Behavioral scanning of mobile applications
First Claim
1. A computer-implemented method for determining a suitability of a mobile application for distribution in a mobile application marketplace, the method comprising:
- receiving a mobile application for distribution in a mobile application marketplace;
- performing a static analysis on the mobile application to identify a set of registered application permissions of the mobile application, and determine one or more events that simulate user interaction on the client device based on the identified registered application permissions;
- selecting an emulated environment configured to execute the mobile application based on the identified registered application permissions;
- executing the mobile application in the selected emulated environment, the emulated environment simulating a mobile device;
- recording behaviors of the simulated mobile device in response to providing the one or more events to the mobile application;
- classifying the mobile application as malicious or non-malicious based on the recorded behaviors; and
- determining, based on the classification, whether to approve or reject the mobile application for distribution in the mobile application marketplace.
4 Assignments
0 Petitions
Abstract
Behavioral analysis of a mobile application is performed to determine whether the application is malicious. During analysis, various user interactions are simulated in an emulated environment to activate many possible resulting behaviors of an application. The behaviors are classified as hard or soft signals. A probability of the application being malicious is determined through combining soft signals, and the application is classified as malicious or non-malicious. Users of the application, the developer of the application, or a distributor of the application are notified of the application classification to enable responsive action.
30 Claims
1. A computer-implemented method for determining a suitability of a mobile application for distribution in a mobile application marketplace, the method comprising:
- receiving a mobile application for distribution in a mobile application marketplace;
- performing a static analysis on the mobile application to identify a set of registered application permissions of the mobile application, and determine one or more events that simulate user interaction on the client device based on the identified registered application permissions;
- selecting an emulated environment configured to execute the mobile application based on the identified registered application permissions;
- executing the mobile application in the selected emulated environment, the emulated environment simulating a mobile device;
- recording behaviors of the simulated mobile device in response to providing the one or more events to the mobile application;
- classifying the mobile application as malicious or non-malicious based on the recorded behaviors; and
- determining, based on the classification, whether to approve or reject the mobile application for distribution in the mobile application marketplace.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A computer program product for determining a suitability of a mobile application for distribution in a mobile application marketplace, the computer program product comprising a non-transitory computer-readable storage medium containing computer program instructions for:
- receiving a mobile application for distribution in a mobile application marketplace;
- performing a static analysis on the mobile application to identify a set of registered application permissions of the mobile application, and determine one or more events that simulate user interaction on the client device based on the identified registered application permissions;
- selecting an emulated environment configured to execute the mobile application based on the identified registered application permissions;
- executing the mobile application in the selected emulated environment, the emulated environment simulating a mobile device;
- recording behaviors of the simulated mobile device in response to providing one or more events to the mobile application;
- classifying the mobile application as malicious or non-malicious based on the recorded behaviors; and
- determining, based on the classification, whether to approve or reject the mobile application for distribution in the mobile application marketplace.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. A system comprising:
- a computer processor; and
- a non-transitory computer-readable storage medium containing computer program instructions executed by the computer processor for:
- receiving a mobile application for distribution in a mobile application marketplace;
- performing a static analysis on the mobile application to identify a set of registered application permissions of the mobile application, and determine one or more events that simulate user interaction on the client device based on the identified registered application permissions;
- selecting an emulated environment configured to execute the mobile application based on the identified registered application permissions;
- executing the mobile application in the selected emulated environment, the emulated environment simulating a mobile device;
- recording behaviors of the simulated mobile device in response to providing one or more emulated inputs to the mobile application;
- classifying the mobile application as malicious or non-malicious based on the recorded behaviors; and
- determining, based on the classification, whether to approve or reject the mobile application for distribution in the mobile application marketplace.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30.
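The pipeline the independent claims describe (permissions from static analysis drive both the simulated events and the choice of emulator profile; recorded behaviors are then classified) and the abstract's hard/soft signal scheme, as one added worked example in Python. This is illustrative code written for this page, not code from the patent or from any product that practices it. The permission-to-event mapping, the emulator profiles, the signal names and weights, the 0.8 decision threshold and the noisy-OR combination of soft signals are all assumptions made for illustration; the patent does not specify them. No emulator is launched here: the `recorded_behaviors` list is a constructed stand-in for the behavior log an emulator run would produce.

```python
"""Permission-driven emulated analysis with hard/soft signal classification.

Added example, not the patent's own implementation. All tables below are
assumed for illustration.
"""

# Assumed mapping from registered permissions to the simulated user/device
# events that exercise the code paths those permissions gate.
PERMISSION_EVENTS = {
    "android.permission.RECEIVE_SMS": ["incoming_sms"],
    "android.permission.SEND_SMS": ["ui_tap_send_button"],
    "android.permission.ACCESS_FINE_LOCATION": ["location_update"],
    "android.permission.READ_CONTACTS": ["ui_open_contact_picker"],
    "android.permission.RECEIVE_BOOT_COMPLETED": ["boot_completed"],
    "android.permission.INTERNET": ["network_connected"],
}
# Events injected into every run regardless of permissions (assumed).
BASE_EVENTS = ["app_launch", "ui_tap_main_screen", "screen_rotate"]

# Assumed emulator profiles and the device features each one simulates.
EMULATOR_PROFILES = {
    "minimal": frozenset(),
    "telephony": frozenset({"sms", "telephony"}),
    "full": frozenset({"sms", "telephony", "gps", "camera"}),
}
# Device feature the emulated device must provide for a permission (assumed).
PERMISSION_FEATURES = {
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.ACCESS_FINE_LOCATION": "gps",
    "android.permission.CAMERA": "camera",
}

# Hard signals: observing any one is sufficient for a malicious verdict (assumed set).
HARD_SIGNALS = frozenset({"writes_to_system_partition", "disables_security_settings"})
# Soft signals: each carries an assumed probability and they are combined below.
SOFT_SIGNAL_WEIGHTS = {
    "sends_sms_to_premium_number": 0.7,
    "installs_other_apk": 0.5,
    "reads_contacts_after_boot": 0.4,
    "uploads_device_id": 0.3,
}
MALICIOUS_THRESHOLD = 0.8  # assumed decision threshold


def plan_events(permissions):
    """Static-analysis step: derive the simulated events from the registered permissions."""
    events = list(BASE_EVENTS)
    for perm in sorted(set(permissions)):  # sorted for a deterministic run plan
        for event in PERMISSION_EVENTS.get(perm, []):
            if event not in events:
                events.append(event)
    return events


def select_emulator(permissions):
    """Pick the least-featured emulator profile that still simulates every needed feature."""
    needed = {PERMISSION_FEATURES[p] for p in permissions if p in PERMISSION_FEATURES}
    for name, features in sorted(EMULATOR_PROFILES.items(), key=lambda kv: len(kv[1])):
        if needed <= features:
            return name
    raise ValueError(f"no emulator profile provides {sorted(needed)}")


def combine_soft_signals(behaviors):
    """Noisy-OR combination (assumed): P(malicious) = 1 - product(1 - w_i) over observed soft signals."""
    p_not_malicious = 1.0
    for behavior in behaviors:
        weight = SOFT_SIGNAL_WEIGHTS.get(behavior)
        if weight is not None:
            p_not_malicious *= 1.0 - weight
    return 1.0 - p_not_malicious


def classify(behaviors):
    """Return (verdict, probability). A hard signal short-circuits; otherwise soft signals decide."""
    observed = set(behaviors)  # a behavior repeated in the log is counted once
    if observed & HARD_SIGNALS:
        return "malicious", 1.0
    probability = combine_soft_signals(observed)
    verdict = "malicious" if probability >= MALICIOUS_THRESHOLD else "non-malicious"
    return verdict, probability


def review_submission(permissions, recorded_behaviors):
    """Marketplace gate: plan the run, classify the recorded behaviors, approve or reject."""
    verdict, probability = classify(recorded_behaviors)
    return {
        "events": plan_events(permissions),
        "emulator": select_emulator(permissions),
        "verdict": verdict,
        "probability": round(probability, 4),
        "decision": "approve" if verdict == "non-malicious" else "reject",
    }


if __name__ == "__main__":
    # Constructed submission: permissions from a hypothetical manifest and the
    # behavior log a hypothetical emulator run would have recorded.
    perms = ["android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
             "android.permission.INTERNET"]
    log = ["sends_sms_to_premium_number", "installs_other_apk"]
    print(review_submission(perms, log))
```

Two design points worth noting. The emulator is chosen as the smallest profile that covers every feature the permissions imply, so an application that never registers a telephony permission is not handed a simulated SIM it could not use. Soft signals are deduplicated before combination, so an application that repeats one suspicious action many times in a single run is not pushed over the threshold by repetition alone; a second distinct signal is needed.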