Detection of malicious mobile apps

US 9,916,448 B1
Filed: 01/21/2016
Issued: 03/13/2018
Est. Priority Date: 01/21/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

creating a plurality of software development kit (SDK) class tree structures of a plurality of malicious SDKs, the SDK class tree structures comprising a plurality of nodes that each represents a class of a corresponding malicious SDK and indicates a class feature of the corresponding malicious SDK that is used in execution of a target mobile app created or repackaged using the corresponding malicious SDK;

receiving a mobile app;

creating an app class tree structure of the mobile app, the app class tree structure comprising a plurality of nodes that each represents a class of the mobile app and indicates a class feature of the mobile app that is used in execution of the mobile app;

comparing the app class tree structure against the plurality of SDK class tree structures to find an SDK class tree structure that matches the app class tree structure;

detecting that the mobile app has been created or repackaged using at least one of the plurality of malicious SDKs based on comparing the app class tree structure against the plurality of SDK class tree structures; and

performing a security action in response to detecting that the mobile app has been created or repackaged using the at least one of the plurality of malicious SDKs.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Software development kit (SDK) class tree structures of malicious SDKs are created, with each node of the SDK class tree structures representing a class of a corresponding malicious SDK. An app class tree structure of a mobile app is also created, with each node of the app class tree structure representing a class of the mobile app. To determine if the mobile app has been created (e.g., repackaged or originally created) using at least one of the malicious SDKs, the app class tree structure is compared against the SDK class tree structures to find an SDK class tree structure that matches the app class tree structure. For confirmation, the similarity of classes of the app class tree structure relative to classes of the SDK class tree structure can be determined.

39 Citations

View as Search Results

12 Claims

1. A computer-implemented method comprising:
- creating a plurality of software development kit (SDK) class tree structures of a plurality of malicious SDKs, the SDK class tree structures comprising a plurality of nodes that each represents a class of a corresponding malicious SDK and indicates a class feature of the corresponding malicious SDK that is used in execution of a target mobile app created or repackaged using the corresponding malicious SDK;
  
  receiving a mobile app;
  
  creating an app class tree structure of the mobile app, the app class tree structure comprising a plurality of nodes that each represents a class of the mobile app and indicates a class feature of the mobile app that is used in execution of the mobile app;
  
  comparing the app class tree structure against the plurality of SDK class tree structures to find an SDK class tree structure that matches the app class tree structure;
  
  detecting that the mobile app has been created or repackaged using at least one of the plurality of malicious SDKs based on comparing the app class tree structure against the plurality of SDK class tree structures; and
  
  performing a security action in response to detecting that the mobile app has been created or repackaged using the at least one of the plurality of malicious SDKs.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, wherein the mobile app is received from a smartphone.
  - 3. The computer-implemented method of claim 1, wherein the mobile app is received from a third-party mobile app marketplace.
  - 4. The computer-implemented method of claim 1, further comprising:
    - determining similarity of classes of the app class tree structure relative to classes of the SDK class tree structure that matches the app class tree structure.
  - 5. The computer-implemented method of claim 4, wherein the similarity is determined by weighted similarity matching.

6. A computer system comprising:
- a processor; and
  
  a memory, the memory comprising instructions that when executed by the processor causes the computer system to perform the steps of;
  
  receiving a mobile app;
  
  creating an app class tree structure of the mobile app, the app class tree structure representing a hierarchical tree structure of classes of the mobile app, the app class tree structure comprising a plurality of nodes that each represents a class of the mobile app and indicates a class feature of the mobile app that is employed in execution of the mobile app;
  
  comparing the app class tree structure of the mobile app to a software development kit (SDK) class tree structure of a malicious SDK, the SDK class tree structure representing a hierarchical tree structure of classes of the malicious SDK, the SDK class tree structure comprising a plurality of nodes that each represents a class of the malicious SDK and indicates a class feature of the malicious SDK that is employed in execution of a target mobile app created or repackaged using the malicious SDK;
  
  detecting that the mobile app is a malicious mobile app that has been created or repackaged using the malicious SDK when the app class tree structure matches the SDK class tree structure; and
  
  performing a security action in response to detecting that the mobile app has been created or repackaged using the malicious SDK.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The computer system of claim 6, wherein the computer system receives the mobile app from a third-party mobile app marketplace.
  - 8. The computer system of claim 6, wherein the instructions, when executed by the processor, causes the computer system to further perform the step of:
    - determining similarity of an app class represented as a node in the app class tree structure relative to an SDK class represented as a node in the SDK class tree structure.
  - 9. The computer system of claim 8, wherein the computer system determines the similarity of the app class relative to the SDK class by weighted similarity matching.
  - 10. The computer system of claim 6, wherein the computer system receives the mobile app over the Internet.
  - 11. The computer system of claim 6, wherein the computer system receives the mobile app from a mobile computing device.
  - 12. The computer system of claim 11, wherein the mobile computing device is a smartphone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Zhang, Zhibo, Sun, Liang, Wu, Longping
Primary Examiner(s)
Schmidt, Kari

Application Number

US15/003,562
Time in Patent Office

782 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

Detection of malicious mobile apps

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of malicious mobile apps

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links