US008732827B1

(12) United States Patent
Zhukov et al.

(10) Patent No.: US 8,732,827 B1
(45) Date of Patent: *May 20, 2014

(54) SMARTPHONE SECURITY SYSTEM
(71) Applicants: Igor Zhukov, Moscow (RU); Alexander Zuykov, Moscow (RU); Dmitry Mikhailov, Moscow (RU)
(72) Inventors: Igor Zhukov, Moscow (RU); Alexander Zuykov, Moscow (RU); Dmitry Mikhailov, Moscow (RU)
(73) Assignee: Novilab Mobile, LLC, Moscow (RU)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days. This patent is subject to a terminal disclaimer.
(21) Appl. No.: 13/757,898
(22) Filed: Feb. 4, 2013

Related U.S. Application Data
(63) Continuation of application No. 13/563,769, filed on Aug. 1, 2012, now Pat. No. 8,387,141.
(60) Provisional application No. 61/539,740, filed on Sep. 27, 2011.

(51) Int. Cl.
H04L 29/06 (2006.01)
(52) U.S. Cl.
USPC 726/22
(58) Field of Classification Search
USPC 726/22
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

7,162,715 B1 *      1/2007   Whittaker et al.   717/127
8,572,184 B1 *     10/2013   Cosoi              709/206
2005/0170827 A1 *   8/2005   Nagashima          455/419
2005/0278620 A1 *  12/2005   Baldwin et al.     715/513
2006/0161985 A1     7/2006   Zhao               726/24
2007/0283438 A1 *  12/2007   Fries et al.       726/24
2011/0047620 A1 *   2/2011   Mahaffey et al.    726/23
* cited by examiner

Primary Examiner: Michael S McNally
(74) Attorney, Agent, or Firm: Bardmesser Law Group

(57) ABSTRACT

System for protecting a mobile device against malware or harmful communications via calls and SMSs. A security module for a personal mobile device protects the device (and the user) against malicious communication, unauthorized access to resources and user private data, and against other security threats. The security module includes a combination of some or all of the following features: control of third-party applications, validation of the SMS sender's number, protection against fake contact name of the SMS sender, collection of data about fraudulent and spam SMS messages, robust sending of SOS SMSs and SOS e-mails with geographic coordinates of the mobile device, verification of validity of the base station, deletion of user data from a mobile device remotely, locking of a phone until the password is entered and filtering calls and SMS messages.

29 Claims, 15 Drawing Sheets

[Front-page drawing: block diagram of the security system. Legible block labels: Anti-SPAM; Control Module (external app.); Check Incoming SMS; Protection from Eavesdropping; Control camera and microphone; Hiding Contacts; Delete SMS, contacts and logs and save them locally; Block calls from hidden contacts; Block SMS from hidden contacts; Save and Update Policies; Install Control Application; Check Base Stations; Protector for Un-Authorized sending of SMS; File manager; File Encryption; Main Application Modules; Search of Commands within incoming SMS; Anti-Theft; SOS Button; Check SIM card against Whitelist; Coordinates.]

ironSource Exhibit 1013

U.S. Patent    May 20, 2014    Sheet 1 of 15    US 8,732,827 B1

[Sheet 1 of 15: drawing; no text recoverable.]

[Sheet 2 of 15: drawing; text not recoverable.]

[Sheet 3 of 15: drawing; text not recoverable.]

[Sheet 4 of 15: FIG. 4, flowchart (reference numerals 401-421). Legible labels: Incoming SMS; Set Configuration, log review; Number is in Suspect List?; Number is in Contacts; Black or White List is Activated; In Black List?; Is in Trusted List?; Check Sender Authenticity; Malware Check; Detected?; From Hidden Contact?; Block SMS, Write data into Log; Send message to Hidden Utility; Generate Notification, Allow SMS through all Receivers and Save SMS into Own DB; End.]

[Sheet 5 of 15: drawing; text not recoverable.]

[Sheet 6 of 15: drawing; text not recoverable.]

[Sheet 7 of 15: flowchart (reference numerals 701, 703, 707). Legible labels: Receive List of Neighbor Base Stations (BS); List of Neighbor BS is Empty?; Current BS is Found in DB?; Calculate Distance Between Current BS and Neighboring BSs (using Coordinates from DB); Distance is Greater than 10K (label cut off); All Stations have Proportional Level of Signal Change; Notify that User is Found Under Virtual Cell.]

[Sheet 8 of 15: drawing; text not recoverable.]

[Sheet 9 of 15: drawing; text not recoverable.]

[Sheet 10 of 15: FIG. 10, flowchart (reference numerals 1001-1027). Legible labels: Initial Action; Incoming SMS; User Opens Anti-Theft; Change Configuration, use White List, SIM, etc.; Add SIM card to White List; White List?; User Data Deletion Command; Delete User Data; Device Block Command?; Block Device; Blocking Function; Device Location Command?; Device Location Sending is ON?; Send Device Location; Raise Flag "Command found"; Flag "Command found" is Raised; Block Message From Penetration into System; End.]

[Sheet 11 of 15: FIG. 11, flowchart (reference numerals 1111-1125). Legible labels: Initial Action; User presses SOS button; User opens SOS or adds widgets; Change Number List and Initial Text; Send Initial Text; Notification of Sending Error; Turn on Coordinates Waiting; New Coordinates Received; Waiting time out; More Accurate Coordinates have been Sent?; Send Coordinates; End.]

[Sheet 12 of 15: drawing; text not recoverable.]

[Sheet 13 of 15: FIG. 13, block diagram. Legible labels: Operating System Instructions; Communication Instructions; GUI Instructions; Camera Instructions; Other Software Instructions; Memory Interface; Peripherals Interface; Processor(s); Other Sensor(s); Light Sensor; Camera Subsystem; Wireless Communication Subsystem(s); I/O Subsystem; Touch-Screen Controller; Other Input Controller(s); Touch Screen; Other Input/Control Devices.]

[Sheet 14 of 15: FIG. 14, flowchart (reference numerals 1401-1403 legible). Legible labels: Get GPS coordinates; Get current signal strength; Previous data already saved?; Save data as 'previous'; Save data as current; Distance (comparison operator illegible) 500m?; Signal strength changed by >15dB?; Inform user that he is connected to a virtual BS; Save current data as 'previous', zero out current data.]

[Sheet 15 of 15: flowchart (reference numerals 1502-1506 legible). Legible labels: LAC of current BS changed; Low risk. Remaining labels not recoverable.]

SMARTPHONE SECURITY SYSTEM

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 13/563,769, filed on Aug. 1, 2012, which is a non-provisional of U.S. Patent Application No. 61/539,740, filed on Sep. 27, 2011, which is incorporated by reference herein in its entirety.

BACKGROUND OF THE INVENTION

1. Field of Invention

The present invention relates to telecommunication technology, and, more particularly, to protection of a mobile communication device against malware or harmful communications.

2. Background Art

Various anti-virus and security software is available today for protecting networks, servers and personal computers against at least some forms of malicious applications and malware.

However, mobile devices, such as smartphones, are also susceptible to malicious software. Modern smartphones access the Internet and perform a wide range of functions and, therefore, there is a wide range of possible types of attack by malware or other forms of malicious communications that can be launched against a mobile device.

For example, short messages can be sent from the victim's phone to paid numbers (i.e., Short Message Service), the victim can be signed up for a paid service by having an SMS sent from his number, the victim's personal data (i.e., contacts, messages, call logs, etc.) can be obtained and given to spammers, the victim's location can be obtained as well. Additionally, photo and video recording can be performed using the victim's phone.

Currently, personal mobile devices are not sufficiently protected. Accordingly, there is a need for effective protection of users of smartphones (or other personal mobile devices) against malware or other malicious attacks occurring on-line or via call (or SMS) communications.

SUMMARY OF THE INVENTION

The present invention is directed to a method and system for protection of a mobile device against malware or harmful communications that substantially obviates one or several of the disadvantages of the related art.

In one aspect, there is provided a system, method and computer program product for protecting a mobile device against malware or harmful communications via calls and SMSs. According to an exemplary embodiment, a security module for a personal mobile device protects the device (and the user) against malicious communication, unauthorized access to resources and private data, as well as against other security threats.

The security software includes a combination of one or more of the following features:

Control of third-party applications by re-assembling them, embedding custom code into them, and replacing calls of controlled functions by shell method calls;

Validation of the SMS sender's number by verifying that the sender's specified number and the SMSC (Short Message Service Center) number specified in the message's Protocol Description Unit (PDU) belong to the same Mobile Network Code (MNC);

Validation of the SMS sender's number by verifying it against Type of Number (TON) with a false number notification, if the number is an alphanumeric string with a correct phone number recorded in it;

Protection against fake contact name of the SMS sender by verifying if the sender's alphanumeric address is the same as the displayed name in all transliteration variants (the display name field in the contacts content provider) and in all word subsets in the name;

Collection of data about fraudulent and spam SMS messages by enabling users to complain about unwanted messages using the software installed on the mobile device (i.e., mobile phone or smartphone);

Robust and simple sending of SOS SMSs and e-mails with a pre-set text and sending the geographic coordinates of the mobile device;

Verification of the validity of the base station (BS) the subscriber is connected to by searching coordinates of the current and adjacent base stations in the database, and comparing their locations and a certain maximum distance from each other;

Validation of the base station the subscriber is connected to by proportion of the signal level change for the current and nearby base stations;

Validation of the base station the subscriber is connected to, if Mobile Country Code (MCC) or MNC of the BS change, while the subscriber has not crossed a country border (in case of MCC), or has not changed service provider (if MNC has changed);

Identification of a fake BS the subscriber is connected to, by a long BS handover when the subscriber is moving;

An automatic update of the BS database with new BS and update of previous coordinates by collecting statistics of the identified BS by user mobile devices and by adding a new BS, if it is identified several times by a certain number of different users;

Deletion of user data from a mobile device by: using the device administrator's Application Programming Interface (API) and by direct deletion of data from all available content providers;

Locking of a phone until the password is entered by: setting the password to unlock the device when switching the screen on, and by interception of all user key touches or a special activity;

Execution of certain actions when an SMS message with preset commands is received and hiding this message from the user;

Detection of the device being used by a person other than the device's owner, when a Subscriber Identification Module (SIM) card that is not the user's SIM card is inserted into the device;

Detection of entry of information about the user's SIM cards by advising the program that a new trusted card is going to be inserted;

Detection of other applications' use (or access) of the device's functions by attempting to use these functions resulting in their immediate release and processing situations when the system rejects the request;

Detection of encryption between the phone and the base station by querying the baseband processor using the respective AT (attention) command(s) (the Hayes command set) when an incoming or outgoing call is initiated to warn the phone operation system (e.g., Android OS) user that no encryption is being used;

Protection against SMS eavesdropping by third party programs by registration of the new message respective AT command from the baseband processor followed by waiting for the respective SMS at the system applications operation level;

Filtering calls and SMS messages by filtering the respective AT commands from the baseband processor;

Checking current status of the microphone and baseband processor to detect an unauthorized operation by means of external controlling commands and notification of the user about hidden audio transmission; and

Protection against time manipulation by the user in order to extend the activation period by comparing the current system time, the end of the license term and Service Center Time Stamp (TP-SCTS) field value in the latest received SMS.

Additional features and advantages of the invention will be set forth in the description that follows. Yet further features and advantages will be apparent to a person skilled in the art based on the description set forth herein or may be learned by practice of the invention.

The advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention as claimed.

BRIEF DESCRIPTION OF THE ATTACHED DRAWINGS

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention.

In the drawings:

FIG. 1 illustrates a security system architecture, in accordance with the exemplary embodiment;

FIG. 2 illustrates a mobile device security system flow chart, in accordance with the exemplary embodiment;

FIG. 3 illustrates sequential activation and launch of the security modules from the perspective of a user's entry point into the security system, in accordance with the exemplary embodiment;

FIG. 4 illustrates security processing of incoming SMS using sender address and number, in accordance with the exemplary embodiment;

FIG. 5 illustrates implementation of AV application, in accordance with the exemplary embodiment;

FIG. 6 illustrates security processing of incoming SMSs and calls, in accordance with the exemplary embodiment;

FIG. 7 illustrates a flowchart for identification of a fake base station (BS), in accordance with the exemplary embodiment;

FIG. 8 illustrates security handling of SMSs in accordance with the exemplary embodiment;

FIG. 9 illustrates a flow chart of detection of encryption/decryption;

FIG. 10 illustrates a flow chart of security processing of the phone in accordance with the exemplary embodiment;

FIG. 11 illustrates a flow chart of a SOS button implementation, in accordance with the exemplary embodiment;

FIG. 12 is a block diagram of an exemplary mobile device that can be used in the invention;

FIG. 13 is a block diagram of an exemplary implementation of the mobile device;

FIGS. 14-15 illustrate detection of a virtual Base Station.

DETAILED DESCRIPTION OF THE INVENTION

Reference will now be made in detail to the embodiments of the present invention, examples of which are illustrated in the accompanying drawings.

According to the exemplary embodiment, there is provided a system, method and computer program product for protecting a personal mobile device (i.e., such as, for example, a "smartphone" available to consumers).

Mobile devices are vulnerable to a number of security threats, some of which are particular to smartphones that are connected to the Internet. According to the exemplary embodiment, the security system (applications) guards the mobile phone from all of the various threats by the security features illustrated in FIG. 1.

According to the exemplary embodiment, the mobile device security system includes an anti-spam module 101, an antivirus (AV) module 102, an eavesdropping protection module 103, a contact hiding module 104, a main security module 105, an encryption module 106, an anti-theft module 107, and an SOS button utility 108.

The main security module 105 activates all the other modules using an activation component 125 and updates modules using an updating component 124. The anti-spam module includes a component 109 for checking incoming SMSs and a database 110 for storing the SMSs. The AV module 102 includes a policy component 113 for saving and updating the policies/rules and a utility 114 for installation of control over user applications that provides its service to component 117 that monitors use of camera and microphone. The policy component 113 receives updates from one or more external modules 111 and 112 (and others as needed).

The eavesdropping protection module 103 can include a utility 120 for protection against unauthorized SMSs. The utility 120 is connected with a module 119 for building custom functionality into a rild (Radio Interface Layer Daemon) level. Additionally, the eavesdropping protection module 103 has the component 117 that monitors camera and microphone use and a module 115 for checking BSs against a local database 116, and any other algorithms (such as heuristics) for checking for fake BSs.

According to the exemplary embodiment, the mobile device protection system also includes a module 104 for hiding contacts. A component 123 blocks SMSs from hidden contacts and a component 121 blocks calls from hidden contacts. A component 122 deletes SMSs, contacts and call logs and saves them locally.

The mobile device protection system includes the encryption module 106 that has a file manager 126 in communication with an encryption component 127. The anti-theft module 127 includes a component 128 for detecting commands within incoming SMSs and a component 129 for checking a SIM card against a whitelist. Additionally, it has a component 130 for sending SMS with coordinates of the mobile device (which are sent to a previously defined number that the user can access in the event his phone is lost or stolen), a component 131 for blocking (password-protecting) the mobile device and a component 132 for discarding all user data.

The mobile device protection system also includes a SOS button utility 108. The utility 108 has a widget 135, a component 133 for sending an emergency SMS and a component 134 for receiving coordinates. The widget initiates sending the SMS and receiving of the coordinates; the coordinates are sent by SMS. The functionality of the modules and components depicted in FIG. 1 is described in detail below. Note that the SMS component interfaces with the anti-eavesdropping module in a one-directional manner: SMSs sent by the SMS component are verified by the anti-eavesdropping component.

FIG. 2 illustrates a mobile device security system flowchart, in accordance with the exemplary embodiment. The process checks if a security module is activated in step 201. If the module is not activated, a user activates the module in step 202. The module activation activity is displayed in step 203. Then, the process checks if the security module is activated in step 204. If the module is activated in step 204, the process checks if the module is launched in step 210. Otherwise, the process goes to step 215, where it waits for the next event.

If, in step 201, the security module is activated, then the module is launched in step 210. Once the security module is launched, it activates a main application 213, an anti-spam module 212, an AV module 211, a protection from eavesdropping module 209, a contact hiding module 208, an encryption module 207, an anti-theft module 206 or an SOS button utility 205. All of the above modules process an incoming message and wait for the next message in step 215. If the application is launched again, the process starts from step 201. Otherwise (i.e. if the application is uninstalled or the mobile device is turned off) the process ends in step 216.

FIG. 3 illustrates a (possibly) sequential activation of the security modules (i.e., the modules wait to be activated/launched), in accordance with the exemplary embodiment. The process starts in step 310 and user action is checked in step 320. If this user action requires launch of a security module, step 325 is executed. The process checks if the appropriate security module is installed in step 330. If the module is not installed, the system installs the module in step 335. If the security module is installed, the process checks if the module is activated in step 340.

If the module is activated, the process launches the module in step 350 and goes to another user action in step 320. Otherwise, the process activates the module in step 345. If the user action, in step 320, does not require a security module, the process ends in step 360.

According to the exemplary embodiment, the following security features are implemented.

1. Protection Against Date Manipulation.

The security application is activated for a certain time period. Therefore, it should be protected against system fraud by date manipulation in the phone's built-in clock. To ensure such protection, reliable information about the current time is supplied from a source that cannot be manipulated by the user. According to the exemplary embodiment, the application uses time stamps that SMS centers add to all messages (TP-SCTS field in PDU).

Once each incoming message has been received, the application saves its time stamp for future verifications. When activation is verified, the latest system time and date saved (or the maximum of these timestamps) are compared and their maximum is accepted as the current time. Apart from the SMS, every server communication session is used to update the current time. The server adds current time to each response during activation, update, etc.

The system of the exemplary embodiment includes protection against time manipulation by the user in order to extend the activation period by comparing the current system time, end of the license term and TP-SCTS field value in the latest received SMS.
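
The check described in this section, sketched as an added Python example (not code from the patent): it decodes the 7-octet TP-SCTS field (semi-octet-swapped BCD, time zone in quarter-hours) and takes the maximum of the system clock and the latest saved stamp as the current time. The class and function names, the 20YY year mapping and the sample octets are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def _digits(octet: int) -> int:
    """Decode one semi-octet-swapped BCD octet (low nibble = tens digit)."""
    tens, units = octet & 0x0F, octet >> 4
    if tens > 9 or units > 9:
        raise ValueError(f"invalid BCD octet 0x{octet:02x}")
    return tens * 10 + units


def decode_scts(field: bytes) -> datetime:
    """Decode the 7-octet TP-SCTS field into an aware UTC datetime."""
    if len(field) != 7:
        raise ValueError("TP-SCTS must be exactly 7 octets")
    yy, mo, dd, hh, mi, ss = (_digits(b) for b in field[:6])
    tz = field[6]
    # Bit 3 of the time-zone octet is the sign; the rest is BCD quarter-hours.
    quarters = _digits(tz & 0xF7)
    sign = -1 if tz & 0x08 else 1
    offset = timezone(sign * timedelta(minutes=15 * quarters))
    # Assumption: two-digit years are mapped to 20YY.
    local = datetime(2000 + yy, mo, dd, hh, mi, ss, tzinfo=offset)
    return local.astimezone(timezone.utc)


class TrustedClock:
    """Keeps the latest time stamp seen from sources the user cannot edit."""

    def __init__(self):
        self._latest = None

    def observe(self, stamp: datetime) -> None:
        """Record a stamp from an SMS center or a server response."""
        if stamp.tzinfo is None:
            raise ValueError("time stamps must be timezone-aware")
        if self._latest is None or stamp > self._latest:
            self._latest = stamp

    def observe_sms(self, scts_field: bytes) -> None:
        self.observe(decode_scts(scts_field))

    def now(self, system_time: datetime) -> datetime:
        """Maximum of the system clock and the latest saved stamp."""
        if self._latest is None:
            return system_time
        return max(system_time, self._latest)

    def license_active(self, system_time: datetime, license_end: datetime) -> bool:
        return self.now(system_time) < license_end


# Constructed sample: 2012-08-01 12:30:45 at UTC+03:00 (12 quarter-hours).
SAMPLE_SCTS = bytes.fromhex("21801021035421")
# Same local time with the sign bit set: UTC-03:00.
SAMPLE_SCTS_WEST = bytes.fromhex("21801021035429")

if __name__ == "__main__":
    utc = timezone.utc
    clock = TrustedClock()
    rolled_back = datetime(2012, 7, 1, tzinfo=utc)   # user set the clock back
    license_end = datetime(2012, 7, 15, tzinfo=utc)
    print("before SMS:", clock.license_active(rolled_back, license_end))
    clock.observe_sms(SAMPLE_SCTS)
    print("after SMS: ", clock.license_active(rolled_back, license_end))
```

A clock that is rolled back no longer extends the license once any later SMS or server stamp has been recorded; a device that receives neither still depends on the system clock alone.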

2. Anti-Virus (AV) Operation.

The main AV operation principle is based on embedding of AV control code into the controlled applications. All potentially dangerous methods are wrapped into shell methods, which request AV policies with respect to the performed actions and call (or do not call) the target method based on these policies. The shell (wrapper) methods do not only call the particular methods, but also perform other security functions.

Note that the data may not be sent to the AV. The AV displays a notification to the user and adds it to a log record. According to the exemplary embodiment, the policies are user permissions to perform certain actions with a particular application. User actions can be: allow, notify, block, or notify and block.

Control is established as follows. First, the .apk file (i.e., a Zip archive, or an installation distributive file, or installation package) from the target application is decompressed. The .apk file is an installation file for Android. The .apk file contains executable code, resources (images, locations, etc.) and other application files. All Android applications are distributed and stored in .apk format.

A number of files can appear; however, the protection system is interested in two: classes.dex, which contains the application's executable code, and AndroidManifest.xml, which contains information about the application's components, required permissions, etc. Note that the exemplary embodiment is primarily targeted for Android OS, although other OSes are also within the scope of the invention.

The byte code of the classes.dex file is disassembled into the component classes, methods, members, etc., and a class with shell methods is added to it. Additionally, an auxiliary class is added to obtain the application's context (the AndroidManifest.xml file is modified accordingly). The context is a programmable object that is used for accessing the Android environment, for example, for communication between applications.

Then, all calls of potentially dangerous methods are found in the disassembled code of the classes. They are then replaced by calls of shell methods with the same parameters and types of returned values. Subsequently, the *.apk file is assembled again and signed with a newly generated signature that is unique for each application. Note that code obfuscation does not affect the exemplary system. In Java, only the names of user (custom) classes and methods (i.e. those not belonging to any library, framework, etc.) can be obfuscated, because framework classes can be only called by their real names. Then, the file is installed again. The initial *.apk file is backed up in case a restoration is needed.

According to the exemplary embodiment, the system controls third-party applications by re-assembling them, embedding custom code, and replacing calls of controlled functions by shell method calls. The custom code can request AV policies, request application context, process calls, generate error detection codes, etc.

FIG. 5 illustrates implementation of the AV application as described above. The process initiates at an entry point 501, where a user opens an AV application, or a method from a shell (wrapper) is called from the application. In the first case, user action is analyzed in step 507. If the user initiates application control, then the archived application is unpacked in step 508. The process embeds proprietary elements into AndroidManifest in step 510. The proprietary classes are added and the existing methods are substituted by proprietary methods in step 511. Subsequently, the process packs and installs the application in step 512. Then, the process moves to another user action in step 507.

If the user executes another action in step 507, the settings and policies are changed, and the log is reviewed in step 509. If the method from the wrapper class is called in step 501, the AV application policy is applied in step 502. In step 503 the process determines the policy. The policy can be any of: block the action and end the process in step 515; allow and call a target function in step 506; notify the AV application about the action in step 505; or notify the AV about the blocked action and suggest an option for a policy change based on the blocked action in step 504. Typically, there are four policies: Allow, Notify, Block and Notify, and Block. Here, the policy at issue is Notify and Block, where the intended action is not permitted, and the user is shown a window with a notification regarding the attempt. The user can select whether he wants to be notified of future attempts, and/or whether he permits such actions in the future by this application. Subsequently, the process ends in step 515.
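
The policy dispatch of steps 502-506 and 515, as an added Python sketch (not the patent's Android implementation): a shell method keeps the target's parameters and return value, looks up the per-application policy, and calls or withholds the target. The class names, the exception type, the Notify-and-Block default and the sample application and number are assumptions constructed for illustration.

```python
import functools
from enum import Enum


class Policy(Enum):
    ALLOW = "allow"
    NOTIFY = "notify"
    BLOCK = "block"
    NOTIFY_AND_BLOCK = "notify and block"


class BlockedByPolicy(PermissionError):
    """Raised in place of the target call (hypothetical error type)."""


class AvPolicyEngine:
    """Holds per-application policies, the log record and user notifications."""

    def __init__(self, default=Policy.NOTIFY_AND_BLOCK):
        # Assumption: actions without an explicit rule are notified and blocked.
        self.default = default
        self.rules = {}           # (app, action) -> Policy
        self.log = []             # (app, action, policy name, decision)
        self.notifications = []   # text shown to the user

    def set_policy(self, app, action, policy):
        self.rules[(app, action)] = policy

    def decide(self, app, action):
        return self.rules.get((app, action), self.default)

    def shell(self, app, action):
        """Build a shell method with the target's own signature."""
        def wrap(target):
            @functools.wraps(target)
            def shell_method(*args, **kwargs):
                policy = self.decide(app, action)             # steps 502-503
                blocked = policy in (Policy.BLOCK, Policy.NOTIFY_AND_BLOCK)
                # Only metadata is logged; call arguments never reach the AV.
                self.log.append((app, action, policy.name,
                                 "blocked" if blocked else "called"))
                if policy in (Policy.NOTIFY, Policy.NOTIFY_AND_BLOCK):
                    verb = "was blocked from" if blocked else "performed"
                    self.notifications.append(f"{app} {verb} {action}")
                if blocked:                                   # steps 504, 515
                    raise BlockedByPolicy(f"{action} denied for {app}")
                return target(*args, **kwargs)                # step 506
            return shell_method
        return wrap


def run_demo():
    """Apply each of the four policies to one wrapped, constructed method."""
    engine = AvPolicyEngine()
    sent = []
    app = "com.example.flashlight"          # constructed application name

    @engine.shell(app=app, action="send_sms")
    def send_sms(number, text):
        sent.append((number, text))
        return True

    outcomes = []
    for policy in Policy:
        engine.set_policy(app, "send_sms", policy)
        try:
            send_sms("+70000000000", "constructed test message")
            outcomes.append((policy, "called"))
        except BlockedByPolicy:
            outcomes.append((policy, "blocked"))
    return outcomes, sent, engine


if __name__ == "__main__":
    for policy, outcome in run_demo()[0]:
        print(f"{policy.value:17s} -> {outcome}")
```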

3. Verifying Validity of SMS Sender Number.

Sender number validation is a function of an anti-spam module, in accordance with the exemplary embodiment. The anti-spam protects the user from many threats, which may result from thi
