the hardware processor is further configured to:
    - perform a static analysis of the ad content, comprising to;
      
      inspect byte code or assembly language of the app to determine what the app does.

20. A method of application (“
- app”
  
  ) malware filtering for advertising (“
  
  ad”
  
  ) networks, comprising;
  
  receiving ad content;
  
  generating a hash of the ad content;
  
  determining whether the ad content has been previously analyzed by a cloud service based on a match of the hash of the ad content;
  
  if the ad content has not been previously analyzed by the cloud service, then processing the ad content using a processor of a cloud service for ad network providers for automatically detecting malware apps being distributed through an ad network, comprising;
  
  determining whether the ad content includes a link to an app; and
  
  in the event that the ad content includes the link to the app, scanning the app, comprising;
  
  determining an attribute of the app, wherein the attribute includes at least one of a behavior, a feature, or a category;
  
  determining whether the ad content is associated with a malicious app based on the processing of the ad content and based on a policy, comprising;
  
  performing a dynamic analysis of the ad content to determine whether the ad content is associated with the malicious app, comprising to;
  
  monitoring internal and external app application program interface (API) calls performed by the app during execution to monitor at least one behavior of the app; and
  
  determining whether the at least one monitored behavior exceeds or is outside scope of authorization of the app; and
  
  performing an action based on the policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Appthority Incorporated (Gen Digital Inc.)
Inventors
Watkins, Kevin, Bettini, Anthony John, Guerra, Domingo J., Eyberg, Ian
Primary Examiner(s)
Lee, Jason

Application Number

US14/675,327
Publication Number

US 20150281258A1
Time in Patent Office

448 Days
Field of Search

726/23, 726/24
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06Q 30/0277   Online advertisement

H04L 63/145   the attack involving the pr...

Application malware filtering for advertising networks

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Application malware filtering for advertising networks

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links