Mobile devices malware detection

May 9th, 2013

A new method for identifying mobile malware that common detection methods usually miss, based on advanced machine-learning techniques.

Mobile phone security has been intensively studied by security companies and research institutions around the world since the release of the Android-based G1 devices in 2009.

A new and sophisticated type of malware named Dropdialer was recently discovered; it was distributed through the Google app store. The malware is installed by the user as apparently legitimate software. The hostile code is actually installed later through the “Automatic Update” capability, which the software uses to “pull” updates on its own from a remote server. In this way malware can spread to a large number of devices without being detected. Retrieving the hostile code can happen at a random or fixed time in the future, or on a command received from a remote server. This capability can be implemented in any malicious application.

Standard antivirus software usually cannot detect this type of malware (self-updating malware) because the original app is completely innocent and therefore escapes both static analysis (code analysis without execution) and dynamic analysis (monitoring the software at runtime). Identifying such malware is also difficult because the ability to self-update serves legitimate developer needs such as version upgrades, adding stages to games, bug fixes, and more.

The new method for identifying self-updating malware uses advanced machine-learning algorithms that learn the normal behavior of applications, making it possible to detect in real time abnormal behavior that may indicate the app is malicious. An analysis of malicious smartphone apps shows that about 70% focus on stealing sensitive information. Therefore, this study uses network characteristics to study the behavior of applications, because they can point to information leakage.

Using a limited number of characteristics (network characteristics) together with the machine-learning algorithm makes it possible to learn application behavior, monitor it and identify anomalies on the device itself, which is of course resource-limited (e.g. battery).

Examples of properties used to study the behavior of applications are the number of bytes sent or received in different time windows, such as the last 5 minutes or the time since the app became active and connected to the network.

The degree to which an application's behavior is normal is scored using an algorithm based on a technique called Cross-Feature Analysis, which “learns” the relationship of each property to the other properties in normal behavior. In the monitoring phase, each sample is checked feature by feature to see whether the same relationship with the other properties is maintained. In other words, for each characteristic we calculate the probability that its value is normal given the values of the other observed properties, and combine these probabilities into a value that represents the distance from normal behavior.
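The Cross-Feature Analysis idea above, as an added illustration that is not code from the study or its authors: each network feature is scored by how probable its observed value is given the other features, and the per-feature probabilities are combined into a distance from normal. The training records, bin edges and the two test samples are constructed, and the conditional probabilities are estimated from pairwise frequency tables, which is a simplification of the per-feature classifiers the original technique trains.

```python
from collections import Counter, defaultdict
from itertools import permutations
from statistics import mean

# Constructed sample of one app's normal behaviour (not real measurements).
# Record layout: (bytes_sent_5min, bytes_recv_5min, connections_5min, secs_since_active)
NORMAL_TRAFFIC = [
    (2500, 180000, 6, 10), (3100, 240000, 7, 25), (1800, 95000, 5, 40), (4000, 300000, 8, 5),
    (600, 12000, 2, 180), (400, 8000, 1, 300),
    (0, 0, 0, 1800), (120, 500, 1, 3600), (0, 0, 0, 7200),
]
# Assumed bin edges, one list per feature: a value lands in bin k when edges[k-1] <= v < edges[k].
BIN_EDGES = [[1024, 65536], [1024, 65536], [1, 4], [60, 600]]

def bin_value(value, edges):
    """Map a raw feature value to its discrete bin index."""
    return sum(value >= edge for edge in edges)

def discretize(sample):
    return tuple(bin_value(v, e) for v, e in zip(sample, BIN_EDGES))

class CrossFeatureModel:
    def __init__(self, samples, smoothing=0.5):
        self.n_features = len(BIN_EDGES)
        self.n_bins = [len(edges) + 1 for edges in BIN_EDGES]
        self.smoothing = smoothing  # gives never-seen bins a small non-zero probability
        self.counts = defaultdict(Counter)  # counts[(i, j, bin_j)][bin_i]
        for sample in samples:
            bins = discretize(sample)
            for i, j in permutations(range(self.n_features), 2):
                self.counts[(i, j, bins[j])][bins[i]] += 1

    def _conditional(self, bins, i, j):
        """Smoothed P(feature i in bins[i] | feature j in bins[j]) from the training counts."""
        c = self.counts[(i, j, bins[j])]
        return (c[bins[i]] + self.smoothing) / (sum(c.values()) + self.smoothing * self.n_bins[i])

    def feature_probability(self, bins, i):
        """How normal feature i looks given every other feature, averaged over those features."""
        return mean(self._conditional(bins, i, j) for j in range(self.n_features) if j != i)

    def anomaly_score(self, sample):
        """Distance from normal behaviour: 1 minus the mean per-feature probability (0 = normal)."""
        bins = discretize(sample)
        return 1.0 - mean(self.feature_probability(bins, i) for i in range(self.n_features))

model = CrossFeatureModel(NORMAL_TRAFFIC)
# A typical active session, and a constructed leak: a large upload after 90 idle minutes.
NORMAL_SAMPLE = (2200, 150000, 6, 15)   # scores about 0.18
LEAK_SAMPLE = (520000, 900, 1, 5400)    # scores about 0.65
```

The leak sample scores high because a large upload has never been seen together with an idle app, near-zero downloads and a single connection, even though each value alone could occur in normal use.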

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.
