Detection of mutated apps and usage thereof

US 9,954,874 B2
Filed: 10/06/2015
Issued: 04/24/2018
Est. Priority Date: 10/07/2014
Status: Active Grant

First Claim

Patent Images

1. A method performed by a processor, wherein the method comprises:

obtaining features of an Application Under Check (AUC);

matching the AUC with a host application, wherein the host application is matched from a repository of applications that are a-priori known to be legitimate applications, wherein said matching comprises comparing the features of the AUC with sets of features of applications to determine the host application of the AUC;

determining an identical portion of the AUC and a remainder portion of the AUC, wherein the identical portion is identical to a corresponding portion in the host application, wherein the remainder portion of the AUC is not identically included in the host application;

analyzing the remainder portion to detect different functionality between the AUC and the host application;

in response to said matching, determining that the AUC is a mutated application of the host application, wherein the mutated application is a variation of the host application, wherein the mutated application is a non-legitimate application, wherein said determining comprises comparing a signature of the AUC with a signature of the host application; and

in response to said determining that the AUC is a mutated application, performing a predetermined action.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System, method and product for detection of mutated apps and usage thereof. A method comprises obtaining features of an Application Under Check (AUC); comparing the features with sets of features of applications to determine a host application of the AUC; determining that the AUC is a mutated application of the host application, wherein said determined comprises comparing the AUC with the host application; and in response to said determining, performing a predetermined action. A server may be configured to perform the steps of collecting features relating to trusted applications, wherein the trusted applications are potentially useable as a basis for a mutated application, wherein the features are features that are indicative of a mutated versions of the trusted applications; and retaining the features in a repository, whereby collecting and retaining a list of positive signatures of trusted applications that are useful to approximately identify a host application of a mutated application.

14 Citations

19 Claims

1. A method performed by a processor, wherein the method comprises:
- obtaining features of an Application Under Check (AUC);
  
  matching the AUC with a host application, wherein the host application is matched from a repository of applications that are a-priori known to be legitimate applications, wherein said matching comprises comparing the features of the AUC with sets of features of applications to determine the host application of the AUC;
  
  determining an identical portion of the AUC and a remainder portion of the AUC, wherein the identical portion is identical to a corresponding portion in the host application, wherein the remainder portion of the AUC is not identically included in the host application;
  
  analyzing the remainder portion to detect different functionality between the AUC and the host application;
  
  in response to said matching, determining that the AUC is a mutated application of the host application, wherein the mutated application is a variation of the host application, wherein the mutated application is a non-legitimate application, wherein said determining comprises comparing a signature of the AUC with a signature of the host application; and
  
  in response to said determining that the AUC is a mutated application, performing a predetermined action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the AUC is obtained from a non-trusted application repository.
  - 3. The method of claim 1, wherein the sets of features of applications are retained in a database, wherein the database is updated based on one or more trusted application repositories.
  - 4. The method of claim 1, wherein the sets of features of applications are retained in a database, wherein the database comprises information relating to applications installed on crowdsourced devices.
  - 5. The method of claim 4, wherein the database comprises information relating to popular applications based on installation information from the crowdsourced devices.
  - 6. The method of claim 1, wherein the mutated application is configured to perform a malicious activity that is not included in the host application.
  - 7. The method of claim 1, wherein the mutated application overrides a Digital Rights Management (DRM) mechanism present in the host application.
  - 8. The method of claim 1, wherein the mutated application replaces a module of the host application by a second module.
  - 9. The method of claim 1, wherein the features of the AUC comprise one or more of the following features:
    - a title of the AUC;
      
      an icon of the AUC;
      
      a splash screen content of the AUC;
      
      a look and feel indicator of the AUC;
      
      a name of a file in a distribution of the AUC;
      
      content of a file in a distribution of the AUC, or hash value thereof; and
      
      a resource comprised by a distribution of the AUC.
  - 10. The method of claim 1 further comprises:
    - determining that the mutated application is a different version of the host application, wherein said determining comprises;
      
      comparing, between the host application and the AUC at least one of the following;
      
      versioning information;
      
      vendor identification; and
      
      signing certification.
  - 11. The method of claim 1, wherein the features of the AUC comprise a User Interface (UI) layout of the AUC.

12. A server being connected to a network, wherein the server comprises:
- a memory; and
  
  a processor adapted to perform the steps of;
  
  collecting features relating to trusted applications, wherein the trusted applications are potentially useable as a basis for a mutated application, wherein the mutated application is a variation of a host application selected from the trusted applications, wherein the mutated application is a non-legitimate application, wherein the features are features that are indicative of mutated versions of the trusted applications;
  
  retaining the features in a repository, whereby collecting and retaining a list of positive signatures of trusted applications that are useful to approximately identify a host application of a mutated application, whereby enabling the use of a collection of trusted applications to be used as an indication that an application under check (AUC) is a non-legitimate application, wherein the indication is matching the application under check with a trusted application;
  
  determining an identical portion of the AUC and a remainder portion of the AUC, wherein the identical portion is identical to a corresponding portion in the host application, wherein the remainder portion of the AUC is not identically included in the host application; and
  
  analyzing the remainder portion to detect different functionality between the AUC and the host application.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The server of claim 12, wherein said collecting comprises:
    - downloading the trusted applications from one or more trusted application repositories; and
      
      extracting the features from the downloaded trusted applications.
  - 14. The server of claim 12, wherein said collecting comprises:
    - obtaining indications from a plurality of computing devices relating to applications that are installed on the plurality of computing devices;
      
      identifying one or more applications that have a statistical measurement above a predetermined threshold, wherein the identified one or more applications are the trusted applications; and
      
      obtaining the features of the trusted applications.
  - 15. The server of claim 14, wherein said obtaining the features of the trusted applications comprises:
    - receiving from a computing device the features, wherein the computing device extracts the features from the trusted application installed thereon.
  - 16. The server of claim 14, wherein said obtaining the features of the trusted applications comprises:
    - receiving from one or more additional computing devices the features, wherein the one or more computing devices extract the features from the trusted application installed thereon, wherein a malicious attempt to provide false features is detectable; and
      
      selecting from the obtained features of a same trusted application.
  - 17. The server of claim 14, wherein at least a portion of the applications are purchased applications and are restricted from being transferred to another device.

18. A computer program product comprising a non-transitory computer-readable storage medium retaining program instructions, which program instructions when read by a processor, cause the processor to perform the following:
- obtain features of an Application Under Check (AUC);
  
  match the AUC with a host application, wherein the host application is matched from a repository of applications that are a-priori known to be legitimate applications, wherein the matching comprises comparing the features of the AUC with sets of features of applications to determine the host application of the AUC;
  
  determine an identical portion of the AUC and a remainder portion of the AUC, wherein the identical portion is identical to a corresponding portion in the host application, wherein the remainder portion of the AUC is not identically included in the host application;
  
  analyze the remainder portion to detect different functionality between the AUC and the host application;
  
  in response to matching the AUC with the host application, determine that the AUC is a mutated application of the host application by comparing a signature of the AUC with a signature of the host application; and
  
  in response to said determining that the AUC is a mutated application, perform a predetermined action.
- View Dependent Claims (19)
- - 19. An apparatus comprising the processor and a memory, said memory retaining the program instructions of claim 18.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Amit, Yair
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US14/876,804
Publication Number

US 20160099956A1
Time in Patent Office

931 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/563   by source code analysis

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

Detection of mutated apps and usage thereof

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of mutated apps and usage thereof

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links