WO2021053647A1 - Detection of use of malicious tools on mobile devices - Google Patents
- Publication number
- WO2021053647A1 (application PCT/IB2020/058801)
- Authority
- WO
- WIPO (PCT)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
Definitions
- a software development kit (SDK) 114 obtained from cyber protection company 160 can be included within mobile app 112.
- the SDK 114 is configured to facilitate the extraction of information from the device on which the mobile app is running.
- smartphone 110 is a legitimate user of app 112 while the users of laptop 120 and smartphone 130 are employing one or more malicious tools or applications to commit fraud.
- the user has installed a malicious spoofing tool 126 that allows laptop 120 to emulate or appear to be a smartphone.
- malicious tool 136 can be installed to provide some other type of masking or spoofing (e.g.
- sets of data are collected from devices 110, 120 and 130 and transmitted via network 100 (e.g. the internet) to cyber protection company 160.
- Protection company 160 processes the sets of data and generates a corresponding set of outputs. Categories of data collected include both device hardware and software attributes, including but not limited to hardware, user interface, connectivity, network, sensor, media and graphics attributes.
- the outputs can be processed to produce actionable device intelligence in the form of malicious indicators, including but not limited to the use of app cloners, network/location spoofers and various modification tools.
- An overall score can be derived through a weighted approach and assigned to the user device or user activity to indicate the level of risk associated with the device/activity.
- the techniques for assessing malicious tool usage described herein can facilitate assessment of fraudulent activity.
- types of such fraudulent activity include: account takeover; fake registration; unauthorized e-wallet top-ups; fraudulent transfers; fraudulent payments; first purchase abuse; referral abuse; reward point abuse; merchant cashback abuse; peer-to-peer scams; fake seller ratings; flash sale abuse; promo abuse; withdrawal fraud; cash-out of stolen credits; money laundering; ad fraud; credit application fraud; and platform abuse.
- examples of malicious indicators include: app being run through an app cloner; app being run through an emulator; app signatures being tampered with; app being run with network or location spoofers; and app having been modified by masking tools.
- two kinds of data can be collected for the malicious tool usage analysis: (1) information about pre-installed system packages and user-installed applications, collected through mobile APIs (such as Android and iOS), including but not limited to vendor names, application names, timestamps of installation, timestamps of recent updates and user permissions given; and (2) device-specific information, collected through mobile APIs (such as Android and iOS), including but not limited to CPU information, build information, network information, battery information, graphics information, device settings and unique identification strings.
- Examples of the types of data collected include: (1) system packages and user applications; (2) device identifiers; (3) network-related and location-related device information; and (4) other device attributes such as CPU tasks, build, battery etc.
- a database, collection or library of malicious tools and associated device attributes variations 162 is generated.
- Device information is fed into a machine learning algorithm to perform feature extraction and dimensionality reduction to identify obscure software/hardware traits linked to the usage of different malicious tools.
- Containerization, virtualization and spoofing approaches are recognized by the intelligence platform through feature selection and classified under specific malicious tools.
- Established features and the corresponding weights and biases are fed into the global device intelligence library to detect the usage of malicious tools from incoming device fingerprints in real-time.
- library 162 includes a trained model comprising features (e.g. vectors of coefficients and weightings) and procedures (logic) to identify the usage of malicious tools.
- processing system 164 of protection company 160 uses one or more machine learning model(s).
- one or more malicious indicators 152 can be generated and transmitted to company 150.
- the malicious indicators 152 can be in the form of true/false flags to be incorporated into the approval process of a client’s platform.
- the indicators 152 can also include a weighted score to indicate the level of risk associated with the device/activity.
- the indicators 152 can also include a recommended risk decision to allow/block an activity based on predefined policies to cater to business use cases of organization 150.
- the protection company 160 functionality can be part of the organization 150 and the two can be part of the same organization.
- although servers are depicted in FIG. 1, in general the processing functionality can reside in one or more different physical locations.
- FIG. 2 is a block diagram illustrating some aspects of an overall system for detecting and assessing malicious tools and applications on mobile devices, according to some embodiments.
- the user’s device 110 is a smart phone, such as an iOS or Android mobile device, and the organization is a merchant 150.
- the device 110 includes an app with an SDK (such as shown in FIG. 1) that transfers “device fingerprint” information 214 from the device 110 via iOS/Android APIs 212.
- Information 214 contains non-sensitive device information and passive biometrics.
- the information 214 is transmitted for real time algorithmic processing 224.
- Processing 224 includes a comparison of the information 214 with a library 162 of malicious tools and applications.
- the library 162 includes two portions: device intelligence library and model 216 and pattern recognition library and model 236.
- the results of the real-time processing 224 include risk score / device intelligence 152 that provides merchant 150 with real-time risk analysis information on which it can make decisions. As shown, the real-time processing 224 also takes inputs from transaction information 234 and from pattern recognition library and model 236. According to some embodiments, results of processing 224 are included in risk analysis component 220 as “historical data.” According to some embodiments, risk analysis component 220 includes machine learning and is configured to update, “retrain” and/or “tune” the device intelligence library and model 216 and the pattern recognition library and model 236, as shown. In this way the library 162 is continually updated with transaction information and user device information so that it maintains up-to-date status.
- FIG. 3 is a block diagram illustrating some aspects of generating and updating a library of malicious tools on mobile devices and associated device attributes, according to some embodiments.
- the blocks shown in FIG. 3 can take place at a remote autonomous risk intelligence platform, such as on the servers of a cyber protection company such as shown in FIG. 1.
- information about pre-installed system packages and user-installed applications is collected through mobile APIs (such as Android and iOS).
- the collected information can include, but is not limited to: vendor names; application names; timestamps of installation; and timestamps of recent updates and user permissions given.
- device-specific information is collected through mobile APIs (such as Android and iOS).
- the collected information can include, but is not limited to: CPU information, build information, network information, battery information, graphics information, device settings and unique identification strings.
- device information is fed into the machine learning algorithm to perform feature extraction and dimensionality reduction to identify obscure software/hardware traits linked to the usage of different malicious tools.
- containerization, virtualization and spoofing approaches are recognized by the intelligence platform through feature selection and classified under specific malicious tools.
- established features and the corresponding weights and biases are fed into a global device intelligence library (e.g. library 162 in FIGs.
- the flow from blocks 310 and 311 through to block 314 is performed repeatedly (e.g. continuously, frequently, or regularly) so that the library is kept up-to-date. Because the library is continuously updated, the risk assessment output can be generated relatively quickly and in real-time.
- FIG. 4 is a block diagram illustrating some aspects of detecting and assessing the use of malicious tools on mobile devices, according to some embodiments.
- the mobile app on the device is configured with API(s) that allow for the collection and transmission of assessment information (e.g. the device fingerprint information 214 in FIG. 2) to an assessment platform (e.g. servers of a cyber protection company 160 shown in FIG. 1).
- this functionality is provided by SDK 114 within mobile app 112.
- the device information is extracted or collected.
- the device information is compared with the current library of malicious tools and associated device attribute variations (e.g. library 162 in FIGs. 1 and 2).
- the outputs are generated and sent to the client organization (e.g. organization 150 in FIG. 1).
- information can be returned for updating the library according to the process described in FIG. 3.
- the continuously (or frequently) updated library can provide for real-time processing of threats, and in practice the blocks 412, 414 and 416 can be carried out very quickly.
- the blocks 414 and 416 can be carried out in less than one second.
- the blocks 414 and 416 can be carried out in less than one hundred milliseconds.
Abstract
The use of malicious tools on a suspected mobile device is detected in real-time. The method includes receiving device information extracted from the suspected device and comparing the information to a library of malicious tools. The outputs indicate the risk that malicious tools are being used by the suspected device. The library of malicious tools is maintained by collecting information associated with potentially malicious tools and performing feature extraction on the information to determine device attributes relevant to the detection of usage of malicious tools and a range of normal and deviant values for each device attribute. The library is updated based on machine learning of the determined device attributes and range of normal and deviant values.
Description
DETECTION OF USE OF MALICIOUS TOOLS ON MOBILE DEVICES
REFERENCE TO RELATED APPLICATIONS
[0001] This patent application incorporates by reference and claims the benefit of each of the following U.S. Provisional patent applications:
U.S. Prov. Ser. No. 62/950,007 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,993 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,987 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,979 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,974 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,965 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,828 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,816 filed December 18, 2019;
U.S. Prov. Ser. No. 62/903,798 filed September 21, 2019;
U.S. Prov. Ser. No. 62/903,797 filed September 21, 2019; and
U.S. Prov. Ser. No. 62/903,796 filed September 21, 2019.
[0002] This patent application is related to and incorporates by reference the following International Patent Application: Int’l Pat. Appl. Ser. No. PCT/IB2020/058799 filed on September 21, 2020 (Attorney Docket No. Shield-012-PCT).
[0003] All of the above-referenced patent applications, international and provisional are collectively referenced herein as “the commonly assigned incorporated applications.”
FIELD
[0004] This disclosure generally relates to the device intelligence field. More particularly, some embodiments relate to methods for identifying the use of malicious tools on mobile devices.
BACKGROUND
[0005] Digital platforms in the form of mobile applications on mobile devices have come to rely on identifying a user's mobile device and its attributes to establish customer trust and prevent fraud. This is conventionally done through device fingerprinting, which enables the digital platform to assign an identifier to the mobile device, as well as record the device attributes of that device.
[0006] Fraudsters can circumvent these defense mechanisms by using device modification tools. Fraudsters can use device modification tools to modify various attributes, including but not limited to device hardware, user interface, connectivity, network, sensor, and media and graphics attributes. These malicious tools are being developed with high frequency and can be obtained by would-be fraudsters from both public domains (e.g. app marketplaces) and private domains (e.g. dark web).
[0007] A device that has been modified by such malicious tools can not only render mobile device identification techniques ineffective, it can also confound platforms regarding the user's actual device attributes (such as physical location or brand/model of the device). Detecting the use of such malicious tools on mobile devices is therefore important to establishing the extent that a user's device has been modified, and the subsequent risk of the user committing fraudulent acts with such said device.
SUMMARY
[0008] According to some embodiments, a method is described for detecting in real-time the use of malicious tools on a suspected device that purports to be a mobile device. The method includes: receiving device information extracted from the suspected device; comparing the information extracted from the suspected device to a library of malicious tools; and generating in real-time outputs indicating risk that malicious tools are being used by the suspected device, based at least in part on the comparing extracted information to the library, wherein the library of malicious tools is maintained by a method comprising: collecting information associated with potentially malicious tools from; performing feature extraction on the automatically collected information to determine device attributes relevant to the detection of usage of malicious tools and a range of normal and deviant values for each device attribute; updating the library based in part on machine learning of the determined device attributes and range of normal and deviant values; and automatically repeating the collecting, performing and updating.
[0009] According to some embodiments, the method for maintaining the library of malicious tools further comprises assigning a series of labels to each of one or more sets of device attributes and their corresponding malicious tool usage, regarding their purpose, maliciousness, and level of risk.
[0010] According to some embodiments, the received device information is extracted using a software development kit included within a mobile app running on the suspected device.
[0011] According to some embodiments, the malicious tools are of one or more types selected from a group consisting of: app cloners; device masking tools; location spoofing tools; network spoofing tools; disposable email tools; custom firmware; and emulators.
[0012] According to some embodiments, the outputs are configured to be processed to produce actionable device intelligence in the form of malicious indicators. The outputs can also include one or more of the following: a weighted score, a recommended action, and specific indicators of particular risk types.
[0013] According to some embodiments, the malicious tools can be used for fraudulent purposes of one or more types selected from a group consisting of: account takeover; fake registration; unauthorized e-wallet top-ups; fraudulent transfers; fraudulent payments; first purchase abuse; referral abuse; reward point abuse; merchant cashback abuse; peer-to-peer scams; fake seller ratings; flash sale abuse; promo abuse; withdrawal fraud; cash-out of stolen credits; money laundering; ad fraud; and credit application fraud.
[0014] According to some embodiments, the comparing and generating are performed in less than one second. According to some embodiments, the comparing and generating are performed in less than one hundred milliseconds.
[0015] According to some embodiments, the information associated with potentially malicious tools is collected using one or more mobile application programming interfaces, and includes (1) information indicating pre-installed system packages and user-installed applications, and (2) device-specific information.
[0016] According to some embodiments, a method is described for maintaining a library of malicious tools. The method includes: collecting information associated with potentially malicious tools; performing feature extraction on the automatically collected information to determine device attributes relevant to the detection of usage of malicious tools and a range of normal and deviant values for each device attribute; updating the library based in part on machine learning of the determined device attributes and range of normal and deviant values; and automatically repeating the collecting, performing and updating, wherein the library is configured to facilitate real-time detecting of the use of malicious tools on a suspected device based at least in part on a comparison of information extracted from the suspected device and the library.
[0017] According to some embodiments, the collected information includes information indicating pre-installed system packages and user-installed applications, using one or more mobile application programming interfaces. The information can include: vendor name, application name, timestamp of installation, timestamp of recent updates, and user permissions given. According to some embodiments, the collected information includes device-specific information collected using one or more mobile application programming interfaces. The device-specific information can include: CPU information, build information, network information, battery information, graphics information, device settings, and unique identification strings.
[0018] According to some embodiments, a system is described for detecting the use of malicious tools on a device. The system includes: a mobile application running on a plurality of suspected devices, the mobile application configured to extract information from the suspected device relating to potential malicious tools and transmit the extracted information to a processing platform; and an autonomous risk assessment processing platform configured to receive the extracted information from the suspected devices and generate risk assessment outputs in real-time for immediate use by a third party having an interest in potential malicious activity associated with the suspected devices, wherein the risk assessment output generation is based at least in part on a comparison of the extracted information and a library of malicious tools.
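The system of [0012] to [0018], as an added example that is not code from the patent or its assignee: one real-time comparison of a device fingerprint against a library of per-attribute normal ranges and known-tool signatures, producing true/false indicators, a weighted score and a policy-driven recommended action. Every library entry, weight, threshold, package name and fingerprint here is constructed, and the noisy-OR score combination is an assumption (the patent says only "a weighted approach").

```python
# Added example (not from the patent): minimal real-time check of a device
# fingerprint against a malicious-tool library. All values are constructed.

# Library: normal range per device attribute, package ids of known tools, build
# markers typical of emulators, and the expected app signing-certificate hash.
LIBRARY = {
    "attribute_ranges": {            # (low, high) inclusive, constructed
        "cpu_cores": (1, 16),
        "battery_level": (0, 100),
        "screen_density_dpi": (120, 640),
    },
    "tool_packages": {               # package id -> tool type (constructed ids)
        "com.example.clonetool": "app_cloner",
        "com.example.fakegps": "location_spoofer",
    },
    "emulator_hardware": {"goldfish", "ranchu", "generic_x86"},
    "expected_app_signature": "sha256:CONSTRUCTED_SIGNING_CERT_HASH",
}

# Weight of each indicator: the library's "weights" used by the scoring step.
INDICATOR_WEIGHTS = {
    "app_cloner": 0.6,
    "location_spoofer": 0.5,
    "emulator": 0.7,
    "attribute_out_of_range": 0.3,
    "signature_tampered": 0.8,
}

# Predefined policy: the first threshold the score reaches decides the action.
POLICY = [(0.7, "block"), (0.4, "step_up_auth"), (0.0, "allow")]


def compare_to_library(fingerprint, library=LIBRARY):
    """Compare extracted device info to the library; return true/false indicators."""
    indicators = {name: False for name in INDICATOR_WEIGHTS}
    for package in fingerprint.get("installed_packages", []):
        tool_type = library["tool_packages"].get(package)
        if tool_type is not None:
            indicators[tool_type] = True
    if fingerprint.get("build", {}).get("hardware") in library["emulator_hardware"]:
        indicators["emulator"] = True
    for attr, (low, high) in library["attribute_ranges"].items():
        value = fingerprint.get("device", {}).get(attr)
        if value is not None and not low <= value <= high:
            indicators["attribute_out_of_range"] = True
    if fingerprint.get("app_signature") != library["expected_app_signature"]:
        indicators["signature_tampered"] = True
    return indicators


def weighted_score(indicators, weights=INDICATOR_WEIGHTS):
    """Combine raised indicators into one score in [0, 1].

    Assumption: noisy-OR, 1 - prod(1 - w_i) over raised indicators, so several
    weak signals accumulate without the score ever exceeding 1.
    """
    survive = 1.0
    for name, raised in indicators.items():
        if raised:
            survive *= 1.0 - weights[name]
    return round(1.0 - survive, 3)


def recommend(score, policy=POLICY):
    """Map a score to the predefined policy's recommended action."""
    for threshold, action in policy:
        if score >= threshold:
            return action
    return "allow"


def assess(fingerprint, library=LIBRARY):
    """One real-time assessment: indicators, weighted score, recommended action."""
    indicators = compare_to_library(fingerprint, library)
    score = weighted_score(indicators)
    return {"indicators": indicators, "score": score, "action": recommend(score)}


# Constructed fingerprints of the kind an in-app SDK would report.
CLEAN_DEVICE = {
    "installed_packages": ["com.example.bank", "com.example.maps"],
    "build": {"hardware": "qcom"},
    "device": {"cpu_cores": 8, "battery_level": 57, "screen_density_dpi": 420},
    "app_signature": "sha256:CONSTRUCTED_SIGNING_CERT_HASH",
}

SUSPECT_DEVICE = {
    "installed_packages": ["com.example.bank", "com.example.clonetool"],
    "build": {"hardware": "ranchu"},            # emulator marker
    "device": {"cpu_cores": 8, "battery_level": 100, "screen_density_dpi": 420},
    "app_signature": "sha256:CONSTRUCTED_SIGNING_CERT_HASH",
}

if __name__ == "__main__":
    for label, fp in (("clean", CLEAN_DEVICE), ("suspect", SUSPECT_DEVICE)):
        print(label, assess(fp))
```

The clean fingerprint scores 0.0 (allow); the suspect one raises app_cloner and emulator, scoring 1 - 0.4 * 0.3 = 0.88 (block).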
[0019] As used herein, the grammatical conjunctions “and”, “or” and “and/or” are all intended to indicate that one or more of the cases, objects or subjects they connect may occur or be present. In this way, as used herein the term “or” in all cases indicates an “inclusive or” meaning rather than an “exclusive or” meaning.
[0020] As used herein the terms “library” and “database” are used interchangeably, and both terms refer herein to collections of digital content and/or data that are stored and can be accessed electronically from a computer system. As used herein, the terms “library” and “database” can also refer to models such as trained models that include features (e.g. vectors of coefficients and weightings) and procedures (logic) that can be used to identify the presence and/or usage of malicious tools.
[0021] Although the term “tool” is sometimes understood to be designed for a specific use case, and the term “application” is sometimes understood to refer to a larger, more complex piece of software, as used herein the terms “tool” and “application” are used interchangeably.
BRIEF DESCRIPTION OF THE DRAWINGS
[0022] To further clarify the above and other advantages and features of the subject matter of this patent specification, specific examples of embodiments thereof are illustrated in the appended drawings. It should be appreciated that these drawings depict only illustrative embodiments, and are therefore not to be considered limiting of the scope of this patent specification or the appended claims. The subject matter hereof will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:
[0023] FIG. 1 is a schematic diagram of mobile devices interacting with one or more servers where the use of malicious tools can be assessed, according to some embodiments;
[0024] FIG. 2 is a block diagram illustrating some aspects of an overall system for detecting and assessing malicious tools and applications on mobile devices, according to some embodiments;
[0025] FIG. 3 is a block diagram illustrating some aspects of generating and updating a library of malicious tools on mobile devices and associated device attributes, according to some embodiments; and
[0026] FIG. 4 is a block diagram illustrating some aspects of detecting and assessing the use of malicious tools on mobile devices, according to some embodiments.
DETAILED DESCRIPTION
[0027] A detailed description of examples of preferred embodiments is provided below. While several embodiments are described, it should be understood that the new subject matter described in this patent specification is not limited to any one embodiment or combination of embodiments described herein, but instead encompasses numerous alternatives, modifications, and equivalents.
In addition, while numerous specific details are set forth in the following description in order to provide a thorough understanding, some embodiments can be practiced without some or all of these details. Moreover, for the purpose of clarity, certain technical material that is known in the related art has not been described in detail in order to avoid unnecessarily obscuring the new subject matter described herein. It should be clear that individual features of one or several of the specific embodiments described herein can be used in combination with features of other described embodiments or with other features. Further, like reference numbers and designations in the various drawings indicate like elements.
[0028] FIG. 1 is a schematic diagram of mobile devices interacting with one or more servers where the use of malicious tools can be assessed, according to some embodiments. Mobile device 110, which in this example is a smart phone, includes a mobile application (“mobile app”) 112 provided to the user of device 110 by an organization 150. Mobile app 112 can in general provide any functionality, including facilitating transactions and/or communication with organization 150 and/or other entities. Organization 150 has an interest in assessing the risk that the user of mobile app 112, using device 110, is committing fraud or other malicious activity. Organization 150 hires, retains, subscribes or otherwise contracts with cyber protection company 160 to aid organization 150 in detecting and reducing risks associated with fraudulent or malicious activity. According to some embodiments, a software development kit (SDK) 114 obtained from cyber protection company 160 can be included within mobile app 112. The SDK 114 is configured to facilitate the extraction of information from the device on which the mobile app is running. In the simple example shown in FIG. 1, there are three devices running mobile app 112, namely smart phones 110 and 130 and laptop computer 120. In this example, smartphone 110 is a legitimate user of app 112, while the users of laptop 120 and smartphone 130 are employing one or more malicious tools or applications to commit fraud. In the case of laptop 120, the user has installed a malicious spoofing tool 126 that allows laptop 120 to emulate or appear to be a smartphone. In the case of smartphone 130, malicious tool 136 can be installed to provide some other type of masking or spoofing (e.g. email, caller ID, messaging, location), or can be some other malicious tool or application. In some cases the devices 120 and/or 130 can include a plurality of malicious tools or applications.
[0029] According to some embodiments, sets of data are collected from devices 110, 120 and 130 and transmitted via network 100 (e.g. the internet) to cyber protection company 160. Protection company 160 processes the sets of data and generates a corresponding set of outputs. Categories of data collected include both device hardware and software attributes, including but not limited to hardware, user interface, connectivity, network, sensor, media and graphics attributes. The outputs can be processed to produce actionable device intelligence in the form of malicious indicators, including but not limited to the use of app cloners, network/location spoofers and various modification tools. An overall score can be derived through a weighted approach and assigned to the user device or user activity to indicate the level of risk associated with the device/activity.
[0030] According to some embodiments, the techniques for assessing malicious tool usage described herein can facilitate assessment of fraudulent activity. Following are some examples of types of such fraudulent activity: account takeover; fake registration; unauthorized e-wallet top-ups; fraudulent transfers; fraudulent payments; first purchase abuse; referral abuse; reward point abuse; merchant cashback abuse; peer-to-peer scams; fake seller ratings; flash
sale abuse; promo abuse; withdrawal fraud; cash-out of stolen credits; money laundering; ad fraud; credit application fraud; and platform abuse.
[0031] According to some embodiments, following are examples of some types of malicious tool usage scenarios that can be detected: app being run through an app cloner; app being run through an emulator; app signatures having been tampered with; app being run with network or location spoofers; and app having been modified by masking tools.
[0032] According to some embodiments, following are examples of how data can be collected for the malicious tools usage analysis: (1) collect information about pre-installed system packages and user-installed applications through mobile APIs (such as Android and iOS), including but not limited to vendor names, application names, timestamps of installation, timestamps of recent updates and user permissions given; and (2) collect device-specific information through mobile APIs (such as Android and iOS), including but not limited to CPU information, build information, network information, battery information, graphics information, device settings and unique identification strings. Examples of the types of data collected include: (1) system packages and user applications; (2) device identifiers; (3) network-related and location-related device information; and (4) other device attributes such as CPU tasks, build, battery etc.
[0033] According to some embodiments, a database, collection or library of malicious tools and associated device attribute variations 162 is generated. Device information is fed into a machine learning algorithm to perform feature extraction and dimensionality reduction to identify obscure software/hardware traits linked to the usage of different malicious tools. Containerization, virtualization and spoofing approaches are recognized by the intelligence platform through feature selection and classified under specific malicious tools. Established features and the corresponding weights and biases are fed into the global device intelligence library to detect the usage of malicious tools from incoming device fingerprints in real time. According to some embodiments, library 162 includes a trained model comprising features (e.g. vectors of coefficients and weightings) and procedures (logic) to identify the usage of malicious tools. According to some embodiments, processing system 164 of protection company 160 uses one or more machine learning models.
[0034] Based on the results of the comparisons with the current library 162, one or more malicious indicators 152 can be generated and transmitted to company 150. The malicious indicators 152 can be in the form of true/false flags to be incorporated into the approval process of a client’s platform. The indicators 152 can also include a weighted score to indicate the level of risk associated with the device/activity. The indicators 152 can also include a recommended risk decision to allow/block an activity based on predefined policies to cater to business use cases of organization 150. According to some embodiments, the protection company 160 functionality can be part of the organization 150 and the two can be part of the same organization. Although servers are depicted in FIG. 1, in general the processing functionality can reside in one or more different physical locations.
[0035] FIG. 2 is a block diagram illustrating some aspects of an overall system for detecting and assessing malicious tools and applications on mobile devices, according to some embodiments. In this example, the user’s device 110 is a smart phone, such as an iOS or Android mobile device, and the organization is a merchant 150. The device 110 includes an app with an SDK (such as shown in FIG. 1) that transfers “device fingerprint” information 214 from the device 110 via iOS/Android APIs 212. Information 214 contains non-sensitive device information and passive biometrics. The information 214 is transmitted for real-time algorithmic processing 224. Processing 224 includes a comparison of the information 214 with a library 162 of malicious tools and applications. In this case the library 162 includes two portions: device intelligence library and model 216 and pattern recognition library and model 236. The results of the real-time processing 224 include risk score / device intelligence 152 that provides merchant 150 with real-time risk analysis information on which it can make decisions.
As shown, the real-time processing 224 also takes inputs from transaction information 234 and from pattern recognition library and model 236. According to some embodiments, results of processing 224 are included in risk analysis component 220 as “historical data.” According to some embodiments, risk analysis component 220 includes machine learning and is configured to update, “retrain” and/or “tune” the device intelligence library and model 216 and the pattern recognition library and model 236, as shown. In this way the library 162 is continually updated with transaction information and user device information so that it remains up to date.
[0036] FIG. 3 is a block diagram illustrating some aspects of generating and updating a library of malicious tools on mobile devices and associated device attributes, according to some embodiments. The blocks shown in FIG. 3 can take place at a remote autonomous risk intelligence platform, such as on the servers of a cyber protection company such as shown in FIG. 1. In block 310, information about pre-installed system packages and user-installed applications is collected through mobile APIs (such as Android and iOS). The collected information can include, but is not limited to: vendor names; application names; timestamps of installation; timestamps of recent updates; and user permissions given. In block 311, device-specific information is collected through mobile APIs (such as Android and iOS). The collected information can include, but is not limited to: CPU information, build information, network information, battery information, graphics information, device settings and unique identification strings.
[0037] In block 312, device information is fed into the machine learning algorithm to perform feature extraction and dimensionality reduction to identify obscure software/hardware traits linked to the usage of different malicious tools. In block 313, containerization, virtualization and spoofing approaches are recognized by the intelligence platform through feature selection and classified under specific malicious tools. In block 314, established features and the corresponding weights and biases are fed into a global device intelligence library (e.g. library 162 in FIGs. 1 and 2) to allow for the detection of the usage of malicious tools from incoming device fingerprints in real time. According to some embodiments, the flow from blocks 310 and 311 through to block 314 is performed repeatedly (e.g. continuously, frequently, or regularly) so that the library is kept up to date. By ensuring the library is continuously updated, the risk assessment output can be produced relatively quickly and in real time.
[0038] FIG. 4 is a block diagram illustrating some aspects of detecting and assessing the use of malicious tools on mobile devices, according to some embodiments. In block 410, the mobile app on the device is configured with API(s) that allow for the collection and transmission of assessment information (e.g. the device fingerprint information 214 in FIG. 2) to an assessment platform (e.g. servers of a cyber protection company 160 shown in FIG. 1). In FIG. 1, this functionality is provided by SDK 114 within mobile app 112. Referring to block 412 of FIG. 4, the device information is extracted or collected. In block 414, the device information is compared with the current library of malicious tools and associated device attribute variations (e.g. library 162 in FIGs. 1 and 2). In block 416 the outputs are generated and sent to the client organization (e.g. organization 150 in FIG. 1). In block 418, information can be returned for updating the library according to the process described in FIG. 3. As mentioned, the continuously (or frequently) updated library can provide for real-time processing of threats, and in practice the blocks 412, 414 and 416 can be carried out very quickly. According to some embodiments, the blocks 414 and 416 can be carried out in less than one second. According to some further embodiments, the blocks 414 and 416 can be carried out in less than one hundred milliseconds.
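The library build of blocks 312 to 314 and the comparison and output steps of blocks 414 and 416, as an added Python example that is not code from the patent or from any product. The attribute names, sample fingerprints, tool labels, the 0.5 flag threshold and the policy thresholds are all constructed for the example, and the library's "trained model" is reduced to per-attribute normal/deviant ranges (claim 1) with equal weights per tool.

```python
"""Added example, not from the patent or any product: a minimal form of the
library-maintenance flow of FIG. 3 (blocks 312-314) and the real-time
comparison and output flow of FIG. 4 (blocks 414 and 416)."""
from dataclasses import dataclass

def fp(label, cpu_abi, gl_renderer, build_tags, battery_level, installer,
       in_virtual_container, process_name_matches_package):
    """One fingerprint dict; attribute names are invented for the example."""
    return dict(label=label, cpu_abi=cpu_abi, gl_renderer=gl_renderer,
                build_tags=build_tags, battery_level=battery_level,
                installer=installer, in_virtual_container=in_virtual_container,
                process_name_matches_package=process_name_matches_package)

# Constructed training samples (blocks 310/311). "label" is the tool that was
# running when the sample was captured, or "clean" for a reference device.
VENDING = "com.android.vending"
EMU_GPU = "Android Emulator OpenGL ES Translator"
SAMPLES = [
    fp("clean", "arm64-v8a", "Adreno 640", "release-keys", 81, VENDING, False, True),
    fp("clean", "arm64-v8a", "Mali-G78", "release-keys", 37, "com.sec.android.app.samsungapps", False, True),
    fp("clean", "arm64-v8a", "Adreno 730", "release-keys", 100, VENDING, False, True),
    fp("emulator", "x86_64", EMU_GPU, "test-keys", 100, "", False, True),
    fp("emulator", "x86_64", EMU_GPU, "test-keys", 100, "", False, True),
    fp("app_cloner", "arm64-v8a", "Adreno 640", "release-keys", 64, "", True, False),
    fp("app_cloner", "arm64-v8a", "Mali-G78", "release-keys", 22, "", True, False),
]

def _is_num(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)

def _profile(samples):
    """Block 312: per attribute, (min, max) if numeric, else the set of values seen."""
    attrs = {k for s in samples for k in s if k != "label"}
    prof = {}
    for a in attrs:
        vals = [s[a] for s in samples if a in s]
        prof[a] = (min(vals), max(vals)) if all(map(_is_num, vals)) else set(vals)
    return prof

def _overlaps(r1, r2):
    """True when two ranges share a value; numeric vs categorical never overlap."""
    if isinstance(r1, set) and isinstance(r2, set):
        return bool(r1 & r2)
    if isinstance(r1, tuple) and isinstance(r2, tuple):
        return r1[0] <= r2[1] and r2[0] <= r1[1]
    return False

def _in_range(value, rng):
    if isinstance(rng, set):
        return value in rng
    return _is_num(value) and rng[0] <= value <= rng[1]

@dataclass
class ToolSignature:
    deviant: dict  # attribute -> range of values seen while the tool was in use
    weights: dict  # attribute -> weight; the weights of one tool sum to 1.0

def build_library(samples):
    """Blocks 312-314: per tool, keep the attributes whose deviant range does
    not overlap the clean range (feature selection) and weight them equally."""
    clean = _profile([s for s in samples if s["label"] == "clean"])
    library = {}
    for tool in sorted({s["label"] for s in samples} - {"clean"}):
        deviant = _profile([s for s in samples if s["label"] == tool])
        selected = {a: r for a, r in deviant.items()
                    if a in clean and not _overlaps(r, clean[a])}
        if selected:  # a tool with no distinguishing attribute is not stored
            w = 1.0 / len(selected)
            library[tool] = ToolSignature(selected, {a: w for a in selected})
    return library

# Constructed policy for block 416: (minimum risk score, decision), most
# severe first; a score below every threshold is allowed.
POLICY = ((0.75, "block"), (0.4, "review"))

def assess(fingerprint, library, policy=POLICY):
    """Blocks 414 and 416: score one incoming fingerprint against every tool and
    emit the outputs of [0034]: per-tool true/false indicators, a weighted risk
    score and a recommended decision. Any "label" key is ignored."""
    scores = {
        tool: sum(w for a, w in sig.weights.items()
                  if a in fingerprint and _in_range(fingerprint[a], sig.deviant[a]))
        for tool, sig in library.items()
    }
    indicators = {tool: s >= 0.5 for tool, s in scores.items()}
    risk = max(scores.values(), default=0.0)
    decision = next((d for threshold, d in policy if risk >= threshold), "allow")
    return {"indicators": indicators, "risk_score": round(risk, 2), "decision": decision}
```

Note that battery_level drops out of the emulator signature because its deviant range lies inside the clean range, while a sideloaded test-keys build on real hardware matches only half of the emulator attributes and lands in "review" rather than "block".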
[0039] Although the foregoing has been described in some detail for purposes of clarity, it will be apparent that certain changes and modifications may be made without departing from the principles thereof. It should be noted that there are many alternative ways of implementing both the processes and apparatuses described herein. Accordingly, the present embodiments are to be considered as illustrative and not restrictive, and the body of work described herein is not to be limited to the details given herein, which may be modified within the scope and equivalents of the appended claims.
Claims
1. A method for detecting in real-time the use of malicious tools on a suspected device, the method comprising: receiving device information extracted from the suspected device; comparing said information extracted from the suspected device to a library of malicious tools; and generating in real-time one or more outputs indicating risk that malicious tools are being used by the suspected device, based at least in part on the comparison of the extracted information to said library, wherein said library of malicious tools is maintained by a method comprising: collecting information associated with potentially malicious tools; performing feature extraction on the collected information to determine device attributes relevant to the detection of usage of malicious tools and a range of normal and deviant values for each device attribute; updating said library based in part on machine learning of the determined device attributes and range of normal and deviant values; and automatically repeating said collecting, performing and updating.
2. The method of claim 1, wherein the method for maintaining said library of malicious tools further comprises assigning a series of labels to each of one or more sets of device attributes and their corresponding malicious tool usage, regarding their purpose, maliciousness, and level of risk.
3. The method of claim 1, wherein the suspected device purports to be a mobile device.
4. The method of claim 1, wherein the received device information is extracted using a software development kit included within a mobile app running on the suspected device.
5. The method of claim 1, wherein said malicious tools are of one or more types selected from a group consisting of: app cloners; device masking tools; location spoofing tools; network spoofing tools; disposable email tools; custom firmware; and emulators.
6. The method of claim 1, wherein said one or more outputs are configured to be processed to produce actionable device intelligence in the form of malicious indicators.
7. The method of claim 1, wherein said outputs include one or more of the following: a weighted score, a recommended action, and specific indicators of particular risk types.
8. The method of claim 1, wherein said malicious tools can be used for fraudulent purposes of one or more types selected from a group consisting of: account takeover; fake registration; unauthorized e-wallet top-ups; fraudulent transfers; fraudulent payments; first purchase abuse; referral abuse; reward point abuse; merchant cashback abuse; peer-to-peer scams; fake seller ratings; flash sale abuse; promo abuse; withdrawal fraud; cash-out of stolen credits; money laundering; ad fraud; credit application fraud; and platform abuse.
9. The method of claim 1, wherein said malicious tools can be used for fraudulent purposes of one or more types selected from a group consisting of: account takeover; fake registration; fraudulent transfer; fraudulent payment; reward point abuse; ad fraud; credit application fraud; and platform abuse.
10. The method of claim 1, wherein said comparing and said generating are performed in less than one second.
11. The method of claim 1, wherein said comparing and said generating are performed in less than one hundred milliseconds.
12. The method of claim 1, wherein information associated with potentially malicious tools is collected using one or more mobile application programming interfaces, and includes (1) information indicating pre-installed system packages and user-installed applications, and (2) device-specific information.
13. A method for maintaining a library of malicious tools comprising: collecting information associated with potentially malicious tools; performing feature extraction on the collected information to determine device attributes relevant to the detection of usage of malicious tools and a range of normal and deviant values for each device attribute; updating said library based in part on machine learning of the determined device attributes and range of normal and deviant values; and automatically repeating said collecting, performing and updating, wherein said library is configured to facilitate real-time detecting of the use of malicious tools on a suspected device based at least in part on a comparison of information extracted from said suspected device and said library.
14. The method of claim 13, wherein the collected information includes information indicating pre-installed system packages and user-installed applications, using one or more mobile application programming interfaces.
15. The method of claim 14, wherein said information indicating pre-installed system packages and user-installed applications includes information of one or more of the following types: vendor name, application name, timestamp of installation, timestamp of recent updates, and user permissions given.
16. The method of claim 13, wherein the collected information includes device-specific information collected using one or more mobile application programming interfaces, the device-specific information including one or more of the following types: CPU information, build information, network information, battery information, graphics information, device settings, and unique identification strings.
17. A system for detecting the use of malicious tools on a device, the system comprising: a mobile application running on a plurality of suspected devices, the mobile application configured to extract information from the suspected device relating to potential malicious tools and transmit said extracted information to a processing platform; and an autonomous risk assessment processing platform configured to receive said extracted information from said suspected devices and generate risk assessment outputs in real-time for immediate use by a third party having an interest in potential malicious activity associated with the suspected devices, wherein the risk assessment output generation is based at least in part on a comparison of the extracted information and a library of malicious tools.
18. The system of claim 17, wherein said library of malicious tools is configured to be maintained at least in part by: collecting information associated with potentially malicious tools; performing feature extraction on the automatically collected information to determine device attributes relevant to the detection of usage of malicious tools and a range of normal and deviant values for each device attribute; updating said library based in part on machine learning of the determined device attributes and range of normal and deviant values; and automatically repeating said collecting, performing and updating.
Applications Claiming Priority (22)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201962903798P | 2019-09-21 | 2019-09-21 | |
US201962903797P | 2019-09-21 | 2019-09-21 | |
US201962903796P | 2019-09-21 | 2019-09-21 | |
US62/903,797 | 2019-09-21 | ||
US62/903,798 | 2019-09-21 | ||
US62/903,796 | 2019-09-21 | ||
US201962949987P | 2019-12-18 | 2019-12-18 | |
US201962949974P | 2019-12-18 | 2019-12-18 | |
US201962949965P | 2019-12-18 | 2019-12-18 | |
US201962949993P | 2019-12-18 | 2019-12-18 | |
US201962949816P | 2019-12-18 | 2019-12-18 | |
US201962949828P | 2019-12-18 | 2019-12-18 | |
US201962950007P | 2019-12-18 | 2019-12-18 | |
US201962949979P | 2019-12-18 | 2019-12-18 | |
US62/949,987 | 2019-12-18 | ||
US62/949,965 | 2019-12-18 | ||
US62/949,993 | 2019-12-18 | ||
US62/949,816 | 2019-12-18 | ||
US62/949,828 | 2019-12-18 | ||
US62/949,974 | 2019-12-18 | ||
US62/949,979 | 2019-12-18 | ||
US62/950,007 | 2019-12-18 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021053647A1 true WO2021053647A1 (en) | 2021-03-25 |
Family
ID=72644524
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2020/058799 WO2021053646A1 (en) | 2019-09-21 | 2020-09-21 | Detection of presence of malicious tools on mobile devices |
PCT/IB2020/058801 WO2021053647A1 (en) | 2019-09-21 | 2020-09-21 | Detection of use of malicious tools on mobile devices |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2020/058799 WO2021053646A1 (en) | 2019-09-21 | 2020-09-21 | Detection of presence of malicious tools on mobile devices |
Country Status (1)
Country | Link |
---|---|
WO (2) | WO2021053646A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2022071881A1 (en) | 2020-09-29 | 2022-04-07 | Cashshield Pte. Ltd. | Continuous risk assessment for mobile devices |
WO2023014299A3 (en) * | 2021-08-04 | 2023-04-13 | Grabtaxi Holdings Pte. Ltd. | Apparatus and method for determining a location-spoofing application |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114996708B (en) * | 2022-08-08 | 2022-12-20 | 中国信息通信研究院 | Method and device for studying and judging fraud-related mobile phone application, electronic equipment and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012075336A1 (en) * | 2010-12-01 | 2012-06-07 | Sourcefire, Inc. | Detecting malicious software through contextual convictions, generic signatures and machine learning techniques |
US20140215621A1 (en) * | 2013-01-25 | 2014-07-31 | REMTCS Inc. | System, method, and apparatus for providing network security |
US20150039513A1 (en) * | 2014-02-14 | 2015-02-05 | Brighterion, Inc. | User device profiling in transaction authentications |
US20190109868A1 (en) * | 2015-08-31 | 2019-04-11 | Splunk Inc. | Method and System for Generating An Interactive Kill Chain View for Training A Machine Learning Model for Identifying Threats |
Also Published As
Publication number | Publication date |
---|---|
WO2021053646A1 (en) | 2021-03-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20785604; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20785604; Country of ref document: EP; Kind code of ref document: A1 |