Malware detection system and method for mobile platforms
First Claim
1. A method of detecting malware, comprising:
- selecting, by a mobile device, a first set of hash values hashed from prefixes of a set of malware signatures, each of the prefixes having a first-portion-size, wherein the malware signatures have lengths greater than the first-portion-size;
- hashing, by the mobile device, a plurality of strings of a target application to create a plurality of second hash values, each of the strings having the first-portion-size, the target application comprising a downloaded application having a size greater than the first-portion size;
- comparing, by the mobile device, the plurality of second hash values to the first hash values to determine if there is a match;
- determining, by the mobile device, that the target application is malware-free when there is no match between the plurality of second hash values and the first hash values; and
- when there is a match between one of the first set of hash values and one of the second set of hash values:
  - determining the malware signature of the set of malware signatures from which the one of the first set of hash values was hashed that matched the one of the second set of hash values;
  - comparing a hash of at least a portion of the determined malware signature to hashes of one or more strings of the target application, each of the strings having lengths equal to the length of the at least portion of the determined malware signature; and
  - determining whether the target application is malware-infected based on a match between the hash of the at least portion of the determined malware signature and at least one of the strings of the target application having the lengths equal to the length of the at least portion of the determined malware signature.
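The two-stage comparison in claim 1 can be sketched as follows. This is an added example, not code from the patent: the claims name no hash function, so the polynomial rolling hash for the prefix stage, SHA-256 for the confirmation stage, the prefix size of 8 and the sample signatures are all assumptions. The second stage here checks only the application string that starts at the offset where the prefix hash matched.

```python
import hashlib

PREFIX_SIZE = 8                  # the "first-portion-size" (value assumed)
BASE, MOD = 257, (1 << 61) - 1   # rolling-hash parameters (assumed)

def prefix_hash(data: bytes) -> int:
    """Polynomial hash of one PREFIX_SIZE-byte string."""
    value = 0
    for byte in data:
        value = (value * BASE + byte) % MOD
    return value

def build_index(signatures: dict) -> dict:
    """Map prefix hash -> [(name, length, full-signature hash)]."""
    index = {}
    for name, sig in signatures.items():
        if len(sig) <= PREFIX_SIZE:
            raise ValueError(f"{name}: signature must exceed the prefix size")
        entry = (name, len(sig), hashlib.sha256(sig).digest())
        index.setdefault(prefix_hash(sig[:PREFIX_SIZE]), []).append(entry)
    return index

def scan(app: bytes, index: dict) -> list:
    """Return confirmed (offset, name) matches; an empty list means no match."""
    if len(app) < PREFIX_SIZE:
        return []
    hits = []
    top = pow(BASE, PREFIX_SIZE - 1, MOD)     # weight of the byte leaving the window
    value = prefix_hash(app[:PREFIX_SIZE])
    for off in range(len(app) - PREFIX_SIZE + 1):
        # Stage 1: hash of this PREFIX_SIZE-byte string vs. the stored prefix hashes.
        for name, length, full in index.get(value, ()):
            # Stage 2: hash an app string as long as the signature and compare.
            window = app[off:off + length]
            if len(window) == length and hashlib.sha256(window).digest() == full:
                hits.append((off, name))
        if off + PREFIX_SIZE < len(app):      # slide the window one byte
            value = ((value - app[off] * top) * BASE + app[off + PREFIX_SIZE]) % MOD
    return hits

# Constructed sample data: not real malware signatures.
SIGNATURES = {"Demo.A": b"EVILCODE-payload-v1", "Demo.B": b"DROPPER!stage-two"}
INDEX = build_index(SIGNATURES)
CLEAN = b"\x00header" + b"harmless application bytes" * 3
PREFIX_ONLY = b"xxEVILCODE-but-benign-tail"         # stage 1 hit, stage 2 miss
INFECTED = b"\x7fELF...." + b"DROPPER!stage-two" + b"trailer"
```

`PREFIX_ONLY` shows why the second comparison exists: its bytes match a stored prefix hash, but the full-length hash differs, so the application is not reported as infected.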
Abstract
In one example, a management server is configured to provide malware protection for one or more client mobile platforms in communication with the management server via a mobile network. In the example, the management server includes a processor configured to detect malware in the mobile network, select a client mobile platform having a malware scanning agent, and manage the malware scanning agent of the client mobile platform using a device independent secure management protocol based at least in part on the malware detected in the mobile network.
16 Claims
10. A mobile device comprising a system for detecting malware, the system comprising:
- a data store, the data store comprising a plurality of hash values hashed from prefixes of a set of malware signatures, each of the prefixes having a first-portion-size, wherein at least one of the malware signatures has a length greater than the first-portion-size; and
- one or more processors configured to:
  - select a first set of hash values from the plurality of hash values;
  - hash a plurality of strings of a target application to create a plurality of second hash values, each of the strings having the first-portion-size, the target application comprising a downloaded application having a size greater than the first-portion-size;
  - compare the plurality of second hash values to the first set of hash values to determine if there is a match;
  - determine that the target application is malware-free when there is no match;
  - when there is a match between one of the first set of hash values and one of the second set of hash values:
    - determine the malware signature of the set of malware signatures from which the one of the first set of hash values was hashed;
    - compare a hash of at least a portion of the determined malware signature to hashes of one or more strings of the target application, each of the strings having lengths equal to the length of the at least portion of the determined malware signature; and
    - determine whether the target application is malware-infected based on a match between the hash of the at least portion of the determined malware signature and at least one of the strings of the target application having the lengths equal to the length of the at least portion of the determined malware signature.
16. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed, cause a processor of a mobile device to:
- select a first set of hash values hashed from prefixes of a set of malware signatures, each of the prefixes having a first-portion-size, wherein the malware signatures have lengths greater than the first-portion-size;
- hash a plurality of strings of a target application to create a plurality of second hash values, each of the strings having the first-portion-size, the target application comprising a downloaded application having a size greater than the first-portion size;
- compare the plurality of second hash values to the first hash values to determine if there is a match;
- determine that the target application is malware-free when there is no match between the plurality of second hash values and the first hash values; and
- when there is a match between one of the first set of hash values and one of the second set of hash values:
  - determine a malware signature of the set of malware signatures from which the one of the first set of hash values was hashed;
  - compare a hash of at least a portion of the determined malware signature to hashes of one or more strings of the target application, each of the strings having lengths equal to the length of the at least portion of the determined malware signature; and
  - determine whether the target application is malware-infected based on a match between the hash of the at least portion of the determined malware signature and at least one of the strings of the target application having the lengths equal to the length of the at least portion of the determined malware signature.
Specification