Yesterday at the RSA Conference in San Francisco, a researcher presented a new way to detect malware on mobile devices. He says it can catch even unknown pests and can protect a device without draining its battery or taking up too much processing power.
Experts agree that malware is coming to smart phones, and researchers have begun to identify ways to protect devices from malicious software. But traditional ways of protecting desktops against threats don’t translate well to smart phones, says Markus Jakobsson, a principal scientist at Xerox PARC and the person behind the new malware detection technology. He is also the founder of FatSkunk, which will market malware-detection software based on the research.
Most antivirus software works behind the scenes, comparing new files to an enormous library of virus signatures. Mobile devices lack the processing power to scan for large numbers of signatures, Jakobsson says. Continual scanning also drains batteries. His approach relies on having a central server monitor a device’s memory for signs that it’s been infected, rather than looking for specific software.
Devices have two types of memory: random-access memory (RAM), used by active programs, and secondary storage, which takes longer to access and generally holds data not currently in use. Jakobsson’s system would check a device by first shutting off nonvital applications, such as an e-mail app or a browser. At that point, nothing should be running except the detection software and the operating system itself. At the RSA conference he demonstrated the software on a device running the Android mobile operating system.
If malware is present and active, it needs some RAM in which to execute instructions on the device. So the central server contacts the detection software and checks whether malware is occupying RAM by measuring how much memory is actually free. It does this by completely filling the remaining memory space with random data and comparing the amount of data that fits against a fingerprint of the memory that was taken when the device was known to be malware-free.
At this point, any malware running in the open would be revealed. The malware could try to hide its presence by allowing the random data to overwrite it in RAM, Jakobsson says, but this would prevent it from taking any further action. And if it tries to hide by accessing data in the device’s secondary storage, this would slow the device’s response to the central server, revealing the presence of malware.
Once a device passes this check, Jakobsson says, the system can be certain that no malware programs are actively running. It can then safely scan secondary storage in search of dormant malware. Jakobsson explains that the system isn’t designed to prevent malware from getting onto the device; it is designed only to find malware once it is there. Rather than scanning constantly, as antivirus software typically does, his system could scan before a device performs a sensitive transaction or at predetermined intervals. It could also function as a backup security system for traditional antivirus.
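The check described above, as an added simulation that is not Jakobsson’s or FatSkunk’s code: a toy device with a known-good resident image fills its free RAM with a verifier-seeded pseudorandom stream and returns a hash plus a simulated time cost, and the verifier recomputes the expected image from its own fingerprint. RAM size, image contents, tick costs and the time budget are constructed values chosen to illustrate the two evasion outcomes the article describes (staying resident changes the hash; hiding in secondary storage blows the time budget).

```python
import hashlib

RAM_SIZE = 4096                    # constructed toy RAM size in bytes
OS_IMAGE = b"\x7fOS!" * 256        # constructed 1 KiB known-good resident image (OS + checker)
FREE_START = len(OS_IMAGE)         # everything past the image must be free after the purge
TICKS_PER_BYTE = 1                 # simulated cost of writing one byte of RAM
STORAGE_PENALTY = 50_000           # simulated cost of one round trip to secondary storage
TIME_BUDGET = (RAM_SIZE - FREE_START) * TICKS_PER_BYTE + 500   # honest fill plus slack

def fill_stream(seed: bytes, n: int) -> bytes:
    """Seeded filler (SHA-256 hash chain): the device cannot precompute it before the seed arrives."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def device_attest(seed: bytes, malware: bytes = b"", strategy: str = "none"):
    """Device side of the check. `malware` is a constructed payload still present after the purge;
    strategy 'resident' keeps it pinned in RAM (the fill skips it), 'swap' writes it out to
    storage so the fill completes, then pays the latency of reading it back.
    Returns (sha256 digest of RAM, simulated ticks spent)."""
    ram = bytearray(RAM_SIZE)
    ram[:FREE_START] = OS_IMAGE
    filler = fill_stream(seed, RAM_SIZE - FREE_START)
    ticks = 0
    if malware and strategy == "resident":
        keep = RAM_SIZE - len(malware)          # malware occupies the tail of RAM
        ram[keep:] = malware
        ram[FREE_START:keep] = filler[:keep - FREE_START]
        ticks += (keep - FREE_START) * TICKS_PER_BYTE
    else:
        ram[FREE_START:] = filler               # honest device, or malware that swapped itself out
        ticks += len(filler) * TICKS_PER_BYTE
        if malware and strategy == "swap":
            ticks += STORAGE_PENALTY            # reloading from flash slows the response
    return hashlib.sha256(bytes(ram)).digest(), ticks

def verifier_check(seed: bytes, digest: bytes, ticks: int) -> str:
    """Server side: rebuild the expected RAM image from the known-good fingerprint and the seed,
    then apply both tests the article describes: content match and response time."""
    expected = hashlib.sha256(OS_IMAGE + fill_stream(seed, RAM_SIZE - FREE_START)).digest()
    if digest != expected:
        return "infected: RAM contents differ from the known-good fill"
    if ticks > TIME_BUDGET:
        return "infected: response too slow (secondary-storage access suspected)"
    return "clean"
```

In a real deployment the verifier would draw a fresh seed per check and measure wall-clock latency over the network, which is where the slack in the time budget has to be calibrated carefully.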
“This technique is certainly designed by well-recognized researchers of the community and it is clear that it’s the result of a lot of work,” says Aurélien Francillon, a researcher in the system security group at the Swiss Federal Institute of Technology in Zurich, who studies malware detection schemes. But careful analysis will need to be done to thoroughly evaluate the method, he says.