WO2021053646A1 - Detection of presence of malicious tools on mobile devices - Google Patents

Info

Publication number
WO2021053646A1
Authority
WO
WIPO (PCT)
Prior art keywords
tools
malicious
information
library
suspected
Application number
PCT/IB2020/058799
Other languages
French (fr)
Inventor
Wee Chian LIE
Original Assignee
Cashshield Pte. Ltd.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55: Detecting local intrusion or implementing counter-measures
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12: Detection or prevention of fraud

Definitions

  • This disclosure generally relates to the device intelligence field. More particularly, some embodiments relate to methods for identifying the presence of malicious tools on mobile devices.
  • Digital platforms in the form of mobile applications on mobile devices have come to rely on identifying a user's mobile device and its attributes to establish customer trust and prevent fraud. This is conventionally done through device fingerprinting, which enables the digital platform to assign an identifier to the mobile device, as well as record the device attributes of that device.
  • Fraudsters can circumvent these defense mechanisms by using device modification tools.
  • Fraudsters can use device modification tools to modify various attributes, including but not limited to device hardware, user interface, connectivity, network, sensor, and media and graphics attributes. These malicious tools are being developed with high frequency and can be obtained by would-be fraudsters from both public domains (e.g. app marketplaces) and private domains (e.g. dark web).
  • a device that has been modified by such malicious tools can not only render mobile device identification techniques ineffective, it can also confound platforms regarding the user's actual device attributes (such as physical location or brand/model of the device). Detecting the presence of such malicious tools on mobile devices is therefore important to establishing the risk that a user's device has been modified, and the subsequent risk of the user committing fraudulent acts with that device.
  • a method for detecting in real-time the presence of malicious tools or applications on a suspected device (that purports to be a mobile device). The method includes: receiving device information extracted from the suspected device; comparing the information extracted from the suspected device to a library of malicious tools and applications; and generating in real-time one or more outputs indicating risk that malicious tools and/or applications are associated with the suspected device, based at least in part on the comparing extracted information to the library.
  • the library of malicious tools and applications is maintained by a method that includes: automatically collecting information associated with potentially malicious applications from online sources; performing machine learning on the automatically collected information to determine indicators of potential malicious usage associated with potentially malicious applications; updating the library based in part on the determined indications of maliciousness and attributes; and automatically repeating the collecting, performing and updating.
  • the received device information includes device fingerprinting information, information about system packages, user applications, and/or passive biometrics.
  • the information can be extracted by making use of a software development kit included within a mobile app running on the suspected device.
  • the malicious tools or applications are of one or more types selected from a group consisting of: app cloners; device masking tools; location spoofing tools; network spoofing tools; disposable email tools; and custom firmware.
  • the outputs are configured to be processed to produce actionable device intelligence in the form of malicious indicators.
  • the outputs can include one or more of the following: a weighted score, a recommended action, and specific indicators of particular risk types.
  • the malicious tools or applications can be used for fraudulent purposes of one or more types selected from a group consisting of: account takeover; fake registration; unauthorized e-wallet top-ups; fraudulent transfers; fraudulent payments; first purchase abuse; referral abuse; reward point abuse; merchant cashback abuse; peer-to-peer scams; fake seller ratings; flash sale abuse; promo abuse; withdrawal fraud; cash-out of stolen credits; money laundering; ad fraud; credit application fraud; and platform abuse.
  • the comparing and generating are performed in less than one second. According to some embodiments, the comparing and generating are performed in less than one hundred milliseconds.
  • a method for maintaining a library of malicious tools and applications.
  • the method includes: automatically collecting information associated with potentially malicious applications from one or more online sources; performing machine learning on the automatically collected information to determine indicators of potential malicious usage associated with potentially malicious applications; updating the library based in part on the determined indications of maliciousness and attributes; and automatically repeating the collecting, performing and updating.
  • the library is configured to facilitate real time detecting of the presence of malicious tools or applications on a suspected device based at least in part on a comparison of information extracted from the suspected device and the library.
  • the online sources include one or more of the following types of sources: online forums, public mobile application stores, and public mobile application repositories.
  • the collected information can also include automatically collecting information from one or more proprietary databases of device fingerprints from devices previously found to be associated with malicious activity.
  • the collected information can also include one or more of the following types: application identification; application name; application tags; application descriptions, and application vendor.
  • the machine learning can include one or more models that use logistic regression and/or multinomial naive Bayes classifiers.
  • a system for detecting the presence of malicious applications on a device.
  • the system includes: a mobile application running on a plurality of suspected devices, the mobile application configured to extract information from the suspected device relating to potential malicious applications and transmit the extracted information to a processing platform; and an autonomous risk assessment processing platform configured to receive the extracted information from the suspected devices and generate risk assessment outputs in real-time for immediate use by a third party having an interest in potential malicious activity associated with the suspected devices, wherein the risk assessment output generation is based at least in part on a comparison of the extracted information and a library of malicious applications.
  • the terms “library” and “database” are used interchangeably, and both terms refer herein to a collection of digital content and/or data that is stored and can be accessed electronically from a computer system.
  • although the term “tool” is sometimes understood to be designed for a specific use case, and the term “application” is sometimes understood to refer to a larger, more complex piece of software, as used herein the terms “tool” and “application” are used interchangeably.
  • FIG. 1 is a schematic diagram of mobile devices interacting with one or more servers where malicious tools can be assessed, according to some embodiments;
  • FIG. 2 is a block diagram illustrating some aspects of an overall system for detecting and assessing malicious tools and applications on mobile devices, according to some embodiments
  • FIG. 3 is a block diagram illustrating some aspects of generating and updating a library of malicious tools on mobile devices, according to some embodiments.
  • FIG. 4 is a block diagram illustrating some aspects of detecting and assessing malicious tools on mobile devices, according to some embodiments.
  • Mobile device 110, which in this example is a smart phone, includes a mobile application (“mobile app”) 112 provided to the user of device 110 by an organization 150.
  • Mobile app 112 can in general provide any functionality including facilitating transactions and/or communication with organization 150 and/or other entities.
  • Organization 150 has an interest in assessing the risk that the user of mobile app 112, using device 110, intends to commit fraud or other malicious activity.
  • Organization 150 hires, retains, subscribes or otherwise contracts with cyber protection company 160 to aid organization 150 in detecting and reducing risks associated with fraudulent or malicious activity.
  • a software development kit (SDK) 114 obtained from cyber protection company 160 can be included within mobile app 112.
  • the SDK 114 is configured to facilitate the extraction of information from the device on which the mobile app is running.
  • the user of smartphone 110 is a legitimate user of app 112, while the users of laptop 120 and smartphone 130 are employing one or more malicious tools or applications to commit fraud.
  • the user has installed a malicious spoofing tool 126 that allows laptop 120 to emulate or appear to be a smartphone.
  • malicious tool 136 can be installed to provide some other type of spoofing (e.g. email, caller ID, messaging, location) or other malicious tool or application.
  • sets of data are collected from devices 110, 120 and 130 and transmitted via network 100 (e.g. the internet) to cyber protection company 160.
  • Protection company 160 processes the sets of data and generates a corresponding set of outputs. Categories of data collected include both device hardware and software attributes, including but not limited to hardware, user interface, connectivity, network, sensor, media and graphics attributes.
  • the outputs can be processed to produce actionable device intelligence in the form of malicious indicators, including but not limited to the presence of app cloners, network/location spoofers and various modification tools.
  • An overall score can be derived through a weighted approach and assigned to the user device or user activity to indicate the level of risk associated with the device/activity.
  • the techniques for assessing the presence of malicious tools described herein can facilitate assessment of fraudulent activity.
  • types of such fraudulent activity include: account takeover; fake registration; unauthorized e-wallet top-ups; fraudulent transfers; fraudulent payments; first purchase abuse; referral abuse; reward point abuse; merchant cashback abuse; peer-to-peer scams; fake seller ratings; flash sale abuse; promo abuse; withdrawal fraud; cash-out of stolen credits; money laundering; ad fraud; and credit application fraud.
  • malware tool types that can be detected: app cloners; device masking tools; location spoofing tools; network spoofing tools; disposable email tools; and custom firmware.
  • data can be collected for the malicious tools threat analysis in two ways: (1) collecting information about system packages and user applications using one or more application programming interfaces (APIs) built in to the mobile device (e.g. via SDK 114 in mobile app 112); and (2) collecting information about certain groups of malicious tools, including but not limited to app ID, app name, app tags, app descriptions and app vendor. Examples of the types of data collected include: (1) system packages and user applications; and (2) malicious tools available for users to download.
  • a database, collection or library of malicious tools and applications 162 is generated.
  • processing system 164 of protection company 160 uses one or more machine learning model(s).
  • the machine learning model(s) use Logistic Regression and Multinomial Naive Bayes Classifier(s) to determine new malicious tools based on names, descriptions, tags, permissions and more.
  • the output is used for generating and updating the library of malicious tools and applications.
  • library 162 includes a trained model comprised of features (e.g. vectors of coefficients and weightings) and procedures (logic) to identify the usage of malicious tools.
  • one or more malicious indicators 152 can be generated and transmitted to company 150.
  • the malicious indicators 152 can be in the form of true/false flags to be incorporated into the approval process of a client’s platform.
  • the indicators 152 can also include a weighted score to indicate the level of risk associated with the device/activity.
  • the indicators 152 can also include a recommended risk decision to allow/block an activity based on predefined policies to cater to business use cases of organization 150.
  • the protection company 160 functionality can be part of the organization 150, and the two can be part of the same organization.
  • FIG. 2 is a block diagram illustrating some aspects of an overall system for detecting and assessing malicious tools and applications on mobile devices, according to some embodiments.
  • the user’s device 110 is a smart phone, such as an iOS or Android mobile device and the organization is a merchant 150.
  • the device 110 includes an app with an SDK (such as shown in FIG. 1) that provides for the transfer of “device fingerprint” information 214 from the device 110 via iOS/Android APIs 212.
  • Information 214 contains non-sensitive device information and passive biometrics.
  • the information 214 is transmitted for real time algorithmic processing 224.
  • Processing 224 includes a comparison of the information 214 with a library 162 of malicious tools and applications.
  • the library 162 includes two portions: device intelligence library and model 216 and pattern recognition library and model 236.
  • the results of the real-time processing 224 include risk score / device intelligence 152 that provides merchant 150 with real-time risk analysis information on which it can make decisions. As shown, the real-time processing 224 also takes inputs from transaction information 234 and from pattern recognition library and model 236.
  • results of processing 224 are included in risk analysis component 220 as “historical data.”
  • risk analysis component 220 includes machine learning and is configured to update, “retrain” and/or “tune” the device intelligence library and model 216 and the pattern recognition library and model 236, as shown. In this way the library 162 is continually updated with transaction information and user device information so that it remains up to date.
  • FIG. 3 is a block diagram illustrating some aspects of generating and updating a library of malicious tools on mobile devices, according to some embodiments.
  • the blocks shown in FIG. 3 can take place at a remote autonomous risk intelligence platform, such as on the servers of a cyber protection company such as shown in FIG. 1.
  • an automatic data collection or “scraping” is performed.
  • the data collected or scraped can include: application names, descriptions, etc. from online and other sources (e.g. databases, device fingerprints, online forums, public mobile application stores, repositories).
  • machine learning is conducted on the collected / scraped information to determine and then assign a series of labels or scores to each application.
  • the scores can be for various categories such as: type of purpose, maliciousness, level of risk, etc.
  • a library of malicious tools and applications is generated, which corresponds to library 162 in FIGs. 1 and 2.
  • the loop arrow indicates that the processes of automatically collecting / scraping and machine learning labelling are performed repeatedly (e.g. either continuously, frequently, or regularly), so that the library is kept up-to-date. By ensuring the library is continuously updated, the risk assessment output can be generated relatively quickly and in real-time.
  • FIG. 4 is a block diagram illustrating some aspects of detecting and assessing malicious tools on mobile devices, according to some embodiments.
  • the mobile app on the device is configured with API(s) that allow for the collection and transmission of assessment information (e.g. the device fingerprint information 214 in FIG. 2) to an assessment platform (e.g. servers of a cyber protection company 160 shown in FIG. 1).
  • this functionality is provided by SDK 114 within mobile app 112.
  • the device information is extracted or collected.
  • the device information is compared with the current library of malicious tools and applications (e.g. library 162 in FIGs. 1 and 2).
  • the outputs are generated and sent to the client organization (e.g. organization 150 in FIG. 1).
  • block 418 information can be returned to the machine learning system.
  • the repeated (e.g. either continuous, frequent, or regular) updating of the library can provide for real time processing of threats, and in practice the blocks 412, 414 and 416 can be carried out very quickly.
  • the blocks 414 and 416 can be carried out in less than one second.
  • the blocks 414 and 416 can be carried out in less than one hundred milliseconds.

Abstract

Data is collected from devices and processed to generate an assessment of potential risk due to the presence of malicious tools or applications. Data collected can include device attributes such as device hardware, user interface, connectivity, network, sensor, media and graphics configuration. The generated assessment can include indicators of risk due to the presence of malicious tools such as app cloners, network/location spoofers and various modification tools. The assessment is generated in real-time by comparing collected information with an existing library of malicious tools and applications.

Description

DETECTION OF PRESENCE OF MALICIOUS TOOLS ON MOBILE DEVICES
REFERENCE TO RELATED APPLICATIONS
[0001] This patent application incorporates by reference and claims the benefit of each of the following U.S. Provisional patent applications:
U.S. Prov. Ser. No. 62/950,007 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,993 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,987 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,979 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,974 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,965 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,828 filed December 18, 2019;
U.S. Prov. Ser. No. 62/949,816 filed December 18, 2019;
U.S. Prov. Ser. No. 62/903,798 filed September 21, 2019;
U.S. Prov. Ser. No. 62/903,797 filed September 21, 2019; and
U.S. Prov. Ser. No. 62/903,796 filed September 21, 2019.
[0002] This patent application is related to and incorporates by reference the following International Patent Application: Int’l Pat. Appl. Ser. No. PCT/US20/ - filed on September 21, 2020 (Attorney Docket No. Shield-013-PCT).
[0003] All of the above-referenced provisional patent applications are collectively referenced herein as “the commonly assigned incorporated applications.”
FIELD
[0004] This disclosure generally relates to the device intelligence field. More particularly, some embodiments relate to methods for identifying the presence of malicious tools on mobile devices.
BACKGROUND
[0005] Digital platforms in the form of mobile applications on mobile devices have come to rely on identifying a user's mobile device and its attributes to establish customer trust and prevent fraud. This is conventionally done through device fingerprinting, which enables the digital platform to assign an identifier to the mobile device, as well as record the device attributes of that device.
[0006] Fraudsters can circumvent these defense mechanisms by using device modification tools. Fraudsters can use device modification tools to modify various attributes, including but not limited to device hardware, user interface, connectivity, network, sensor, and media and graphics attributes. These malicious tools are being developed with high frequency and can be obtained by would-be fraudsters from both public domains (e.g. app marketplaces) and private domains (e.g. dark web).
[0007] A device that has been modified by such malicious tools can not only render mobile device identification techniques ineffective, it can also confound platforms regarding the user's actual device attributes (such as physical location or brand/model of the device). Detecting the presence of such malicious tools on mobile devices is therefore important to establishing the risk that a user's device has been modified, and the subsequent risk of the user committing fraudulent acts with that device.
SUMMARY
[0008] According to some embodiments, a method is described for detecting in real-time the presence of malicious tools or applications on a suspected device (that purports to be a mobile device). The method includes: receiving device information extracted from the suspected device; comparing the information extracted from the suspected device to a library of malicious tools and applications; and generating in real-time one or more outputs indicating risk that malicious tools and/or applications are associated with the suspected device, based at least in part on the comparing extracted information to the library. The library of malicious tools and applications is maintained by a method that includes: automatically collecting information associated with potentially malicious applications from online sources; performing machine learning on the automatically collected information to determine indicators of potential malicious usage associated with potentially malicious applications; updating the library based in part on the determined indications of maliciousness and attributes; and automatically repeating the collecting, performing and updating.
[0009] According to some embodiments, the received device information includes device fingerprinting information, information about system packages, user applications, and/or passive biometrics. The information can be extracted by making use of a software development kit included within a mobile app running on the suspected device.
[0010] According to some embodiments, the malicious tools or applications are of one or more types selected from a group consisting of: app cloners; device masking tools; location spoofing tools; network spoofing tools; disposable email tools; and custom firmware.
[0011] According to some embodiments, the outputs are configured to be processed to produce actionable device intelligence in the form of malicious indicators. The outputs can include one or more of the following: a weighted score, a recommended action, and specific indicators of particular risk types.
[0012] According to some embodiments, the malicious tools or applications can be used for fraudulent purposes of one or more types selected from a group consisting of: account takeover; fake registration; unauthorized e-wallet top-ups; fraudulent transfers; fraudulent payments; first purchase abuse; referral abuse; reward point abuse; merchant cashback abuse; peer-to-peer scams; fake seller ratings; flash sale abuse; promo abuse; withdrawal fraud; cash-out of stolen credits; money laundering; ad fraud; credit application fraud; and platform abuse.
[0013] According to some embodiments, the comparing and generating are performed in less than one second. According to some embodiments, the comparing and generating are performed in less than one hundred milliseconds.
[0014] According to some embodiments, a method is described for maintaining a library of malicious tools and applications. The method includes: automatically collecting information associated with potentially malicious applications from one or more online sources; performing machine learning on the automatically collected information to determine indicators of potential malicious usage associated with potentially malicious applications; updating the library based in part on the determined indications of maliciousness and attributes; and automatically repeating the collecting, performing and updating. The library is configured to facilitate real time detecting of the presence of malicious tools or applications on a suspected device based at least in part on a comparison of information extracted from the suspected device and the library.
[0015] According to some embodiments, the online sources include one or more of the following types of sources: online forums, public mobile application stores, and public mobile application repositories.
[0016] According to some embodiments, the collected information can also include automatically collecting information from one or more proprietary databases of device fingerprints from devices previously found to be associated with malicious activity. The collected information can also include one or more of the following types: application identification; application name; application tags; application descriptions, and application vendor.
[0017] According to some embodiments, the machine learning can include one or more models that use logistic regression and/or multinomial naive Bayes classifiers.
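Paragraphs [0014] to [0017] describe the library-maintenance loop: scrape application identification, name, tags and descriptions from online sources, run machine learning over them, and update the library. The following is an added example, not the patent's or the assignee's code, of the multinomial naive Bayes variant implemented with only the Python standard library; the app entries, package ids, tool-type labels and the confidence threshold are constructed for the example.

```python
"""Added example (not the patent's own code): multinomial naive Bayes over scraped
app metadata, producing library entries labelled by tool type. Constructed data."""
from collections import Counter, defaultdict
import math
import re

TOKEN_RE = re.compile(r"[a-z0-9]+")
BENIGN = "benign"


def tokenize(entry) -> list:
    """Bag of words over name + description + tags, the features the text names.
    An entry is (app_id, name, description, tags[, label])."""
    _, name, description, tags = entry[:4]
    return TOKEN_RE.findall(f"{name} {description} {' '.join(tags)}".lower())


class MultinomialNB:
    """Laplace-smoothed multinomial naive Bayes, scored in log space."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.class_docs = Counter()              # label -> training entries
        self.word_counts = defaultdict(Counter)  # label -> token -> count
        self.vocab = set()

    def fit(self, labelled):
        for entry in labelled:
            label = entry[4]
            self.class_docs[label] += 1
            for tok in tokenize(entry):
                self.word_counts[label][tok] += 1
                self.vocab.add(tok)
        return self

    def token_log_prob(self, label: str, tok: str) -> float:
        total = sum(self.word_counts[label].values())
        return math.log((self.word_counts[label][tok] + self.alpha)
                        / (total + self.alpha * len(self.vocab)))

    def predict(self, entry):
        """Return (most likely label, its posterior probability)."""
        n_docs = sum(self.class_docs.values())
        toks = tokenize(entry)
        log_post = {label: math.log(n_c / n_docs)
                    + sum(self.token_log_prob(label, t) for t in toks)
                    for label, n_c in self.class_docs.items()}
        best = max(log_post, key=log_post.get)
        m = max(log_post.values())  # log-sum-exp keeps the normalisation stable
        z = sum(math.exp(v - m) for v in log_post.values())
        return best, math.exp(log_post[best] - m) / z

    def indicators(self, label: str, k: int = 3) -> list:
        """Tokens most characteristic of `label` relative to benign apps."""
        lr = {t: self.token_log_prob(label, t) - self.token_log_prob(BENIGN, t)
              for t in self.vocab}
        return sorted(lr, key=lr.get, reverse=True)[:k]


# Constructed, previously labelled scrape results used as training data:
# (app_id, name, description, tags, label). Placeholder ids, not real apps.
TRAINING = [
    ("com.example.dualspace", "Dual Space Pro",
     "run multiple copies of one app, clone accounts in a parallel space",
     ["clone", "parallel", "multi account"], "app_cloner"),
    ("com.example.clonemaster", "Clone Master",
     "clone any app and log in with a second account", ["clone", "dual"], "app_cloner"),
    ("com.example.fakegpsgo", "Fake GPS Go",
     "mock location: teleport anywhere and spoof your gps position",
     ["gps", "mock location", "spoof"], "location_spoofer"),
    ("com.example.gpsjoystick", "GPS Joystick Lite",
     "set a fake gps location with a joystick and a mock provider",
     ["gps", "fake location"], "location_spoofer"),
    ("com.example.idchanger", "Device ID Changer",
     "change imei, android id, build model, serial and fingerprint",
     ["imei", "device id", "spoof"], "device_masker"),
    ("com.example.weather", "Weather Now",
     "local forecast, hourly rain and radar for your city", ["weather", "forecast"], BENIGN),
]
# Constructed entries standing in for a fresh scrape of an app store listing.
SCRAPED = [
    ("com.example.parallelclone", "Parallel Clone",
     "clone apps and keep multiple accounts in one parallel space", ["clone", "multi account"]),
    ("com.example.locfaker", "Location Faker",
     "fake gps mock location, spoof your position anywhere", ["gps", "mock location", "spoof"]),
    ("com.example.dailyweather", "Daily Weather",
     "hourly forecast and radar maps for your city", ["weather", "forecast"]),
]


def build_library(min_confidence: float = 0.8) -> dict:
    """Train on TRAINING, classify SCRAPED and return app_id -> tool type for
    entries confidently labelled as a malicious tool; benign listings are dropped."""
    model = MultinomialNB().fit(TRAINING)
    library = {}
    for entry in SCRAPED:
        label, p = model.predict(entry)
        if label != BENIGN and p >= min_confidence:
            library[entry[0]] = label
    return library
```

Re-running `build_library()` after each scrape is the repeat step of the loop; `indicators()` lists the tokens that drove a label, which is what a reviewer would check before a new entry is trusted.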
[0018] According to some embodiments, a system is described for detecting the presence of malicious applications on a device. The system includes: a mobile application running on a plurality of suspected devices, the mobile application configured to extract information from the suspected device relating to potential malicious applications and transmit the extracted information to a processing platform; and an autonomous risk assessment processing platform configured to receive the extracted information from the suspected devices and generate risk assessment outputs in real-time for immediate use by a third party having an interest in potential malicious activity associated with the suspected devices, wherein the risk assessment output generation is based at least in part on a comparison of the extracted information and a library of malicious applications.
[0019] As used herein, the grammatical conjunctions “and”, “or” and “and/or” are all intended to indicate that one or more of the cases, objects or subjects they connect may occur or be present. In this way, as used herein the term “or” in all cases indicates an “inclusive or” meaning rather than an “exclusive or” meaning.
[0020] As used herein the terms “library” and “database” are used interchangeably, and both terms refer herein to a collection of digital content and/or data that is stored and can be accessed electronically from a computer system. As used herein, the terms “library” and “database” can also refer to models such as trained models that include features (e.g. vectors of coefficients and weightings) and procedures (logic) that can be used to identify the presence and/or usage of malicious tools.
[0021] Although the term “tool” is sometimes understood to be designed for a specific use case, and the term “application” is sometimes understood to refer to a larger, more complex piece of software, as used herein the terms “tool” and “application” are used interchangeably.
BRIEF DESCRIPTION OF THE DRAWINGS
[0022] To further clarify the above and other advantages and features of the subject matter of this patent specification, specific examples of embodiments thereof are illustrated in the appended drawings. It should be appreciated that these drawings depict only illustrative embodiments and are therefore not to be considered limiting of the scope of this patent specification or the appended claims. The subject matter hereof will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:
[0023] FIG. 1 is a schematic diagram of mobile devices interacting with one or more servers where malicious tools can be assessed, according to some embodiments;
[0024] FIG. 2 is a block diagram illustrating some aspects of an overall system for detecting and assessing malicious tools and applications on mobile devices, according to some embodiments;
[0025] FIG. 3 is a block diagram illustrating some aspects of generating and updating a library of malicious tools on mobile devices, according to some embodiments; and
[0026] FIG. 4 is a block diagram illustrating some aspects of detecting and assessing malicious tools on mobile devices, according to some embodiments.
DETAILED DESCRIPTION
[0027] A detailed description of examples of preferred embodiments is provided below. While several embodiments are described, it should be understood that the new subject matter described in this patent specification is not limited to any one embodiment or combination of embodiments described herein, but instead encompasses numerous alternatives, modifications, and equivalents.
In addition, while numerous specific details are set forth in the following description in order to provide a thorough understanding, some embodiments can be practiced without some or all of these details. Moreover, for the purpose of clarity, certain technical material that is known in the related art has not been described in detail in order to avoid unnecessarily obscuring the new subject matter described herein. It should be clear that individual features of one or several of the specific embodiments described herein can be used in combination with features of other described embodiments or with other features. Further, like reference numbers and designations in the various drawings indicate like elements.
[0028] FIG. 1 is a schematic diagram of mobile devices interacting with one or more servers where malicious tools can be assessed, according to some embodiments. Mobile device 110, which in this example is a smart phone, includes a mobile application (“mobile app”) 112 provided to the user of device 110 by an organization 150. Mobile app 112 can in general provide any functionality, including facilitating transactions and/or communication with organization 150 and/or other entities. Organization 150 has an interest in assessing the risk that the user of mobile app 112, using device 110, intends to commit fraud or other malicious activity. Organization 150 hires, retains, subscribes to or otherwise contracts with cyber protection company 160 to aid organization 150 in detecting and reducing risks associated with fraudulent or malicious activity. According to some embodiments, a software development kit (SDK) 114 obtained from cyber protection company 160 can be included within mobile app 112. The SDK 114 is configured to facilitate the extraction of information from the device on which the mobile app is running. In the simple example shown in FIG. 1, there are three devices running mobile app 112, namely smart phones 110 and 130 and laptop computer 120. In this example, the user of smartphone 110 is a legitimate user of app 112, while the users of laptop 120 and smartphone 130 are employing one or more malicious tools or applications to commit fraud. In the case of laptop 120, the user has installed a malicious spoofing tool 126 that allows laptop 120 to emulate or appear to be a smartphone. In the case of smartphone 130, malicious tool 136 can be installed to provide some other type of spoofing (e.g. email, caller ID, messaging, location) or some other malicious function. In some cases devices 120 and/or 130 can include a plurality of malicious tools or applications.
[0029] According to some embodiments, sets of data are collected from devices 110, 120 and 130 and transmitted via network 100 (e.g. the internet) to cyber protection company 160. Protection company 160 processes the sets of data and generates a corresponding set of outputs. Categories of data collected include both device hardware and software attributes, including but not limited to hardware, user interface, connectivity, network, sensor, media and graphics attributes. The outputs can be processed to produce actionable device intelligence in the form of malicious indicators, including but not limited to the presence of app cloners, network/location spoofers and various modification tools. An overall score can be derived through a weighted approach and assigned to the user device or user activity to indicate the level of risk associated with the device/activity.
[0030] According to some embodiments, the techniques for assessing the presence of malicious tools described herein can facilitate assessment of fraudulent activity. Following are some examples of types of such fraudulent activity: account takeover; fake registration; unauthorized e-wallet top-ups; fraudulent transfers; fraudulent payments; first purchase abuse; referral abuse; reward point abuse; merchant cashback abuse; peer-to-peer scams; fake seller ratings; flash sale abuse; promo abuse; withdrawal fraud; cash-out of stolen credits; money laundering; ad fraud; and credit application fraud.
[0031] According to some embodiments, following are examples of some malicious tool types that can be detected: app cloners; device masking tools; location spoofing tools; network spoofing tools; disposable email tools; and custom firmware.
[0032] According to some embodiments, the following are examples of how data can be collected for the malicious tools threat analysis: (1) collect information about system packages and user applications using one or more application programming interfaces (APIs) built in to the mobile device (e.g. via SDK 114 in mobile app 112); and (2) collect information about certain groups of malicious tools, including but not limited to app ID, app name, app tags, app descriptions and app vendor. Examples of the types of data collected include: (1) system packages and user applications; and (2) malicious tools available for users to download.

[0033] According to some embodiments, a database, collection or library of malicious tools and applications 162 is generated. Information about tools and apps is collected or “scraped” from on-line sources, including but not limited to application names, package identifiers, application tags, descriptions and vendors. The scraped information is evaluated for its potential for malicious usage. According to some embodiments, processing system 164 of protection company 160 uses one or more machine learning model(s). The machine learning model(s) use logistic regression and multinomial naive Bayes classifier(s) to identify new malicious tools based on names, descriptions, tags, permissions and more. The output is used for generating and updating the library of malicious tools and applications. When information is collected from a mobile device (or supposed mobile device) that is running the institution’s mobile app, the collected data can be compared with the current library. The comparison can include checks for exact matching as well as “fuzzy” matching and can include information on the user's installed packages and applications. According to some embodiments, library 162 includes a trained model comprised of features (e.g. vectors of coefficients and weightings) and procedures (logic) to identify the usage of malicious tools.
[0034] Based on the results of the comparisons with the current library 162, one or more malicious indicators 152 can be generated and transmitted to company 150. The malicious indicators 152 can be in the form of true/false flags to be incorporated into the approval process of a client’s platform. The indicators 152 can also include a weighted score to indicate the level of risk associated with the device/activity. The indicators 152 can also include a recommended risk decision to allow/block an activity based on predefined policies that cater to the business use cases of organization 150. According to some embodiments, the protection company 160 functionality can be part of the organization 150, and the two can be part of the same organization. Although servers are depicted in FIG. 1, in general the processing functionality can reside in one or more different physical locations.

[0035] FIG. 2 is a block diagram illustrating some aspects of an overall system for detecting and assessing malicious tools and applications on mobile devices, according to some embodiments. In this example, the user’s device 110 is a smart phone, such as an iOS or Android mobile device, and the organization is a merchant 150. The device 110 includes an app with an SDK (such as shown in FIG. 1) that provides for transfer of “device fingerprint” information 214 from the device 110 via iOS/Android APIs 212. Information 214 contains non-sensitive device information and passive biometrics. The information 214 is transmitted for real time algorithmic processing 224. Processing 224 includes a comparison of the information 214 with a library 162 of malicious tools and applications. In this case the library 162 includes two portions: device intelligence library and model 216 and pattern recognition library and model 236. The results of the real-time processing 224 include risk score / device intelligence 152 that provides merchant 150 with real-time risk analysis information on which it can make decisions.
As shown, the real-time processing 224 also takes inputs from transaction information 234 and from pattern recognition library and model 236. According to some embodiments, results of processing 224 are included in risk analysis component 220 as “historical data.” According to some embodiments, risk analysis component 220 includes machine learning and is configured to update, “retrain” and/or “tune” the device intelligence library and model 216 and the pattern recognition library and model 236, as shown. In this way the library 162 is continually updated with transaction information and user device information so that it remains up to date.

[0036] FIG. 3 is a block diagram illustrating some aspects of generating and updating a library of malicious tools on mobile devices, according to some embodiments. The blocks shown in FIG. 3 can take place at a remote autonomous risk intelligence platform, such as on the servers of a cyber protection company such as shown in FIG. 1. In block 310, automatic data collection or “scraping” is performed. According to some embodiments, the data collected or scraped can include application names, descriptions, etc. from online and other sources (e.g. databases, device fingerprints, online forums, public mobile application stores, repositories). In block 312, machine learning is conducted on the collected / scraped information to determine and then assign a series of labels or scores to each application. The scores can be for various categories such as: type of purpose, maliciousness, level of risk, etc. In block 314 a library of malicious tools and applications is generated, which corresponds to library 162 in FIGs. 1 and 2. The loop arrow indicates that the processes of automatically collecting / scraping and of machine-learning labelling are repeated (e.g. either continuously, frequently, or regularly), so that the library is kept up to date. Because the library is continuously updated, the risk-associated output can be produced relatively quickly and in real time.
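The library-maintenance step of paragraph [0033] and blocks 310 to 314 of FIG. 3, as an added illustration that is not the patent's or Cashshield's code: a multinomial naive Bayes classifier (one of the two model types named in [0033]) trained from scratch on a small constructed set of scraped app metadata, then used to decide which newly scraped entries are added to the library. The training rows, the scraped rows, their package ids and the 0.8 admission threshold are all made-up assumptions.

```python
import math
import re
from collections import Counter

# Constructed training corpus standing in for scraped app metadata (name, description,
# tags) with a maliciousness label; these entries are made up and are not the patent's library.
TRAINING = [
    ("Clone Master", "run multiple copies of one app with separate accounts", "clone multi-account", "malicious"),
    ("Fake GPS Go", "spoof your location and teleport anywhere on the map", "location spoof gps", "malicious"),
    ("Device ID Changer", "mask device identifiers and reset device fingerprint", "mask identifier root", "malicious"),
    ("Temp Inbox", "disposable email addresses that expire after use", "temporary email disposable", "malicious"),
    ("Calorie Counter", "track meals and daily calories with photo logging", "health food diet", "benign"),
    ("Pocket Weather", "hourly forecast and radar for your location", "weather forecast radar", "benign"),
    ("Budget Buddy", "plan monthly spending and track receipts", "finance budget receipts", "benign"),
    ("Note Keeper", "simple notes with cloud sync across devices", "notes sync productivity", "benign"),
]
LABELS = ("malicious", "benign")

# Constructed "freshly scraped" entries (package id, name, description, tags) from a later scrape run.
SCRAPED = [
    ("com.example.parallelspace", "Multi Parallel Space",
     "clone apps and run two accounts at once, spoof device id", "clone parallel multi-account"),
    ("com.example.recipebox", "Recipe Box", "save recipes and plan weekly meals", "food recipes meal"),
]


def tokenize(name, description, tags):
    """Merge the scraped text fields into lowercase word tokens."""
    return re.findall(r"[a-z0-9]+", f"{name} {description} {tags}".lower())


def train_nb(rows):
    """Multinomial naive Bayes (block 312): per-class document and token counts plus vocabulary size."""
    doc_counts = Counter()
    token_counts = {label: Counter() for label in LABELS}
    for name, description, tags, label in rows:
        doc_counts[label] += 1
        token_counts[label].update(tokenize(name, description, tags))
    vocab = set().union(*(counts.keys() for counts in token_counts.values()))
    return {"docs": doc_counts, "tokens": token_counts, "vocab_size": len(vocab),
            "total_docs": sum(doc_counts.values())}


def classify(model, name, description, tags):
    """Return the label and P(malicious) for one scraped entry, using Laplace-smoothed likelihoods."""
    tokens = tokenize(name, description, tags)
    log_scores = {}
    for label in LABELS:
        counts = model["tokens"][label]
        denominator = sum(counts.values()) + model["vocab_size"]  # add-one smoothing over the vocabulary
        score = math.log(model["docs"][label] / model["total_docs"])  # class prior
        for token in tokens:
            score += math.log((counts[token] + 1) / denominator)
        log_scores[label] = score
    # Log-sum-exp normalisation turns the two log scores into a posterior probability.
    top = max(log_scores.values())
    total = sum(math.exp(value - top) for value in log_scores.values())
    p_malicious = math.exp(log_scores["malicious"] - top) / total
    return {"label": "malicious" if p_malicious >= 0.5 else "benign", "p_malicious": p_malicious}


def update_library(model, library, scraped, threshold=0.8):
    """Block 314: add scraped entries scored above the threshold to the library, keyed by package id."""
    for package_id, name, description, tags in scraped:
        result = classify(model, name, description, tags)
        if result["p_malicious"] >= threshold:
            library[package_id] = {"name": name, "tags": tags, "score": round(result["p_malicious"], 3)}
    return library


if __name__ == "__main__":
    nb_model = train_nb(TRAINING)
    print(update_library(nb_model, {}, SCRAPED))
```

Rerunning `train_nb` on the corpus extended with the newly labelled rows is the loop arrow of FIG. 3.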
[0037] FIG. 4 is a block diagram illustrating some aspects of detecting and assessing malicious tools on mobile devices, according to some embodiments. In block 410, the mobile app on the device is configured with API(s) that allow for the collection and transmission of assessment information (e.g. the device fingerprint information 214 in FIG. 2) to an assessment platform (e.g. servers of a cyber protection company 160 shown in FIG. 1). In FIG. 1, this functionality is provided by SDK 114 within mobile app 112. Referring to block 412 of FIG. 4, the device information is extracted or collected. In block 414, the device information is compared with the current library of malicious tools and applications (e.g. library 162 in FIGs. 1 and 2). In block 416 the outputs are generated and sent to the client organization (e.g. organization 150 in FIG. 1). In block 418, information can be returned to the machine learning system. This corresponds to block 312 in FIG. 3, and allows for maintaining an up-to-date library. As mentioned, the repeated (e.g. continuous, frequent, or regular) updating of the library provides for real-time processing of threats, and in practice blocks 412, 414 and 416 can be carried out very quickly. According to some embodiments, blocks 414 and 416 can be carried out in less than one second. According to some further embodiments, blocks 414 and 416 can be carried out in less than one hundred milliseconds.
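Blocks 414 and 416 of FIG. 4 together with the indicator forms listed in [0034], as an added example that is not the patent's or Cashshield's code: a device package list is compared with a constructed stand-in for library 162 by exact package-id match and then by fuzzy display-name match, and the hits are turned into true/false flags per tool type, a weighted score and an allow/review/block decision. The library entries, package ids, risk weights, the 0.8 name-similarity threshold and the policy cut-offs are all made-up assumptions; difflib's ratio stands in for whatever fuzzy measure the platform uses.

```python
import difflib
import re

# Constructed stand-in for library 162: package ids, display names, tool types and
# risk weights are made up for illustration and are not the patent's library.
LIBRARY = {
    "com.example.clonemaster": {"name": "Clone Master", "category": "app_cloner", "weight": 0.6},
    "com.example.fakegps": {"name": "Fake GPS Go", "category": "location_spoofer", "weight": 0.5},
    "com.example.devidchanger": {"name": "Device ID Changer", "category": "device_masker", "weight": 0.7},
    "com.example.netspoof": {"name": "Net Spoofer", "category": "network_spoofer", "weight": 0.4},
}
CATEGORIES = ("app_cloner", "device_masker", "location_spoofer", "network_spoofer")

# Constructed package list as the SDK (block 412) might report it from one device.
DEVICE_REPORT = [
    {"package": "com.example.calc", "name": "Calculator Plus"},
    {"package": "com.example.clonemaster", "name": "Clone Master"},      # exact package-id hit
    {"package": "org.constructed.gpsfaker", "name": "Fake GPS Go Pro"},  # renamed build, name-only hit
    {"package": "com.example.weather", "name": "Pocket Weather"},
]


def normalize(name):
    """Lowercase and collapse punctuation so display names compare on their words only."""
    return " ".join(re.findall(r"[a-z0-9]+", name.lower()))


def fuzzy_match(name, threshold=0.8):
    """Best library entry whose display name resembles `name` (difflib ratio), or None."""
    norm = normalize(name)
    best, best_ratio = None, 0.0
    for package_id, entry in LIBRARY.items():
        ratio = difflib.SequenceMatcher(None, norm, normalize(entry["name"])).ratio()
        if ratio > best_ratio:
            best, best_ratio = package_id, ratio
    return (best, round(best_ratio, 2)) if best_ratio >= threshold else (None, round(best_ratio, 2))


def compare_with_library(installed):
    """Block 414: exact match on package id first, then fuzzy match on the app name."""
    matches = []
    for app in installed:
        if app["package"] in LIBRARY:
            matches.append({"package": app["package"], "match": "exact", "library_id": app["package"]})
            continue
        library_id, ratio = fuzzy_match(app["name"])
        if library_id is not None:
            matches.append({"package": app["package"], "match": f"fuzzy:{ratio}", "library_id": library_id})
    return matches


def generate_indicators(matches, block_at=0.7, review_at=0.3):
    """Block 416 / [0034]: true/false flags per tool type, a weighted score and a policy decision."""
    flags = {category: False for category in CATEGORIES}
    no_risk = 1.0
    for library_id in {m["library_id"] for m in matches}:  # count each library tool once
        entry = LIBRARY[library_id]
        flags[entry["category"]] = True
        no_risk *= 1.0 - entry["weight"]  # combine weights as independent risks, capped at 1.0
    score = round(1.0 - no_risk, 3)
    decision = "block" if score >= block_at else "review" if score >= review_at else "allow"
    return {"indicators": flags, "score": score, "decision": decision, "matches": matches}


def assess_device(installed):
    """Blocks 414 and 416 end to end for one device report."""
    return generate_indicators(compare_with_library(installed))


if __name__ == "__main__":
    print(assess_device(DEVICE_REPORT))
```

Both steps are pure in-memory dictionary lookups and short string comparisons, which is what makes the sub-second timing claimed for blocks 414 and 416 realistic once the library is already loaded.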
[0038] Although the foregoing has been described in some detail for purposes of clarity, it will be apparent that certain changes and modifications may be made without departing from the principles thereof. It should be noted that there are many alternative ways of implementing both the processes and apparatuses described herein. Accordingly, the present embodiments are to be considered as illustrative and not restrictive, and the body of work described herein is not to be limited to the details given herein, which may be modified within the scope and equivalents of the appended claims.

Claims

CLAIMS

What is claimed is:
1. A method for detecting in real-time the presence of malicious tools on a suspected device, the method comprising: receiving device information extracted from the suspected device; comparing said information extracted from the suspected device to a library of malicious tools; and generating in real-time one or more outputs indicating risk that malicious tools are associated with the suspected device, based at least in part on comparing the extracted information to said library, wherein said library of malicious tools is maintained by a method comprising: automatically collecting information associated with potentially malicious tools from online sources; performing machine learning on the automatically collected information to determine indicators of potential malicious usage associated with potentially malicious tools; updating said library based in part on said determined indications of maliciousness and attributes; and automatically repeating said collecting, performing and updating.
2. The method of claim 1, wherein the suspected device purports to be a mobile device.
3. The method of claim 1, wherein the received device information includes device fingerprinting information, information about system packages, user applications, and/or passive biometrics.
4. The method of claim 1, wherein the received device information is extracted using a software development kit included within a mobile app running on the suspected device.
5. The method of claim 1, wherein said malicious tools are of one or more types selected from a group consisting of: app cloners; device masking tools; location spoofing tools; network spoofing tools; disposable email tools; and custom firmware.
6. The method of claim 1, wherein said one or more outputs are configured to be processed to produce actionable device intelligence in the form of malicious indicators.
7. The method of claim 1, wherein said outputs include one or more of the following: a weighted score, a recommended action, and specific indicators of particular risk types.
8. The method of claim 1, wherein said comparison includes checks for exact matching as well as fuzzy matching.
9. The method of claim 1, wherein said malicious tools can be used for fraudulent purposes of one or more types selected from a group consisting of: account takeover; fake registration; unauthorized e-wallet top-ups; fraudulent transfers; fraudulent payments; first purchase abuse; referral abuse; reward point abuse; merchant cashback abuse; peer-to-peer scams; fake seller ratings; flash sale abuse; promo abuse; withdrawal fraud; cash-out of stolen credits; money laundering; ad fraud; credit application fraud; and platform abuse.
10. The method of claim 1, wherein said malicious tools can be used for fraudulent purposes of one or more types selected from a group consisting of: account takeover; fake registration; fraudulent transfer; fraudulent payment; reward point abuse; ad fraud; credit application fraud; and platform abuse.
11. The method of claim 1, wherein said comparing and said generating are performed in less than one second.
12. The method of claim 1, wherein said comparing and said generating are performed in less than one hundred milliseconds.
13. A method for maintaining a library of malicious tools comprising: automatically collecting information associated with potentially malicious tools from one or more online sources; performing machine learning on the automatically collected information to determine indicators of potential malicious usage associated with potentially malicious tools; updating said library based in part on said determined indications of maliciousness and attributes; and automatically repeating said collecting, performing and updating, wherein said library is configured to facilitate real-time detecting of the presence of malicious tools on a suspected device based at least in part on a comparison of information extracted from said suspected device and said library.
14. The method of claim 13, wherein said one or more online sources include one or more of the following types of sources: online forums, public mobile application stores, and public mobile application repositories.
15. The method of claim 13, wherein said automatically collecting information further includes automatically collecting information from one or more proprietary databases of device fingerprints from devices previously found to be associated with malicious activity.
16. The method of claim 13, wherein the automatically collected information includes information of one or more types selected from a group consisting of: application identification; application name; application tags; application descriptions, and application vendor.
17. The method of claim 13, wherein the machine learning can include one or more models that use logistic regression and/or multinomial naive Bayes classifiers.
18. A system for detecting the presence of malicious tools on a device, the system comprising: a mobile application running on a plurality of suspected devices, the mobile application configured to extract information from the suspected device relating to potential malicious tools and transmit said extracted information to a processing platform; and an autonomous risk assessment processing platform configured to receive said extracted information from said suspected devices and generate risk assessment outputs in real-time for immediate use by a third party having an interest in potential malicious activity associated with the suspected devices, wherein the risk assessment output generation is based at least in part on a comparison of the extracted information and a library of malicious tools.
19. The system of claim 18, wherein said library of malicious tools is configured to be maintained at least in part by: automatically collecting information associated with potentially malicious tools from one or more online sources; performing machine learning on the automatically collected information to determine indicators of potential malicious usage associated with potentially malicious tools; and updating said library based in part on said determined indications of maliciousness and attributes.
PCT/IB2020/058799 2019-09-21 2020-09-21 Detection of presence of malicious tools on mobile devices WO2021053646A1 (en)

Applications Claiming Priority (22)

Application Number Priority Date Filing Date Title
US201962903797P 2019-09-21 2019-09-21
US201962903796P 2019-09-21 2019-09-21
US201962903798P 2019-09-21 2019-09-21
US62/903,798 2019-09-21
US62/903,797 2019-09-21
US62/903,796 2019-09-21
US201962950007P 2019-12-18 2019-12-18
US201962949979P 2019-12-18 2019-12-18
US201962949816P 2019-12-18 2019-12-18
US201962949965P 2019-12-18 2019-12-18
US201962949993P 2019-12-18 2019-12-18
US201962949974P 2019-12-18 2019-12-18
US201962949987P 2019-12-18 2019-12-18
US201962949828P 2019-12-18 2019-12-18
US62/949,816 2019-12-18
US62/949,965 2019-12-18
US62/949,828 2019-12-18
US62/949,993 2019-12-18
US62/949,987 2019-12-18
US62/949,979 2019-12-18
US62/950,007 2019-12-18
US62/949,974 2019-12-18

Publications (1)

Publication Number Publication Date
WO2021053646A1 true WO2021053646A1 (en) 2021-03-25

Family

ID=72644524

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/IB2020/058799 WO2021053646A1 (en) 2019-09-21 2020-09-21 Detection of presence of malicious tools on mobile devices
PCT/IB2020/058801 WO2021053647A1 (en) 2019-09-21 2020-09-21 Detection of use of malicious tools on mobile devices

Family Applications After (1)

Application Number Title Priority Date Filing Date
PCT/IB2020/058801 WO2021053647A1 (en) 2019-09-21 2020-09-21 Detection of use of malicious tools on mobile devices

Country Status (1)

Country Link
WO (2) WO2021053646A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022071881A1 (en) 2020-09-29 2022-04-07 Cashshield Pte. Ltd. Continuous risk assessment for mobile devices
CN114996708A (en) * 2022-08-08 2022-09-02 中国信息通信研究院 Method and device for studying and judging fraud-related mobile phone application, electronic equipment and storage medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117795379A (en) * 2021-08-04 2024-03-29 格步计程车控股私人有限公司 Apparatus and method for determining location-based counterfeiting applications

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012075336A1 (en) * 2010-12-01 2012-06-07 Sourcefire, Inc. Detecting malicious software through contextual convictions, generic signatures and machine learning techniques
US20140215621A1 (en) * 2013-01-25 2014-07-31 REMTCS Inc. System, method, and apparatus for providing network security
US20150039513A1 (en) * 2014-02-14 2015-02-05 Brighterion, Inc. User device profiling in transaction authentications
US20190109868A1 (en) * 2015-08-31 2019-04-11 Splunk Inc. Method and System for Generating An Interactive Kill Chain View for Training A Machine Learning Model for Identifying Threats

Also Published As

Publication number Publication date
WO2021053647A1 (en) 2021-03-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20780366

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20780366

Country of ref document: EP

Kind code of ref document: A1