Detection of mutated apps and usage thereof
First Claim
1. A method performed by a processor, wherein the method comprises:
obtaining features of an Application Under Check (AUC);
matching the AUC with a host application, wherein the host application is matched from a repository of applications that are a-priori known to be legitimate applications, wherein said matching comprises comparing the features of the AUC with sets of features of applications to determine the host application of the AUC;
determining an identical portion of the AUC and a remainder portion of the AUC, wherein the identical portion is identical to a corresponding portion in the host application, wherein the remainder portion of the AUC is not identically included in the host application;
analyzing the remainder portion to detect different functionality between the AUC and the host application;
in response to said matching, determining that the AUC is a mutated application of the host application, wherein the mutated application is a variation of the host application, wherein the mutated application is a non-legitimate application, wherein said determining comprises comparing a signature of the AUC with a signature of the host application; and
in response to said determining that the AUC is a mutated application, performing a predetermined action.
Abstract
System, method and product for detection of mutated apps and usage thereof. A method comprises obtaining features of an Application Under Check (AUC); comparing the features with sets of features of applications to determine a host application of the AUC; determining that the AUC is a mutated application of the host application, wherein said determining comprises comparing the AUC with the host application; and in response to said determining, performing a predetermined action. A server may be configured to perform the steps of collecting features relating to trusted applications, wherein the trusted applications are potentially useable as a basis for a mutated application, wherein the features are features that are indicative of mutated versions of the trusted applications; and retaining the features in a repository, whereby collecting and retaining a list of positive signatures of trusted applications that are useful to approximately identify a host application of a mutated application.
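The flow in the abstract, sketched as an added illustration that is not taken from the patent. It assumes that "features" are per-file SHA-256 digests, that matching uses Jaccard similarity with a hypothetical 0.4 threshold, and that the "signature" is a signer fingerprint; all app names, file contents and the "predetermined action" (returning a verdict) are constructed, and the remainder portion is only reported, not analyzed.

```python
import hashlib

def make_app(signer, files):
    """Build an app record: signer fingerprint plus per-file SHA-256 features."""
    return {"signer": signer,
            "files": {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}}

NOTES_FILES = {"classes.dex": b"notes-code-v1", "res/layout.xml": b"<layout/>",
               "assets/logo.png": b"logo-bytes", "lib/libnote.so": b"native-v1"}

# Constructed repository of applications known a priori to be legitimate.
TRUSTED = {
    "com.example.notes": make_app("signer-A", NOTES_FILES),
    "com.example.chess": make_app("signer-B", {"classes.dex": b"chess-code",
                                               "assets/board.png": b"board"}),
}

def match_host(auc, repo, threshold=0.4):
    """Return (name, score) of the closest trusted app, or (None, score)."""
    auc_feats = set(auc["files"].items())
    best_name, best_score = None, 0.0
    for name, app in repo.items():
        feats = set(app["files"].items())
        score = len(auc_feats & feats) / len(auc_feats | feats)
        if score > best_score:
            best_name, best_score = name, score
    return (best_name, best_score) if best_score >= threshold else (None, best_score)

def split_portions(auc, host):
    """Identical portion: files byte-identical to the host. Remainder: the rest."""
    identical = sorted(p for p, h in auc["files"].items()
                       if host["files"].get(p) == h)
    remainder = sorted(p for p in auc["files"] if p not in identical)
    return identical, remainder

def check(auc, repo=TRUSTED):
    """Match the AUC to a host, split it, compare signers, return a verdict."""
    name, score = match_host(auc, repo)
    if name is None:
        return {"verdict": "no-host", "host": None, "remainder": []}
    host = repo[name]
    identical, remainder = split_portions(auc, host)
    # Same content lineage but a different signer marks the AUC as mutated.
    verdict = "mutated" if auc["signer"] != host["signer"] else "legitimate"
    return {"verdict": verdict, "host": name,
            "identical": identical, "remainder": remainder}

# Constructed AUC: the notes app with modified code, an extra file, a new signer.
REPACKAGED = make_app("signer-X", {**NOTES_FILES, "classes.dex": b"notes-code-v1+extra",
                                   "assets/payload.bin": b"added-blob"})
```

A reviewer would feed the `remainder` paths into whatever static or dynamic analysis is available, since that is where the functionality that differs from the host resides.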
19 Claims
12. A server being connected to a network, wherein the server comprises:
a memory; and
a processor adapted to perform the steps of:
collecting features relating to trusted applications, wherein the trusted applications are potentially useable as a basis for a mutated application, wherein the mutated application is a variation of a host application selected from the trusted applications, wherein the mutated application is a non-legitimate application, wherein the features are features that are indicative of mutated versions of the trusted applications;
retaining the features in a repository, whereby collecting and retaining a list of positive signatures of trusted applications that are useful to approximately identify a host application of a mutated application, whereby enabling the use of a collection of trusted applications to be used as an indication that an application under check (AUC) is a non-legitimate application, wherein the indication is matching the application under check with a trusted application;
determining an identical portion of the AUC and a remainder portion of the AUC, wherein the identical portion is identical to a corresponding portion in the host application, wherein the remainder portion of the AUC is not identically included in the host application; and
analyzing the remainder portion to detect different functionality between the AUC and the host application.
18. A computer program product comprising a non-transitory computer-readable storage medium retaining program instructions, which program instructions when read by a processor, cause the processor to perform the following:
obtain features of an Application Under Check (AUC);
match the AUC with a host application, wherein the host application is matched from a repository of applications that are a-priori known to be legitimate applications, wherein the matching comprises comparing the features of the AUC with sets of features of applications to determine the host application of the AUC;
determine an identical portion of the AUC and a remainder portion of the AUC, wherein the identical portion is identical to a corresponding portion in the host application, wherein the remainder portion of the AUC is not identically included in the host application;
analyze the remainder portion to detect different functionality between the AUC and the host application;
in response to matching the AUC with the host application, determine that the AUC is a mutated application of the host application by comparing a signature of the AUC with a signature of the host application; and
in response to said determining that the AUC is a mutated application, perform a predetermined action.
Specification