Aspects of the disclosure relate generally to a method and apparatus for detecting dynamically-loaded malware with run time predictive analysis.
Application programs (e.g., application programs for a mobile operating system) in a client device may dynamically load payloads at run time. For example, the payloads may include code (e.g., bytecode) and may be downloaded from a server in a network (e.g., the Internet) or obtained from encrypted local files. For example, an application program may initiate such dynamic loading of payloads by calling one or more functions while the application program is running. Such functions may be included in an application programming interface of the client device.
Many types of malware dynamically load payloads to evade static analysis based anti-virus protection. These types of malware may not include harmful code/instructions at installation time (e.g., prior to execution) to avoid being detected by anti-virus software. However, these types of malware may dynamically load payloads including malicious content to damage the client device at run time.
The following presents a simplified summary of some aspects of the disclosure to provide a basic understanding of such aspects. This summary is not an extensive overview of all contemplated features of the disclosure, and is intended neither to identify key or critical elements of all aspects of the disclosure nor to delineate the scope of any or all aspects of the disclosure. Its sole purpose is to present various concepts of some aspects of the disclosure in a simplified form as a prelude to the more detailed description that is presented later.
In an aspect of the present disclosure, a method for an apparatus is disclosed. For example, the apparatus may be a client device. The client device obtains a first payload that is dynamically loaded by an application program of the client device, determines whether the first payload includes malicious content, prevents execution of the first payload when the first payload includes the malicious content, and executes the first payload when the first payload does not include the malicious content. In an aspect of the disclosure, the determination as to whether the first payload includes malicious content includes analyzing at least a software code, a library, or a data structure in the first payload to identify the malicious content. In an aspect of the disclosure, at least the determination as to whether the first payload includes malicious content, the preventing execution of the first payload when the first payload includes the malicious content, or the executing the first payload when the first payload does not include the malicious content is controlled by one or more application programming interfaces of the client device.
In an aspect of the disclosure, the client device obtains a function call flow of the application program, the function call flow indicating a second payload that is to be dynamically loaded by the application program, obtains the second payload before the second payload is dynamically loaded by the application program, determines whether the second payload includes the malicious content, prevents dynamic loading of the second payload when the second payload includes the malicious content, and allows the dynamic loading of the second payload when the second payload does not include the malicious content.
In an aspect of the disclosure, the client device analyzes the application program to determine a value of a confidence metric, prevents the application program from dynamically loading a second payload when the value is below a threshold, and allows the application program to dynamically load the second payload when the value is greater than or equal to the threshold. In an aspect of the disclosure, the client device prevents execution of the second payload when the second payload includes the malicious content, and executes the second payload when the second payload does not include the malicious content.
In an aspect of the disclosure, the client device determines whether the application program at the client device includes the malicious content, determines whether the application program in combination with the first payload includes the malicious content, and provides a message indicating whether any of the application program, the first payload, and the application program in combination with the first payload includes the malicious content.
In an aspect of the disclosure, the application program implements an application programming interface of the client device to dynamically load the first payload, wherein the implementation of the application programming interface triggers the determining whether the first payload includes malicious content.
In an aspect of the disclosure, the first payload is excluded from the application program prior to execution of the application program. In an aspect of the disclosure, the first payload includes at least software code that is executable at the client device. In an aspect of the disclosure, the first payload is dynamically loaded from a network or an external device that is in communication with the client device. In an aspect of the disclosure, the first payload includes software code that has been stored in a local memory of the client device in encrypted form and decrypted by the application program at run time. In an aspect of the disclosure, the preventing execution of the first payload when the first payload includes the malicious content includes halting the application program. In an aspect of the disclosure, the client device provides a notification to a user of the client device regarding a result of the determination. In an aspect of the disclosure, the first payload is compiled for execution during the determining whether the first payload includes malicious content.
These and other aspects of the disclosure will become more fully understood upon a review of the detailed description, which follows. Other aspects, features, and implementations of the disclosure will become apparent to those of ordinary skill in the art, upon reviewing the following description of specific implementations of the disclosure in conjunction with the accompanying figures. While features of the disclosure may be discussed relative to certain implementations and figures below, all implementations of the disclosure can include one or more of the advantageous features discussed herein. In other words, while one or more implementations may be discussed as having certain advantageous features, one or more of such features may also be used in accordance with the various implementations of the disclosure discussed herein. In similar fashion, while certain implementations may be discussed below as device, system, or method implementations it should be understood that such implementations can be implemented in various devices, systems, and methods.
The detailed description set forth below in connection with the appended drawings is intended as a description of various configurations and is not intended to represent the only configurations in which the concepts described herein may be practiced. The detailed description includes specific details for the purpose of providing a thorough understanding of various concepts. However, it will be apparent to those skilled in the art that these concepts may be practiced without these specific details. In some instances, well known structures and components are shown in block diagram form in order to avoid obscuring such concepts.
This disclosure is directed to the detection of malicious content in dynamically loaded payloads and approaches to protect a client device from dynamically loaded payloads that include malicious content. In one example, an application program running on a client device may dynamically load a payload by calling one or more functions of an application programming interface (API) as follows:
DexClassLoader classloader = new DexClassLoader(Path-to-payload, ..., ...);
classloader.loadClass("com.apkbeloaded.Registry");
As used herein, the term “payload” may include software, code (e.g., source code, machine code, bytecode), code segments, instructions, functions, libraries, data structures, metadata, and/or other types of information that may be used to initiate or control operations of a computing platform. As used herein, the term “application program” may be used interchangeably with the terms host application, host software, software program, application software, or applications (e.g., “apps”). For example, an application program may be included in an application installation package file, such as an Android™ application package kit (APK) file, that may be purchased and downloaded to a client device from an online application store (e.g., “appstore”). In such example, the application installation package may be used by the client device to install the application program.
As shown in
In one aspect of the disclosure, the application program 108 running on the client device 100 may call a function to dynamically obtain and load a payload (also referred to as a dynamic payload) during run time of the application program 108. In one aspect of the disclosure, the function may be included in one of the API(s) 106. In another aspect of the disclosure, the function may itself be one of the APIs 106. An example of a function that may dynamically obtain and load a payload may be the “LoadDexFile()” function, which may be supported on the Android™ platform.
In one aspect of the disclosure, and as described in detail herein, when the client device 100 detects that the application program 108 has called a function (e.g., one of the API(s) 106) to dynamically obtain and load a payload for execution on the client device 100, the calling of such function may trigger the client device 100 to analyze one or more portions of the payload for malicious content. In one aspect of the disclosure, one or more security operations of the client device 100 may be included in the API(s) 106 to protect against unauthorized attempts by the application program 108 to dynamically obtain and load a payload that may include malicious content. For example, the one or more security operations may be triggered when the application program 108 attempts to call a function (e.g., one of the API(s) 106) to dynamically obtain and load a payload for execution on the client device 100. An example implementation of such security operations by the client device 100 is described herein with reference to
As shown in
The client device 202 may send a payload request 214 to the external device/server 204 and may obtain the payload 216. The client device 202 may analyze 218 the obtained payload for malicious content (e.g., using a predictive analysis approach, which may also be referred to as machine learning based static analysis). For example, and in accordance with the aspects described herein, analysis of a payload (and/or an application installation package) for malicious content may involve determining the one or more APIs implemented (i.e., invoked) by the payload, and comparing the one or more APIs to a library of APIs that are known or likely to be harmful or damaging. For example, the APIs that a payload will invoke appear as class and method references in the bytecode included in the payload, so they can be enumerated without executing the payload. In some aspects of the disclosure, the client device 202 may perform statistical analysis to determine whether the one or more APIs implemented by the payload are likely to cause damage to the client device 202. Accordingly, a determination that the one or more APIs implemented by the payload are likely to cause damage to the client device 202 may enable the client device 202 to conclude that the payload contains malicious content. As another example, and in accordance with the aspects described herein, analysis of a payload (and/or an application installation package) for malicious content may involve extracting the information embedded in the payload (e.g., hardcoded URLs, embedded strings), and matching such information against a database of information known or likely to be harmful or damaging to the client device 202. For example, the database may include, among other items of information, a list of URLs that are known to be associated with malicious activity. In other aspects, if one or more APIs implemented by a payload appear suspicious or unfamiliar to the client device 202, the client device 202 may conclude that such APIs are malicious.
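As an added example (not code from the disclosure), the following Python screens a payload in the way this paragraph describes: it parses the string table of a dex035 image, which is where the referenced class and method descriptors and embedded literals such as URLs live, verifies the header checksum so that a corrupt or tampered payload is rejected rather than executed, and matches the strings against a deny-list of APIs and hosts. The deny-list, the sample payloads and the example.test hostnames are constructed for illustration; a deployment would derive the lists from the platform API surface and threat intelligence. The build_dex() helper constructs a minimal image carrying only a string table so the example runs offline; real payloads also carry type, method and class tables.

```python
import re
import struct
import zlib
from typing import Dict, List, Tuple

DEX_MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70

# Constructed deny-list (illustrative): API descriptors and method names a
# benign update payload rarely needs, plus hosts known to serve malware.
SUSPICIOUS_APIS = {
    "Landroid/telephony/SmsManager;": "sms",
    "sendTextMessage": "sms",
    "Ljava/lang/Runtime;": "shell",
    "exec": "shell",
    "Ldalvik/system/DexClassLoader;": "nested-loader",
}
KNOWN_BAD_HOSTS = {"c2.example-bad.test"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def _uleb128(value: int) -> bytes:
    # Unsigned LEB128, the encoding dex uses for string lengths.
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def _read_uleb128(buf: bytes, off: int) -> Tuple[int, int]:
    # Decode a ULEB128 at buf[off]; return (value, offset just after it).
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def build_dex(strings: List[str]) -> bytes:
    """Constructed test input: a minimal dex035 image holding only a string
    table. Real payloads also carry type, method and class tables."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += _uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    header = bytearray(DEX_MAGIC)
    header += struct.pack("<I", 0)                  # checksum, patched below
    header += bytes(20)                             # SHA-1 signature, left zero
    header += struct.pack("<III", data_off + len(data), HEADER_SIZE, 0x12345678)
    header += struct.pack("<III", 0, 0, 0)          # link_size, link_off, map_off
    header += struct.pack("<II", len(strings), ids_off)
    header += bytes(48)                             # type_ids .. data_off, all empty
    image = bytearray(header + ids + data)
    struct.pack_into("<I", image, 8, zlib.adler32(image[12:]) & 0xFFFFFFFF)
    return bytes(image)


def extract_strings(dex: bytes) -> List[str]:
    """Return the string_ids table after checking magic, checksum and size."""
    if len(dex) < HEADER_SIZE or dex[:8] != DEX_MAGIC:
        raise ValueError("not a dex035 image")
    (checksum,) = struct.unpack_from("<I", dex, 8)
    if checksum != zlib.adler32(dex[12:]) & 0xFFFFFFFF:
        raise ValueError("header checksum mismatch (corrupt or tampered)")
    (file_size,) = struct.unpack_from("<I", dex, 32)
    if file_size != len(dex):
        raise ValueError("file_size does not match payload length")
    count, ids_off = struct.unpack_from("<II", dex, 56)
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, start = _read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)
        # MUTF-8 and UTF-8 agree for the ASCII descriptors matched here.
        strings.append(dex[start:end].decode("utf-8"))
    return strings


def screen_payload(dex: bytes) -> Dict[str, object]:
    """Return a verdict plus the evidence behind it. Unparseable input fails closed."""
    try:
        strings = extract_strings(dex)
    except (ValueError, IndexError, struct.error) as exc:
        return {"verdict": "block", "findings": [("parse-error", str(exc))]}
    findings = []
    for s in strings:
        if s in SUSPICIOUS_APIS:
            findings.append((SUSPICIOUS_APIS[s], s))
        for host in URL_RE.findall(s):
            if host in KNOWN_BAD_HOSTS:
                findings.append(("c2", host))
    return {"verdict": "block" if findings else "allow", "findings": findings}


# Constructed samples: a plain update, and one that wires up SMS sending to a C2 host.
BENIGN = build_dex(["Lcom/example/update/Registry;", "onLoad",
                    "https://updates.example.test/v2"])
MALICIOUS = build_dex(["Lcom/example/update/Registry;", "Landroid/telephony/SmsManager;",
                       "sendTextMessage", "http://c2.example-bad.test/gate.php"])
```

screen_payload() maps directly onto the two branches of the flow: a "block" verdict corresponds to preventing execution 220 and alerting 222, an "allow" verdict to resuming the control flow 224. Failing closed on a parse or checksum error matters in practice, since a payload the screener cannot read is exactly the one an attacker would want waved through.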
In the event that the analysis finds malicious content in the obtained payload, the client device 202 may prevent execution 220 of the payload. In an aspect of the disclosure, the client device 202 may provide 222 an alert to the user of the client device 202 that malicious content has been found. In some aspects of the disclosure, the client device 202 may alert other application programs that may be currently running on the client device 202 that a payload including malicious content has been detected. Such an alert may allow the other applications to take protective measures, such as disabling certain features, logging out or ending a session, and/or quitting the application. When the analysis does not find malicious content in the obtained payload, the client device 202 may resume 224 the control flow and the client device 202 may proceed to load and execute 226 the payload.
As shown in
In an aspect of the disclosure, upon loading the obtained payload into memory (e.g., after the LoadDexFile() function is called), one or more security operations (e.g., operations 312, 314 in
The client device 100 may perform one or more operations based on the analysis 314. In one aspect, the one or more operations may include halting the application program 108 when the analysis finds malicious content in the loaded payload and/or the application installation package. In another aspect, the one or more operations may include allowing the application program 108 to resume when the analysis does not find malicious content in the loaded payload and/or the application installation package. In some aspects of the disclosure, the one or more operations may include providing a notification to the user of the client device 100 regarding the results of the analysis (e.g., to notify the user that malicious content has been found).
In one aspect of the disclosure, the one or more security operations (e.g., operations 312, 314) of the client device 100 described with respect to
Triggering of the previously described security operations when the client device 100 detects execution of a function (e.g., one of the API(s) 106) for dynamically loading a payload as described with reference to
In one example, the application program 108 may be configured to implement the following function call flow: registerClient()→getNewPayload()→downloadNewCode()→downloadOtherUpdates()→prepareEnvironmentVars()→loadDexFile(). In this example, the call graph screening operation of the client device 100 may analyze the function call flow to determine whether the function call flow will lead to the dynamic loading of a payload. For example, this analysis may be performed before the application program 108 attempts to dynamically load a payload. In an aspect of the disclosure, the call graph screening operation may identify a function in the function call flow that may attempt to dynamically obtain a payload, such as the downloadNewCode() function, and may identify a function in the function call flow that may attempt to dynamically load the obtained payload, such as the loadDexFile() function. In such aspect, the one or more security operations (e.g., pausing the control flow and analyzing the obtained dynamic payload for malicious content) of the client device 100 may be triggered as early as when the function downloadNewCode() returns with a dynamic payload. Accordingly, the client device 100 may analyze the dynamic payload for malicious content in a manner previously described with reference to
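As an added example (not code from the disclosure), the following Python performs the call graph screening step over a flow modelled on the one above: it enumerates the paths from an entry point to a loader function, identifies on each path the function that obtains the payload, and reports where the security operations should be triggered. The source and sink lists, the graph, and the extra functions checkCache, showSettings, renderList and decryptLocalBlob are constructed for illustration. The path through checkCache shows the caveat a practitioner needs: a payload that is already on disk (e.g., stored encrypted and decrypted at run time) never passes through a download function, so screening must also be gated at the loader itself.

```python
from typing import Dict, List, Set

CallGraph = Dict[str, List[str]]

# Constructed lists of functions that bring code onto the device (sources) and
# functions that turn it into executable code (sinks); a deployment would
# derive them from the platform API surface.
PAYLOAD_SOURCES = {"downloadNewCode", "decryptLocalBlob"}
LOADER_SINKS = {"loadDexFile", "DexClassLoader.<init>", "System.load"}


def loader_paths(graph: CallGraph, entry: str, max_depth: int = 32) -> List[List[str]]:
    """Enumerate simple paths from entry to any loader sink. Nodes already on
    the path are skipped, so retry loops and recursion cannot hang the walk."""
    paths, stack = [], [(entry, [entry])]
    while stack:
        node, path = stack.pop()
        if node in LOADER_SINKS:
            paths.append(path)
            continue
        if len(path) >= max_depth:
            continue
        for callee in graph.get(node, []):
            if callee not in path:
                stack.append((callee, path + [callee]))
    return paths


def screening_points(graph: CallGraph, entry: str) -> Dict[str, Set[str]]:
    """For each reachable loader sink, the functions whose return should trigger
    payload screening: every source on the path (so a payload is inspected as
    soon as it arrives), or the sink itself when no source precedes it, e.g. a
    payload already staged on disk and decrypted at run time."""
    points: Dict[str, Set[str]] = {}
    for path in loader_paths(graph, entry):
        sink = path[-1]
        sources = {f for f in path[:-1] if f in PAYLOAD_SOURCES}
        points.setdefault(sink, set()).update(sources or {sink})
    return points


def needs_load_time_gate(graph: CallGraph, entry: str) -> bool:
    """True when some path reaches a loader without a fetch, meaning screening
    at the sources alone would miss a payload and the sink must be gated too."""
    return any(sink in pts for sink, pts in screening_points(graph, entry).items())


# Constructed function call flow modelled on the one in the text: an edge a -> b
# means b can run after a. The retry edge back to registerClient forms a cycle.
APP_FLOW: CallGraph = {
    "onCreate": ["registerClient"],
    "registerClient": ["getNewPayload", "checkCache", "showSettings"],
    "getNewPayload": ["downloadNewCode"],
    "downloadNewCode": ["downloadOtherUpdates"],
    "downloadOtherUpdates": ["prepareEnvironmentVars", "registerClient"],
    "prepareEnvironmentVars": ["loadDexFile"],
    "checkCache": ["loadDexFile"],        # payload already on disk, no fetch
    "showSettings": ["renderList"],
}

if __name__ == "__main__":
    for p in loader_paths(APP_FLOW, "onCreate"):
        print(" -> ".join(p))
    print(screening_points(APP_FLOW, "onCreate"))
```

For the constructed flow the result is that loadDexFile is reachable by two paths, and screening must be triggered both when downloadNewCode() returns and at loadDexFile() itself, because the checkCache path supplies a payload that was never downloaded during this run.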
In one aspect of the disclosure, one or more of the previously described security operations of the client device 100 may be triggered based on a result of an analysis of an application installation package (e.g., host APK).
When the application program (e.g., the application program 108) is executed (e.g., during the application run time below the dotted line in
Therefore, in accordance with the aspect described with reference to
In some aspects of the disclosure, malicious content may exist in one of three configurations: 1) the malicious content may be included only in the application program (e.g., only the host application program is malicious); 2) the malicious content may be included only in the payload (e.g., only the payload is malicious); or 3) the malicious content may be included in the combination of the application program and the payload (this configuration is also referred to as collaborative malware).
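As an added example (not code from the disclosure), the following Python attributes detected behaviour to these three configurations. Its inputs are the class, method and literal references of the host application and of the payload, as a string-table extraction would produce them; the rules, the sample references and the com.example names are constructed. Each rule requires several indicators together, so a behaviour that has been split across host and payload, with neither half suspicious on its own, is reported as the combination rather than missed.

```python
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed rules: a rule fires when every indicator is present somewhere in
# the union of host and payload references.
RULES: Dict[str, FrozenSet[str]] = {
    "sms-abuse": frozenset({"Landroid/telephony/SmsManager;", "sendTextMessage"}),
    "shell-exec": frozenset({"Ljava/lang/Runtime;", "exec"}),
}


def attribute(host: Iterable[str], payload: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (rule, location) pairs. location is 'host' or 'payload' when that
    part alone satisfies the rule, else 'combination' (collaborative malware)."""
    h, p = set(host), set(payload)
    hits: List[Tuple[str, str]] = []
    for name, indicators in RULES.items():
        if not indicators <= (h | p):
            continue
        complete_in = [loc for loc, refs in (("host", h), ("payload", p))
                       if indicators <= refs]
        for loc in complete_in or ["combination"]:
            hits.append((name, loc))
    return hits


def report(hits: List[Tuple[str, str]]) -> Dict[str, object]:
    """The message of the disclosure: which of host, payload and combination is
    malicious, and whether the application is halted or allowed to resume."""
    locations = {loc for _, loc in hits}
    return {
        "host_malicious": "host" in locations,
        "payload_malicious": "payload" in locations,
        "collaborative": "combination" in locations,
        "action": "halt" if hits else "resume",
    }


# Constructed samples. The host merely references SmsManager (plausible for an
# app that reads verification codes); the payload supplies the send call, and
# on its own also spawns a shell.
HOST_REFS = ["Lcom/example/app/MainActivity;", "Landroid/telephony/SmsManager;", "getDefault"]
PAYLOAD_REFS = ["Lcom/example/app/Registry;", "sendTextMessage",
                "Ljava/lang/Runtime;", "exec", "+15550100"]

if __name__ == "__main__":
    found = attribute(HOST_REFS, PAYLOAD_REFS)
    print(found)
    print(report(found))
```

Screening the host APK at install time and the payload at load time separately would pass the SMS indicators in this sample, since each half carries only one of them; evaluating the rules over the union is what surfaces the collaborative case.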
As shown in the flowchart of
Therefore, it can be appreciated that the features disclosed herein may enable detection and/or prevention of dynamic loading of payloads containing malicious content. Moreover, the features disclosed herein may also help to prevent the execution of such payloads containing malicious content. Since such payloads containing malicious content are obtained and loaded dynamically at run time of an application program, the conventional techniques typically implemented by security vendors (e.g., antivirus software developers), which inspect the application installation package before it runs, may not be able to detect and/or prevent the dynamic loading (or execution) of such payloads containing malicious content.
The processing circuit 620 is arranged to obtain, process and/or send data, control data access and storage, issue commands, and control other desired operations. The processing circuit 620 may include circuitry adapted to implement desired programming provided by appropriate media in at least one example. In some instances, the processing circuit 620 may include circuitry adapted to perform a desired function, with or without implementing programming. By way of example, the processing circuit 620 may be implemented as one or more processors, one or more controllers, and/or other structure configured to execute executable programming and/or perform a desired function. Examples of the processing circuit 620 may include a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic component, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may include a microprocessor, as well as any conventional processor, controller, microcontroller, or state machine. The processing circuit 620 may also be implemented as a combination of computing components, such as a combination of a DSP and a microprocessor, a number of microprocessors, one or more microprocessors in conjunction with a DSP core, an ASIC and a microprocessor, or any other number of varying configurations. These examples of the processing circuit 620 are for illustration and other suitable configurations within the scope of the disclosure are also contemplated.
The processing circuit 620 is adapted for processing, including the execution of programming, which may be stored on the storage medium 640. As used herein, the terms “programming” or “instructions” shall be construed broadly to include without limitation instruction sets, instructions, code, code segments, program code, programs, programming, subprograms, software modules, applications, software applications, software packages, routines, subroutines, objects, executables, threads of execution, procedures, functions, etc., whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise.
In some instances, the processing circuit 620 may include one or more of: a payload and function call flow obtaining circuit/module 622, a payload and application program analyzing circuit/module 624, a payload executing circuit/module 626, and a message providing circuit/module 628.
The payload and function call flow obtaining circuit/module 622 may include circuitry and/or instructions (e.g., the payload and function call flow obtaining instructions 642 stored on the storage medium 640) adapted to obtain, at a client device, a first payload that is dynamically loaded by an application program of the client device, obtain a function call flow of the application program, the function call flow indicating a second payload that is to be dynamically loaded by the application program, and/or obtain the second payload before the second payload is dynamically loaded by the application program.
The payload and application program analyzing circuit/module 624 may include circuitry and/or instructions (e.g., the payload and application program analyzing instructions 644 stored on the storage medium 640) adapted to determine whether the first payload includes malicious content, determine whether the second payload includes the malicious content, analyze the application program to determine a value of a confidence metric, determine whether the application program at a client device includes the malicious content, and/or determine whether the application program in combination with the first payload includes the malicious content.
The payload executing circuit/module 626 may include circuitry and/or instructions (e.g., the payload executing instructions 646 stored on the storage medium 640) adapted to prevent execution of the first payload when the first payload includes the malicious content, execute the first payload when the first payload does not include the malicious content, prevent dynamic loading of the second payload when the second payload includes the malicious content, allow the dynamic loading of the second payload when the second payload does not include the malicious content, prevent the application program from dynamically loading a second payload when the value is below a threshold, allow the application program to dynamically load the second payload when the value is greater than or equal to the threshold, prevent execution of the second payload when the second payload includes the malicious content, and/or execute the second payload when the second payload does not include the malicious content.
The message providing circuit/module 628 may include circuitry and/or instructions (e.g., the message providing instructions 648 stored on the storage medium 640) adapted to provide a notification to a user of the client device and/or provide a message indicating whether any of the application program, the first payload, and the application program in combination with the first payload includes the malicious content.
The storage medium 640 may represent one or more processor-readable devices for storing programming, electronic data, databases, or other digital information. The storage medium 640 may also be used for storing data that is manipulated by the processing circuit 620 when executing programming. The storage medium 640 may be any available media that can be accessed by the processing circuit 620, including portable or fixed storage devices, optical storage devices, and various other mediums capable of storing, containing and/or carrying programming. By way of example and not limitation, the storage medium 640 may include a processor-readable storage medium such as a magnetic storage device (e.g., hard disk, floppy disk, magnetic strip), an optical storage medium (e.g., compact disk (CD), digital versatile disk (DVD)), a smart card, a flash memory device (e.g., card, stick, key drive), random access memory (RAM), read only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), a register, a removable disk, and/or other mediums for storing programming, as well as any combination thereof. Thus, in some implementations, the storage medium may be a non-transitory (e.g., tangible) storage medium.
The storage medium 640 may be coupled to the processing circuit 620 such that the processing circuit 620 can read information from, and write information to, the storage medium 640. That is, the storage medium 640 can be coupled to the processing circuit 620 so that the storage medium 640 is at least accessible by the processing circuit 620, including examples where the storage medium 640 is integral to the processing circuit 620 and/or examples where the storage medium 640 is separate from the processing circuit 620.
Programming/instructions stored by the storage medium 640, when executed by the processing circuit 620, causes the processing circuit 620 to perform one or more of the various functions and/or process steps described herein. For example, the storage medium 640 may include one or more of: the payload and function call flow obtaining instructions 642, the payload and application program analyzing instructions 644, the payload executing instructions 646, the message providing instructions 648. Thus, according to one or more aspects of the disclosure, the processing circuit 620 is adapted to perform (in conjunction with the storage medium 640) any or all of the processes, functions, steps and/or routines for any or all of the apparatuses described herein. As used herein, the term “adapted” in relation to the processing circuit 620 may refer to the processing circuit 620 being one or more of configured, employed, implemented, and/or programmed (in conjunction with the storage medium 640) to perform a particular process, function, step and/or routine according to various features described herein.
With the above in mind, examples of operations according to the disclosed aspects will be described in more detail in conjunction with the flowchart of
For convenience, the operations of
In an aspect of the disclosure, the client device determines whether the first payload includes malicious content by analyzing at least a software code, a library, or a data structure in the first payload to identify the malicious content. In an aspect of the disclosure, the application program implements an application programming interface of the client device to dynamically load the first payload, wherein the implementation of the application programming interface triggers the determining whether the first payload includes malicious content. In an aspect of the disclosure, at least the determining whether the first payload includes malicious content, the preventing execution of the first payload when the first payload includes the malicious content, or the executing the first payload when the first payload does not include the malicious content is controlled by one or more application programming interfaces of the client device. In an aspect of the disclosure, the first payload is excluded from the application program prior to execution of the application program. In an aspect, the first payload includes at least software code that is executable at the client device. In an aspect of the disclosure, the first payload is dynamically loaded from a network or an external device that is in communication with the client device. In an aspect of the disclosure, the first payload includes software code that has been stored in a local memory of the client device in encrypted form and decrypted by the application program at run time. In an aspect of the disclosure, the preventing execution of the first payload when the first payload includes the malicious content includes halting the application program. In an aspect of the disclosure, the first payload is compiled for execution during the determining whether the first payload includes malicious content.
One or more of the components, steps, features and/or functions illustrated in the figures may be rearranged and/or combined into a single component, step, feature or function or embodied in several components, steps, or functions. Additional elements, components, steps, and/or functions may also be added without departing from novel features disclosed herein. The apparatus, devices, and/or components illustrated in the figures may be configured to perform one or more of the methods, features, or steps described herein. The novel algorithms described herein may also be efficiently implemented in software and/or embedded in hardware.
It is to be understood that the specific order or hierarchy of steps in the methods disclosed is an illustration of exemplary processes. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the methods may be rearranged. The accompanying method claims present elements of the various steps in a sample order, and are not meant to be limited to the specific order or hierarchy presented unless specifically recited therein. Additional elements, components, steps, and/or functions may also be added or not utilized without departing from the disclosure.
While features of the disclosure may have been discussed relative to certain implementations and figures, all implementations of the disclosure can include one or more of the advantageous features discussed herein. In other words, while one or more implementations may have been discussed as having certain advantageous features, one or more of such features may also be used in accordance with any of the various implementations discussed herein. In similar fashion, while exemplary implementations may have been discussed herein as device, system, or method implementations, it should be understood that such exemplary implementations can be implemented in various devices, systems, and methods.
Also, it is noted that at least some implementations have been described as a process that is depicted as a flowchart, a flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed. In some aspects, a process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination corresponds to a return of the function to the calling function or the main function. One or more of the various methods described herein may be partially or fully implemented by programming (e.g., instructions and/or data) that may be stored in a machine-readable, computer-readable, and/or processor-readable storage medium, and executed by one or more processors, machines and/or devices.
Those of skill in the art would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the implementations disclosed herein may be implemented as hardware, software, firmware, middleware, microcode, or any combination thereof. To clearly illustrate this interchangeability, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system.
Within the disclosure, the word “exemplary” is used to mean “serving as an example, instance, or illustration.” Any implementation or aspect described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects of the disclosure. Likewise, the term “aspects” does not require that all aspects of the disclosure include the discussed feature, advantage or mode of operation. The term “coupled” is used herein to refer to the direct or indirect coupling between two objects. For example, if object A physically touches object B, and object B touches object C, then objects A and C may still be considered coupled to one another—even if they do not directly physically touch each other. For instance, a first die may be coupled to a second die in a package even though the first die is never directly physically in contact with the second die. The terms “circuit” and “circuitry” are used broadly, and intended to include both hardware implementations of electrical devices and conductors that, when connected and configured, enable the performance of the functions described in the disclosure, without limitation as to the type of electronic circuits, as well as software implementations of information and instructions that, when executed by a processor, enable the performance of the functions described in the disclosure.
As used herein, the term “determining” encompasses a wide variety of actions. For example, “determining” may include calculating, computing, processing, deriving, investigating, looking up (e.g., looking up in a table, a database or another data structure), ascertaining, and the like. Also, “determining” may include receiving (e.g., receiving information), accessing (e.g., accessing data in a memory), and the like. Also, “determining” may include resolving, selecting, choosing, establishing, and the like. As used herein, the term “obtaining” may include one or more actions including, but not limited to, receiving, generating, determining, or any combination thereof.
The previous description is provided to enable any person skilled in the art to practice the various aspects described herein. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects. Thus, the claims are not intended to be limited to the aspects shown herein, but are to be accorded the full scope consistent with the language of the claims, wherein reference to an element in the singular is not intended to mean “one and only one” unless specifically so stated, but rather “one or more.” Unless specifically stated otherwise, the term “some” refers to one or more. A phrase referring to “at least one of” a list of items refers to any combination of those items, including single members. As an example, “at least one of: a, b, or c” is intended to cover: a; b; c; a and b; a and c; b and c; and a, b and c. All structural and functional equivalents to the elements of the various aspects described throughout this disclosure that are known or later come to be known to those of ordinary skill in the art are expressly incorporated herein by reference and are intended to be encompassed by the claims. Moreover, nothing disclosed herein is intended to be dedicated to the public regardless of whether such disclosure is explicitly recited in the claims. No claim element is to be construed under the provisions of 35 U.S.C. § 112, sixth paragraph, unless the element is expressly recited using the phrase “means for” or, in the case of a method claim, the element is recited using the phrase “step for.”
As those of some skill in this art will by now appreciate and depending on the particular application at hand, many modifications, substitutions and variations can be made in and to the materials, apparatus, configurations and methods of use of the devices of the present disclosure without departing from the spirit and scope thereof. In light of this, the scope of the present disclosure should not be limited to that of the particular embodiments illustrated and described herein, as they are merely by way of some examples thereof, but rather, should be fully commensurate with that of the claims appended hereafter and their functional equivalents.