Malware infection of computers and computer systems is a growing problem. There have been many high profile examples where computer malware has spread rapidly around the world causing many millions of pounds worth of damage in terms of lost data and lost working time.
Malware is often spread using a computer virus. Early viruses were spread by the copying of infected electronic files onto floppy disks, and the transfer of the electronic file from the disk onto a previously uninfected computer. When the user tries to open the infected electronic file, the malware is triggered and the computer infected. More recently, viruses have been spread via the Internet, for example using e-mail. It is also known for viruses to be spread by the wireless transmission of data, for example by communications between mobile communication devices using a cellular telephone network.
Various anti-virus applications are available on the market today. These tend to work by maintaining a database of signatures or fingerprints for known viruses and malware. With a “real time” scanning application, when a user tries to perform an operation on a file, e.g. open, save, or copy, the request is redirected to the anti-virus application. If the application has no existing record of the electronic file, the electronic file is scanned for known virus or malware signatures. If a virus or malware is identified in a file, the anti-virus application reports this to the user, for example by displaying a message in a pop-up window. The anti-virus application may then add the identity of the infected file to a register of infected files.
In recent years, so called “application stores” have proved to be very popular with mobile users. APPLE App Store and ANDROID Market are perhaps the best known examples. An application store is an online service that allows a user to browse and download software applications from a remote server to their device. Applications are frequently free or very low cost, and a successful application can be downloaded to millions of devices.
While the same software application may be available from another source, the convenience of an application store means that the great majority of downloads of a software application are made using an app store.
With the application store paradigm in place, it is increasingly difficult for distributors of malware to use methods such as spam or Search Engine Optimization (SEO) poisoning to trick their victims to install malicious applications. The most viable attack vector left is to make malware available on an application store. A simple way of tricking users into installing malware is to provide the malware in the form of an application that appears to perform a desirable function for the user. This type of malware is known as a Trojan horse, or Trojan. While the Trojan horse appears to perform a desirable function for the user, it contains malicious code. The malicious code may be executed in addition to performing the desirable function, so the user is not aware that his computer device is running a Trojan horse. A Trojan horse may be used, for example, to display unwanted advertisements or allow a malicious third party to access the computer device and perform unwanted operations such as contacted premium rate numbers, stealing data, installing unwanted software, modifying or removing existing files and so on.
One way of making a Trojan horse is to take an existing application and modify it in order to add malicious functionality. This is sometimes termed “trojanizing” an application. One example of trojanizing is the Geinimi Trojan family that became active on the ANDROID platform at the end of 2010. Geinimi is mobile malware that poses as a gaming application. When a user installs a Geinimi Trojan horse, Geinimi can send personal data from the user's device to a remote server. Furthermore, Geinimi can receive commands from a remote third party.
Trojan horses can be detected by analysing the code of a software application to determine if it includes any malicious functionality, or emulating the software application to ascertain whether it performs any undesirable operations. These approaches can be time consuming and resource intensive.