WO2021053647A1 - Detection of use of malicious tools on mobile devices - Google Patents

Info

Publication number
WO2021053647A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
tools
malicious
library
malicious tools
Application number
PCT/IB2020/058801
Other languages
French (fr)
Inventor
Wee Chian LIE
Original Assignee
Cashshield Pte. Ltd.
Application filed by Cashshield Pte. Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud

Definitions

  • sets of data are collected from devices 110, 120 and 130 and transmitted via network 100 (e.g. the internet) to cyber protection company 160.
  • Protection company 160 processes the sets of data and generates a corresponding set of outputs. Categories of data collected include both device hardware and software attributes, including but not limited to hardware, user interface, connectivity, network, sensor, media and graphics attributes.
  • the outputs can be processed to produce actionable device intelligence in the form of malicious indicators, including but not limited to the use of app cloners, network/location spoofers and various modification tools.
  • An overall score can be derived through a weighted approach and assigned to the user device or user activity to indicate the level of risk associated with the device/activity.
  • the techniques for assessing malicious tool usage described herein can facilitate assessment of fraudulent activity.
  • types of such fraudulent activity include: account takeover; fake registration; unauthorized e-wallet top-ups; fraudulent transfers; fraudulent payments; first purchase abuse; referral abuse; reward point abuse; merchant cashback abuse; peer-to-peer scams; fake seller ratings; flash sale abuse; promo abuse; withdrawal fraud; cash-out of stolen credits; money laundering; ad fraud; credit application fraud; and platform abuse.
  • malicious indicators can include: app being run through an app cloner; app being run through an emulator; app signatures having been tampered with; app being run with network or location spoofers; and app having been modified by masking tools.
  • two kinds of data can be collected for the malicious tool usage analysis: (1) information about pre-installed system packages and user-installed applications, collected through mobile APIs (such as Android and iOS), including but not limited to vendor names, application names, timestamps of installation, timestamps of recent updates and user permissions given; and (2) device-specific information, collected through mobile APIs (such as Android and iOS), including but not limited to CPU information, build information, network information, battery information, graphics information, device settings and unique identification strings.
  • Examples of the types of data collected include: (1) system packages and user applications; (2) device identifiers; (3) network-related and location-related device information; and (4) other device attributes such as CPU tasks, build, battery etc.
  • a database, collection or library of malicious tools and associated device attributes variations 162 is generated.
  • Device information is fed into a machine learning algorithm to perform feature extraction and dimensionality reduction to identify obscure software/hardware traits linked to the usage of different malicious tools.
  • Containerization, virtualization and spoofing approaches are recognized by the intelligence platform through feature selection and classified under specific malicious tools.
  • Established features and the corresponding weights and biases are fed into the global device intelligence library to detect the usage of malicious tools from incoming device fingerprints in real-time.
  • library 162 includes a trained model comprised of features (e.g. vectors of coefficients and weightings) and procedures (logic) to identify the usage of malicious tools.
  • processing system 164 of protection company 160 uses one or more machine learning model(s).
  • one or more malicious indicators 152 can be generated and transmitted to company 150.
  • the malicious indicators 152 can be in the form of true/false flags to be incorporated into the approval process of a client’s platform.
  • the indicators 152 can also include a weighted score to indicate the level of risk associated with the device/activity.
  • the indicators 152 can also include a recommended risk decision to allow/block an activity based on predefined policies to cater to business use cases of organization 150.
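The comparison and outputs described in the bullets above (true/false flags per indicator, a weighted score and a policy-driven recommended decision) as an added example; this is not code from the patent or from CashShield. It assumes a library shaped as two tables, known package identifiers and per-attribute ranges of normal values, and all package names, ranges, weights and policy thresholds are constructed sample values, as is the noisy-OR rule used to combine matched weights into one score:

```python
import time
from dataclasses import dataclass

# Constructed library (sample values, not real tool signatures). Two kinds of
# entries, mirroring the two kinds of collected data: known package identifiers
# tied to a tool type, and per-attribute ranges of normal values outside of
# which a reading counts as deviant.
LIBRARY = {
    "packages": {
        # hypothetical package id -> (indicator raised, weight in [0, 1])
        "com.example.appcloner": ("app_cloner", 0.6),
        "com.example.fakegps": ("location_spoofer", 0.5),
        "com.example.netmask": ("network_spoofer", 0.3),
    },
    "ranges": {
        # attribute -> (low, high, indicator raised when outside, weight)
        "cpu_cores": (4, 12, "emulator", 0.5),
        "battery_level_pct": (1, 100, "emulator", 0.3),
        "sensor_count": (8, 40, "emulator", 0.3),
    },
    # Thresholds on the combined score, checked from highest to lowest.
    "policy": [(0.7, "block"), (0.4, "review"), (0.0, "allow")],
}


@dataclass
class Assessment:
    indicators: dict    # indicator name -> True/False flag
    score: float        # weighted risk score in [0, 1]
    action: str         # recommended decision under the policy
    elapsed_ms: float   # time spent comparing and generating


def assess(fingerprint, library=LIBRARY):
    """Compare one extracted fingerprint with the library and produce outputs."""
    start = time.perf_counter()
    names = {ind for ind, _ in library["packages"].values()}
    names |= {rng[2] for rng in library["ranges"].values()}
    indicators = dict.fromkeys(sorted(names), False)
    weights = []
    for pkg in fingerprint.get("installed_packages", []):
        if pkg in library["packages"]:
            indicator, weight = library["packages"][pkg]
            indicators[indicator] = True
            weights.append(weight)
    attrs = fingerprint.get("attributes", {})
    for attr, (low, high, indicator, weight) in library["ranges"].items():
        if attr in attrs and not low <= attrs[attr] <= high:
            indicators[indicator] = True
            weights.append(weight)
    # Noisy-OR combination: each matched signal independently raises risk, so
    # several weak signals add up without any single one exceeding 1.0.
    remaining = 1.0
    for weight in weights:
        remaining *= 1.0 - weight
    score = round(1.0 - remaining, 3)
    action = next(a for threshold, a in library["policy"] if score >= threshold)
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    return Assessment(indicators, score, action, elapsed_ms)


# Constructed fingerprints standing in for what an SDK would extract.
SAMPLE_FINGERPRINTS = {
    "legitimate": {
        "installed_packages": ["com.example.bank", "com.example.mail"],
        "attributes": {"cpu_cores": 8, "battery_level_pct": 64, "sensor_count": 17},
    },
    "cloned_and_spoofed": {
        "installed_packages": ["com.example.bank", "com.example.appcloner",
                               "com.example.fakegps"],
        "attributes": {"cpu_cores": 8, "battery_level_pct": 90, "sensor_count": 21},
    },
    "emulator_like": {
        "installed_packages": ["com.example.bank"],
        "attributes": {"cpu_cores": 2, "battery_level_pct": 100, "sensor_count": 3},
    },
}

if __name__ == "__main__":
    for name, fp in SAMPLE_FINGERPRINTS.items():
        result = assess(fp)
        flagged = [k for k, v in result.indicators.items() if v]
        print(f"{name:20s} score={result.score:.3f} action={result.action:6s} "
              f"flags={flagged} ({result.elapsed_ms:.3f} ms)")
```

The elapsed time is returned alongside the outputs so that a deployment can verify the sub-second (or sub-100 ms) budget the disclosure mentions on its own data; a missing attribute is treated as "no signal" here rather than as deviant, which is a design choice a real library would make per attribute.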
  • the protection company 160 functionality can be part of the organization 150 and the two can be part of the same organization.
  • although servers are depicted in FIG. 1, in general the processing functionality can reside in one or more different physical locations.
  • FIG. 2 is a block diagram illustrating some aspects of an overall system for detecting and assessing malicious tools and applications on mobile devices, according to some embodiments.
  • the user’s device 110 is a smart phone, such as an iOS or Android mobile device and the organization is a merchant 150.
  • the device 110 includes an app with an SDK (such as shown in FIG. 1) that provides for the transfer of “device fingerprint” information 214 from the device 110 via iOS/Android APIs 212.
  • Information 214 contains non-sensitive device information and passive biometrics.
  • the information 214 is transmitted for real time algorithmic processing 224.
  • Processing 224 includes a comparison of the information 214 with a library 162 of malicious tools and applications.
  • the library 162 includes two portions: device intelligence library and model 216 and pattern recognition library and model 236.
  • the results of the real-time processing 224 include risk score / device intelligence 152 that provides merchant 150 with real-time risk analysis information on which it can make decisions. As shown, the real-time processing 224 also takes inputs from transaction information 234 and from pattern recognition library and model 236. According to some embodiments, results of processing 224 are included in risk analysis component 220 as “historical data.” According to some embodiments, risk analysis component 220 includes machine learning and is configured to update, “retrain” and/or “tune” the device intelligence library and model 216 and the pattern recognition library and model 236, as shown. In this way the library 162 is continually updated with transaction information and user device information so that it maintains up-to-date status.
  • FIG. 3 is a block diagram illustrating some aspects of generating and updating a library of malicious tools on mobile devices and associated device attributes, according to some embodiments.
  • the blocks shown in FIG. 3 can take place at a remote autonomous risk intelligence platform, such as on the servers of a cyber protection company such as shown in FIG. 1.
  • information about pre-installed system packages and user-installed applications are collected through mobile APIs (such as Android and iOS).
  • the collected information can include, but is not limited to: vendor names; application names; timestamps of installation; and timestamps of recent updates and user permissions given.
  • device-specific information is collected through mobile APIs (such as Android and iOS).
  • the collected information can include, but is not limited to: CPU information, build information, network information, battery information, graphics information, device settings and unique identification strings.
  • device information is fed into the machine learning algorithm to perform feature extraction and dimensionality reduction to identify obscure software/hardware traits linked to the usage of different malicious tools.
  • containerization, virtualization and spoofing approaches are recognized by the intelligence platform through feature selection and classified under specific malicious tools.
  • established features and the corresponding weights and biases are fed into a global device intelligence library (e.g. library 162 in FIGs. 1 and 2).
  • the flow from blocks 310 and 311 through to block 314 is performed repeatedly (e.g. either continuously, frequently, or regularly) so that the library is kept up-to-date. By ensuring the library is continuously updated, the risk assessment output can be produced relatively quickly and in real-time.
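One way the FIG. 3 flow could learn attribute ranges and select tool features from collected fingerprints, as an added example; this is not the patent's method or any CashShield code. It assumes that the normal range of an attribute is the observed min/max over fingerprints labelled legitimate, that a tool's features are the attributes on which its fingerprints deviate from those ranges at least 80% of the time, and that the purpose/maliciousness/risk-level labels are supplied by an analyst; the fingerprints, attribute names and labels are all constructed. Calling `update` with a second batch shows the ranges and selected features shifting as more collected data arrives, which is the repeated-update loop the bullets describe:

```python
from collections import defaultdict

# Constructed analyst labels per tool type (purpose, maliciousness, risk level),
# attached to the feature set the library learns for that tool.
TOOL_LABELS = {
    "emulator": {"purpose": "run the app outside a physical handset",
                 "maliciousness": "high", "risk_level": 3},
    "location_spoofer": {"purpose": "report a false device location",
                         "maliciousness": "medium", "risk_level": 2},
}


def normal_ranges(legit_samples):
    """Per-attribute (min, max) observed across fingerprints labelled legitimate."""
    ranges = {}
    for s in legit_samples:
        for attr, value in s["attributes"].items():
            low, high = ranges.get(attr, (value, value))
            ranges[attr] = (min(low, value), max(high, value))
    return ranges


def deviation_rate(samples, attr, rng):
    """Fraction of the given samples whose value for attr lies outside rng."""
    low, high = rng
    values = [s["attributes"][attr] for s in samples if attr in s["attributes"]]
    if not values:
        return 0.0
    return sum(1 for v in values if not low <= v <= high) / len(values)


class LibraryMaintainer:
    """Accumulates labelled fingerprints and rebuilds the library on each batch."""

    def __init__(self, tool_labels, min_rate=0.8):
        self.tool_labels = tool_labels
        self.min_rate = min_rate   # how reliably an attribute must deviate
        self.samples = []

    def update(self, batch):
        self.samples.extend(batch)
        legit = [s for s in self.samples if s["label"] == "legitimate"]
        ranges = normal_ranges(legit)
        by_tool = defaultdict(list)
        for s in self.samples:
            if s["label"] != "legitimate":
                by_tool[s["label"]].append(s)
        library = {"ranges": ranges, "tools": {}}
        for tool, tool_samples in by_tool.items():
            # Feature selection: keep only attributes on which this tool's
            # fingerprints fall outside the normal range most of the time; the
            # deviation rate doubles as the feature's weight.
            features = {}
            for attr, rng in ranges.items():
                rate = deviation_rate(tool_samples, attr, rng)
                if rate >= self.min_rate:
                    features[attr] = round(rate, 2)
            library["tools"][tool] = {
                "features": features,
                "labels": self.tool_labels.get(tool, {}),
            }
        return library


def fp(label, cpu_cores, battery_level_pct, sensor_count, mock_location_enabled):
    """Build one constructed labelled fingerprint."""
    return {"label": label, "attributes": {
        "cpu_cores": cpu_cores, "battery_level_pct": battery_level_pct,
        "sensor_count": sensor_count, "mock_location_enabled": mock_location_enabled}}


# Constructed collection batches (first round of collection, then a later one).
BATCH_1 = [
    fp("legitimate", 4, 35, 12, 0),
    fp("legitimate", 8, 80, 18, 0),
    fp("legitimate", 6, 100, 15, 0),
    fp("emulator", 1, 100, 0, 0),
    fp("emulator", 2, 100, 1, 0),
    fp("location_spoofer", 6, 55, 14, 1),
    fp("location_spoofer", 8, 90, 16, 1),
]
BATCH_2 = [fp("legitimate", 2, 60, 13, 0)]   # a low-end but genuine handset

if __name__ == "__main__":
    maintainer = LibraryMaintainer(TOOL_LABELS)
    for batch in (BATCH_1, BATCH_2):
        lib = maintainer.update(batch)
        print("ranges:", lib["ranges"])
        for tool, entry in lib["tools"].items():
            print(f"  {tool}: features={entry['features']} labels={entry['labels']}")
```

After the first batch the emulator is characterised by both `cpu_cores` and `sensor_count`; once the second batch widens the legitimate `cpu_cores` range to include 2, that attribute no longer separates emulators reliably and drops out, leaving `sensor_count`. That is the practical reason the disclosure stresses repeating the collection and update steps: a range learned from too little data will produce both misses and false positives.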
  • FIG. 4 is a block diagram illustrating some aspects of detecting and assessing the use of malicious tools on mobile devices, according to some embodiments.
  • the mobile app on the device is configured with API(s) that allow for the collection and transmission of assessment information (e.g. the device fingerprint information 214 in FIG. 2) to an assessment platform (e.g. servers of a cyber protection company 160 shown in FIG. 1).
  • this functionality is provided by SDK 114 within mobile app 112.
  • the device information is extracted or collected.
  • the device information is compared with the current library of malicious tools and associated device attribute variations (e.g. library 162 in FIGs. 1 and 2).
  • the outputs are generated and sent to the client organization (e.g. organization 150 in FIG. 1).
  • information can be returned for updating the library according to the process described in FIG. 3.
  • the continuously (or frequently) updated library can provide for real-time processing of threats, and in practice the blocks 412, 414 and 416 can be carried out very quickly.
  • the blocks 414 and 416 can be carried out in less than one second.
  • the blocks 414 and 416 can be carried out in less than one hundred milliseconds.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Debugging And Monitoring (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The use of malicious tools on a suspected mobile device is detected in real-time. The method includes receiving device information extracted from the suspected device and comparing the information to a library of malicious tools. The outputs indicate the risk that malicious tools are being used by the suspected device. The library of malicious tools is maintained by collecting information associated with potentially malicious tools and performing feature extraction on the information to determine device attributes relevant to the detection of usage of malicious tools and a range of normal and deviant values for each device attribute. The library is updated based on machine learning of the determined device attributes and range of normal and deviant values.

Description

DETECTION OF USE OF MALICIOUS TOOLS ON MOBILE DEVICES
REFERENCE TO RELATED APPLICATIONS
[0001] This patent application incorporates by reference and claims the benefit of each of the following U.S. Provisional patent applications:
U.S. Prov. Ser. No. 62/950,007 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,993 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,987 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,979 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,974 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,965 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,828 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,816 filed December 18, 2019;
U.S. Prov. Ser. No. 62/903,798 filed September 21, 2019;
U.S. Prov. Ser. No. 62/903,797 filed September 21, 2019; and U.S. Prov. Ser. No. 62/903,796 filed September 21, 2019.
[0002] This patent application is related to and incorporates by reference the following International Patent Application: Int’l Pat. Appl. Ser. No. PCT/IB2020/058799 filed on September 21, 2020 (Attorney Docket No. Shield-012-PCT).
[0003] All of the above-referenced patent applications, international and provisional are collectively referenced herein as “the commonly assigned incorporated applications.”
FIELD
[0004] This disclosure generally relates to the device intelligence field. More particularly, some embodiments relate to methods for identifying the use of malicious tools on mobile devices.
BACKGROUND
[0005] Digital platforms in the form of mobile applications on mobile devices have come to rely on identifying a user's mobile device and its attributes to establish customer trust and prevent fraud. This is conventionally done through device fingerprinting, which enables the digital platform to assign an identifier to the mobile device, as well as record the device attributes of that device.
[0006] Fraudsters can circumvent these defense mechanisms by using device modification tools. Fraudsters can use device modification tools to modify various attributes, including but not limited to device hardware, user interface, connectivity, network, sensor, and media and graphics attributes. These malicious tools are being developed with high frequency and can be obtained by would-be fraudsters from both public domains (e.g. app marketplaces) and private domains (e.g. dark web).
[0007] A device that has been modified by such malicious tools can not only render mobile device identification techniques ineffective, it can also confound platforms regarding the user's actual device attributes (such as physical location or brand/model of the device). Detecting the use of such malicious tools on mobile devices is therefore important to establishing the extent that a user's device has been modified, and the subsequent risk of the user committing fraudulent acts with such said device.
SUMMARY
[0008] According to some embodiments, a method is described for detecting in real-time the use of malicious tools on a suspected device that purports to be a mobile device. The method includes: receiving device information extracted from the suspected device; comparing the information extracted from the suspected device to a library of malicious tools; and generating in real-time outputs indicating risk that malicious tools are being used by the suspected device, based at least in part on the comparing extracted information to the library, wherein the library of malicious tools is maintained by a method comprising: collecting information associated with potentially malicious tools from; performing feature extraction on the automatically collected information to determine device attributes relevant to the detection of usage of malicious tools and a range of normal and deviant values for each device attribute; updating the library based in part on machine learning of the determined device attributes and range of normal and deviant values; and automatically repeating the collecting, performing and updating.
[0009] According to some embodiments, the method for maintaining the library of malicious tools further comprises assigning a series of labels to each of one or more sets of device attributes and their corresponding malicious tool usage, regarding their purpose, maliciousness, and level of risk.
[0010] According to some embodiments, the received device information is extracted using a software development kit included within a mobile app running on the suspected device.
[0011] According to some embodiments, the malicious tools are of one or more types selected from a group consisting of: app cloners; device masking tools; location spoofing tools; network spoofing tools; disposable email tools; custom firmware; and emulators.
[0012] According to some embodiments, the outputs are configured to be processed to produce actionable device intelligence in the form of malicious indicators. The outputs can also include one or more of the following: a weighted score, a recommended action, and specific indicators of particular risk types.
[0013] According to some embodiments, the malicious tools can be used for fraudulent purposes of one or more types selected from a group consisting of: account takeover; fake registration; unauthorized e-wallet top-ups; fraudulent transfers; fraudulent payments; first purchase abuse; referral abuse; reward point abuse; merchant cashback abuse; peer-to-peer scams; fake seller ratings; flash sale abuse; promo abuse; withdrawal fraud; cash-out of stolen credits; money laundering; ad fraud; and credit application fraud.
[0014] According to some embodiments, the comparing and generating are performed in less than one second. According to some embodiments, the comparing and generating are performed in less than one hundred milliseconds.
[0015] According to some embodiments, the information associated with potentially malicious tools is collected using one or more mobile application programming interfaces, and includes (1) information indicating pre-installed system packages and user-installed applications, and (2) device-specific information.
[0016] According to some embodiments, a method is described for maintaining a library of malicious tools. The method includes: collecting information associated with potentially malicious tools; performing feature extraction on the automatically collected information to determine device attributes relevant to the detection of usage of malicious tools and a range of normal and deviant values for each device attribute; updating the library based in part on machine learning of the determined device attributes and range of normal and deviant values; and automatically repeating the collecting, performing and updating, wherein the library is configured to facilitate real-time detecting of the use of malicious tools on a suspected device based at least in part on a comparison of information extracted from the suspected device and the library.
[0017] According to some embodiments, the collected information includes information indicating pre-installed system packages and user-installed applications, using one or more mobile application programming interfaces. The information can include: vendor name, application name, timestamp of installation, timestamp of recent updates, and user permissions given. According to some embodiments, the collected information includes device-specific information collected using one or more mobile application programming interfaces. The device-specific information can include: CPU information, build information, network information, battery information, graphics information, device settings, and unique identification strings.
[0018] According to some embodiments, a system is described for detecting the use of malicious tools on a device. The system includes: a mobile application running on a plurality of suspected devices, the mobile application configured to extract information from the suspected device relating to potential malicious tools and transmit the extracted information to a processing platform; and an autonomous risk assessment processing platform configured to receive the extracted information from the suspected devices and generate risk assessment outputs in real-time for immediate use by a third party having an interest in potential malicious activity associated with the suspected devices, wherein the risk assessment output generation is based at least in part on a comparison of the extracted information and a library of malicious tools.
[0019] As used herein, the grammatical conjunctions “and”, “or” and “and/or” are all intended to indicate that one or more of the cases, objects or subjects they connect may occur or be present. In this way, as used herein the term “or” in all cases indicates an “inclusive or” meaning rather than an “exclusive or” meaning.
[0020] As used herein the terms “library” and “database” are used interchangeably, and both terms refer herein to a collection of digital content and/or data that is stored and can be accessed electronically from a computer system. As used herein, the terms “library” and “database” can also refer to models such as trained models that include features (e.g. vectors of coefficients and weightings) and procedures (logic) that can be used to identify the presence and/or usage of malicious tools.
[0021] Although the term “tool” is sometimes understood to be designed for a specific use case, and the term “application” is sometimes understood to refer to a larger, more complex piece of software, as used herein the terms “tool” and “application” are used interchangeably.
BRIEF DESCRIPTION OF THE DRAWINGS
[0022] To further clarify the above and other advantages and features of the subject matter of this patent specification, specific examples of embodiments thereof are illustrated in the appended drawings. It should be appreciated that these drawings depict only illustrative embodiments, and are therefore not to be considered limiting of the scope of this patent specification or the appended claims. The subject matter hereof will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:
[0023] FIG. 1 is a schematic diagram of mobile devices interacting with one or more servers where the use of malicious tools can be assessed, according to some embodiments;
[0024] FIG. 2 is a block diagram illustrating some aspects of an overall system for detecting and assessing malicious tools and applications on mobile devices, according to some embodiments;
[0025] FIG. 3 is a block diagram illustrating some aspects of generating and updating a library of malicious tools on mobile devices and associated device attributes, according to some embodiments; and
[0026] FIG. 4 is a block diagram illustrating some aspects of detecting and assessing the use of malicious tools on mobile devices, according to some embodiments.
DETAILED DESCRIPTION
[0027] A detailed description of examples of preferred embodiments is provided below. While several embodiments are described, it should be understood that the new subject matter described in this patent specification is not limited to any one embodiment or combination of embodiments described herein, but instead encompasses numerous alternatives, modifications, and equivalents.
In addition, while numerous specific details are set forth in the following description in order to provide a thorough understanding, some embodiments can be practiced without some or all of these details. Moreover, for the purpose of clarity, certain technical material that is known in the related art has not been described in detail in order to avoid unnecessarily obscuring the new subject matter described herein. It should be clear that individual features of one or several of the specific embodiments described herein can be used in combination with features of other described embodiments or with other features. Further, like reference numbers and designations in the various drawings indicate like elements.
[0028] FIG. 1 is a schematic diagram of mobile devices interacting with one or more servers where the use of malicious tools can be assessed, according to some embodiments. Mobile device 110, in this example a smart phone, includes a mobile application (“mobile app”) 112 provided to the user of device 110 by an organization 150. Mobile app 112 can in general provide any functionality, including facilitating transactions and/or communication with organization 150 and/or other entities. Organization 150 has an interest in assessing the risk that the user of mobile app 112, using device 110, is committing fraud or other malicious activity. Organization 150 hires, retains, subscribes to or otherwise contracts with cyber protection company 160 to aid organization 150 in detecting and reducing risks associated with fraudulent or malicious activity. According to some embodiments, a software development kit (SDK) 114 obtained from cyber protection company 160 can be included within mobile app 112. The SDK 114 is configured to facilitate the extraction of information from the device on which the mobile app is running. In the simple example shown in FIG. 1, there are three devices running mobile app 112, namely smart phones 110 and 130 and laptop computer 120. In this example, smartphone 110 is a legitimate user of app 112 while the users of laptop 120 and smartphone 130 are employing one or more malicious tools or applications to commit fraud. In the case of laptop 120, the user has installed a malicious spoofing tool 126 that allows laptop 120 to emulate or appear to be a smartphone. In the case of smartphone 130, malicious tool 136 can be installed to provide some other type of masking or spoofing (e.g. email, caller ID, messaging, location), or can be some other malicious tool or application. In some cases the devices 120 and/or 130 can include a plurality of malicious tools or applications.
[0029] According to some embodiments, sets of data are collected from devices 110, 120 and 130 and transmitted via network 100 (e.g. the internet) to cyber protection company 160. Protection company 160 processes the sets of data and generates a corresponding set of outputs. Categories of data collected include both device hardware and software attributes, including but not limited to hardware, user interface, connectivity, network, sensor, media and graphics attributes. The outputs can be processed to produce actionable device intelligence in the form of malicious indicators, including but not limited to the use of app cloners, network/location spoofers and various modification tools. An overall score can be derived through a weighted approach and assigned to the user device or user activity to indicate the level of risk associated with the device/activity.
[0030] According to some embodiments, the techniques for assessing malicious tool usage described herein can facilitate assessment of fraudulent activity. Following are some examples of types of such fraudulent activity: account takeover; fake registration; unauthorized e-wallet top-ups; fraudulent transfers; fraudulent payments; first purchase abuse; referral abuse; reward point abuse; merchant cashback abuse; peer-to-peer scams; fake seller ratings; flash sale abuse; promo abuse; withdrawal fraud; cash-out of stolen credits; money laundering; ad fraud; credit application fraud; and platform abuse.
[0031] According to some embodiments, following are examples of some types of malicious tool usage scenarios that can be detected: app being run through an app cloner; app being run through an emulator; app signatures being tampered; app being run with network or location spoofers; and app has been modified by masking tools.
[0032] According to some embodiments, following are examples of how data can be collected for the malicious tools usage analysis: (1) collect information about pre-installed system packages and user-installed applications through mobile APIs (such as Android and iOS), including but not limited to vendor names, application names, timestamps of installation, timestamps of recent updates and user permissions given; and (2) collect device-specific information through mobile APIs (such as Android and iOS), including but not limited to CPU information, build information, network information, battery information, graphics information, device settings and unique identification strings. Examples of the types of data collected include: (1) system packages and user applications; (2) device identifiers; (3) network-related and location-related device information; and (4) other device attributes such as CPU tasks, build, battery etc.
[0033] According to some embodiments, a database, collection or library of malicious tools and associated device attributes variations 162 is generated.
Device information is fed into a machine learning algorithm to perform feature extraction and dimensionality reduction to identify obscure software/hardware traits linked to the usage of different malicious tools. Containerization, virtualization and spoofing approaches are recognized by the intelligence platform through feature selection and classified under specific malicious tools. Established features and the corresponding weights and biases are fed into the global device intelligence library to detect the usage of malicious tools from incoming device fingerprints in real-time. According to some embodiments, library 162 includes a trained model comprising features (e.g. vectors of coefficients and weightings) and procedures (logic) to identify the usage of malicious tools. According to some embodiments, processing system 164 of protection company 160 uses one or more machine learning model(s).
[0034] Based on the results of the comparisons with the current library 162, one or more malicious indicators 152 can be generated and transmitted to company 150. The malicious indicators 152 can be in the form of true/false flags to be incorporated into the approval process of a client’s platform. The indicators 152 can also include a weighted score to indicate the level of risk associated with the device/activity. The indicators 152 can also include a recommended risk decision to allow/block an activity based on predefined policies to cater to business use cases of organization 150. According to some embodiments, the protection company 160 functionality can be part of the organization 150 and the two can be part of the same organization. Although servers are depicted in FIG. 1, in general the processing functionality can reside in one or more different physical locations.
[0035] FIG. 2 is a block diagram illustrating some aspects of an overall system for detecting and assessing malicious tools and applications on mobile devices, according to some embodiments. In this example, the user’s device 110 is a smart phone, such as an iOS or Android mobile device, and the organization is a merchant 150. The device 110 includes an app with an SDK (such as shown in FIG. 1) that provides transfer from the device 110 via iOS/Android APIs 212 of “device fingerprint” information 214. Information 214 contains non-sensitive device information and passive biometrics. The information 214 is transmitted for real time algorithmic processing 224. Processing 224 includes a comparison of the information 214 with a library 162 of malicious tools and applications. In this case the library 162 includes two portions: device intelligence library and model 216 and pattern recognition library and model 236. The results of the real-time processing 224 include risk score / device intelligence 152 that provides merchant 150 with real-time risk analysis information on which it can make decisions. As shown, the real-time processing 224 also takes inputs from transaction information 234 and from pattern recognition library and model 236. According to some embodiments, results of processing 224 are included in risk analysis component 220 as “historical data.” According to some embodiments, risk analysis component 220 includes machine learning and is configured to update, “retrain” and/or “tune” the device intelligence library and model 216 and the pattern recognition library and model 236, as shown. In this way the library 162 is continually updated with transaction information and user device information so that it can maintain up-to-date status.
[0036] FIG. 3 is a block diagram illustrating some aspects of generating and updating a library of malicious tools on mobile devices and associated device attributes, according to some embodiments. The blocks shown in FIG. 3 can take place at a remote autonomous risk intelligence platform, such as on the servers of a cyber protection company such as shown in FIG. 1. In block 310, information about pre-installed system packages and user-installed applications is collected through mobile APIs (such as Android and iOS). The collected information can include, but is not limited to: vendor names; application names; timestamps of installation; timestamps of recent updates; and user permissions given. In block 311, device-specific information is collected through mobile APIs (such as Android and iOS). The collected information can include, but is not limited to: CPU information, build information, network information, battery information, graphics information, device settings and unique identification strings.
[0037] In block 312, device information is fed into the machine learning algorithm to perform feature extraction and dimensionality reduction to identify obscure software/hardware traits linked to the usage of different malicious tools. In block 313, containerization, virtualization and spoofing approaches are recognized by the intelligence platform through feature selection and classified under specific malicious tools. In block 314, established features and the corresponding weights and biases are fed into a global device intelligence library (e.g. library 162 in FIGs. 1 and 2) to allow for the detection of the usage of malicious tools from incoming device fingerprints in real-time. According to some embodiments, the flow from blocks 310 and 311 through to block 314 is performed repeatedly (e.g. either continuously, frequently, or regularly) so that the library is kept up-to-date. By ensuring the library is continuously updated, the risk assessment output can be produced relatively quickly and in real-time.
[0038] FIG. 4 is a block diagram illustrating some aspects of detecting and assessing the use of malicious tools on mobile devices, according to some embodiments. In block 410, the mobile app on the device is configured with API(s) that allow for the collection and transmission of assessment information (e.g. the device fingerprint information 214 in FIG. 2) to an assessment platform (e.g. servers of a cyber protection company 160 shown in FIG. 1). In FIG. 1, this functionality is provided by SDK 114 within mobile app 112. Referring to block 412 of FIG. 4, the device information is extracted or collected. In block 414, the device information is compared with the current library of malicious tools and associated device attribute variations (e.g. library 162 in FIGs. 1 and 2). In block 416 the outputs are generated and sent to the client organization (e.g. organization 150 in FIG. 1). In block 418, information can be returned for updating the library according to the process described in FIG. 3. As mentioned, the continuously (or frequently) updated library can provide for real-time processing of threats, and in practice the blocks 412, 414 and 416 can be carried out very quickly. According to some embodiments, the blocks 414 and 416 can be carried out in less than one second. According to some further embodiments, the blocks 414 and 416 can be carried out in less than one hundred milliseconds.
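A toy version of the library-maintenance loop of FIG. 3 (blocks 310 to 314) together with the real-time comparison and output generation of FIG. 4 (blocks 414 and 416) and the indicator/score/decision outputs of [0034], added here as an illustration; it is not the patent's or Cashshield's code. The fingerprints, package names and tool labels are constructed, and the log-odds feature weighting, the feature-selection cutoff of 1.0 and the allow/review/block thresholds are assumptions standing in for the machine learning model and business policies the specification leaves open.

```python
import math
from collections import Counter
from dataclasses import dataclass

Feature = tuple[str, str]  # (attribute, value) pair, e.g. ("cpu_abi", "x86")

# Constructed fingerprints standing in for the information of blocks 310/311:
# CPU/sensor attributes, a device setting and installed package names (sample
# names only). The label is the tool observed on that device, or None if clean.
TRAINING = [
    ({"cpu_abi": "arm64-v8a", "sensors": "many", "mock_location": "0",
      "pkgs": "com.example.bank,com.android.vending"}, None),
    ({"cpu_abi": "arm64-v8a", "sensors": "many", "mock_location": "0",
      "pkgs": "com.example.bank,com.android.chrome"}, None),
    ({"cpu_abi": "arm64-v8a", "sensors": "many", "mock_location": "0",
      "pkgs": "com.example.bank"}, None),
    ({"cpu_abi": "x86", "sensors": "none", "mock_location": "0",
      "pkgs": "com.example.bank"}, "emulator"),
    ({"cpu_abi": "x86_64", "sensors": "none", "mock_location": "0",
      "pkgs": "com.example.bank,com.android.vending"}, "emulator"),
    ({"cpu_abi": "arm64-v8a", "sensors": "many", "mock_location": "1",
      "pkgs": "com.example.bank,com.example.fakegps"}, "location_spoofer"),
    ({"cpu_abi": "arm64-v8a", "sensors": "many", "mock_location": "1",
      "pkgs": "com.example.bank,com.example.fakegps,com.android.chrome"},
     "location_spoofer"),
]


def featurize(fingerprint: dict) -> set[Feature]:
    """Block 312 input: turn a raw fingerprint into (attribute, value) features,
    expanding the package list so each installed package is its own feature."""
    feats = set()
    for attr, value in fingerprint.items():
        if attr == "pkgs":
            feats.update(("pkg", p) for p in value.split(","))
        else:
            feats.add((attr, str(value)))
    return feats


@dataclass
class ToolModel:
    """One entry of library 162: retained features, their weights and a bias."""
    name: str
    bias: float
    weights: dict

    def score(self, feats: set[Feature]) -> float:
        return self.bias + sum(w for f, w in self.weights.items() if f in feats)


def build_library(samples, min_abs_weight: float = 1.0) -> dict:
    """Blocks 312-314. Assumed model: per tool, a feature's weight is the smoothed
    log-odds of seeing it on devices running that tool versus all other devices;
    features with |weight| below the cutoff are dropped (feature selection)."""
    rows = [(featurize(fp), label) for fp, label in samples]
    library = {}
    for tool in {label for _, label in samples if label}:
        pos = [f for f, label in rows if label == tool]
        neg = [f for f, label in rows if label != tool]
        pos_counts = Counter(f for feats in pos for f in feats)
        neg_counts = Counter(f for feats in neg for f in feats)
        weights = {}
        for feat in set(pos_counts) | set(neg_counts):
            p_pos = (pos_counts[feat] + 1) / (len(pos) + 2)  # Laplace smoothing
            p_neg = (neg_counts[feat] + 1) / (len(neg) + 2)
            w = math.log(p_pos) - math.log(p_neg)
            if abs(w) >= min_abs_weight:
                weights[feat] = w
        bias = math.log(len(pos) / len(rows)) - math.log(len(neg) / len(rows))
        library[tool] = ToolModel(tool, bias, weights)
    return library


def assess(fingerprint: dict, library: dict, block_at=0.8, review_at=0.3) -> dict:
    """Blocks 414/416: compare one incoming fingerprint with the library and emit
    the outputs of [0034]: a true/false indicator per tool, a weighted risk score
    (probability that at least one tool is in use) and a policy decision."""
    feats = featurize(fingerprint)
    indicators, p_clean = {}, 1.0
    for tool, model in library.items():
        p_tool = 1 / (1 + math.exp(-model.score(feats)))
        indicators[tool] = p_tool > 0.5
        p_clean *= 1 - p_tool
    risk = round(1 - p_clean, 3)
    decision = "block" if risk >= block_at else "review" if risk >= review_at else "allow"
    return {"indicators": indicators, "risk_score": risk, "decision": decision}


if __name__ == "__main__":
    lib = build_library(TRAINING)  # block 418: append labelled rows and rebuild
    # Constructed incoming fingerprints: a phone like 110, a laptop like 120
    # emulating a phone, and a phone like 130 with a location spoofer.
    for fp in [
        {"cpu_abi": "arm64-v8a", "sensors": "many", "mock_location": "0",
         "pkgs": "com.example.bank,com.android.vending"},
        {"cpu_abi": "x86_64", "sensors": "none", "mock_location": "0",
         "pkgs": "com.example.bank"},
        {"cpu_abi": "arm64-v8a", "sensors": "many", "mock_location": "1",
         "pkgs": "com.example.bank,com.example.fakegps"},
    ]:
        print(assess(fp, lib))
```

With only seven training rows the per-tool probabilities are crude; the point is the shape of the pipeline (feature expansion, weighted library, per-tool flags folded into one score and a policy decision), not the numbers.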
[0039] Although the foregoing has been described in some detail for purposes of clarity, it will be apparent that certain changes and modifications may be made without departing from the principles thereof. It should be noted that there are many alternative ways of implementing both the processes and apparatuses described herein. Accordingly, the present embodiments are to be considered as illustrative and not restrictive, and the body of work described herein is not to be limited to the details given herein, which may be modified within the scope and equivalents of the appended claims.

Claims

What is claimed is:
1. A method for detecting in real-time the use of malicious tools on a suspected device, the method comprising: receiving device information extracted from the suspected device; comparing said information extracted from the suspected device to a library of malicious tools; and generating in real-time one or more outputs indicating risk that malicious tools are being used by the suspected device, based at least in part on the comparing of the extracted information to said library, wherein said library of malicious tools is maintained by a method comprising: collecting information associated with potentially malicious tools; performing feature extraction on the collected information to determine device attributes relevant to the detection of usage of malicious tools and a range of normal and deviant values for each device attribute; updating said library based in part on machine learning of the determined device attributes and range of normal and deviant values; and automatically repeating said collecting, performing and updating.
2. The method of claim 1, wherein the method for maintaining said library of malicious tools further comprises assigning a series of labels to each of one or more sets of device attributes and their corresponding malicious tool usage, regarding their purpose, maliciousness, and level of risk.
3. The method of claim 1, wherein the suspected device purports to be a mobile device.
4. The method of claim 1, wherein the received device information is extracted using a software development kit included within a mobile app running on the suspected device.
5. The method of claim 1, wherein said malicious tools are of one or more types selected from a group consisting of: app cloners; device masking tools; location spoofing tools; network spoofing tools; disposable email tools; custom firmware; and emulators.
6. The method of claim 1, wherein said one or more outputs are configured to be processed to produce actionable device intelligence in the form of malicious indicators.
7. The method of claim 1, wherein said outputs include one or more of the following: a weighted score, a recommended action, and specific indicators of particular risk types.
8. The method of claim 1, wherein said malicious tools can be used for fraudulent purposes of one or more types selected from a group consisting of: account takeover; fake registration; unauthorized e-wallet top-ups; fraudulent transfers; fraudulent payments; first purchase abuse; referral abuse; reward point abuse; merchant cashback abuse; peer-to-peer scams; fake seller ratings; flash sale abuse; promo abuse; withdrawal fraud; cash-out of stolen credits; money laundering; ad fraud; credit application fraud; and platform abuse.
9. The method of claim 1, wherein said malicious tools can be used for fraudulent purposes of one or more types selected from a group consisting of: account takeover; fake registration; fraudulent transfer; fraudulent payment; reward point abuse; ad fraud; credit application fraud; and platform abuse.
10. The method of claim 1, wherein said comparing and said generating are performed in less than one second.
11. The method of claim 1, wherein said comparing and said generating are performed in less than one hundred milliseconds.
12. The method of claim 1, wherein information associated with potentially malicious tools is collected using one or more mobile application programming interfaces, and includes (1) information indicating pre-installed system packages and user-installed applications, and (2) device-specific information.
13. A method for maintaining a library of malicious tools comprising: collecting information associated with potentially malicious tools; performing feature extraction on the collected information to determine device attributes relevant to the detection of usage of malicious tools and a range of normal and deviant values for each device attribute; updating said library based in part on machine learning of the determined device attributes and range of normal and deviant values; and automatically repeating said collecting, performing and updating, wherein said library is configured to facilitate real-time detecting of the use of malicious tools on a suspected device based at least in part on a comparison of information extracted from said suspected device and said library.
14. The method of claim 13, wherein the collected information includes information indicating pre-installed system packages and user-installed applications, using one or more mobile application programming interfaces.
15. The method of claim 14, wherein said information indicating pre-installed system packages and user-installed applications includes information of one or more of the following types: vendor name, application name, timestamp of installation, timestamp of recent updates, and user permissions given.
16. The method of claim 13, wherein the collected information includes device-specific information collected using one or more mobile application programming interfaces, the device-specific information including one or more of the following types: CPU information, build information, network information, battery information, graphics information, device settings, and unique identification strings.
17. A system for detecting the use of malicious tools on a device, the system comprising: a mobile application running on a plurality of suspected devices, the mobile application configured to extract information from the suspected device relating to potential malicious tools and transmit said extracted information to a processing platform; and an autonomous risk assessment processing platform configured to receive said extracted information from said suspected devices and generate risk assessment outputs in real-time for immediate use by a third party having an interest in potential malicious activity associated with the suspected devices, wherein the risk assessment output generation is based at least in part on a comparison of the extracted information and a library of malicious tools.
18. The system of claim 17, wherein said library of malicious tools is configured to be maintained at least in part by: collecting information associated with potentially malicious tools; performing feature extraction on the automatically collected information to determine device attributes relevant to the detection of usage of malicious tools and a range of normal and deviant values for each device attribute; updating said library based in part on machine learning of the determined device attributes and range of normal and deviant values; and automatically repeating said collecting, performing and updating.
PCT/IB2020/058801 2019-09-21 2020-09-21 Detection of use of malicious tools on mobile devices WO2021053647A1 (en)

Applications Claiming Priority (22)

Application Number Priority Date Filing Date Title
US201962903798P 2019-09-21 2019-09-21
US201962903797P 2019-09-21 2019-09-21
US201962903796P 2019-09-21 2019-09-21
US62/903,797 2019-09-21
US62/903,798 2019-09-21
US62/903,796 2019-09-21
US201962949987P 2019-12-18 2019-12-18
US201962949974P 2019-12-18 2019-12-18
US201962949965P 2019-12-18 2019-12-18
US201962949993P 2019-12-18 2019-12-18
US201962949816P 2019-12-18 2019-12-18
US201962949828P 2019-12-18 2019-12-18
US201962950007P 2019-12-18 2019-12-18
US201962949979P 2019-12-18 2019-12-18
US62/949,987 2019-12-18
US62/949,965 2019-12-18
US62/949,993 2019-12-18
US62/949,816 2019-12-18
US62/949,828 2019-12-18
US62/949,974 2019-12-18
US62/949,979 2019-12-18
US62/950,007 2019-12-18

Publications (1)

Publication Number Publication Date
WO2021053647A1 true WO2021053647A1 (en) 2021-03-25

Family

ID=72644524

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/IB2020/058799 WO2021053646A1 (en) 2019-09-21 2020-09-21 Detection of presence of malicious tools on mobile devices
PCT/IB2020/058801 WO2021053647A1 (en) 2019-09-21 2020-09-21 Detection of use of malicious tools on mobile devices

Family Applications Before (1)

Application Number Title Priority Date Filing Date
PCT/IB2020/058799 WO2021053646A1 (en) 2019-09-21 2020-09-21 Detection of presence of malicious tools on mobile devices

Country Status (1)

Country Link
WO (2) WO2021053646A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022071881A1 (en) 2020-09-29 2022-04-07 Cashshield Pte. Ltd. Continuous risk assessment for mobile devices
WO2023014299A3 (en) * 2021-08-04 2023-04-13 Grabtaxi Holdings Pte. Ltd. Apparatus and method for determining a location-spoofing application

Families Citing this family (1)

Publication number Priority date Publication date Assignee Title
CN114996708B (en) * 2022-08-08 2022-12-20 中国信息通信研究院 Method and device for studying and judging fraud-related mobile phone application, electronic equipment and storage medium

Citations (4)

Publication number Priority date Publication date Assignee Title
WO2012075336A1 (en) * 2010-12-01 2012-06-07 Sourcefire, Inc. Detecting malicious software through contextual convictions, generic signatures and machine learning techniques
US20140215621A1 (en) * 2013-01-25 2014-07-31 REMTCS Inc. System, method, and apparatus for providing network security
US20150039513A1 (en) * 2014-02-14 2015-02-05 Brighterion, Inc. User device profiling in transaction authentications
US20190109868A1 (en) * 2015-08-31 2019-04-11 Splunk Inc. Method and System for Generating An Interactive Kill Chain View for Training A Machine Learning Model for Identifying Threats


Also Published As

Publication number Publication date
WO2021053646A1 (en) 2021-03-25


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20785604; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20785604; Country of ref document: EP; Kind code of ref document: A1)