Detection and prevention of installation of malicious mobile applications

US 9,596,257 B2
Filed: 09/11/2015
Issued: 03/14/2017
Est. Priority Date: 04/18/2012
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer readable medium comprising computer executable instructions stored thereon that, when executed, cause at least one processor to:

receive an application identifier from a mobile device over a network connection, the application identifier comprising a key uniquely identifying an application for which a call to an installation operation has been intercepted on the mobile device, wherein the key is a hash computed from at least a portion of a mobile application setup file associated with the application;

utilize at least a portion of the application identifier to determine a status of the application from a database of records including statuses of a plurality of analyzed applications, wherein the application identifier comprises metadata associated with the application; and

send the status of the application and one or more properties of the application to the mobile device over the network connection, wherein the one or more properties indicate functionality of the application to be enabled when the application is installed on the mobile device.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A combination of shim and back-end server applications may be used to identify and block the installation of malicious applications on mobile devices. In practice, a shim application registers with a mobile device'"'"'s operating system to intercept application installation operations. Upon intercepting an attempted installation operation, the shim application identifies the application seeking to be installed, generates a key uniquely identifying the application, and transmits the key over a network connection to a back-end server. The back-end server may be configured to crawl the Internet to identify malicious applications and compile and maintain a database of such applications. Upon receiving a key from the shim application, the back-end server can search its database to locate a matching application and, if found, respond to the mobile device with the application'"'"'s status (e.g., malicious or not). The shim application can utilize this information to allow or block installation of the application.

65 Citations

View as Search Results

18 Claims

1. At least one non-transitory computer readable medium comprising computer executable instructions stored thereon that, when executed, cause at least one processor to:
- receive an application identifier from a mobile device over a network connection, the application identifier comprising a key uniquely identifying an application for which a call to an installation operation has been intercepted on the mobile device, wherein the key is a hash computed from at least a portion of a mobile application setup file associated with the application;
  
  utilize at least a portion of the application identifier to determine a status of the application from a database of records including statuses of a plurality of analyzed applications, wherein the application identifier comprises metadata associated with the application; and
  
  send the status of the application and one or more properties of the application to the mobile device over the network connection, wherein the one or more properties indicate functionality of the application to be enabled when the application is installed on the mobile device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The at least one non-transitory computer readable medium of claim 1, wherein the computer executable instructions, when executed, cause the at least one processor to:
    - search the database for a record corresponding to the key to determine the status of the application.
  - 3. The at least one non-transitory computer readable medium of claim 1, wherein the computer executable instructions, when executed, cause the at least one processor to:
    - utilize the metadata to determine the status of the application from the records in the database if no record corresponding to the key exists in the database.
  - 4. The at least one non-transitory computer readable medium of claim 3, wherein the metadata indicates a source of the application, wherein the computer executable instructions, when executed, cause the at least one processor to:
    - determine the application is malicious based, at least in part, on a threshold corresponding to other applications associated with the source and known to be malicious.
  - 5. The at least one non-transitory computer readable medium of claim 1, wherein the computer executable instructions, when executed, cause the at least one processor to:
    - extract, from the application identifier, the key and the metadata associated with the application.
  - 6. The at least one non-transitory computer readable medium of claim 5, wherein the extracting is to include decrypting the application identifier.
  - 7. The at least one non-transitory computer readable medium of claim 1, wherein the application identifier is received via a short message service (SMS) to a predefined telephone number.
  - 8. The at least one non-transitory computer readable medium of claim 1, wherein the application identifier is received via one of dual-tone multi-frequency signaling or interactive voice response (IVR) messaging if communication is initiated between the mobile device and a predefined telephone number.

9. An apparatus, the apparatus comprising:
- at least one hardware processor; and
  
  a server application coupled to the at least one hardware processor and when running on the at least one hardware processor, the server application is to;
  
  receive an application identifier from a mobile device over a network connection, the application identifier comprising a key uniquely identifying an application for which a call to an installation operation has been intercepted on the mobile device, wherein the key is a hash computed from at least a portion of a mobile application setup file associated with the application;
  
  utilize at least a portion of the application identifier to determine a status of the application from a database of records including statuses of a plurality of analyzed applications, wherein the application identifier comprises metadata associated with the application; and
  
  send the status of the application and one or more properties of the application to the mobile device over the network connection, wherein the one or more properties indicate a functionality of the application to be enabled when the application is installed on the mobile device.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The apparatus of claim 9, wherein when running on the at least one hardware processor, the server application is to:
    - search the database for a record corresponding to the key to determine the status of the application.
  - 11. The apparatus of claim 9, wherein when running on the at least one hardware processor, the server application is to:
    - utilize the metadata to determine the status of the application from the records in the database if no record corresponding to the key exists in the database.
  - 12. The apparatus of claim 11, wherein when running on the at least one hardware processor, the server application is to:
    - determine the application is malicious based, at least in part, on a threshold corresponding to other applications known to be malicious and associated with a source of the application, wherein the metadata indicates the source of the application.
  - 13. The apparatus of claim 9, wherein when running on the at least one hardware processor, the server application is to:
    - extract, from the application identifier, the key and the metadata associated with the application.
  - 14. The apparatus of claim 13, wherein the extracting is to include decrypting the application identifier.

15. A method, comprising:
- receiving, at a server application utilizing at least one hardware processor, an application identifier from a mobile device over a network connection, the application identifier comprising a key uniquely identifying an application for which a call to an installation operation has been intercepted on the mobile device, wherein the key is a hash computed from at least a portion of a mobile application setup file associated with the application;
  
  utilizing at least a portion of the application identifier to determine a status the application from a database of records including statuses of a plurality of analyzed applications, wherein the application identifier comprises metadata associated with the application; and
  
  sending the status of the application and one or more properties of the application to the mobile device over the network connection, wherein the one or more properties indicate a functionality of the application to be enabled when the application is installed on the mobile device.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, further comprising:
    - searching the database for a record corresponding to the key to determine the status of the application.
  - 17. The method of claim 15, further comprising:
    - utilizing the metadata to determine the status of the application from the records in the database if no record corresponding to the key exists in the database.
  - 18. The method of claim 17, further comprising:
    - determining the application is malicious based, at least in part, on a threshold corresponding to other applications known to be malicious and associated with a source of the application, wherein the metadata indicates the source of the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Das, Sudeep, Divakarla, Jayasankar, Sharma, Pramod
Primary Examiner(s)
RAHIM, MONJUR

Application Number

US14/851,619
Publication Number

US 20160006757A1
Time in Patent Office

550 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 16/955   using information identifie...

G06F 21/51   at application loading time...

G06F 2221/033   Test or assess software

H04L 63/1441   Countermeasures against mal...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Detection and prevention of installation of malicious mobile applications

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Detection and prevention of installation of malicious mobile applications

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others